Promote a replica to the new IPA CA renewal master

Solution Verified

Environment

  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7
  • IPA 4.0 or later

Issue

  • The master server is broken and a replica needs to be promoted to be the new master.
  • For some reason, the master was not configured properly, and some operations like ipa restore or update failed.
  • After running the command ipa-csreplica-manage set-renewal-master, the settings in CS.cfg were not updated.
  • The CA renewal master was removed accidentally.

Resolution

If there is no urgency in the environment, follow the steps below to resolve the issue. However, if it is a critical environment, the quickest solution is to promote one of the replicas to be the new CRL master and reinstall the old IPA server as a replica. See the documentation on how to remove a replica and re-add it.

Identify a replica that has the CA installed. The hostname of the current renewal master can be determined from LDAP (remember to fill in the domain information for -b):

 ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b 'cn=masters,cn=ipa,cn=etc,dc=example,dc=com' '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn

IPA command (this lists the hostnames of the IPA CA servers):

# ipa config-show
  --snip--
  IPA CA servers: idmdnsintegrationrhel8.linux.example.net

In this case the IPA CA server is: idmdnsintegrationrhel8.linux.example.net

Promoting the replica to be the new master server

The steps below need to be run on the replica that will become the new IPA master server. See more information on how to promote a master IPA server to be a replica.

  1. Run the following command:
# ipa-csreplica-manage set-renewal-master
  2. Stop the CA service:
# systemctl stop pki-tomcatd@pki-tomcat
  3. Check that ca.crl.MasterCRL.enableCRLCache and ca.crl.MasterCRL.enableCRLUpdates in /etc/pki/pki-tomcat/ca/CS.cfg are set to true:
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
  4. Check that ca.transitRecordPageSize and ca.transitMaxRecords in /etc/pki/pki-tomcat/ca/CS.cfg are set as follows, and either remove ca.certStatusUpdateInterval=0 or set it to 600 (the default):
ca.transitRecordPageSize=200
ca.transitMaxRecords=1000000
  5. Start the CA service:
# systemctl start pki-tomcatd@pki-tomcat
  6. Configure Apache to handle CRL requests in /etc/httpd/conf.d/ipa-pki-proxy.conf by commenting out the RewriteRule on the last line:
# Only enable this on servers that are not generating a CRL
#RewriteRule ^/ipa/crl/MasterCRL.bin https://<hostname>/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
  7. Restart Apache:
# systemctl restart httpd
  8. Check that the new server is the new IPA CA renewal master:
# ipa config-show | grep "IPA CA renewal master"
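A read-only pre-flight check for the CS.cfg and ipa-pki-proxy.conf settings above, added here as an example and not part of the Red Hat article: it reads both files (paths given as arguments, defaulting to the live locations named in the steps) and reports every setting that still differs from the renewal-master values, so a failed set-renewal-master run can be spotted before the CA is started again. The function names and the summary messages are this example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: read-only pre-flight check of the
# CS.cfg and ipa-pki-proxy.conf settings the procedure above requires.

# cfg_get FILE KEY: print the (last) value of KEY=value in a CS.cfg-style file.
cfg_get() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1" 2>/dev/null
}

# check_cs_cfg CS_CFG: report every setting that differs from the renewal-master
# values; returns 0 when all are correct.
check_cs_cfg() {
    f=$1; rc=0
    for kv in ca.crl.MasterCRL.enableCRLCache=true \
              ca.crl.MasterCRL.enableCRLUpdates=true \
              ca.transitRecordPageSize=200 \
              ca.transitMaxRecords=1000000; do
        k=${kv%%=*}; want=${kv#*=}; got=$(cfg_get "$f" "$k")
        if [ "$got" != "$want" ]; then
            echo "CS.cfg: $k is '${got:-unset}', expected '$want'"; rc=1
        fi
    done
    # certStatusUpdateInterval=0 must be removed or set back to the 600 default.
    if [ "$(cfg_get "$f" ca.certStatusUpdateInterval)" = "0" ]; then
        echo "CS.cfg: ca.certStatusUpdateInterval=0 must be removed or set to 600"; rc=1
    fi
    return $rc
}

# check_proxy_conf CONF: the MasterCRL RewriteRule must be commented out on the
# server that generates the CRL, otherwise CRL requests are redirected elsewhere.
check_proxy_conf() {
    if grep -Eq '^[[:space:]]*RewriteRule[[:space:]]+\^/ipa/crl/MasterCRL\.bin' "$1" 2>/dev/null; then
        echo "ipa-pki-proxy.conf: MasterCRL RewriteRule is still active; comment it out"
        return 1
    fi
    return 0
}

# main [CS.cfg] [ipa-pki-proxy.conf]: defaults to the live IPA paths.
main() {
    ok=0
    check_cs_cfg "${1:-/etc/pki/pki-tomcat/ca/CS.cfg}" || ok=1
    check_proxy_conf "${2:-/etc/httpd/conf.d/ipa-pki-proxy.conf}" || ok=1
    [ "$ok" -eq 0 ] && echo "renewal-master settings look correct"
    return $ok
}
# Only run automatically when both paths are given on the command line.
if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it on the replica after editing CS.cfg and before the CA service is started again; a non-zero exit lists exactly which values still need attention.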

Reference: Promote_CA_to_Renewal_and_CRL_Master — FreeIPA documentation

Component: ipa

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
