Kendal Montgomery
2017-04-26 15:33:40 UTC
Hi all,
I’ve been struggling the last few days with rebuilding part of my FreeIPA infrastructure, which has led me to some questions about how some of the IPA infrastructure works. To give a bit of background, I have two IPA servers (my initially installed IPA server, and a replica) both of which have DNS, NTP, and CA roles. I’m running CentOS 7.3, FreeIPA 4.4 currently (upgraded from original CentOS 7 installations which I believe was FreeIPA 4.1? initially). I have several remote sites that each have two IPA server replicas that have replication topology segments for domain and ca suffixes back to the two on-prem IPA servers. This has been working quite well for over a year now, through the upgrades, etc. Occasionally I get an issue with getting some conflicting records in LDAP, which I’ve cleared up by following some of the documentation out there. It seems when this happens however, I end up getting into a situation where replication stops working, and I end up needing to “refresh” the installations. I have done this once so far, and am in the process again currently, by deleting each remote IPA server (ipa server-del), then re-installing each server to get a clean copy of the databases for everything. Last time I had no issues doing this. This time around, I’m running into some issues with the CA setup. I seem to be able to run ipa-replica-install just fine without the --setup-ca option. I may be running into some issues identified in an earlier post this week, so I’ll ask about this issue separately if I continue to have problems. In working through these issues, I realized I don’t really know enough about how the interaction between the IPA clients and IPA server is working, with regard to the PKI infrastructure. I have some questions on what server roles I need at each site and how the PKI infrastructure works within the IPA environment, and how the clients communicate to it:
1) How do the IPA clients discover servers with the CA role and use them?
2) Is all this interaction done through APIs on the IPA server – in other words, are these requests fielded by the IPA server and proxied somehow to known servers with the CA role?
3) Do the clients need “direct” access to a server with the CA role to request and obtain certificates and renewals? (i.e. do I need each IPA server to have the CA role)?
4) Is it sufficient to just have one server with CA role at each site? Or even just one at the main on-prem site?
Kendal Montgomery
DevOps Engineer / Lab Manager
Empowering collective insights
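An added example, not part of the post above: pre-flight checks an operator can run before deleting and re-installing a replica, covering the two things the post mentions (which servers actually hold the CA role, and whether LDAP replication conflict entries are present). It parses the output of the standard FreeIPA `ipa server-role-find` and `ldapsearch` commands; the sample output and hostnames are constructed so the parsers can be exercised offline, and the live commands only run where the `ipa` CLI exists.

```shell
#!/bin/sh
# Added example (not from the list post). Assumes a FreeIPA 4.4-era CLI and,
# for the live section, an admin Kerberos ticket on an IPA server.

# Count servers whose "CA server" role is enabled, reading
# `ipa server-role-find --role "CA server"` output from stdin.
count_enabled_ca_servers() {
    awk '/^ *Role status: enabled/ { n++ } END { print n + 0 }'
}

# List hostnames holding an enabled CA role (same input), one per line.
list_enabled_ca_servers() {
    awk '/^ *Server name:/ { host = $3 }
         /^ *Role status: enabled/ { print host }'
}

# Count replication conflict entries, reading the output of
# `ldapsearch -LLL -b "$SUFFIX" "(nsds5ReplConflict=*)" nsds5ReplConflict`.
count_repl_conflicts() {
    awk '/^nsds5ReplConflict:/ { n++ } END { print n + 0 }'
}

# Constructed sample output: two on-prem CA servers, one remote replica without CA.
SAMPLE_ROLES='  Server name: ipa1.example.test
  Role name: CA server
  Role status: enabled

  Server name: ipa2.example.test
  Role name: CA server
  Role status: enabled

  Server name: site1-ipa1.example.test
  Role name: CA server
  Role status: absent'

# Constructed sample: one conflict entry left behind by concurrent host adds.
SAMPLE_CONFLICTS='dn: nsuniqueid=PLACEHOLDER+cn=host1,cn=computers,cn=accounts,dc=example,dc=test
nsds5ReplConflict: namingConflict cn=host1,cn=computers,cn=accounts,dc=example,dc=test'

# Live checks: only when run on a host with the ipa CLI installed.
if command -v ipa >/dev/null 2>&1; then
    echo "Servers with an enabled CA role:"
    ipa server-role-find --role "CA server" | list_enabled_ca_servers
    # Both topology suffixes must have segments to every replica being refreshed.
    for suffix in domain ca; do ipa topologysegment-find "$suffix"; done
fi
```

On a live server, pipe the `ldapsearch` conflict query into `count_repl_conflicts` and treat a non-zero result as something to clean up before `ipa server-del`, since a refreshed replica will otherwise pull the conflict entries back in.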