Folks,
I have a FreeIPA server running on CentOS7 and now I am trying to create a replica copy using RockyLinux 9.3. When I try to join, I get an error related to an expired cert. I have checked everywhere and didn't find any expired certificates.
/usr/sbin/ipa-client-install -p admin -w XXXX --realm=FOO.COM --domain=foo.com --server=ldap-1.foo.com --hostname ldap-2.foo.com -N --no-ssh --no-sshd --request-cert -U --force-join
... ...
Joining realm failed: Unable to initialize STARTTLS session
Connect error: error:0A000086:SSL routines::certificate verify failed (certificate has expired)
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to initialize STARTTLS session
Connect error: error:0A000086:SSL routines::certificate verify failed (certificate has expired)
Failed to bind to server!
Failed to get keytab
child exited with 9
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
On the master LDAP node I did "/usr/bin/getcert list" and all certs are up to date. Not sure where this expired cert error is coming from.
freeipa-users@lists.fedorahosted.org