Hi,
This issue was resolved. We had implemented a more restrictive set of SSL cipher suites on the httpd server of the IPA masters that I was trying to initialize from, and that was preventing the ipa-replica-install --setup-ca (not sure what the exact component would be) from completing a handshake/CA config on the replica.
These were observed on the master's httpd error log:
[Mon Apr 08 12:36:51.051315 2019] [:error] [pid 40464] SSL Library Error: -12286 No common encryption algorithm(s) with client
[Mon Apr 08 12:36:51.068917 2019] [:error] [pid 39291] SSL Library Error: -12286 No common encryption algorithm(s) with client
For reference, this is what my IPA master's nss.conf looked like; the commented-out entries are the ones that the ipa-replica-install --setup-ca did not like.
#NSSCipherSuite +ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_rsa_aes_256_gcm_sha_384,+dhe_rsa_aes_128_gcm_sha_256,+dhe_dss_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_rsa_aes_256_sha_384,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha,+dhe_rsa_aes_128_sha_256,+dhe_rsa_aes_128_sha,+dhe_dss_aes_128_sha_256,+dhe_rsa_aes_256_sha_256,+dhe_dss_aes_256_sha_256,+dhe_rsa_aes_256_sha
NSSCipherSuite +ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,-ecdh_ecdsa_null_sha,-ecdh_ecdsa_rc4_128_sha,-ecdh_ecdsa_3des_sha,-ecdhe_ecdsa_null_sha,-ecdhe_ecdsa_rc4_128_sha,-ecdhe_ecdsa_3des_sha,-ecdh_rsa_null_sha,-ecdh_rsa_128_sha,-ecdh_rsa_3des_sha,-echde_rsa_null,-ecdhe_rsa_rc4_128_sha,-ecdhe_rsa_3des_sha
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
#NSSProtocol TLSv1.2
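
Added example, not part of the original post: a short Python script that parses the two NSSCipherSuite directives quoted above and reports which enabled suites the commented-out (restrictive) line lacks compared with the working line, plus duplicate entries. The function names are made up for this illustration; the two directive strings are copied from the post.

```python
import re
from collections import Counter

# The two NSSCipherSuite directives as posted above (commented-out = restrictive).
NSS_CONF = """\
#NSSCipherSuite +ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_rsa_aes_256_gcm_sha_384,+dhe_rsa_aes_128_gcm_sha_256,+dhe_dss_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha_256,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_rsa_aes_256_sha_384,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha,+dhe_rsa_aes_128_sha_256,+dhe_rsa_aes_128_sha,+dhe_dss_aes_128_sha_256,+dhe_rsa_aes_256_sha_256,+dhe_dss_aes_256_sha_256,+dhe_rsa_aes_256_sha
NSSCipherSuite +ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_128_sha_256,+ecdhe_ecdsa_aes_256_gcm_sha_384,+ecdhe_ecdsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha_384,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_128_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_256_sha_384,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,-fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,-ecdh_ecdsa_null_sha,-ecdh_ecdsa_rc4_128_sha,-ecdh_ecdsa_3des_sha,-ecdhe_ecdsa_null_sha,-ecdhe_ecdsa_rc4_128_sha,-ecdhe_ecdsa_3des_sha,-ecdh_rsa_null_sha,-ecdh_rsa_128_sha,-ecdh_rsa_3des_sha,-echde_rsa_null,-ecdhe_rsa_rc4_128_sha,-ecdhe_rsa_3des_sha
"""

# Matches active and commented-out directives; group 1 is "#" when commented.
DIRECTIVE = re.compile(r"^[ \t]*(#?)[ \t]*NSSCipherSuite[ \t]+(\S+)", re.M)

def parse_directives(conf_text):
    """Return one (is_commented, enabled_set, disabled_set, duplicates) per directive."""
    out = []
    for hashmark, value in DIRECTIVE.findall(conf_text):
        tokens = [t for t in value.split(",") if t]
        enabled = [t[1:] for t in tokens if t.startswith("+")]
        disabled = {t[1:] for t in tokens if t.startswith("-")}
        dups = sorted(n for n, c in Counter(enabled).items() if c > 1)
        out.append((bool(hashmark), set(enabled), disabled, dups))
    return out

def compare(conf_text):
    """Diff the commented-out (restrictive) suite list against the active one."""
    parsed = parse_directives(conf_text)
    restrictive = next(p for p in parsed if p[0])
    active = next(p for p in parsed if not p[0])
    return {
        "only_active": sorted(active[1] - restrictive[1]),
        "only_restrictive": sorted(restrictive[1] - active[1]),
        "common": sorted(active[1] & restrictive[1]),
        "duplicates_in_restrictive": restrictive[3],
    }

if __name__ == "__main__":
    for key, names in compare(NSS_CONF).items():
        print(f"{key} ({len(names)}):")
        for name in names:
            print("   ", name)
```

The `only_active` group is the set of suites that were unavailable to clients while the restrictive line was in effect, which is the place to start when matching a "No common encryption algorithm(s) with client" error against what a given client offers.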