Serge Barkov via FreeIPA-users wrote:
Oh, I'm sorry. freeipa version is 4.4.4-1.fc25
I don't see any difference:
The problem node:
[root@ipa0 ~]# ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;26;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM

The normal one:
[root@ipa1 ~]# ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;26;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
IIRC the CA uses the subsystem cert to authenticate to itself. You might try comparing the ca.subsystem.cert value in /etc/pki/pki-tomcat/ca/CS.cfg between the two servers.
rob
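Rob's suggestion turned into a script (an added example, not code from the thread or from FreeIPA/Dogtag): it pulls the ca.subsystem.cert value out of two CS.cfg files, base64-decodes the DER and compares SHA-256 fingerprints, so a stray space or line ending cannot hide an identical cert and a real mismatch stands out. The CS.cfg fragments and their cert values below are constructed placeholders, not real certificates; the only things taken from the thread are the path /etc/pki/pki-tomcat/ca/CS.cfg and the key name ca.subsystem.cert.

```shell
#!/bin/sh
# Added example: compare ca.subsystem.cert between two CS.cfg files.
# Real files live at /etc/pki/pki-tomcat/ca/CS.cfg on each CA server;
# the sample files created below are constructed stand-ins.

# Print the raw base64 value of ca.subsystem.cert from one CS.cfg file.
# Whitespace and CR/LF are stripped so formatting noise does not leak
# into the comparison.
cs_cfg_subsystem_cert() {
    sed -n 's/^ca\.subsystem\.cert=//p' "$1" | tr -d ' \r\n'
}

# SHA-256 fingerprint of the DER certificate encoded in one CS.cfg file.
# Returns 1 (and prints nothing) when the key is absent or not valid base64.
cs_cfg_subsystem_fp() {
    _cert=$(cs_cfg_subsystem_cert "$1")
    [ -n "$_cert" ] || return 1
    printf '%s' "$_cert" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Compare the subsystem cert in two CS.cfg files.
# Prints "same" (exit 0) or "different" (exit 1); a missing cert on either
# side counts as different, since the CA could not authenticate with it.
compare_subsystem_cert() {
    _a=$(cs_cfg_subsystem_fp "$1") || _a=
    _b=$(cs_cfg_subsystem_fp "$2") || _b=
    if [ -n "$_a" ] && [ "$_a" = "$_b" ]; then
        echo same
        return 0
    fi
    echo different
    return 1
}

# --- constructed sample input (placeholder base64, not real certs) ---
tmp=$(mktemp -d)
IPA0_CFG=$tmp/ipa0-CS.cfg       # the "problem" node
IPA0_DUP_CFG=$tmp/ipa0-dup.cfg  # same cert, different key order / spacing
IPA1_CFG=$tmp/ipa1-CS.cfg       # the "normal" node, last DER byte differs
NOCERT_CFG=$tmp/nocert.cfg      # key missing entirely

cat > "$IPA0_CFG" <<'EOF'
ca.sslserver.nickname=Server-Cert cert-pki-ca
ca.subsystem.cert=AAAAAAAAAAAAAAAAAAAAAA==
ca.subsystem.nickname=subsystemCert cert-pki-ca
EOF

cat > "$IPA0_DUP_CFG" <<'EOF'
ca.subsystem.nickname=subsystemCert cert-pki-ca
ca.subsystem.cert=AAAAAAAAAAAAAAAAAAAAAA==   
ca.sslserver.nickname=Server-Cert cert-pki-ca
EOF

cat > "$IPA1_CFG" <<'EOF'
ca.sslserver.nickname=Server-Cert cert-pki-ca
ca.subsystem.cert=AAAAAAAAAAAAAAAAAAAAAQ==
ca.subsystem.nickname=subsystemCert cert-pki-ca
EOF

cat > "$NOCERT_CFG" <<'EOF'
ca.sslserver.nickname=Server-Cert cert-pki-ca
ca.subsystem.nickname=subsystemCert cert-pki-ca
EOF

# Demonstration runs; "|| :" keeps a "different" result from aborting
# a shell running with set -e.
printf 'ipa0 vs ipa0 (reordered): '; compare_subsystem_cert "$IPA0_CFG" "$IPA0_DUP_CFG" || :
printf 'ipa0 vs ipa1:             '; compare_subsystem_cert "$IPA0_CFG" "$IPA1_CFG" || :
printf 'ipa0 vs missing key:      '; compare_subsystem_cert "$IPA0_CFG" "$NOCERT_CFG" || :
```

On real servers, copy the remote file first (for example `ssh ipa1 cat /etc/pki/pki-tomcat/ca/CS.cfg > /tmp/ipa1-CS.cfg`) and run `compare_subsystem_cert /etc/pki/pki-tomcat/ca/CS.cfg /tmp/ipa1-CS.cfg` on ipa0. The same fingerprint can also be checked against the cert actually held in the CA's NSS database with `certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a | openssl x509 -outform DER | sha256sum`; the nickname is the Dogtag default and is an assumption here, so verify it with `certutil -L -d /etc/pki/pki-tomcat/alias` first. A CS.cfg value that does not match the NSS database, or differs between replicas, is the kind of split Rob's reply points at.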