Folks, 

I have a FreeIPA server running on CentOS 7 and now I am trying to create a replica copy using Rocky Linux 9.3. When I try to join, I get an error related to an expired cert. I have checked everywhere and didn't find any expired certificates.

/usr/sbin/ipa-client-install -p admin -w XXXX --realm=FOO.COM --domain=foo.com --server=ldap-1.foo.com --hostname ldap-2.foo.com -N --no-ssh --no-sshd --request-cert -U --force-join

...
...

Joining realm failed: Unable to initialize STARTTLS session
    Connect error: error:0A000086:SSL routines::certificate verify failed (certificate has expired)
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to initialize STARTTLS session
    Connect error: error:0A000086:SSL routines::certificate verify failed (certificate has expired)
Failed to bind to server!
Failed to get keytab
child exited with 9

Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.


On the master LDAP node I ran "/usr/bin/getcert list" and all certs are up to date. Not sure where this expired cert error is coming from.