The CA installation fails because it finds an existing entry in "cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr". It really looks like your topology used to have a self-signed CA at one point.
If you look at this entry, does it correspond to a CA known to you?
You can extract the certificate using
ldapsearch -D "cn=directory\ manager" -W -b "cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr" -LLL -o ldif-wrap=no
which should show a value for cacertificate;binary:: <content>
Then create a pem file with the format
-----BEGIN CERTIFICATE-----
<here paste the content>
-----END CERTIFICATE-----
and execute: openssl x509 -noout -text -in <pemfile>
You mentioned in a previous email that the server was originally part of a cluster but got "extracted" out of it to run the tests. Did this set of servers have a self-signed IPA CA? In the logs we can see reference to 3 different CA certificates for "CN=Certificate Authority, O=LIX.POLYTECHNIQUE.FR" (self signed, issued in June, June and July 2016). It's really a confusing situation, as it's the subject that IPA CA would use by default but it could also be a completely different origin.
flo
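
The extraction steps from the message above as a script, added here as an example and not part of the original e-mail. The helper names (ldif_to_pem, describe_certs), the file name ipa-ca.pem and the sample LDIF are assumptions; the sample's base64 payload is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example: helper names, file names and the sample are assumptions.

# Read ldapsearch LDIF (-LLL -o ldif-wrap=no) on stdin and print one PEM block
# per cacertificate;binary value. The attribute name is matched without regard
# to case because the server may return "cACertificate;binary::".
ldif_to_pem() {
    awk 'tolower($1) == "cacertificate;binary::" {
        print "-----BEGIN CERTIFICATE-----"
        for (i = 1; i <= length($2); i += 64) print substr($2, i, 64)
        print "-----END CERTIFICATE-----"
    }'
}

# Print identifying fields for every certificate in PEM file $1, so each one
# can be compared with the CA certificates referenced in the logs.
# openssl x509 reads only the first certificate in a file, hence the split.
describe_certs() {
    dir=$(mktemp -d) || return 1
    awk -v d="$dir" '/BEGIN CERTIFICATE/ { n++ }
                     n { print > (d "/cert" n ".pem") }' "$1"
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || continue
        openssl x509 -noout -subject -issuer -serial -dates \
            -fingerprint -sha256 -in "$f"
    done
    rm -rf "$dir"
}

# Constructed sample: the base64 payload is a placeholder, not a certificate.
SAMPLE_LDIF='dn: cn=LIX.POLYTECHNIQUE.FR IPA CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr
cn: LIX.POLYTECHNIQUE.FR IPA CA
cACertificate;binary:: QUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJD'

# Demo on the sample (no LDAP server or openssl needed for this step).
printf '%s\n' "$SAMPLE_LDIF" | ldif_to_pem

# Real use, with the search from the message above:
#   ldapsearch -D "cn=directory\ manager" -W -b "<entry DN>" -LLL \
#       -o ldif-wrap=no | ldif_to_pem > ipa-ca.pem
#   describe_certs ipa-ca.pem
```

If the entry holds several certificate values, ldif_to_pem emits one PEM block per value and describe_certs reports each separately.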