Hi Rob,
I have two hosts: ipa1 and ipa2
ipa1: Fedora 37, freeipa-server-4.10.1-1.fc37.x86_64, Managed suffixes: domain, ca. Running with ipactl start --force because the update is not working (The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API). I tried to upgrade, but the upgrade did not go through.
ipa2: Fedora 35, freeipa-server-4.9.11-1.fc35.x86_64, Managed suffixes: domain
So my thought process was: if it cannot authenticate against the CA REST API, I need to add the CA capability to ipa2.
On Mon, 17 Feb 2025 at 17:55, Rob Crittenden <rcritten@redhat.com> wrote:
Boris via FreeIPA-users wrote:
Hi,
I just got two IPA servers handed over and those are a mess.
To get this sorted out I want to start with having both as a CA host. Even the webUI says "It is strongly recommended to keep the following services installed on more than one server: CA"
I have basically 0 knowledge about IPA, the named is crashing regularly with assertion errors, the login on the 2nd IPA web interface fails "due to unknown reason", updates on the first IPA are not working and the host is started with "ipactl start --force" and no one knows the Directory Manager password anymore.
So I thought to start small and get the second CA running.
Can you provide more information?
What OS and version of IPA?
Why does your first server require a force start? What does it log when you don't?
You need a fully working CA to add another one.
rob