Hi Rob,

I have two hosts: ipa1 and ipa2

ipa1:
Fedora 37
freeipa-server-4.10.1-1.fc37.x86_64
Managed suffixes: domain, ca
running with ipactl start --force because the update is not working (The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API).
I tried to upgrade, but the upgrade did not go through.

ipa2:
Fedora 35
freeipa-server-4.9.11-1.fc35.x86_64
Managed suffixes: domain

So my thought process was: if it cannot authenticate against the CA REST API, I need to add the CA capability to ipa2.




On Mon, 17 Feb 2025 at 17:55, Rob Crittenden <rcritten@redhat.com> wrote:
Boris via FreeIPA-users wrote:
> Hi,
>
> I just got two IPA servers handed over and those are a mess.
>
> To get this sorted out I want to start with having both as a CA host.
> Even the webUI says "It is strongly recommended to keep the following
> services installed on more than one server: CA"
>
> I have basically 0 knowledge about IPA, the named is crashing regularly
> with assertion errors, the login on the 2nd IPA web interface fails
> "due to unknown reason", updates on the first IPA are not working and
> the host is started with "ipactl start --force" and no one knows the
> Directory Manager password anymore.
>
> So I thought to start small and get the second CA running.

Can you provide more information?

What OS and version of IPA?

Why does your first server require a force start? What does it log when
you don't?

You need a fully working CA to add another one.

rob



--
The "UTF-8 Problems" self-help group is meeting in the large hall this time, as an exception.