I think the CA is working, but I don't know for sure, or how to verify it. At least there are no expired certs on either ipa host:

[root@ipa1 ~]# getcert list | grep expires
	expires: 2025-11-29 13:19:40 CET
	expires: 2025-04-15 16:27:34 CEST
	expires: 2025-04-15 16:26:44 CEST
	expires: 2025-04-15 16:27:14 CEST
	expires: 2037-08-19 16:11:12 CEST
	expires: 2025-04-15 16:27:54 CEST
	expires: 2025-04-15 16:27:04 CEST
	expires: 2040-02-12 12:46:50 CET
	expires: 2025-05-29 16:12:51 CEST
	expires: 2026-01-26 13:48:23 CET

[root@ipa2 ~]# getcert list | grep expires
	expires: 2027-02-16 10:42:29 CET
	expires: 2027-02-16 10:42:51 CET
	expires: 2025-04-15 16:27:04 CEST
	expires: 2027-02-16 10:43:26 CET

The healthcheck showed some "group is not correct" and "files are too permissive" findings, which I resolved. Now I have these two checks, which do not tell me anything:

"msg": "certmonger tracking request {key} found and is not expected on an IPA master."
"msg": "No KDC workers defined in {sysconfig}"
On Tue, 18 Feb 2025 at 15:22, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Boris wrote:
Hi Rob,
I have two hosts: ipa1 and ipa2
ipa1: Fedora 37 freeipa-server-4.10.1-1.fc37.x86_64 Managed suffixes: domain, ca running with ipactl start --force because the update is not working (The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API). I tried to upgrade, but the upgrade did not go through.
Your existing CA is having issues. I'd start by checking that your CA certificates are still valid:

getcert list | grep expires
You might also try installing the freeipa-healthcheck package and running ipa-healthcheck. Expect a lot of errors since it won't be able to connect to the CA but it will also check the validity dates, etc.
ipa2: Fedora 35 freeipa-server-4.9.11-1.fc35.x86_64 Managed suffixes: domain
So my thought process was: if it cannot authenticate against the CA REST API, I need to add the CA capability to ipa2.
You need to authenticate to the CA to create a clone of it. You can't install another CA until you get your existing one working.
rob
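Rob's suggestion is to read the expiry dates out of `getcert list`; the grep above shows only dates, with no link to which certificate or tracking request they belong to. The script below is an added example, not part of this thread or of FreeIPA/certmonger: it parses the full `getcert list` block layout (Request ID, status, certificate, expires) and reports, per request, whether the certificate is expired, expiring within a window, or tracked by a request whose status is not MONITORING (for instance CA_UNREACHABLE, which is what a broken CA tends to produce). The sample output, request IDs, nicknames and the reference date are constructed; zone abbreviations in the expires field are dropped and times are compared as naive local time.

```python
import re
from datetime import datetime

# Constructed sample in the layout `getcert list` prints; request IDs, nicknames and dates are hypothetical.
SAMPLE_GETCERT_OUTPUT = """\
Request ID '20200212114650':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2040-02-12 12:46:50 CET
Request ID '20230415142734':
	status: CA_UNREACHABLE
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2025-04-15 16:27:34 CEST
Request ID '20231129121940':
	status: MONITORING
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	expires: 2024-11-29 13:19:40 CET
"""
AS_OF = datetime(2025, 2, 18, 15, 22)  # constructed reference point: the date of this thread


def parse_getcert(text):
    """Split getcert output into one dict per "Request ID" block, keyed by the field names getcert prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def cert_health(text, now, warn_days=30):
    """Return (request id, nickname or file, state, days left) per request; state is EXPIRED, STUCK, EXPIRING or OK."""
    rows = []
    for r in parse_getcert(text):
        cert = r.get("certificate", "")
        label = re.search(r"nickname='([^']+)'", cert) or re.search(r"location='([^']+)'", cert)
        # "2025-04-15 16:27:34 CEST": drop the zone abbreviation and compare as local time (simplifying assumption)
        days = (datetime.strptime(r["expires"].rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S") - now).days
        stuck = r.get("status") != "MONITORING"  # renewal is not progressing, e.g. CA_UNREACHABLE while the CA is down
        state = "EXPIRED" if days < 0 else "STUCK" if stuck else "EXPIRING" if days <= warn_days else "OK"
        rows.append((r["id"], label.group(1) if label else "?", state, days))
    return rows


if __name__ == "__main__":
    for row in cert_health(SAMPLE_GETCERT_OUTPUT, AS_OF):
        print("%s  %-28s %-8s %6d days" % row)
```

Feed it `getcert list` output from each host (for example `getcert list > ipa1.txt` and read the file) to see which tracking requests are stuck rather than only which dates are near.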