I think the CA is working, but I don't know for sure, or how to verify it. At least there are no expired certs on either ipa host.

[root@ipa1 ~]# getcert list | grep expires
expires: 2025-11-29 13:19:40 CET
expires: 2025-04-15 16:27:34 CEST
expires: 2025-04-15 16:26:44 CEST
expires: 2025-04-15 16:27:14 CEST
expires: 2037-08-19 16:11:12 CEST
expires: 2025-04-15 16:27:54 CEST
expires: 2025-04-15 16:27:04 CEST
expires: 2040-02-12 12:46:50 CET
expires: 2025-05-29 16:12:51 CEST
expires: 2026-01-26 13:48:23 CET

[root@ipa2 ~]# getcert list | grep expires
expires: 2027-02-16 10:42:29 CET
expires: 2027-02-16 10:42:51 CET
expires: 2025-04-15 16:27:04 CEST
expires: 2027-02-16 10:43:26 CET

The healthcheck showed some "group is not correct" and "files are too permissive" errors, which I resolved.
Now I have these two checks, which do not tell me anything:
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
      "msg": "No KDC workers defined in {sysconfig}"

On Tue, 18 Feb 2025 at 15:22, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Boris wrote:
> Hi Rob,
>
> I have two hosts: ipa1 and ipa2
>
> ipa1:
> Fedora 37
> freeipa-server-4.10.1-1.fc37.x86_64
> Managed suffixes: domain, ca
> running with ipactl start --force because the update is not working (The
> ipa-server-upgrade command failed, exception: RemoteRetrieveError:
> Failed to authenticate to CA REST API).
> I tried to upgrade, but the upgrade did not go through.

Your existing CA is having issues. I'd start by checking that your CA
certificates are still valid: getcert list | grep expires

You might also try installing the freeipa-healthcheck package and
running ipa-healthcheck. Expect a lot of errors since it won't be able
to connect to the CA but it will also check the validity dates, etc.

> ipa2:
> Fedora 35
> freeipa-server-4.9.11-1.fc35.x86_64
> Managed suffixes: domain
>
> So my thought process was: if it can not authenticate against the CA
> REST API, I need to add the CA capability to ipa2

You need to authenticate to the CA to create a clone of it. You can't
install another CA until you get your existing one working.

rob
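The check Rob suggests (`getcert list | grep expires`) only shows dates; what an admin actually wants to know is which tracking requests are expired, close to expiry, or not in the MONITORING state. The script below is an added example, not code from the thread or from FreeIPA/certmonger: it parses the block structure that `getcert list` prints (`Request ID '...':` followed by indented `key: value` lines) and reports per-request findings against a reference time. The sample output, host names, subjects and request IDs are constructed, and the mapping of the CET/CEST abbreviations to fixed UTC offsets is an assumption made for the example.

```python
"""Parse `getcert list` output and flag tracking requests that are
expired, expiring soon, stuck, or not in the MONITORING state.
Added example; the sample text below is constructed to look like
certmonger output and is not from any real host."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: fixed offsets for the abbreviations seen in the thread.
TZ_OFFSETS = {"CET": 1, "CEST": 2, "UTC": 0, "GMT": 0}

# Constructed sample shaped like `getcert list` output (not real data).
SAMPLE = """\
Number of certificates and requests being tracked: 4.
Request ID '20240215104229':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tsubject: CN=ipa2.example.test,O=EXAMPLE.TEST
\texpires: 2027-02-16 10:42:29 CET
\ttrack: yes
\tauto-renew: yes
Request ID '20230415162704':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2025-04-15 16:27:04 CEST
\ttrack: yes
\tauto-renew: yes
Request ID '20220812161112':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2037-08-19 16:11:12 CEST
\ttrack: yes
\tauto-renew: yes
Request ID '20240120120000':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tsubject: CN=old-service.example.test,O=EXAMPLE.TEST
\texpires: 2025-01-20 12:00:00 CET
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            entries.append(current)
            continue
        if current is None:          # header lines before the first block
            continue
        key, sep, value = line.strip().partition(": ")
        if sep:
            current[key] = value
    return entries


def parse_expiry(value):
    """Turn '2025-04-15 16:27:04 CEST' into an aware datetime."""
    stamp, abbrev = value.rsplit(" ", 1)
    if abbrev not in TZ_OFFSETS:
        raise ValueError(f"unknown timezone abbreviation {abbrev!r}")
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[abbrev])))


def check_certs(text, now, warn_days=30):
    """Return one finding per request: days left and a list of problems."""
    findings = []
    for e in parse_getcert(text):
        days_left = (parse_expiry(e["expires"]) - now).days
        problems = []
        if days_left < 0:
            problems.append("expired")
        elif days_left <= warn_days:
            problems.append(f"expires in {days_left} days")
        if e.get("status") != "MONITORING":
            problems.append(f"status {e.get('status')}")
        if e.get("stuck") == "yes":
            problems.append("stuck")
        findings.append({"id": e["id"], "subject": e.get("subject", ""),
                         "days_left": days_left, "problems": problems})
    return findings


if __name__ == "__main__":
    # Reference time: the date of the thread, in UTC.
    ref = datetime(2025, 2, 18, 15, 0, tzinfo=timezone.utc)
    for f in check_certs(SAMPLE, ref):
        flag = "; ".join(f["problems"]) or "ok"
        print(f"{f['id']}  {f['subject']:<45} {f['days_left']:>5}d  {flag}")
```

On a real host the function would be fed `subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout` instead of `SAMPLE`. Note that an unexpired date is not enough on its own: a request whose status is anything other than MONITORING (for instance CA_UNREACHABLE) means certmonger cannot currently renew it, which is exactly the situation the "Failed to authenticate to CA REST API" error points at.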