I noticed that the referenced files in /var/kerberos/krb5kdc differ. They also have quite different modification dates. On ipa1, kdc.crt is older (22 Aug 2023); on ipa2 it is much newer (13 Jan 2024).
I looked into the certs with openssl x509 -in kdc.crt -text.
These certs are not issued by our CA authority; they must be something created by IPA internally.
Comparing the certs with meld, I noticed different dates, of course, but also that the cert on the working ipa1 server has sections that are missing from the other cert, namely:
X509v3 Subject Alternative Name: othername:<unsupported>, othername:<unsupported>
and X509v3 Subject Key Identifier: 46:31:70:5C:55:B6:9F:D5:EC:29:9C:54:AE:3B:53:F5:0B:91:39:3A .".K.D.C.s._.P.K.I.N.I.T._.C.e.r.t.s
ISTR there was another thread where someone had a similar issue and solved it by requesting a new cert?