Till Hofmann via FreeIPA-users wrote:
> Hi all,
> I managed to work around the issue by:
> 1. Setting up the replica without the CA (i.e., `ipa-replica-install` without
> `--setup-ca`)
> 2. Setting up the CA with `ipa-ca-install`. This also failed at some point (because it could
> not contact the old master on port 8443), but it seemed to do "enough" so I
> could actually ignore the missing steps.
> I turned off the original master, verified that I could still log in on the clients and
> also tested certificate renewal with `ipa-cacert-manage renew`, which was successful.
This is not a sufficient test. This command only renews the CA certificate.
> I don't know what the missing steps were, I hope this won't
> bite me in the long run. Do you have any suggestions on what else I could test to verify that
> the CA is also working properly?
If you want to test that the CA works then issue a new certificate,
revoke it, ensure it lands in the CRL at next generation.
You also need to set the certificate renewal master and CRL generator.
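The check the reply describes, as an added script that is not part of this thread and not FreeIPA's own tooling: it sets the renewal master and CRL generator on the surviving replica, issues a certificate for a throwaway host, revokes it, and polls the published CRL until the serial shows up. The hostnames (`replica.example.test`, `catest.example.test`), the domain in the CRL URL (the `/ipa/crl/MasterCRL.bin` path is the standard FreeIPA location) and the choice of revocation reason 0 are assumptions; the commands need an admin Kerberos ticket and `ipa-crlgen-manage` from a recent FreeIPA. The CRL-parsing helper is also exercised offline against a constructed `openssl crl -text` snippet, so the script runs without a CA when invoked with no arguments.

```shell
#!/bin/sh
# Added example for this thread, not the poster's or the replier's commands:
# smoke-test the CA on a surviving replica by setting the renewal master and
# CRL generator, then issuing a certificate, revoking it, and checking the CRL.
# REPLICA, CRL_URL and TEST_CN are assumptions; the CRL path is the standard
# FreeIPA location under an assumed domain.
set -eu

REPLICA="replica.example.test"                               # assumed
CRL_URL="http://ipa-ca.example.test/ipa/crl/MasterCRL.bin"   # assumed domain
TEST_CN="catest.example.test"                                # assumed throwaway host

# `ipa cert-show` prints the serial in decimal; `openssl crl -text` prints it
# as uppercase hex, zero-padded to an even number of digits.
serial_to_crl_hex() {
    printf '%X\n' "$1"
}

# Return 0 if decimal serial $1 is listed under "Revoked Certificates" in the
# CRL text dump $2.
serial_in_crl() {
    hex=$(serial_to_crl_hex "$1")
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*Serial Number: 0*${hex}\$"
}

# Constructed sample of what `openssl crl -noout -text` prints, so the helper
# can be exercised without a live CA (serial 12 = 0x0C is revoked).
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
Revoked Certificates:
    Serial Number: 0C
        Revocation Date: Jan  1 00:00:00 2024 GMT'

# Move the CA roles the old master held onto the surviving replica.
# Run on the replica; both commands need an admin Kerberos ticket.
set_ca_roles() {
    ipa config-mod --ca-renewal-master-server="$REPLICA"
    ipa-crlgen-manage enable
    ipa config-show | grep -i 'renewal master'
    ipa-crlgen-manage status
}

# Issue a cert for a throwaway host, revoke it, confirm the revocation, then
# poll the published CRL until the serial appears (give up after 10 tries).
issue_revoke_check() {
    ipa host-add "$TEST_CN" --force >/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$TEST_CN" \
        -keyout catest.key -out catest.csr 2>/dev/null
    serial=$(ipa cert-request catest.csr --principal="host/$TEST_CN" \
        | awk '/Serial number:/ {print $3}')
    echo "issued serial $serial"

    ipa cert-revoke "$serial" --revocation-reason=0
    ipa cert-show "$serial" | grep -q 'Revoked: True'

    tries=0
    while [ "$tries" -lt 10 ]; do
        curl -sSf -o MasterCRL.bin "$CRL_URL"
        crl_text=$(openssl crl -inform DER -in MasterCRL.bin -noout -text)
        if serial_in_crl "$serial" "$crl_text"; then
            echo "serial $serial is on the CRL: issue, revoke and publish all work"
            return 0
        fi
        echo "serial $serial not on the CRL yet, waiting for the next generation"
        tries=$((tries + 1))
        sleep 60
    done
    echo "serial $serial never appeared on the CRL; check ipa-crlgen-manage status" >&2
    return 1
}

# Offline self-check of the CRL parsing helper against the constructed sample.
offline_check() {
    serial_in_crl 12 "$SAMPLE_CRL_TEXT" && ! serial_in_crl 13 "$SAMPLE_CRL_TEXT"
}

if [ "${1:-}" = "--run" ]; then
    set_ca_roles
    issue_revoke_check
else
    offline_check && echo "offline CRL parse check passed"
fi
```

Run it with `--run` on the replica after `kinit admin`. The polling loop exists because the CRL is only regenerated on the generator's schedule, so a freshly revoked serial is not in the published file immediately; if it never appears, the replica is not actually the CRL generator, which is exactly the gap the reply warns about. The decimal-to-hex conversion matters because `ipa` reports serials in decimal while `openssl crl -text` lists them in hex.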