Hi Rob and thanks for your answer.
Indeed, I see this error:

[root@ipa2 ~]# ipa-replica-manage -v list ipa2.fluent.local
ipa3.fluent.local: replica
  last update status: Error (18) Replication error acquiring replica: Incremental update transient warning.  Backing off, will retry update later. (transient warning)
  last update ended: 1970-01-01 00:00:00+00:00

Is it possible to remove a replica with "ipa-replica-manage del ipa2" and
then connect it again with the same name?

On Mon, 23 May 2022 at 23:08, Rob Crittenden <rcritten@redhat.com> wrote:
Pavlo Pocheptsov via FreeIPA-users wrote:
> Hi list.
> ipa2 node was promoted to ca with ipa-ca-install
> and it shows all is good on its side:
>
> [root@ipa2 ~]# ipa-replica-manage list
> ipa3: master
> ipa2: master
> [root@ipa2 ~]# ipa-csreplica-manage list
> ipa3: master
> ipa2: *master*
> [root@ipa2 ~]# ipa config-show |grep CA
>   Certificate Subject base: O=removed
>   IPA CA servers: *ipa2, ipa3*
>   IPA CA renewal master: ipa3
> [root@ipa2 ~]# ipa server-role-find | grep -A1 -B1 CA
>   Server name: ipa2
>   Role name: CA server
>   Role status: *enabled*
> --
>   Server name: ipa3
>   Role name: CA server
>   Role status: *enabled*
> [root@ipa2 ~]# ipa-replica-manage list-ruv
> Replica Update Vectors:
> ipa2:389: 11
> ipa3:389: 9
> Certificate Server Replica Update Vectors:
> ipa2:389: 12
> ipa3:389: 10
>
> But ipa3 node doesn't see ipa2 as ca master:
>
> [root@ipa3 ~]# ipa-replica-manage list
> ipa3: master
> ipa2: master
> [root@ipa3 ~]# ipa-csreplica-manage list
> ipa3: master
> ipa2: *CA not configured*
> [root@ipa3 ~]# ipa config-show |grep CA
>   Certificate Subject base: O=removed
>   IPA CA servers: *ipa3*  <----- no ipa2 here
>   IPA CA renewal master: ipa3
> [root@ipa3 ~]# ipa server-role-find | grep -B1 -A1 CA
>   Server name: ipa2
>   Role name: CA server
>   Role status: *absent*
> --
>   Server name: ipa3
>   Role name: CA server
>   Role status: enabled
> [root@ipa3 ~]# ipa-replica-manage list-ruv
> Replica Update Vectors:
> ipa3:389: 9
> ipa2:389: 11
> Certificate Server Replica Update Vectors:
> ipa3:389: 10
> ipa2:389: 12
>
> CentOS 7.9
> FreeIPA, version: 4.6.8
>
> What is the real situation here? Is there CA replication between replicas or no?
> Is it possible to fix this and make ipa2 CA role visible on ipa3?
> Any extra information I can provide to fully understand the issue?

I'd look for replication issues.

rob
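What "look for replication issues" amounts to in a two-master setup like this one is asking every master the same questions and comparing the answers: the "IPA CA servers" value and the CA role status both come from replicated directory data, so two masters disagreeing about them is itself a replication symptom. The script below is an added example, not code from the thread or from FreeIPA. It parses `ipa config-show` and `ipa server-role-find --role "CA server"` output and reports where two masters diverge. The sample outputs embedded in it are constructed to mirror what ipa2 and ipa3 returned above; in a real check each variable would be filled by running those commands on each master (for instance over ssh).

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): compare two masters' views
# of the CA role.  Sample outputs are CONSTRUCTED from the thread; replace
# them with the real command output collected from each server.

# Print the "IPA CA servers" list from `ipa config-show` output (stdin) as a
# single sorted, space-separated line so two views compare as plain strings.
ca_servers() {
    sed -n 's/^ *IPA CA servers: *//p' | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//' | grep -v '^$' | sort | paste -s -d ' ' -
}

# Print "server=status" for the CA server role from
# `ipa server-role-find --role "CA server"` output (stdin), one sorted line.
ca_role_status() {
    awk '
        /^ *Server name:/ { server = $NF }
        /^ *Role name:/   { in_ca = ($0 ~ /CA server$/) }
        in_ca && /^ *Role status:/ { print server "=" $NF; in_ca = 0 }
    ' | sort | paste -s -d ' ' -
}

# compare_views LABEL SERVER_A SERVER_B VIEW_A VIEW_B
# Returns 0 when both servers report the same thing, 1 on divergence.
compare_views() {
    if [ "$4" = "$5" ]; then
        printf '%s: %s and %s agree (%s)\n' "$1" "$2" "$3" "$4"
        return 0
    fi
    printf 'MISMATCH in %s: %s sees [%s] but %s sees [%s]\n' \
        "$1" "$2" "$4" "$3" "$5"
    return 1
}

# Constructed sample output of `ipa config-show` on each master.
IPA2_CONFIG='  Certificate Subject base: O=EXAMPLE
  IPA CA servers: ipa2, ipa3
  IPA CA renewal master: ipa3'
IPA3_CONFIG='  Certificate Subject base: O=EXAMPLE
  IPA CA servers: ipa3
  IPA CA renewal master: ipa3'

# Constructed sample output of `ipa server-role-find --role "CA server"`.
IPA2_ROLES='----------------------
2 server roles matched
----------------------
  Server name: ipa2
  Role name: CA server
  Role status: enabled

  Server name: ipa3
  Role name: CA server
  Role status: enabled
----------------------------
Number of entries returned 2
----------------------------'
IPA3_ROLES='----------------------
2 server roles matched
----------------------
  Server name: ipa2
  Role name: CA server
  Role status: absent

  Server name: ipa3
  Role name: CA server
  Role status: enabled
----------------------------
Number of entries returned 2
----------------------------'

# Run both comparisons; the return value is the number of mismatches.
check_all() {
    mismatches=0
    compare_views "IPA CA servers" ipa2 ipa3 \
        "$(printf '%s\n' "$IPA2_CONFIG" | ca_servers)" \
        "$(printf '%s\n' "$IPA3_CONFIG" | ca_servers)" \
        || mismatches=$((mismatches + 1))
    compare_views "CA role status" ipa2 ipa3 \
        "$(printf '%s\n' "$IPA2_ROLES" | ca_role_status)" \
        "$(printf '%s\n' "$IPA3_ROLES" | ca_role_status)" \
        || mismatches=$((mismatches + 1))
    return $mismatches
}

if check_all; then
    echo "all views agree"
else
    echo "mismatches found: $?  (check ipa-replica-manage -v list on each master)"
fi
```

With the constructed data the script reports two mismatches, which is exactly the ipa2/ipa3 picture above: the CA suffix RUVs look consistent on both sides, yet the masters disagree about who holds the CA role. That pattern points at the domain replication agreement rather than at the CA itself, which is where the `ipa-replica-manage -v list` status of each master is the next thing to read.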