Boris wrote:
> Hi Rob,
>
> I have two hosts: ipa1 and ipa2
>
> ipa1:
> Fedora 37
> freeipa-server-4.10.1-1.fc37.x86_64
> Managed suffixes: domain, ca
> running with ipactl start --force because the update is not working (The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API). I tried to upgrade, but the upgrade did not go through.

Your existing CA is having issues. I'd start by checking that your CA certificates are still valid: getcert list | grep expires

You might also try installing the freeipa-healthcheck package and running ipa-healthcheck. Expect a lot of errors since it won't be able to connect to the CA but it will also check the validity dates, etc.

> ipa2:
> Fedora 35
> freeipa-server-4.9.11-1.fc35.x86_64
> Managed suffixes: domain
>
> So my thought process was: if it can not authenticate against the CA REST API, I need to add the CA capability to ipa2

You need to authenticate to the CA to create a clone of it. You can't install another CA until you get your existing one working.

rob
On Mon, 17 Feb 2025 at 17:55, Rob Crittenden <rcritten@redhat.com> wrote:
Boris via FreeIPA-users wrote:
> Hi,
>
> I just got two IPA servers handed over and those are a mess.
>
> To get this sorted out I want to start with having both as a CA host.
> Even the webUI says "It is strongly recommended to keep the following
> services installed on more than one server: CA"
>
> I have basically 0 knowledge about IPA, the named is crashing regularly
> with assertion errors, the login on the 2nd IPA webinterface fails
> "due to unknown reason", updates on the first IPA are not working and
> the host is started with "ipactl start --force" and no one knows the
> directorymanager password anymore.
>
> So I thought to start small and get the second CA running.

Can you provide more information? What OS and version of IPA?

Why does your first server require a force start? What does it log when you don't?

You need a fully working CA to add another one.

rob

--
The "UTF-8 problems" self-help group is meeting in the large hall this time, as an exception.
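
The validity check suggested in the reply above (`getcert list | grep expires`), extended so that each expiry date stays attached to its request ID, certmonger status and subject. This is an added example, not part of the original thread; the `getcert list` field layout, UTC timestamps, the function names and the sample data (realm `EXAMPLE.TEST`, dates, request IDs) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `getcert list` output per tracked certificate.
# Assumes certmonger's usual "Request ID '...':" / "status:" / "subject:" /
# "expires: YYYY-MM-DD HH:MM:SS UTC" layout with timestamps printed in UTC.

# $1 = reference time (UTC, "YYYY-MM-DD HH:MM:SS"); stdin = getcert list output.
# Prints: verdict <TAB> request id <TAB> status <TAB> expires <TAB> subject
check_expiry() {
    awk -v now="$1" '
        function emit() {
            if (id == "") return
            # Fixed-width timestamps sort lexically, so a string compare is enough.
            verdict = (expires == "") ? "NO-CERT" : ((expires < now) ? "EXPIRED" : "ok")
            printf "%s\t%s\t%s\t%s\t%s\n", verdict, id, status, expires, subject
        }
        /^Request ID/     { emit(); id = $3; gsub(/[^0-9A-Za-z_-]/, "", id)
                            status = ""; expires = ""; subject = "" }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*subject:/ { subject = $0; sub(/^[ \t]*subject:[ \t]*/, "", subject) }
        /^[ \t]*expires:/ { expires = $2 " " $3 }
        END               { emit() }
    '
}

# Constructed sample in the assumed layout (trimmed to a few fields per request).
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20230105101500':
    status: CA_UNREACHABLE
    stuck: no
    subject: CN=CA Subsystem,O=EXAMPLE.TEST
    expires: 2024-12-25 10:15:00 UTC
Request ID '20230105101501':
    status: MONITORING
    stuck: no
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2024-12-25 10:15:30 UTC
Request ID '20230105101502':
    status: MONITORING
    stuck: no
    subject: CN=Certificate Authority,O=EXAMPLE.TEST
    expires: 2043-01-05 10:15:00 UTC
EOF
}

# Reference time is a constructed value; on a live server use:
#   getcert list | check_expiry "$(date -u '+%Y-%m-%d %H:%M:%S')"
sample_getcert_output | check_expiry "2025-02-17 18:00:00"
```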