This is crazy.. why freeIPA is so difficult to debug. 

I can't attach a replica without thousand errors + errors don't make sense also.  

Question, Can I create replication from 4.6 to 4.9 ? 

What if I want to build a new freeIPA on a new OS and export/import all users to a new environment? is it going to work and how? 

On Thu, May 16, 2024 at 2:23 PM Rob Crittenden <rcritten@redhat.com> wrote:
Satish Patel via FreeIPA-users wrote:
> Folks,
>
> Trying to deploy CA on a replica node and failed here without any
> information. Can I restart the process again? Even log directories are
> empty /var/log/pki/pki-tomcat 
>
> My OS is RockyLunux 8.9 and Master CA running on CentOS7.x  
>
> [root@ldap-vx-010103-3 ~]# ipa-ca-install
> Directory Manager (existing master) password:
>
> Run connection check to master
> Connection check OK
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
>   [1/28]: creating certificate server db
>   [2/28]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 161 seconds elapsed
> Update succeeded
>
>   [3/28]: creating ACIs for admin
>   [4/28]: creating installation admin user
>   [5/28]: configuring certificate server instance
>
> ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance
> ipaserver.install.dogtaginstance: CRITICAL See the installation logs and
> the following files/directories for more information:
> ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> CA configuration failed.
>

/var/log/ipaserver-install.log may hold some clues

There should be a pki-ca-spawn log in /var/log/pki related to the install.

There is no uninstall for the CA (or KRA). You'd have to uninstall the
replica and re-install it.

rob