Hi Rob and thanks for your answer.
Indeed, I see this error:

[root@ipa2 ~]# ipa-replica-manage -v list ipa2.fluent.local
ipa3.fluent.local: replica
last update status: Error (18) Replication error acquiring replica: Incremental update transient warning. Backing off, will retry update later. (transient warning)
last update ended: 1970-01-01 00:00:00+00:00

Is it possible to remove a replica with "ipa-replica-manage del ipa2" and then connect it again with the same name?

On Mon, 23 May 2022 at 23:08, Rob Crittenden <rcrit...@redhat.com> wrote:

> Pavlo Pocheptsov via FreeIPA-users wrote:
> > Hi list.
> > ipa2 node was promoted to ca with ipa-ca-install
> > and it shows all is good on its side:
> >
> > [root@ipa2 ~]# ipa-replica-manage list
> > ipa3: master
> > ipa2: master
> > [root@ipa2 ~]# ipa-csreplica-manage list
> > ipa3: master
> > ipa2: *master*
> > [root@ipa2 ~]# ipa config-show |grep CA
> > Certificate Subject base: O=removed
> > IPA CA servers: *ipa2, ipa3*
> > IPA CA renewal master: ipa3
> > [root@ipa2 ~]# ipa server-role-find | grep -A1 -B1 CA
> > Server name: ipa2
> > Role name: CA server
> > Role status: *enabled*
> > --
> > Server name: ipa3
> > Role name: CA server
> > Role status: *enabled*
> > [root@ipa2 ~]# ipa-replica-manage list-ruv
> > Replica Update Vectors:
> > ipa2:389: 11
> > ipa3:389: 9
> > Certificate Server Replica Update Vectors:
> > ipa2:389: 12
> > ipa3:389: 10
> >
> > But ipa3 node doesn't see ipa2 as ca master:
> >
> > [root@ipa3 ~]# ipa-replica-manage list
> > ipa3: master
> > ipa2: master
> > [root@ipa3 ~]# ipa-csreplica-manage list
> > ipa3: master
> > ipa2: *CA not configured*
> > [root@ipa3 ~]# ipa config-show |grep CA
> > Certificate Subject base: O=removed
> > IPA CA servers: *ipa3* <----- no ipa2 here
> > IPA CA renewal master: ipa3
> > [root@ipa3 ~]# ipa server-role-find | grep -B1 -A1 CA
> > Server name: ipa2
> > Role name: CA server
> > Role status: *absent*
> > --
> > Server name: ipa3
> > Role name: CA server
> > Role status: enabled
> > [root@ipa3 ~]# ipa-replica-manage list-ruv
> > Replica Update Vectors:
> > ipa3:389: 9
> > ipa2:389: 11
> > Certificate Server Replica Update Vectors:
> > ipa3:389: 10
> > ipa2:389: 12
> >
> > Centos 7.9
> > FreeIPA, version: 4.6.8
> >
> > What is the real situation here? Is there CA replication btw replicas or no?
> > Is it possible to fix this and make ipa2 CA role visible on ipa3?
> > Any extra information I can provide to fully understand the issue?
>
> I'd look for replication issues.
>
> rob
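Added example, not part of the original messages and not FreeIPA code: a small Python check that takes the command output quoted in this thread, reports where two replicas disagree about a server role, and flags replication agreements that look stalled. The function names are hypothetical. Two assumptions: the two-space indentation of the agreement detail lines, and reading an epoch "last update ended" as "no update has finished on this agreement".

```python
import re

# Output copied from the thread (mail-client bold asterisks removed).
ROLES = {  # observer -> its `ipa server-role-find | grep CA` view
    "ipa2": "Server name: ipa2\nRole name: CA server\nRole status: enabled\n--\n"
            "Server name: ipa3\nRole name: CA server\nRole status: enabled\n",
    "ipa3": "Server name: ipa2\nRole name: CA server\nRole status: absent\n--\n"
            "Server name: ipa3\nRole name: CA server\nRole status: enabled\n",
}
# `ipa-replica-manage -v list ipa2.fluent.local`; detail-line indentation is assumed.
AGREEMENTS_IPA2 = (
    "ipa3.fluent.local: replica\n"
    "  last update status: Error (18) Replication error acquiring replica: Incremental "
    "update transient warning. Backing off, will retry update later. (transient warning)\n"
    "  last update ended: 1970-01-01 00:00:00+00:00\n"
)
FIELD = re.compile(r"^[ \t]*(Server name|Role name|Role status):[ \t]*(.*?)[ \t]*$", re.M)

def parse_roles(text):
    """Map (server, role) -> status from `ipa server-role-find` output."""
    roles = {}
    for block in re.split(r"^[ \t]*-+[ \t]*$", text, flags=re.M):
        fields = dict(FIELD.findall(block))
        if len(fields) == 3:  # skip separators and summary lines
            roles[fields["Server name"], fields["Role name"]] = fields["Role status"]
    return roles

def role_divergence(outputs):
    """Return {(server, role): {observer: status}} where observers disagree."""
    views = {obs: parse_roles(text) for obs, text in outputs.items()}
    diverged = {}
    for key in sorted(set().union(*views.values())):
        seen = {obs: view.get(key, "missing") for obs, view in views.items()}
        if len(set(seen.values())) > 1:
            diverged[key] = seen
    return diverged

def stalled_agreements(text):
    """Peers whose agreement has a non-zero error code or an epoch end time."""
    stalled = []
    for peer, body in re.findall(r"^(\S+): replica\n((?:[ \t]+.*\n?)*)", text, re.M):
        status = re.search(r"last update status:[ \t]*Error \((-?\d+)\)", body)
        ended = re.search(r"last update ended:[ \t]*(\S+)", body)
        failed = status is not None and status.group(1) != "0"  # "Error (0)" is success
        never = ended is not None and ended.group(1).startswith("1970-01-01")
        if failed or never:
            stalled.append(peer)
    return stalled

if __name__ == "__main__":
    print(role_divergence(ROLES), stalled_agreements(AGREEMENTS_IPA2))
```

On the output in this thread it reports the CA server role of ipa2 as "enabled" from ipa2 and "absent" from ipa3, and flags the ipa2 agreement with ipa3.fluent.local.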