Boris wrote:
> Hi Rob,
>
> I have two hosts: ipa1 and ipa2
>
> ipa1:
> Fedora 37
> freeipa-server-4.10.1-1.fc37.x86_64
> Managed suffixes: domain, ca
> running with ipactl start --force because the update is not working (The
> ipa-server-upgrade command failed, exception: RemoteRetrieveError:
> Failed to authenticate to CA REST API).
> I tried to upgrade, but the upgrade did not go through.

Your existing CA is having issues. I'd start by checking that your CA
certificates are still valid:

    getcert list | grep expires

You might also try installing the freeipa-healthcheck package and
running ipa-healthcheck. Expect a lot of errors since it won't be able
to connect to the CA but it will also check the validity dates, etc.

> ipa2:
> Fedora 35
> freeipa-server-4.9.11-1.fc35.x86_64
> Managed suffixes: domain
>
> So my thought process was: if it can not authenticate against the CA
> REST API, I need to add the CA capability to ipa2

You need to authenticate to the CA to create a clone of it. You can't
install another CA until you get your existing one working.

rob

>
> On Mon, 17 Feb 2025 at 17:55, Rob Crittenden
> <[email protected] <mailto:[email protected]>> wrote:
>
> Boris via FreeIPA-users wrote:
> > Hi,
> >
> > I just got two IPA servers handed over and those are a mess.
> >
> > To get this sorted out I want to start with having both as a CA host.
> > Even the webUI says "It is strongly recommended to keep the following
> > services installed on more than one server: CA"
> >
> > I have basically 0 knowledge about IPA, the named is crashing regularly
> > with assertion errors, the login on the 2nd IPA webinterface fails
> > "due to unknown reason", updates on the first IPA are not working and
> > the host is started with "ipactl start --force" and no one knows the
> > directorymanager password anymore.
> >
> > So I thought to start small and get the second CA running.
>
> Can you provide more information?
>
> What OS and version of IPA?
>
> Why does your first server require a force start? What does it log when
> you don't?
>
> You need a fully working CA to add another one.
>
> rob
>
> --
> The "UTF-8 Problems" self-help group will, as an exception, meet in the
> large hall this time.
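
Added example, not part of the original thread or of FreeIPA/certmonger: `getcert list | grep expires` prints the dates without the certificates they belong to, so this script pairs each expiry with its request ID, subject and tracking status and reports only the requests that need attention. The sample output is constructed and abbreviated, the function names are hypothetical, and the timestamps are assumed to be in UTC.

```shell
#!/bin/sh
# Constructed, abbreviated sample in the layout `getcert list` prints
# (request IDs, subjects and dates are made up, not taken from the thread).
sample_getcert_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20230101000001':
    status: CA_UNREACHABLE
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2024-12-20 10:15:00 UTC
Request ID '20230101000002':
    status: MONITORING
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Subsystem,O=EXAMPLE.TEST
    expires: 2024-12-20 10:16:00 UTC
Request ID '20230101000003':
    status: MONITORING
    CA: IPA
    subject: CN=ipa1.example.test,O=EXAMPLE.TEST
    expires: 2026-03-01 09:00:00 UTC
EOF
}

# check_getcert NOW: read `getcert list` output on stdin; print one line per request
# that is expired at NOW ("YYYY-MM-DD HH:MM:SS") or is not in MONITORING state.
# Assumes "expires:" timestamps are UTC, so a plain string comparison is enough.
check_getcert() {
    awk -v now="$1" -v q="'" '
        function report(   flags) {
            if (id == "") return
            if (expiry != "" && expiry < now) flags = "EXPIRED"
            if (status != "MONITORING")
                flags = flags (flags == "" ? "" : ",") "STATUS=" status
            if (flags != "")
                printf "%s %s expires=%s subject=%s\n", id, flags, expiry, subject
        }
        $1 == "Request" && $2 == "ID" {
            report(); id = $3; gsub(q, "", id); sub(/:$/, "", id)
            status = subject = expiry = ""
        }
        $1 == "status:"  { status = $2 }
        $1 == "subject:" { subject = $0; sub(/^[ \t]*subject:[ \t]*/, "", subject) }
        $1 == "expires:" { expiry = $2 " " $3 }
        END { report() }
    '
}

# On an IPA server: getcert list | check_getcert "$(date -u '+%Y-%m-%d %H:%M:%S')"
sample_getcert_output | check_getcert "2025-02-17 17:00:00"
```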
