FreeIPA KRA install fails on Rocky 9 replica (from rocky 8 cluster)

label · April 16, 2025, 10:31am

Welcome to the forums!

This is an interesting issue and sounds like a bug I had seen in other deployments and other IPA versions. What I’m thinking is the issue here is that there is a mismatch between the NSS DB and configuration file for pki-tomcat. Here’s what I’d try to do:

On the CA/KRA server (Rocky Linux 8):

Ensure you have taken a backup of the system and/or have ran ipa-backup.
Take a backup of /etc/pki/pki-tomcat/ca/CS.cfg
Run certutil -L -d /etc/pki/pki-tomcat/alias -n 'transportCert cert-pki-kra' -a | grep -v ' CERTIFICATE' | tr -d '\n\r'
- This should make the certificate a single line.
Edit /etc/pki/pki-tomcat/ca/CS.cfg and find the line ca.connector.KRA.transportCert and replace the value with the above output.
systemctl restart pki-tomcatd@pki-tomcat to restart CA/KRA
Remove the broken replica with ipa server-del ipa05.dev.ngc.dk
On the broken replica, ipa-server-install --uninstall -U

After that, you can try to re-run the ipa-replica-install with --setup-kra or run ipa-replica-install and then ipa-kra-install afterwards.

Topic		Replies	Views
Rocky 8.9 Idm Server Problem Rocky Linux Help & Support	4	1163	March 26, 2024
FreeIPA Web UI login fails after upgrade to rocky 8 Rocky Linux Help & Support rocky-linux-8	2	374	August 3, 2025
Ipa-server broken after upgrading RL 9.5 to 9.6 Rocky Linux Help & Support	1	64	December 21, 2025
Freeipa schema issue and replication Rocky Linux Help & Support rocky-linux-8	2	61	January 15, 2026
Doubt about CVE-2025-7493 fix in ipa-server-4.9.13-20.module+el8.10.0+2066+d74ade98 on Rocky Linux 8 Rocky Linux Help & Support rocky-linux-8 , rocky-linux-9 , rocky-linux-10	3	106	November 5, 2025

FreeIPA KRA install fails on Rocky 9 replica (from rocky 8 cluster)

Related topics