Welcome to the forums!
This is an interesting issue and sounds like a bug I had seen in other deployments and other IPA versions. What I’m thinking is the issue here is that there is a mismatch between the NSS DB and configuration file for pki-tomcat. Here’s what I’d try to do:
On the CA/KRA server (Rocky Linux 8):
- Ensure you have taken a backup of the system and/or have run ipa-backup.
- Take a backup of /etc/pki/pki-tomcat/ca/CS.cfg
- Run
  certutil -L -d /etc/pki/pki-tomcat/alias -n 'transportCert cert-pki-kra' -a | grep -v ' CERTIFICATE' | tr -d '\n\r'
  This should make the certificate a single line.
- Edit /etc/pki/pki-tomcat/ca/CS.cfg, find the line ca.connector.KRA.transportCert and replace the value with the above output.
- Run systemctl restart pki-tomcatd@pki-tomcat to restart the CA/KRA.
- Remove the broken replica with
  ipa server-del ipa05.dev.ngc.dk
- On the broken replica, run
  ipa-server-install --uninstall -U
After that, you can try to re-run the ipa-replica-install with --setup-kra or run ipa-replica-install and then ipa-kra-install afterwards.
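The following is an added helper script, not code from the post above or from FreeIPA/Dogtag, that scripts the comparison and rewrite step: it pulls the transport certificate out of the pki-tomcat NSS DB the same way the post's certutil pipeline does, compares it with ca.connector.KRA.transportCert in CS.cfg, and only rewrites the value when asked. Paths, nickname and key are the ones the post names; the check/sync subcommands and helper function names are my own.

```shell
#!/bin/sh
# Compare the KRA transport cert in the NSS DB with the value in CS.cfg
# and optionally sync CS.cfg to the NSS DB (paths/nickname from the post).
NSSDB=/etc/pki/pki-tomcat/alias
NICK='transportCert cert-pki-kra'
CSCFG=/etc/pki/pki-tomcat/ca/CS.cfg
KEY=ca.connector.KRA.transportCert

# Collapse a PEM certificate on stdin to its single-line base64 body,
# exactly as the post's "grep -v ' CERTIFICATE' | tr -d '\n\r'" does.
pem_to_single_line() {
  grep -v ' CERTIFICATE' | tr -d '\n\r'
}

# Print the value of key $2 from CS.cfg-style file $1 (empty if absent).
# Only the first '=' separates key and value; base64 padding '=' is kept.
cfg_get() {
  awk -v k="$2" -F= '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# Set key $2 to value $3 in file $1, appending the key if it is missing.
# awk is used instead of sed because base64 contains '/' and '+'.
cfg_set() {
  awk -v k="$2" -v v="$3" -F= \
    '$1 == k { print k "=" v; f = 1; next } { print }
     END { if (!f) print k "=" v }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Exit 0 when the NSS DB cert and the CS.cfg value are identical.
transport_cert_matches() {
  nss=$(certutil -L -d "$NSSDB" -n "$NICK" -a | pem_to_single_line)
  cfg=$(cfg_get "$CSCFG" "$KEY")
  [ -n "$nss" ] && [ "$nss" = "$cfg" ]
}

# Hypothetical CLI: "check" only reports, "sync" rewrites CS.cfg
# (back up CS.cfg first, as the post says; restart pki-tomcatd afterwards).
case "${1:-}" in
  check)
    if transport_cert_matches; then echo "CS.cfg matches NSS DB"
    else echo "MISMATCH: $KEY differs from NSS DB"; exit 1; fi ;;
  sync)
    nss=$(certutil -L -d "$NSSDB" -n "$NICK" -a | pem_to_single_line)
    [ -n "$nss" ] || { echo "no cert for nickname '$NICK'" >&2; exit 1; }
    cfg_set "$CSCFG" "$KEY" "$nss" && echo "updated $KEY in $CSCFG" ;;
esac
```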