Posted 08-29-2022 10:19 AM
Master server: aaa01
Replica server 1: dir01 (installing replica servers)
Replica server 2: dirus02 (which was previously a replica server and has been removed from replication)

As noticed while installing the IPA replica server, the replica server retrieves two certificates from the master server and saves them in /etc/ipa/ca.crt. In this process, at the stage "Configuring the web interface (httpd)", we got the below error, i.e. the ipa-replica-install command failed:

exception: CalledProcessError: Command '/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt' returned non-zero exit status 255

===============================================
While installing Replica /var/log/ipaclient-install.log
---------------------------------------------------
2022-08-15T13:52:08Z DEBUG stderr=
2022-08-15T13:52:08Z DEBUG trying to retrieve CA cert via LDAP from aaa01.ipa.example.com
2022-08-15T13:52:09Z DEBUG retrieving schema for SchemaCache url=ldap://aaa01.ipa.example.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17fe812440>
2022-08-15T13:52:11Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.EXAMPLE.COM
Issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
Valid From: 2018-04-12 14:15:30
Valid Until: 2038-04-12 14:15:30
Subject: CN=dirus02.ipa.example.com,O=IPA.EXAMPLE.COM
Issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
Valid From: 2019-01-21 11:54:13
Valid Until: 2021-01-21 11:54:13
2022-08-15T13:52:11Z DEBUG Starting external process
2022-08-15T13:52:11Z DEBUG args=/usr/sbin/ipa-join -s aaa01.ipa.example.com -b dc=ipa,dc=onmobile,dc=com -h dirpav01-tfln-mdr1-omes.ipa.example.com
2022-08-15T13:52:15Z DEBUG Process finished, return code=0
2022-08-15T13:52:15Z DEBUG stdout=
2022-08-15T13:52:15Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=IPA.EXAMPLE.COM
2022-08-15T13:52:15Z INFO Enrolled in IPA realm IPA.EXAMPLE.COM
2022-08-15T13:52:15Z DEBUG Starting external process
2022-08-15T13:52:15Z DEBUG args=/usr/bin/kdestroy
2022-08-15T13:52:15Z DEBUG Process finished, return code=0
2022-08-15T13:52:15Z DEBUG stdout=

==================================
While installing replica /var/log/ipareplica-install.log
--------------------------------------------------
2022-08-15T15:07:11Z DEBUG [14/22]: importing CA certificates from LDAP
2022-08-15T15:07:11Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-08-15T15:07:11Z DEBUG Starting external process
2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n IPA.ONMOBILE.COM IPA CA -t CT,C,C -a -f /etc/httpd/alias/pwdfile.txt
2022-08-15T15:07:11Z DEBUG Process finished, return code=0
2022-08-15T15:07:11Z DEBUG stdout=
2022-08-15T15:07:11Z DEBUG stderr=
2022-08-15T15:07:11Z DEBUG Starting external process
2022-08-15T15:07:11Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -A -n Server-Cert -t ,, -a -f /etc/httpd/alias/pwdfile.txt
2022-08-15T15:07:12Z DEBUG Process finished, return code=255
2022-08-15T15:07:12Z DEBUG stdout=
2022-08-15T15:07:12Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
2022-08-15T15:07:12Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step

Observation in Master server (aaa01) LDAP database:
=======================================
[root@aaa01~]# ldapsearch -D 'cn=directory manager' -w XXXXXXXXX | grep "ipaCertSubject"
ipaCertSubject: CN=Certificate Authority,O=IPA.EXAMPLE.COM
ipaCertSubject: CN=dirus02.ipa.example.com,O=IPA.EXAMPLE.COM
[root@aaa01~]#
====================

We could see this certificate "CN=dirus02.ipa.example.com,O=IPA.EXAMPLE.COM" in the IPA master server GUI as well; we have revoked it too, but it still retrieves the same and the installation fails every time.
=================
In the ideal case, while installing a replica it has to retrieve only one certificate, i.e. CN=Certificate Authority,O=IPA.EXAMPLE.COM, but in this case it retrieves

Please let us know if any more details are required, and let us know how we can fix this issue without impact on the whole setup.
Labels: Cloudera Analytic DB
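The post shows the symptom well: the "Successfully retrieved CA cert" block of ipaclient-install.log lists everything the replica pulled from the master's LDAP CA store, and one of the entries is a host certificate (subject differs from issuer) that had already expired by the time of the install. The script below is an added example, not code from the post or from FreeIPA: it parses that block out of a log and flags any certificate that is not in the set of CA subjects you expect, is not self-signed, or was expired at retrieval time. The log sample is constructed from the excerpt above, and the expected-CA set is an input you supply.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the ipaclient-install.log excerpt in the post:
# the "Successfully retrieved CA cert" block lists every certificate the
# replica pulled from the master's LDAP CA store.
SAMPLE_LOG = """\
2022-08-15T13:52:08Z DEBUG trying to retrieve CA cert via LDAP from aaa01.ipa.example.com
2022-08-15T13:52:11Z INFO Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.EXAMPLE.COM
Issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
Valid From: 2018-04-12 14:15:30
Valid Until: 2038-04-12 14:15:30
Subject: CN=dirus02.ipa.example.com,O=IPA.EXAMPLE.COM
Issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
Valid From: 2019-01-21 11:54:13
Valid Until: 2021-01-21 11:54:13
2022-08-15T13:52:11Z DEBUG Starting external process
"""

RETRIEVED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z \S+ Successfully retrieved CA cert$")
FIELD_RE = re.compile(r"^(Subject|Issuer|Valid From|Valid Until): (.+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_retrieved_certs(log_text):
    """Return (retrieval_time, certs): retrieval_time is the timestamp of the
    'Successfully retrieved CA cert' line, certs a list of dicts with subject,
    issuer, not_before and not_after parsed from the lines that follow it."""
    retrieval_time = None
    certs = []
    current = None
    in_block = False
    for line in log_text.splitlines():
        m = RETRIEVED_RE.match(line)
        if m:
            retrieval_time = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            in_block = True
            continue
        if not in_block:
            continue
        f = FIELD_RE.match(line)
        if f is None:
            in_block = False      # the next timestamped log line ends the block
            continue
        key, value = f.groups()
        if key == "Subject":
            current = {"subject": value}
            certs.append(current)
        elif current is None:
            continue              # stray field before any Subject line: ignore
        elif key == "Issuer":
            current["issuer"] = value
        elif key == "Valid From":
            current["not_before"] = datetime.strptime(value, TS_FMT)
        else:
            current["not_after"] = datetime.strptime(value, TS_FMT)
    return retrieval_time, certs


def audit_certs(retrieval_time, certs, expected_ca_subjects):
    """Flag every retrieved certificate that is not an expected CA subject,
    is not self-signed, or was already expired when the replica fetched it.
    Returns a list of (subject, [problem, ...]); an empty problem list is clean."""
    findings = []
    for c in certs:
        problems = []
        if c["subject"] not in expected_ca_subjects:
            problems.append("unexpected subject, not a known IPA CA")
        # An IPA CA that is itself signed by an external CA is legitimately not
        # self-signed, so treat this as a hint that the entry is a host or
        # service certificate, not as proof on its own.
        if c["subject"] != c.get("issuer"):
            problems.append("not self-signed (looks like a host/service certificate)")
        if retrieval_time is not None and c.get("not_after") and c["not_after"] < retrieval_time:
            problems.append("expired on %s" % c["not_after"].date())
        findings.append((c["subject"], problems))
    return findings


if __name__ == "__main__":
    when, certs = parse_retrieved_certs(SAMPLE_LOG)
    expected = {"CN=Certificate Authority,O=IPA.EXAMPLE.COM"}
    for subject, problems in audit_certs(when, certs, expected):
        print("%s -> %s" % (subject, "OK" if not problems else "; ".join(problems)))
```

Run it against the real log by reading /var/log/ipaclient-install.log into `parse_retrieved_certs` instead of `SAMPLE_LOG`. Anything it flags is an entry the master is publishing as part of its CA set (the same entries the post's ldapsearch shows as `ipaCertSubject`), so the fix belongs on the master's LDAP store, not on the replica; revoking the certificate, as the post notes, does not remove it from that list.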