On 10/27/2017 06:41 PM, Bhavin Vaidya via FreeIPA-users wrote:
> ldapsearch from client works, on same host which we are trying to create replica. (ran ipa-client to test and then uninstall).
> [root@ds04 certs]# ldapsearch -x -v -H ldaps://ds01.example.com -s base -b '' namingContexts -d 1
> ...
> TLS: certificate [CN=Certificate Authority,O=EXAMPLE.COM] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
> ...
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

It doesn't look like ldapsearch is working.  Why do you say that it works?

> [root@ds01 openldap]# certutil -d /etc/openldap/cacerts -L
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

I'm not sure that's relevant to the problem you're having on ds04, since that directory isn't used by the FreeIPA LDAP server (as far as I know).  But now it looks like ds04 doesn't have the CA cert for FreeIPA, and therefore does not trust its TLS certificates.  Without that trust, it naturally follows that ldapsearch fails and replication does not start.

It also looks like your FreeIPA installation on ds01 is somehow inconsistent, with /etc/openldap/certs being out of date or corrupt.  That may or may not be related.

If this problem only affects one host, I'd suggest wiping it clean and starting over.  If you can't add any new host, then it would probably be helpful to see the logs from the ipa server setup on a brand new host which you try to add to the cluster.
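The check the thread is circling around, as an added example that is not part of the original mail thread or of FreeIPA itself: do a TLS handshake to the LDAPS port the way ldapsearch does, verify the server chain against a CA file, and report a verdict a practitioner can act on. It assumes the IPA CA lives at /etc/ipa/ca.crt (the path ipa-client-install writes on an enrolled host; that default and the ds01.example.com hostname are assumptions), and it deliberately never falls back to an unverified connection, because the point is to find out whether the trust is there, not to paper over its absence. The "untrusted_issuer" verdict corresponds to the NSS error -8172 shown in the quoted ldapsearch output; the "no_ca_file" verdict is the state ds04 appears to be in.

```python
"""Probe whether this host trusts an LDAPS server's certificate chain.

Added example, not code from FreeIPA or from the thread. It mimics the TLS
handshake that `ldapsearch -H ldaps://...` performs: the handshake only
succeeds when the server certificate's issuer is in the CA bundle given.
"""
import os
import socket
import ssl
import sys
from dataclasses import dataclass

# Assumption: default location of the IPA CA on a host enrolled with ipa-client-install.
IPA_CA_CERT = "/etc/ipa/ca.crt"


@dataclass
class TrustCheck:
    host: str
    port: int
    # one of: trusted, untrusted_issuer, hostname_mismatch, expired,
    #         tls_error, unreachable, no_ca_file
    verdict: str
    detail: str


def classify_failure(exc: BaseException) -> str:
    """Map a handshake or connection failure to an actionable verdict.

    Matching is on the OpenSSL error text, so it covers both the
    OpenSSL 1.x wording ("self signed") and the 3.x wording ("self-signed").
    """
    if not isinstance(exc, ssl.SSLError):
        # Plain socket errors (refused, timeout, DNS) are not trust problems.
        return "unreachable" if isinstance(exc, OSError) else "tls_error"
    msg = str(exc).lower()
    if ("unable to get local issuer" in msg or "unable to get issuer" in msg
            or "self signed" in msg or "self-signed" in msg):
        return "untrusted_issuer"          # issuer CA missing from the bundle
    if "hostname mismatch" in msg or "doesn't match" in msg:
        return "hostname_mismatch"         # CA trusted, but cert is for another name
    if "expired" in msg:
        return "expired"
    return "tls_error"


def check_ldaps_trust(host: str, port: int = 636, cafile=IPA_CA_CERT,
                      timeout: float = 5.0) -> TrustCheck:
    """Handshake with host:port, verifying the chain against cafile.

    cafile=None means the system trust store, which is where a non-IPA CA
    would have to live; on an IPA replica the IPA CA is the one that matters.
    """
    if cafile is not None and not os.path.isfile(cafile):
        return TrustCheck(host, port, "no_ca_file", f"{cafile} does not exist")
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True               # never relax these two: that would
    ctx.verify_mode = ssl.CERT_REQUIRED     # hide exactly the failure we probe for
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
                detail = (f"issuer CN={issuer.get('commonName')}, "
                          f"notAfter={cert.get('notAfter')}, {tls.version()}")
                return TrustCheck(host, port, "trusted", detail)
    except ssl.SSLError as exc:
        return TrustCheck(host, port, classify_failure(exc), str(exc))
    except OSError as exc:
        return TrustCheck(host, port, "unreachable", str(exc))


if __name__ == "__main__":
    # Usage: python ldaps_trust.py ds01.example.com [cafile]
    target = sys.argv[1] if len(sys.argv) > 1 else "ds01.example.com"  # assumed hostname
    ca = sys.argv[2] if len(sys.argv) > 2 else IPA_CA_CERT
    result = check_ldaps_trust(target, cafile=ca)
    print(f"{result.host}:{result.port} -> {result.verdict}: {result.detail}")
    sys.exit(0 if result.verdict == "trusted" else 1)
```

Run it on the would-be replica against the existing server; if it reports no_ca_file or untrusted_issuer, the replica has no business starting replication until the IPA CA is installed in its trust store, and wiping the host and enrolling it again (as suggested above) is the simplest way to get there.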