Hi guys.
adding second master failed a number of times so I did go
without '--setup-ca', now on that master I get lots of:
Invalid PKI instance: pki-tomcat:
{
"source": "pki.server.healthcheck.certs.expiration",
"check": "CASystemCertExpiryCheck",
"result": "CRITICAL",
"uuid": "7b920e6a-4f47-4541-80fa-e9d87dadff20",
"when": "20220118102040Z",
"duration": "0.000175",
"kw": {
"msg": "Invalid PKI instance: pki-tomcat"
}
},
...
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertfileExpirationCheck",
"result": "ERROR",
"uuid": "fb01a7bd-3457-4007-8c3d-66662e23b6df",
"when": "20220118102040Z",
"duration": "0.006617",
"kw": {
"key": "20210709164208",
"dbdir": "/etc/pki/pki-tomcat/alias",
"nickname": "auditSigningCert cert-pki-kra",
"error": "NSSDB '/etc/pki/pki-tomcat/alias' not
initialized.",
"msg": "Request id {key}: Unable to retrieve cert
'{nickname}' from '{dbdir}': {error}"
}
},
..
first master's healthcheck does not mention these problems.
Is it that IPA - falsely - believe that this second master
is CA/KRA?
If so, then how to resolve this - this second master,
according to '--uinstall' was removed successfully(each time
'--setup-ca' failed)
many thanks, L.