Hi,
I have successfully created a replica from a 4.2.4 master (ipa01) into a new 4.6.6 master (ipa02).
I did it without --setup-ca option (because it had failed), so the only CA is still on the 4.2.4 server (ipa01).
When I try to setup theCA on ipa02 (the same replica file was used with ipa-replica-install), this fails:
$ ipa-ca-install replica-info-ipa02.hq.spinque.com.gpg
Directory Manager (existing master) password:
Run connection check to master
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Connection check failed!
See /var/log/ipareplica-conncheck.log for more information.
If the check results are not valid it can be skipped with --skip-conncheck parameter.
The log of conncheck (generated by ipa-ca-install) is in attachment. In there, I can see a couple of things going wrong:
...
2020-07-23T12:20:50Z ERROR ERROR: Remote master check failed with following error message(s):
invalid 'cn': must be "ipa02.hq.spinque.com"
Not sure if relevant, but also ipa-replica-install, though it completed successfully, gave this error:
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
ipaserver.install.ldapupdate: ERROR Add failure attribute "cn" not allowed
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Could you please help me find the issue?