FreeIPA and KRA connector has already been defined for this CA
Trying to install an additional KRA and getting:
KRA connector has already been defined for this CA
Has your KRA transport certificate rolled over since the original installation?
If yes, /etc/pki/pki-tomcat/ca/CS.cfg on the machine you try to sync from might still have the old certificate in ca.connector.KRA.transportCert. Since ipa-replica-install ... --setup-kra copies that file, it will try to add itself with the wrong certificate, leading to the above error.
- Get the current transport certificate:
  pki -u admin ca-kraconnector-show
  Host: ipa1.$domain:443
  ...
  Transport Cert: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  ...
- On the machine you sync from, replace the base64 encoded value for ca.connector.KRA.transportCert in /etc/pki/pki-tomcat/ca/CS.cfg
- Reload tomcat.
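
A check to run before ipa-replica-install, added here as an example and not taken from the original post: it compares the value stored in CS.cfg with the transport certificate reported by pki -u admin ca-kraconnector-show and reports whether CS.cfg is stale. It assumes the command's output has been saved to a file and follows the layout shown above; the function names, file names and base64 values are constructed placeholders.

```shell
#!/bin/sh
# Added example: detect a stale ca.connector.KRA.transportCert in CS.cfg.

# Print the base64 value stored in a CS.cfg file (whitespace stripped).
cfg_transport_cert() {
    sed -n 's/^ca\.connector\.KRA\.transportCert=//p' "$1" | tr -d ' \t\r\n'
}

# Print the base64 that follows "Transport Cert:" in saved output of
# `pki -u admin ca-kraconnector-show`. Assumption: the value may start on
# the label line and continues on lines holding only base64 characters.
connector_transport_cert() {
    awk '
        /Transport Cert:/ { sub(/.*Transport Cert:/, ""); on = 1 }
        on && $0 ~ "^[A-Za-z0-9+/= \t\r]*$" { printf "%s", $0; next }
        on { exit }
    ' "$1" | tr -d ' \t\r\n'
}

# Print "match", "stale" or "missing" for a CS.cfg / connector output pair.
check_transport_cert() {
    cfg=$(cfg_transport_cert "$1")
    live=$(connector_transport_cert "$2")
    if [ -z "$cfg" ] || [ -z "$live" ]; then echo missing
    elif [ "$cfg" = "$live" ]; then echo match
    else echo stale
    fi
}

# Constructed sample data (placeholder base64, not real certificates).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'other.setting=constructed' \
    'ca.connector.KRA.transportCert=T0xEQ0VSVE9MRENFUlQ=' > "$tmp/CS.cfg.old"
printf '%s\n' 'other.setting=constructed' \
    'ca.connector.KRA.transportCert=TkVXQ0VSVE5FV0NFUlQ=' > "$tmp/CS.cfg.new"
printf '%s\n' 'Host: ipa1.example.test:443' 'Transport Cert:' '' \
    'TkVXQ0VSVE5F' 'V0NFUlQ=' > "$tmp/connector.txt"

echo "old CS.cfg: $(check_transport_cert "$tmp/CS.cfg.old" "$tmp/connector.txt")"
echo "new CS.cfg: $(check_transport_cert "$tmp/CS.cfg.new" "$tmp/connector.txt")"
```

A result of stale on the machine you sync from means the replacement step above is still needed; missing means one of the two inputs did not contain a transport certificate at all.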