Hi,
I’m in the process of migrating a CentOS 7.9 FreeIPA domain to Alma 9.5.
The plan is to do the following:
start:
S1 = centos 7.9
S2 = centos 7.9
then
S1 = centos 7.9
S2 = alma 8.10
then
S1 = alma 9.5
S2 = alma 8.10
then
S1 = alma 9.5
S2 = alma 9.5
I know I can’t go directly and have to go via 8: CentOS 8, RH 8 or Alma 8 (because of this problem: "RHEL9 Replica Install fail at 22/30 Importing RA key - FreeIPA-users - Fedora mailing-lists").
If I install Alma 8.10, I can install the ipa client and successfully make it a replica (ipa-replica-install), but when I come to make it a CA - from the ipareplica-ca-install.log:
server1 = centos 7.9
server2 = alma 8.10
INFO: Using CA at https://server2:443
INFO: Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Storing registry config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
INFO: Requesting ranges from CA master
INFO: Requesting request ID range
DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://server1:443 --ignore-banner ca-range-request request --install-token /tmp/tmp1xkh73lh/install-token --output-format json --debug
INFO: Connecting to https://server1:443
INFO: HTTP request: GET /pki/rest/info HTTP/1.1
INFO: Accept: application/xml
INFO: Host: server1:443
INFO: Connection: Keep-Alive
INFO: User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_432)
FINE: Request:
INFO: Server certificate: CN=server1,O=DOMAIN
INFO: HTTP response: HTTP/1.1 403 Forbidden
INFO: Date: Sun, 26 Jan 2025 16:34:26 GMT
INFO: Server: Apache
INFO: Content-Length: 215
INFO: Keep-Alive: timeout=30, max=100
INFO: Connection: Keep-Alive
INFO: Content-Type: text/html; charset=iso-8859-1
FINE: Response:
Forbidden
You don't have permission to access /pki/rest/info on this server.
If I try to curl the URL, I get a response from port 8443 but not 443. It appears Tomcat on my new replica is trying the wrong port?
Has anyone come across anything similar?
Thanks.
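
Added example, not part of the original post: a small Python parser for the pki CLI debug output quoted above. It pairs each "Connecting to" / "HTTP request" line with its "HTTP response" and returns the exchanges that failed, so the host, port, path and answering server behind the 403 are explicit. The sample log is constructed from lines in the post; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines taken from the log excerpt in the post.
SAMPLE_LOG = """\
INFO: Connecting to https://server1:443
INFO: HTTP request: GET /pki/rest/info HTTP/1.1
INFO: Host: server1:443
INFO: Server certificate: CN=server1,O=DOMAIN
INFO: HTTP response: HTTP/1.1 403 Forbidden
INFO: Server: Apache
"""

CONNECT = re.compile(r"^INFO: Connecting to (\S+)")
REQUEST = re.compile(r"^INFO: HTTP request: (\S+) (\S+) HTTP/[\d.]+")
RESPONSE = re.compile(r"^INFO: HTTP response: HTTP/[\d.]+ (\d{3}) ?(.*)")
SERVER = re.compile(r"^INFO: Server: (.+)")


def parse_exchanges(log_text):
    """Group pki debug lines into one dict per HTTP request/response pair."""
    exchanges, target, current = [], None, None
    for line in log_text.splitlines():
        line = line.strip()
        if m := CONNECT.match(line):
            target = urlsplit(m.group(1))  # remember host and port in use
        elif m := REQUEST.match(line):
            current = {"host": target.hostname if target else None,
                       "port": target.port if target else None,
                       "method": m.group(1), "path": m.group(2),
                       "status": None, "reason": None, "server": None}
            exchanges.append(current)
        elif (m := RESPONSE.match(line)) and current:
            current["status"], current["reason"] = int(m.group(1)), m.group(2)
        elif (m := SERVER.match(line)) and current and current["status"]:
            current["server"] = m.group(1)  # response header, not the cert line
    return exchanges


def failed_exchanges(log_text):
    """Return only exchanges with no response or a 4xx/5xx status."""
    return [e for e in parse_exchanges(log_text)
            if e["status"] is None or e["status"] >= 400]


if __name__ == "__main__":
    for e in failed_exchanges(SAMPLE_LOG):
        print(f'{e["method"]} https://{e["host"]}:{e["port"]}{e["path"]} -> '
              f'{e["status"]} {e["reason"]} (answered by {e["server"]})')
```

Pointing `failed_exchanges` at the full ipareplica-ca-install.log text lists every rejected request in the run together with the `Server:` header of whatever answered it.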