Thanks for the suggestion!
I spun up a new CentOS 7 image with 7.9.2009 / FreeIPA 4.6.8 (which involved setting up the incus server to cgroups v1). Then I tried creating a replica from the 4.5. It again broke on pki-tomcatd, but with a somewhat baffling error that I didn't know what to do about:
[3/30]: creating ACIs for admin
[4/30]: creating installation admin user
[5/30]: configuring certificate server instance
[error] IOError: [Errno 13] Permission denied: '/tmp/tmpRJcwYV'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
This appears to be related to
Which apparently was fixed in FreeIPA 4.7.
I couldn't find a release with 4.7, so I tried again with a VM with CentOS 8-Stream, which is supposed to have 4.9. Only yum/dnf couldn't find the ipa-server package at all; they'd list ipa-client, but not server. I'm not familiar with RPM-based systems, so it took a lot of digging (including trying my hand at Rocky Linux and localinstall from manual RPM downloads, which led to problems with dependencies) until I found out I had to add module_hotfixes=1 to the appstream.repo file.
With FreeIPA 4.9 once again the CA setup failed, with a new error:
[error] RemoteRetrieveError: Failed to authenticate to CA REST API
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
There were some hard-to-read HTTP errors in the install log, so I was already getting ready to give up and try to create a replica from Docker or something. But just as a Hail Mary I ran the uninstall scripts, rebooted, and tried again, and to my surprise this time the pki-tomcatd install worked! I then got a warning on the KDC step:
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE: Server at
https://vm-ipa-half-3.intra.viaboxxsystems.de/ipa/json failed request, will retry: 4035 (Request failed with status 500: Non-2xx response from CA REST
API: 500. ).)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
But ipa-replica-install finished with "status: successful" for the first time, and "ipa-pkinit-manage enable" worked. I now have a FreeIPA 4.9.13 replica with CA; hopefully 4.11 will replicate from that without issues, and then I can promote it to primary CA.
---
In summary, these are the issues I have found so far trying to upgrade from FreeIPA 4.5.0:
Upgrade FreeIPA 4.5 / CentOS7 to the last CentOS 7 / FreeIPA 4.6: breaks due to certmonger timeout.
Replicate to current FreeIPA 4.11 / Fedora 39: breaks due to hash incompatibility.
Replicate to FreeIPA 4.6 / fresh CentOS 7: breaks due to systemd /tmp permissions error.
Replicate to FreeIPA 4.7: couldn't find lxc containers with this version.
Replicate to FreeIPA 4.9 / CentOS 8-Stream: had to downgrade the incus host to cgroups v1; the first couple of attempts failed, but eventually it worked.
[]s