You'd be right, I worked it out over the weekend. On the fifth time of
checking, having convinced myself the certificates all looked good, I
renewed the expired Kerberos certificate...
It didn't seem to take effect straight away for bringing up the replica,
though, but I didn't have time to dig in.
Hi Thomas,
you can have a look at
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
Usually the communication issue between PKI and LDAP is linked to an
expired certificate, or a mismatch between the content of
uid=pkidbuser,ou=people,o=ipaca and