<div dir="ltr"><div class="linestyle2 colourline" style="font-family:Consolas,'Lucida Console',monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;line-height:normal">Hi,</div><div class="linestyle2 colourline" style="font-family:Consolas,'Lucida Console',monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;line-height:normal">I'm trying to create an ipa replica from ipa-server-3.0.0-47/pki-ca-9.0.3-45 to ipa-server-4.2.0-15/pki-ca-10.2.5-6 and cannot get the install to complete. The CS is configured as a sub to an external CA. <span style="font-size:12.8px">I keep getting the same error when running the replica-install. Digging into pki-ca's debug log, I find the following errors:</span></div><div class="linestyle2 colourline" style="font-family:Consolas,'Lucida Console',monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;line-height:normal"><span style="font-size:12.8px"><br></span></div><div class="linestyle2 colourline" style="font-family:Consolas,'Lucida Console',monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;line-height:normal"><span style="font-size:12.8px"> java.lang.Exception: SystemCertsVerification: system certs verification failure</span></div><div class="linestyle1 colourline" style="font-family:Consolas,'Lucida Console',monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;line-height:normal">&</div><div class="linestyle1 colourline" style="font-family:Consolas,'Lucida Console',monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;line-height:normal"> CertUtils: verifySystemCertByNickname() failed: caSigningCert cert-pki-ca</div><div class="linestyle2 colourline" style="font-family:Consolas,'Lucida Console',monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;line-height:normal"><span style="font-size:12.8px"><br></span></div><div 
class="linestyle2 colourline" style="font-family:Consolas,'Lucida Console',monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;line-height:normal"><span style="font-size:12.8px">I've tried regenerating the source cacert.p12, upgrading pki-ca to latest, etc. It just seems like the new replica is unable to verify the certs while running selftests. </span><span style="font-size:12.8px">Any good tips for a next step to work out what's going on?</span></div><div class="linestyle2 colourline" style="font-family:Consolas,'Lucida Console',monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;line-height:normal"><span style="font-size:12.8px"><br></span></div><div class="linestyle2 colourline" style="font-family:Consolas,'Lucida Console',monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;line-height:normal"><span style="font-size:12.8px">Thanks,</span></div><div class="linestyle2 colourline" style="font-family:Consolas,'Lucida Console',monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;line-height:normal"><span style="font-size:12.8px"><br></span></div><div class="linestyle2 colourline" style="font-family:Consolas,'Lucida Console',monospace;padding-left:7px;word-wrap:break-word;color:rgb(0,0,0);font-size:12.8px;line-height:normal"><span style="font-size:12.8px">-rob</span></div></div>