Cannot obtain CA certificate, when setting up a replica.

[gangrif]

Hello, I am in the process of building out a new IPA domain in my lab on RHEL 9 with IdM.
Ive setup my server just fine, but want at least one replica. But I cant seem to get my replica setup using the ansible-freeipa roles. i keep getting this error:

TASK [ipaclient : Install - Join IPA] *************************************************************************
fatal: [192.168.200.173]: FAILED! => {"changed": false, "msg": "Cannot obtain CA certificate\nHTTP certificate download requires --force"}

I suppose I could setup the replica manually, but i'd rather get the automation working. I also worry that joining a client will also have similar problems.

Additionally, from the logs on this system:

2025-05-31T14:33:14Z DEBUG trying to retrieve CA cert via LDAP from 192.168.200.119
2025-05-31T14:33:14Z DEBUG get_ca_certs_from_ldap() error: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/192.168.200.119@IDM.(MYDOMAIN.COM) not found in Kerberos database)
2025-05-31T14:33:14Z DEBUG Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/192.168.200.119@IDM.(MYDOMAIN.COM) not found in Kerberos database)
2025-05-31T14:33:14Z ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP

It sounds like the ipa client is looking for additional credentials, or the abilty to force join. I do not see a way via the role to force the join (and this feels like the wrong answer anyway). I provide the admin password, dm password, domain, ream, and principle via ipareplica:vars, is there something else I'm missing?

Thanks!

[gangrif]

Oh, also, ive used this playbook to setup systems in the past, for test environments, and demos, but ive never run into this issue. I did update the playbooks from the RHEL rpm repos though, previously I was using a direct pull from this git repo, that was actually rather old. So its possible that something in the role has changed that I am not aware of.

[gangrif]

I figured this out, long story short, it seems that my replica was unhappy that I was calling my primary directory server by its IP address in my inventory, it wanted the name. and of course dns resolution (which is sort of a given when dealing with IdM/IPA.).