Symptoms

Two FreeIPA servers, freeipa0 and freeipa1, replicate both the domain suffix and the CA suffix to each other. freeipa0’s pki-tomcat (CA) service crashes and it can no longer process logins from sssd-ipa clients. Meanwhile, freeipa1’s 389 Directory Server logs errors indicating that replication has fallen out of sync.

The error messages state: “Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.” 389 Directory Server’s replication plugin logs this when the changelog on the supplying side has been trimmed past the point the receiving side last saw: the updates needed to bring it up to date are gone, so incremental replication cannot recover on its own. Here the synchronization between the two servers was interrupted and freeipa1 can no longer be brought up to date from freeipa0 incrementally; it has to be reinitialized, which replaces its copy of the database with a full copy from its peer.

Likely triggers include several rounds of system upgrades (adding and removing a temporary replica, OS swaps that required removing and re-adding a host) and out-of-memory conditions on the freeipa0 VM caused by memory pressure on the hypervisor.

Resolution

To reinitialize the problematic freeipa1 replica:

  1. Authenticate as an IPA administrator using kinit (for example kinit admin).

  2. Inspect the topology with ipa topologysegment-find; when prompted for the suffix, enter ca. (domain is the other suffix; if domain data is affected as well, repeat the procedure with that suffix.) The output lists each segment with its name, left node and right node.

  3. Reinitialize the affected node. freeipa1 is the right node of the segment freeipa0.0x424b.com-to-freeipa1.0x424b.com, so --right rebuilds freeipa1 from freeipa0 (--left would do the opposite, so check the segment’s node order before choosing the flag):

ipa topologysegment-reinitialize ca freeipa0.0x424b.com-to-freeipa1.0x424b.com --right

The process takes several minutes, during which the replica’s database is replaced. Afterwards, watch freeipa1’s 389 Directory Server errors log (/var/log/dirsrv/slapd-<INSTANCE>/errors) to confirm that the changelog-purge messages stop; as the message itself says, if they keep appearing the replica must be reinitialized again.

For additional guidance, run: ipa help topologysegment-reinitialize
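The procedure above, as an added shell example that is not part of the original post: it reads an ipa topologysegment-find listing (a constructed sample here, with an assumed third replica freeipa2.0x424b.com so that both the --left and the --right case appear), prints the reinitialize command for every segment the broken host sits on, and extracts the affected agreement names from a 389 Directory Server errors log (constructed lines in the 389 DS log format). Nothing is executed against IPA; after kinit, run the one printed command whose other end is a healthy peer.

```sh
#!/bin/sh
# Added example (not from the original post): plan a FreeIPA replica
# reinitialisation from topology output and spot purged-changelog errors.

# plan_reinit SUFFIX BROKEN_HOST < listing
# Reads `ipa topologysegment-find SUFFIX` output on stdin and prints one
# `ipa topologysegment-reinitialize` command per segment that contains
# BROKEN_HOST, with --left or --right chosen so that BROKEN_HOST is the side
# that gets rebuilt. Fails if the host is on no segment.
plan_reinit() {
  suffix=$1
  broken=$2
  awk -v suffix="$suffix" -v broken="$broken" '
    /Segment name:/ { name = $3 }
    /Left node:/    { left = $3 }
    /Right node:/   {
      right = $3
      if (right == broken) {
        printf "ipa topologysegment-reinitialize %s %s --right\n", suffix, name
        found = 1
      } else if (left == broken) {
        printf "ipa topologysegment-reinitialize %s %s --left\n", suffix, name
        found = 1
      }
    }
    END {
      if (!found) {
        print "no segment contains " broken " in suffix " suffix > "/dev/stderr"
        exit 1
      }
    }'
}

# purged_agreements < errors-log
# Prints the unique agreement DNs (agmt="...") on lines carrying the
# "purged from the changelog" error, i.e. the peers that need reinitialising.
purged_agreements() {
  awk '/Data required to update replica has been purged from the changelog/ {
         if (match($0, /agmt="[^"]*"/))
           print substr($0, RSTART + 6, RLENGTH - 7)
       }' | sort -u
}

# Constructed topology listing: two real hosts from the post plus an assumed
# freeipa2, so freeipa1 appears once as right node and once as left node.
demo_plan() {
  plan_reinit ca freeipa1.0x424b.com <<'EOF'
------------------
2 segments matched
------------------
  Segment name: freeipa0.0x424b.com-to-freeipa1.0x424b.com
  Left node: freeipa0.0x424b.com
  Right node: freeipa1.0x424b.com
  Connectivity: both

  Segment name: freeipa1.0x424b.com-to-freeipa2.0x424b.com
  Left node: freeipa1.0x424b.com
  Right node: freeipa2.0x424b.com
  Connectivity: both
----------------------------
Number of entries returned 2
----------------------------
EOF
}

# Constructed errors-log excerpt in 389 DS format (timestamps and agreement
# name are made up for the example).
demo_purged() {
  purged_agreements <<'EOF'
[24/Mar/2023:09:12:41.118473055 +0100] - ERR - NSMMReplicationPlugin - changelog program - agmt="cn=meTofreeipa0.0x424b.com" (freeipa0:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.
[24/Mar/2023:09:12:41.203984110 +0100] - INFO - NSMMReplicationPlugin - agmt="cn=meTofreeipa0.0x424b.com" (freeipa0:389): State: start -> ready_to_send
[24/Mar/2023:09:17:41.002913377 +0100] - ERR - NSMMReplicationPlugin - changelog program - agmt="cn=meTofreeipa0.0x424b.com" (freeipa0:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.
EOF
}
```

With real data, pipe the live output in instead of the demos: ipa topologysegment-find ca | plan_reinit ca freeipa1.0x424b.com, and purged_agreements < /var/log/dirsrv/slapd-<INSTANCE>/errors. When a host sits on several segments only one of the printed commands should be run, against the peer that is known to be healthy.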