freeipa-2.lab.lan replication setup

[root@freeipa-2 fedora]# ipa-replica-install
WARNING: conflicting time&date synchronization service 'chronyd' will
be disabled in favor of ntpd

Password for admin@LAB.LAN:
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
  [2/41]: enabling ldapi
  [3/41]: configure autobind for root
  [4/41]: stopping directory server
  [5/41]: updating configuration in dse.ldif
  [6/41]: starting directory server
  [7/41]: adding default schema
  [8/41]: enabling memberof plugin
  [9/41]: enabling winsync plugin
  [10/41]: configuring replication version plugin
  [11/41]: enabling IPA enrollment plugin
  [12/41]: configuring uniqueness plugin
  [13/41]: configuring uuid plugin
  [14/41]: configuring modrdn plugin
  [15/41]: configuring DNS plugin
  [16/41]: enabling entryUSN plugin
  [17/41]: configuring lockout plugin
  [18/41]: configuring topology plugin
  [19/41]: creating indices
  [20/41]: enabling referential integrity plugin
  [21/41]: configuring certmap.conf
  [22/41]: configure new location for managed entries
  [23/41]: configure dirsrv ccache
  [24/41]: enabling SASL mapping fallback
  [25/41]: restarting directory server
  [26/41]: creating DS keytab
  [27/41]: ignore time skew for initial replication
  [28/41]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 6 seconds elapsed
Update succeeded

  [29/41]: prevent time skew after initial replication
  [30/41]: adding sasl mappings to the directory
  [31/41]: updating schema
  [32/41]: setting Auto Member configuration
  [33/41]: enabling S4U2Proxy delegation
  [34/41]: initializing group membership
  [35/41]: adding master entry
  [36/41]: initializing domain level
  [37/41]: configuring Posix uid/gid generation
  [38/41]: adding replication acis
  [39/41]: activating sidgen plugin
  [40/41]: activating extdom plugin
  [41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR    Certificate issuance failed (CA_REJECTED)
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more in
formation
[root@freeipa-2 fedora]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20180525141223':
        status: CA_REJECTED
        ca-error: Server at https://freeipa-2.lab.lan/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'htt
ps://freeipa-2.lab.lan/ipa/xml' failed.  libcurl failed even to execute the HTTP transaction, explaining:  Failed to
connect to freeipa-2.lab.lan port 443: Connection refused).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-LAB-LAN',nickname='Server-Cert',token='NSS Certifica
te DB',pinfile='/etc/dirsrv/slapd-LAB-LAN/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-LAB-LAN',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv LAB-LAN
        track: yes
        auto-renew: yes