Johannes Falke via FreeIPA-users wrote:
After postponing the my home network FreeIPA server upgrade (FreeIPA 4.7.x/Fedora 29 -> FreeIPA 4.8.x/Fedora 30) due previously running into this error already, I am running into the same error again but now want to fix it. On FreeIPA 4.7.x/Fedora 29 my set-up was judged healthy by ipa-healthcheck.
However, `ipa-server-upgrade` fails with the message "Failed to authenticate to CA REST API".
Seeing the upgrade debug log would be useful to see where exactly it failed.
rob
The pki-tomcatd@pki-tomcat.service log (during the upgrade) looks as follows:
Dec 11 21:17:16 ipa.my.domain systemd[1]: Starting PKI Tomcat Server pki-tomcat... Dec 11 21:17:16 ipa.my.domain pki-server[2405]: ---------------------------- Dec 11 21:17:16 ipa.my.domain pki-server[2405]: pki-tomcat instance migrated Dec 11 21:17:16 ipa.my.domain pki-server[2405]: ---------------------------- Dec 11 21:17:17 ipa.my.domain systemd[1]: Started PKI Tomcat Server pki-tomcat. Dec 11 21:17:17 ipa.my.domain server[2514]: Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java Dec 11 21:17:17 ipa.my.domain server[2514]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar Dec 11 21:17:17 ipa.my.domain server[2514]: main class used: org.apache.catalina.startup.Bootstrap Dec 11 21:17:17 ipa.my.domain server[2514]: flags used: -Djava.library.path=/usr/lib64/nuxwdog-jni Dec 11 21:17:17 ipa.my.domain server[2514]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy Dec 11 21:17:17 ipa.my.domain server[2514]: arguments used: start Dec 11 21:17:22 ipa.my.domain server[2514]: main: Attempt to log message "/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit" to closed log file 0.main - [11/Dec/2022:21:17:22 CET] [14] [6] [AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown Dec 11 21:17:22 ipa.my.domain server[2514]: main: Failed to write in file: "AUDIT_LOG_SHUTDOWN", entry: Attempt to log message "/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit" to closed log file 0.main - [11/Dec/2022:21:17:22 CET] [14] [6] [AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown, error: Audit Event Failure! Dec 11 21:17:22 ipa.my.domain server[2514]: main: Attempt to log message "/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit" to closed log file 0.main - [11/Dec/2022:21:17:22 CET] [14] [6] [AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown Dec 11 21:17:22 ipa.my.domain server[2514]: main: Failed to write in file: "AUDIT_LOG_SHUTDOWN", entry: Attempt to log message "/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit" to closed log file 0.main - [11/Dec/2022:21:17:22 CET] [14] [6] [AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID=$System$][Outcome=Success] audit function shutdown, error: Audit Event Failure! Dec 11 21:17:28 ipa.my.domain server[2514]: SEVERE: CA subsystem unavailable. Check CA debug log. Dec 11 21:17:33 ipa.my.domain server[2514]: SEVERE: CA subsystem unavailable. Check CA debug log.
after which pki-tomcatd@pki-tomcat crashes.
the pki-tomcat CA debug log has the following SEVERE exceptions:
/var/log/pki/pki-tomcat/ca/debug.2022-12-11.log
[...] 2022-12-11 21:17:22 [main] FINE: LdapBoundConnection: Connecting to ipa.my.domain:636 with client cert auth 2022-12-11 21:17:22 [main] FINE: ldapconn/PKISocketFactory.makeSSLSocket: begins 2022-12-11 21:17:22 [main] FINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH 2022-12-11 21:17:22 [main] FINE: LogFile: event type not selected: CLIENT_ACCESS_SESSION_ESTABLISH 2022-12-11 21:17:22 [main] SEVERE: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) java.net.ConnectException: Connection refused (Connection refused) [...traceback...] 2022-12-11 21:17:22 [main] SEVERE: LdapBoundConnFactory: Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) [...traceback...] 2022-12-11 21:17:22 [main] SEVERE: DBSubsystem: initialization failed: Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) [...traceback...] 2022-12-11 21:17:22 [main] SEVERE: Unable to start CMS engine: Internal Database Error encountered: Unable to connect to LDAP serve r: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) [...traceback...] 2022-12-11 21:17:22 [main] SEVERE: Shutting down. 2022-12-11 21:17:22 [main] INFO: Shutting down CA subsystem [...]
Looking at the `journalctl` log, it seems the dirsrv@MY-DOMAIN.service receives a stop command during the ipa-server-upgrade script just before this error occurs.
Dec 11 21:17:19 ipa.my.domain systemd[1]: Stopping 389 Directory Server MY-DOMAIN.... Dec 11 21:17:19 ipa.my.domain ns-slapd[2338]: [11/Dec/2022:21:17:19.575684141 +0100] - INFO - op_thread_cleanup - slapd shutting d> Dec 11 21:17:19 ipa.my.domain ns-slapd[2338]: [11/Dec/2022:21:17:19.581818694 +0100] - INFO - slapd_daemon - slapd shutting down -> Dec 11 21:17:19 ipa.my.domain ns-slapd[2338]: [11/Dec/2022:21:17:19.595175102 +0100] - INFO - slapd_daemon - slapd shutting down -> Dec 11 21:17:20 ipa.my.domain ns-slapd[2338]: [11/Dec/2022:21:17:20.597957402 +0100] - INFO - dblayer_pre_close - Waiting for 4 da> Dec 11 21:17:22 ipa.my.domain server[2514]: main: Attempt to log message "/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit" to> Dec 11 21:17:22 ipa.my.domain server[2514]: main: Failed to write in file: "AUDIT_LOG_SHUTDOWN", entry: Attempt to log message "/v> Dec 11 21:17:22 ipa.my.domain server[2514]: main: Attempt to log message "/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit" to> Dec 11 21:17:22 ipa.my.domain server[2514]: main: Failed to write in file: "AUDIT_LOG_SHUTDOWN", entry: Attempt to log message "/v> Dec 11 21:17:22 ipa.my.domain ns-slapd[2338]: [11/Dec/2022:21:17:22.815909751 +0100] - INFO - dblayer_pre_close - All database thr> Dec 11 21:17:22 ipa.my.domain ns-slapd[2338]: [11/Dec/2022:21:17:22.831586103 +0100] - INFO - ldbm_back_instance_set_destructor - > Dec 11 21:17:22 ipa.my.domain ns-slapd[2338]: [11/Dec/2022:21:17:22.851949498 +0100] - INFO - connection_post_shutdown_cleanup - s> Dec 11 21:17:22 ipa.my.domain ns-slapd[2338]: [11/Dec/2022:21:17:22.864268380 +0100] - INFO - main - slapd stopped. Dec 11 21:17:23 ipa.my.domain systemd[1]: dirsrv@MY-DOMAIN.service: Succeeded. Dec 11 21:17:23 ipa.my.domain systemd[1]: Stopped 389 Directory Server MY-DOMAIN.. Dec 11 21:17:23 ipa.my.domain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 m> Dec 11 21:17:23 ipa.my.domain systemd[1]: Starting 389 Directory Server MY-DOMAIN....
I'm not sure how the LDAP connection is supposed to work if the LDAP server gets shut down, but since this is all handled/managed by ipa-server-upgrade, I assume this is correct...? Or is this some bug in the ipa-server-upgrade script?
Does anyone have a clue what the root cause of this error might be or how to figure it out?