I’m adding more information:
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@dc2 ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'acmeServerCert'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
On 30 Nov 2022, at 16:21, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi,
Rob, the problem with ipactl --ignore-service-failures is that it always tries to upgrade from 4.7 to 4.9 first and it fails for that reason.
$ man 8 ipactl
--skip-version-check Skip version check
rob
I was able to move forward and get pki-tomcat running but I still can’t finish the upgrade process. Here are some more logs to see if you can see a lead to help me.
Regards
*/var/log/ipaupgrade.log*
2022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1273, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 982, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error
2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-30T16:07:54Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1908, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1207, in __enter__
    method='GET'
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in https_request
    method=method, headers=headers)
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))
2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
*dirsrv/slapd-TNU-COM-UY/errors*
[30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
[30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
[30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
[30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
*localhost_access_log.2022-11-30.txt*
127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669
On 23 Nov 2022, at 18:42, Rob Crittenden <rcritten@redhat.com> wrote:
Run "ipactl --ignore-service-failures" and it should bring up all the services it can.
rob
Juan Pablo Lorier wrote:
Hi again,
I used the ldapi from /etc/ipa/default.conf and I was able to get a different reply:
ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd-TNU-COM-UY.socket
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
But if I try to renew the ticket, it fails:
kinit admin
kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
The running DC is in 4.7 and it should reply to the kinit requests
I added the debug option to see if I can get further information.
ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl
Regards
On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi Rob,
Thanks for the reply. As I didn’t know any other way but to go back in time, I just did it and now the server is running 100%.
This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter of a dnf update but it seems that is not such a happy path. I updated the second server but it’s not able to finalize the update process. DNS is failing to start:
# systemctl status ipa-dnskeysyncd.service
● ipa-dnskeysyncd.service - IPA key daemon
   Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
 Main PID: 250496 (ipa-dnskeysyncd)
    Tasks: 1 (limit: 23652)
   Memory: 68.4M
   CGroup: /system.slice/ipa-dnskeysyncd.service
           └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd

Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1

[root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
-- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
There should be quite a bit more after that.
#less /var/log/dirsrv/slapd-*/access
[22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
[22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
[22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
[22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
[22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
[22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
[22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
[22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
[22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
[22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
[22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
[22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
[22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
I see that after the update, the files were changed:
[root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
/etc/dirsrv/slapd-TNU-COM-UY:
total 4208
-rw-r-----. 1 dirsrv dirsrv   1804 Jan 21  2022 Server-Cert-Key.pem
-rw-r-----. 1 dirsrv dirsrv   1829 Jan 21  2022 Server-Cert.pem
-rw-r-----. 1 dirsrv dirsrv   1464 Jan 21  2022 TNU.COM.UY20IPA20CA.pem
-rw-r-----. 1 dirsrv root    36864 Dec 12  2021 cert9.db
-rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv   1729 Jan  9  2020 certmap.conf
-rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
-rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
-rw-r--r--. 1 dirsrv root   208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
-rw-------. 1 dirsrv root   202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
-rw-------. 1 dirsrv root   208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
-rw-------. 1 dirsrv root   208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
-rw-------. 1 dirsrv root   195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
-rw-------. 1 dirsrv root   203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
-rw-------. 1 dirsrv root   156705 Jan  9  2020 dse.ldif.ipa.6b71b47d73ca452a
-rw-------. 1 dirsrv root   202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
-rw-------. 1 dirsrv root   208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
-rw-------. 1 dirsrv root   208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
-rw-------. 1 dirsrv root   202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
-rw-------. 1 dirsrv root   202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
-rw-------. 1 dirsrv root   202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
-rw-------. 1 dirsrv root   208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
-rw-------. 1 dirsrv root   202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
-rw-------. 1 dirsrv root   202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
-rw-r--r--. 1 dirsrv root   208167 Nov 22 11:26 dse.ldif.modified.out
-rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv  36009 Jan  9  2020 dse_original.ldif
-rw-r-----. 1 dirsrv root    36864 Dec 12  2021 key4.db
-rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 key4.db.orig
-r--------. 1 dirsrv dirsrv     67 Jan  9  2020 pin.txt
-rw-r-----. 1 dirsrv dirsrv    561 Nov 22 11:26 pkcs11.txt
-rw-rw----. 1 dirsrv dirsrv    556 Jan  9  2020 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt
-r--------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv   4096 Nov 22 11:26 schema
drwxr-x---. 2 dirsrv root       25 Nov 21 18:59 schema.bak
-rw-r--r--. 1 dirsrv root    15142 Nov 21 18:59 slapd-collations.conf
I can’t connect to the LDAP service:
# ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
You have to escape the socket path: ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
# less /var/log/ipaupgrade.log
Server built: Jun 29 2021 22:00:15 UTC
Server number: 9.0.30.0
OS Name: Linux
OS Version: 4.18.0-348.7.1.el8_5.x86_64
Architecture: amd64
JVM Version: 1.8.0_322-b06
JVM Vendor: Red Hat, Inc.
2022-11-22T14:26:56Z DEBUG stderr=
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-22T14:26:56Z DEBUG Process finished, return code=1
2022-11-22T14:26:56Z DEBUG stdout=
2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2022-11-22T14:26:57Z DEBUG Process finished, return code=1
2022-11-22T14:26:57Z DEBUG stdout=
2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
    ca.start('pki-tomcat')
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
    skip_output=not capture_output)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log
2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
The CA failed to start. This is often due to expired certificates that get exposed when an upgrade is done. Check that out.
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
2 service(s) are not running
Thanks
> On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:
>
> Juan Pablo Lorier via FreeIPA-users wrote:
>> Hi,
>>
>> I have a production server that was not maintained and I see that the
>> HTTP certificate has expired long ago. I tried to renew it but I'm
>> not being able to get it right.
>>
>> The initial status was:
>>
>> Request ID '20191219011208':
>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>> stuck: yes
>> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>
>> Then following this thread
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
>>
>> I got it to this state:
>>
>> Request ID '20191219011208':
>> status: MONITORING
>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request,
>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed.
>> libcurl failed even to execute the HTTP transaction, explaining:
>> SSL certificate problem: certificate has expired).
>> stuck: no
>> key pair storage:
>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>
>> The post indicates that I have to put an old date in the server to
>> get it renewed, but as the server is in production, it means that all
>> clients will fail to log in to the server. Even more, what time should I
>> return to, before the certificate expiration or right after?
>> Thanks in advance
>
> I'd guess that this affects a lot more than just the web server cert.
> getcert list will tell you.
>
> Depending on that outcome, the suggested remediation will differ.
>
> As for going back in time, you'd need a server outage to do this and it
> only would be backwards in time for a short time. Just long enough so
> the services could start with non-expired certificates to get them
> renewed. But there are other ways to do this that don't require fiddling
> with time.
>
> rob
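Two checks the thread points at, written up as an added example that is not part of the mailing-list exchange and not FreeIPA's own code. First, the reason Rob's URL reads ldapi://%2fvar%2frun%2f...: libldap takes everything between "ldapi://" and the next "/" as the socket path, so an unencoded path such as ldapi://var/run/slapd-TNU-COM-UY.socket only ever looks for a socket called "var" and fails with "Can't contact LDAP server (-1)". The helper below percent-encodes any path. Second, the "getcert list will tell you" check: a filter over getcert list output that flags tracking requests that are stuck, carry a ca-error, are not in MONITORING, or whose expires: date is already past. The realm-to-instance mapping (dots to dashes, as in TNU.COM.UY -> slapd-TNU-COM-UY) follows the listing above; the EXAMPLE.TEST realm, the getcert sample and its expires: lines are constructed for this example, and the live ldapsearch is only attempted when the socket actually exists. Everything is POSIX sh.

```shell
#!/bin/sh
# Added example: triage helpers for a FreeIPA server whose ipa-server-upgrade
# failed because pki-tomcat would not start. Not code from the thread or from
# FreeIPA; realm EXAMPLE.TEST and the getcert sample are constructed.

# Percent-encode a filesystem path into a ldapi:// URL. RFC 3986 unreserved
# characters are kept, everything else becomes %XX (lowercase hex), so "/"
# turns into %2f and the whole path survives libldap's host/path split.
ldapi_url() {
  _p=$1 _out=
  while [ -n "$_p" ]; do
    _c=${_p%"${_p#?}"}                       # first character of the remainder
    _p=${_p#?}
    case $_c in
      [A-Za-z0-9._~-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02x' "'$_c")" ;;   # POSIX printf: "'c" -> code of c
    esac
  done
  printf 'ldapi://%s\n' "$_out"
}

# FreeIPA names the 389-ds instance after the realm with dots replaced by
# dashes (TNU.COM.UY -> slapd-TNU-COM-UY); build the socket URL from the realm.
ipa_ldapi_url() {
  ldapi_url "/var/run/slapd-$(printf '%s' "$1" | sed 's/\./-/g').socket"
}

# Bind over the local socket with GSSAPI (kinit admin first) and read the
# naming contexts; only meaningful on the IPA server itself.
check_ldapi() {
  ldapsearch -Y GSSAPI -H "$(ipa_ldapi_url "$1")" -s base -b "" namingContexts
}

# Read `getcert list` output on stdin and print one line per request that
# needs attention: "<request id> [status=X] [stuck] [ca-error] [expired=T]".
# $1 is the reference time as "YYYY-MM-DD HH:MM:SS" (UTC), compared as text
# against the expires: field, which getcert prints in that same layout.
getcert_problems() {
  awk -v now="$1" -v q="'" '
    function flush() {
      if (id == "") return
      r = ""
      if (status != "MONITORING")         r = r " status=" status
      if (stuck == "yes")                 r = r " stuck"
      if (caerr != "")                    r = r " ca-error"
      if (expires != "" && expires < now) r = r " expired=" expires
      if (r != "") print id r
      id = ""; status = ""; stuck = ""; caerr = ""; expires = ""
    }
    /^Request ID /     { flush(); id = $3; gsub(q, "", id); sub(/:$/, "", id); next }
    /^[ \t]*status:/   { status = $2 }
    /^[ \t]*stuck:/    { stuck = $2 }
    /^[ \t]*ca-error:/ { caerr = $0 }
    /^[ \t]*expires:/  { expires = $2 " " $3 }
    END { flush() }
  '
}

# Constructed sample in `getcert list` layout (not output from the thread).
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20191219011208':
        status: MONITORING
        ca-error: Server at https://dc1.example.test/ipa/xml failed request, will retry: -504 (SSL certificate problem: certificate has expired).
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        expires: 2021-12-19 01:12:08 UTC
Request ID '20191219011209':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
        expires: 2021-12-09 01:12:08 UTC
Request ID '20191219011210':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
        expires: 2023-12-09 01:12:08 UTC
EOF
)

# Demo: the correctly encoded URL, then the sample evaluated at the time the
# upgrade in the thread failed. On a real server replace the sample with
#   getcert list | getcert_problems "$(date -u '+%Y-%m-%d %H:%M:%S')"
ipa_ldapi_url EXAMPLE.TEST
printf '%s\n' "$SAMPLE_GETCERT" | getcert_problems '2022-11-22 14:26:57'

if [ -S /var/run/slapd-EXAMPLE-TEST.socket ] && command -v ldapsearch >/dev/null 2>&1; then
  check_ldapi EXAMPLE.TEST
fi
```

Anything the filter prints is a certificate that has to be sorted out before pki-tomcat (and with it ipa-server-upgrade) will come back; a run that prints nothing while the CA still refuses to start points away from certificates and towards the journal for pki-tomcatd@pki-tomcat.service.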