Hello all,
I have a strange issue with one of my IPA servers. After an upgrade from Fedora 35 to Fedora 37, the ipa-server-upgrade failed on the pki-tomcat part.
The ipaupgrade.log says:
2022-12-21T15:27:52Z INFO Migrating profile 'caECFullCMCSharedTokenCert'
2022-12-21T15:27:52Z DEBUG request GET https://ipa1.server.org:8443/ca/rest/account/login
2022-12-21T15:27:52Z DEBUG request body ''
2022-12-21T15:27:52Z DEBUG response status 404
2022-12-21T15:27:52Z DEBUG response headers Content-Type: text/html;charset=utf-8
Content-Language: de
Content-Length: 795
Date: Wed, 21 Dec 2022 15:27:52 GMT
2022-12-21T15:27:52Z DEBUG response body (decoded): b'<!doctype html><html lang="de"><head><title>HTTP Status 404 \xe2\x80\x93 nicht gefunden</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 \xe2\x80\x93 nicht gefunden</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [/ca/rest/account/login] is not available</p><p><b>Beschreibung</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.68</h3></body></html>'
2022-12-21T15:27:52Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-12-21T15:27:52Z DEBUG   File "/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
                   ^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 2061, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 1914, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", line 2155, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", line 2209, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py", line 1211, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
2022-12-21T15:27:52Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
The catalina logfile says:
21-Dec-2022 16:27:26.946 SCHWERWIEGEND [main] org.apache.catalina.core.StandardContext.startInternal One or more listeners failed to start. Full details will be found in the appropriate container log file
21-Dec-2022 16:27:26.948 SCHWERWIEGEND [main] org.apache.catalina.core.StandardContext.startInternal Context [/ca] startup failed due to previous errors
The CA debug log file says:
2022-12-21 16:27:26 [main] FINE: LdapBoundConnection: Connecting to ipa1.server.org:636 with client cert auth
2022-12-21 16:27:26 [main] FINE: ldapconn/PKISocketFactory.makeSSLSocket: begins
2022-12-21 16:27:26 [main] FINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH
2022-12-21 16:27:26 [main] SEVERE: Unable to create socket: java.net.ConnectException: Verbindungsaufbau abgelehnt
with many Java traceback errors following. The directory server is running at this time and there is no connection reported at the given time. ipa-healthcheck does not give any errors or warnings. Restarting the pki-tomcat server manually afterwards is working fine and does not give any errors. Starting ipa in force mode gives no errors as well. What can I do?
Regards
Martin
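
The three excerpts above use different timestamp formats and time zones, so their order is easier to read once merged. The following is an added example, not part of the original post: it normalizes lines abridged from the post to UTC and sorts them into one timeline. It assumes the catalina and CA debug logs are written in local time at UTC+1; the names `LOCAL_OFFSET`, `timeline` and `startup_gap` are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: catalina and CA debug logs use local time at UTC+1 (CET);
# ipaupgrade.log timestamps carry an explicit Z (UTC).
LOCAL_OFFSET = timedelta(hours=1)
# Lines abridged from the excerpts in the post, one list per log file.
IPAUPGRADE = [
    "2022-12-21T15:27:52Z DEBUG request GET https://ipa1.server.org:8443/ca/rest/account/login",
    "2022-12-21T15:27:52Z DEBUG response status 404",
]
CATALINA = [
    "21-Dec-2022 16:27:26.948 SCHWERWIEGEND [main] org.apache.catalina.core.StandardContext.startInternal Context [/ca] startup failed due to previous errors",
]
CA_DEBUG = [
    "2022-12-21 16:27:26 [main] FINE: LdapBoundConnection: Connecting to ipa1.server.org:636 with client cert auth",
    "2022-12-21 16:27:26 [main] SEVERE: Unable to create socket: java.net.ConnectException: Verbindungsaufbau abgelehnt",
]

# source name -> (timestamp regex, strptime format, offset from UTC)
FORMATS = {
    "ipaupgrade": (r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z ", "%Y-%m-%dT%H:%M:%S", timedelta(0)),
    "catalina": (r"^(\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d+ ", "%d-%b-%Y %H:%M:%S", LOCAL_OFFSET),
    "ca-debug": (r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ", "%Y-%m-%d %H:%M:%S", LOCAL_OFFSET),
}

def timeline(sources):
    """Merge lines from several logs into one list sorted by UTC time."""
    events = []
    for name, lines in sources.items():
        pattern, fmt, offset = FORMATS[name]
        for line in lines:
            m = re.match(pattern, line)
            if not m:
                continue  # continuation line without a timestamp
            utc = datetime.strptime(m.group(1), fmt) - offset
            events.append((utc.replace(tzinfo=timezone.utc), name, line[m.end():]))
    return sorted(events, key=lambda e: e[0])  # stable sort keeps per-log order

def startup_gap(events):
    """Seconds from the first SEVERE/SCHWERWIEGEND event to the first 404."""
    first_fail = next(t for t, _, msg in events if re.search(r"SEVERE|SCHWERWIEGEND", msg))
    first_404 = next(t for t, _, msg in events if "response status 404" in msg)
    return (first_404 - first_fail).total_seconds()

EVENTS = timeline({"ipaupgrade": IPAUPGRADE, "catalina": CATALINA, "ca-debug": CA_DEBUG})
if __name__ == "__main__":
    for t, name, msg in EVENTS:
        print(t.strftime("%H:%M:%SZ"), f"{name:10}", msg[:90])
```

Under the UTC+1 assumption, the refused connection to port 636 and the failed `/ca` context start fall at 15:27:26Z, before the upgrade's request to `/ca/rest/account/login` at 15:27:52Z.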