Juan Pablo Lorier wrote:
The only expired cert was the HTTP in the dc1 server, dc2 had all the certs valid:
This does not show all of the tracked certificates. Use plain getcert which will show for all CA helpers.
rob
*Dc1:*

ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191218181440':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TNU.COM.UY
	subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
	expires: 2023-11-21 15:14:49 -03
	principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
Request ID '20191219011104':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TNU.COM.UY
	subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
	expires: 2023-11-21 15:13:39 -03
	dns: dc1.tnu.com.uy
	principal name: ldap/dc1.tnu.com.uy@TNU.COM.UY
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
	track: yes
	auto-renew: yes
Request ID '20211217030046':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc1.tnu.com.uy-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TNU.COM.UY
	subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
	expires: 2023-12-18 00:01:22 -03
	dns: dc1.tnu.com.uy
	principal name: HTTP/dc1.tnu.com.uy@TNU.COM.UY
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes

*Dc2*:

ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TNU.COM.UY
	subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
	issued: 2021-12-12 22:59:28 -03
	expires: 2023-12-13 22:59:28 -03
	principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	profile: KDCs_PKINIT_Certs
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
Request ID '20221130160326':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TNU.COM.UY
	subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
	issued: 2021-12-12 22:53:10 -03
	expires: 2023-12-13 22:53:10 -03
	dns: dc2.tnu.com.uy
	principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	profile: caIPAserviceCert
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
	track: yes
	auto-renew: yes
Request ID '20221130160327':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TNU.COM.UY
	subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
	issued: 2021-12-12 22:53:26 -03
	expires: 2023-12-13 22:53:26 -03
	dns: dc2.tnu.com.uy
	principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	profile: caIPAserviceCert
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
On 30 Nov 2022, at 18:50, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
OK, with the skip-version-check flag it starts correctly, but if I try to restart the service without the flag, it fails at the same point. The error is related to the upgrade process then. I'm upgrading from 4.7 to 4.9 as I didn't find any restriction in the documentation. Is it possible that there's an issue with that upgrade path?
It is likely related to your expired certificates. Did you look to see if others besides the HTTP cert expired?
rob
Thanks
On 30 Nov 2022, at 16:21, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi,
Rob, the problem with ipactl --ignore-service-failures is that it always try to upgrade from 4.7 to 4.9 first and it fails for that reason.
$ man 8 ipactl
--skip-version-check Skip version check
rob
I was able to move forward and get pki-tomcat running but I still can't finish the upgrade process. Here are some more logs to see if you can see a lead to help me. Regards
*/var/log/ipaupgrade.log*
2022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1273, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 982, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error
2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-30T16:07:54Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1908, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1207, in __enter__
    method='GET'
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in https_request
    method=method, headers=headers)
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))

2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
*dirsrv/slapd-TNU-COM-UY/errors*
[30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
[30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
[30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
[30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
*localhost_access_log.2022-11-30.txt*
127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669
On 23 Nov 2022, at 18:42, Rob Crittenden <rcritten@redhat.com> wrote:
Run "ipactl --ignore-service-failures" and it should bring up all the services it can.
rob
Juan Pablo Lorier wrote:
> Hi again,
>
> I used the ldapi from /etc/ipa/default.conf and I was able to get a
> different reply:
>
> ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd-TNU-COM-UY.socket
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
>
> But if I try to renew the ticket, it fails:
>
> kinit admin
> kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
>
> The running DC is in 4.7 and it should reply to the kinit requests
>
> I added the debug option to see if I can get further information.
>
> ipactl restart
> IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
> Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
> Update complete
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>
> See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
> Stopping ipa-dnskeysyncd Service
> Stopping ipa-otpd Service
> Stopping pki-tomcatd Service
> Stopping ipa-custodia Service
> Stopping httpd Service
> Stopping named Service
> Stopping kadmin Service
> Stopping krb5kdc Service
> Stopping Directory Service
> Aborting ipactl
>
> Regards
>
>> On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:
>>
>> Juan Pablo Lorier wrote:
>>> Hi Rob,
>>>
>>> Thanks for the reply. As I didn't know any other way but to go back in time,
>>> I just did it and now the server is running 100%.
>>>
>>> This was all part of an update from 4.7 to 4.9. According to the
>>> documentation, it was just a matter to def update but it seems that is
>>> not such a happy path.
>>> I updated the second server but it's not able to finalize the update
>>> process. DNS is failing to start:
>>>
>>> # systemctl status ipa-dnskeysyncd.service
>>> ● ipa-dnskeysyncd.service - IPA key daemon
>>>    Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
>>>    Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
>>>  Main PID: 250496 (ipa-dnskeysyncd)
>>>     Tasks: 1 (limit: 23652)
>>>    Memory: 68.4M
>>>    CGroup: /system.slice/ipa-dnskeysyncd.service
>>>            └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd
>>>
>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>
>>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
>>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
>>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
>>
>> There should be quite a bit more after that.
>>
>>> #less /var/log/dirsrv/slapd-*/access
>>>
>>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
>>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
>>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
>>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
>>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
>>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
>>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
>>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
>>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
>>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
>>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
>>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
>>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
>>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
>>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
>>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
>>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
>>>
>>> I see that after the update, the files were changed:
>>>
>>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
>>> /etc/dirsrv/slapd-TNU-COM-UY:
>>> total 4208
>>> -rw-r-----. 1 dirsrv dirsrv   1804 Jan 21  2022 Server-Cert-Key.pem
>>> -rw-r-----. 1 dirsrv dirsrv   1829 Jan 21  2022 Server-Cert.pem
>>> -rw-r-----. 1 dirsrv dirsrv   1464 Jan 21  2022 TNU.COM.UY20IPA20CA.pem
>>> -rw-r-----. 1 dirsrv root    36864 Dec 12  2021 cert9.db
>>> -rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 cert9.db.orig
>>> -r--r-----. 1 dirsrv dirsrv   1729 Jan  9  2020 certmap.conf
>>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
>>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
>>> -rw-r--r--. 1 dirsrv root   208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
>>> -rw-------. 1 dirsrv root   202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
>>> -rw-------. 1 dirsrv root   208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
>>> -rw-------. 1 dirsrv root   208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
>>> -rw-------. 1 dirsrv root   195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
>>> -rw-------. 1 dirsrv root   203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
>>> -rw-------. 1 dirsrv root   156705 Jan  9  2020 dse.ldif.ipa.6b71b47d73ca452a
>>> -rw-------. 1 dirsrv root   202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
>>> -rw-------. 1 dirsrv root   208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
>>> -rw-------. 1 dirsrv root   208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
>>> -rw-------. 1 dirsrv root   202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
>>> -rw-------. 1 dirsrv root   202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
>>> -rw-------. 1 dirsrv root   202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
>>> -rw-------. 1 dirsrv root   208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
>>> -rw-------. 1 dirsrv root   202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
>>> -rw-------. 1 dirsrv root   202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
>>> -rw-r--r--. 1 dirsrv root   208167 Nov 22 11:26 dse.ldif.modified.out
>>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
>>> -r--r-----. 1 dirsrv dirsrv  36009 Jan  9  2020 dse_original.ldif
>>> -rw-r-----. 1 dirsrv root    36864 Dec 12  2021 key4.db
>>> -rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 key4.db.orig
>>> -r--------. 1 dirsrv dirsrv     67 Jan  9  2020 pin.txt
>>> -rw-r-----. 1 dirsrv dirsrv    561 Nov 22 11:26 pkcs11.txt
>>> -rw-rw----. 1 dirsrv dirsrv    556 Jan  9  2020 pkcs11.txt.orig
>>> -rw-------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt
>>> -r--------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt.orig
>>> drwxrwx---. 2 dirsrv dirsrv   4096 Nov 22 11:26 schema
>>> drwxr-x---. 2 dirsrv root       25 Nov 21 18:59 schema.bak
>>> -rw-r--r--. 1 dirsrv root    15142 Nov 21 18:59 slapd-collations.conf
>>>
>>> I can't connect to the LDAP service:
>>>
>>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
>>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>>
>> You have to escape the socket path:
>> ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
>>
>>> # less /var/log/ipaupgrade.log
>>>
>>> Server built: Jun 29 2021 22:00:15 UTC
>>> Server number: 9.0.30.0
>>> OS Name: Linux
>>> OS Version: 4.18.0-348.7.1.el8_5.x86_64
>>> Architecture: amd64
>>> JVM Version: 1.8.0_322-b06
>>> JVM Vendor: Red Hat, Inc.
>>> >>> 2022-11-22T14:26:56Z DEBUG stderr= >>> 2022-11-22T14:26:56Z DEBUG Starting external process >>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', >>> 'kra'] >>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1 >>> 2022-11-22T14:26:56Z DEBUG stdout= >>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in >>> instance pki-tomcat. >>> >>> 2022-11-22T14:26:56Z DEBUG Starting external process >>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', >>> 'pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service'] >>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1 >>> 2022-11-22T14:26:57Z DEBUG stdout= >>> 2022-11-22T14:26:57Z DEBUG stderr=Job >>> for pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service failed because the control >>> process exited with error code. >>> See "systemctl status pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for >>> details. >>> >>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect >>> /var/log/ipaupgrade.log and run command ipa-server-upgrade >>> manually. 
>>> 2022-11-22T14:26:57Z DEBUG File >>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line >>> 180, in >>> execute >>> return_value = self.run() >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", >>> line 54, in run >>> server.upgrade() >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>> line 2055, in upgrade >>> upgrade_configuration() >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>> line 1783, in upgrade_configuration >>> ca.start('pki-tomcat') >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", >>> line 524, in start >>> self.service.start(instance_name, >>> capture_output=capture_output, >>> wait=wait) >>> File >>> "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", >>> line 306, in start >>> skip_output=not capture_output) >>> File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", >>> line >>> 600, in run >>> p.returncode, arg_string, output_log, error_log >>> >>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, >>> exception: CalledProcessError: CalledProcessError(Command >>> ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service'] returned non-zero exit >>> status >>> 1: 'Job for pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service failed because the control >>> process exited with error code.\nSee "systemctl status >>> pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service" >>> and "journalctl -xe" for details.\n') >>> 
2022-11-22T14:26:57Z ERROR Unexpected error - see >>> /var/log/ipaupgrade.log for details: >>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', >>> 'start', 'pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service'] returned non-zero exit >>> status >>> 1: 'Job for pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service failed because the control >>> process exited with error code.\nSee "systemctl status >>> pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service" >>> and "journalctl -xe" for details.\n') >>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command >>> failed. See >>> /var/log/ipaupgrade.log for more information >>> (END) >> >> The CA failed to start. This is often due to expired >> certificates that >> get exposed when an upgrade is done. Check that out. >> >>> #ipactl status >>> >>> Directory Service: RUNNING >>> krb5kdc Service: RUNNING >>> kadmin Service: RUNNING >>> named Service: STOPPED >>> httpd Service: RUNNING >>> ipa-custodia Service: RUNNING >>> pki-tomcatd Service: STOPPED >>> ipa-otpd Service: RUNNING >>> ipa-dnskeysyncd Service: RUNNING >>> 2 service(s) are not running >>> >>> >>> Thanks >>> >>>> El 22 nov. 2022, a las 11:43, Rob Crittenden >>>> <rcritten@redhat.com mailto:rcritten@redhat.com >>>> mailto:rcritten@redhat.com >>>> mailto:rcritten@redhat.com >>>> mailto:rcritten@redhat.com> escribió: >>>> >>>> Juan Pablo Lorier via FreeIPA-users wrote: >>>>> Hi, >>>>> >>>>> I have a production server that was not maintained and I see >>>>> that the >>>>> HTTP certificate has expired long ago. 
I tried to renew it >>>>> but I'm >>>>> not being agle to get it right. >>>>> >>>>> The initial status was: >>>>> >>>>> Request ID '20191219011208': >>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >>>>> stuck: yes >>>>> key pair storage: >>>>> type=FILE,location='/var/lib/ipa/private/httpd.key' >>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>> >>>>> Then following this thread >>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>>> >>>>> I got it to this state: >>>>> >>>>> Request ID '20191219011208': >>>>> status: MONITORING >>>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed >>>>> request, >>>>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. >>>>> libcurl failed even to execute the HTTP transaction, explaining: >>>>> SSL certificate problem: certificate has expired). >>>>> stuck: no >>>>> key pair storage: >>>>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA' >>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>> >>>>> The post indicates that I have to put an old date in the >>>>> server to >>>>> get it renewed, but as the server is in production, it means >>>>> that all >>>>> clients will fail to log to the server. Evenmore, what time >>>>> should I >>>>> return to, before the certificate expiration or right after? >>>>> Thanks in advanc >>>> >>>> I'd guess that this affects a lot more than just the web server >>>> cert. >>>> getcert list will tell you. >>>> >>>> Depending on that outcome affect the suggested remediation. >>>> >>>> As for going back in time, you'd need a server outage to do this >>>> and it >>>> only would be backwards in time for a short time. Just long >>>> enough so >>>> the services could start with non-expired certificates to get them >>>> renewed. But there are other ways to do this that don't require >>>> fiddling >>>> with time. >>>> >>>> rob
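Two of Rob's points in the thread above, checking every tracked request in `getcert list` (not only the one that is visibly expired, since an upgrade exposes all of them at once) and percent-encoding the socket path in an `ldapi://` URI, as an added example. This is not code from the FreeIPA or certmonger projects; the `getcert list` sample, its host names, request IDs and dates are constructed for the example, and the threshold of 30 days for "expiring" is an assumption.

```python
"""Audit certmonger tracking output for expired, expiring, stuck or
erroring requests, and build a correctly escaped ldapi:// URI.
Added example for this thread; not FreeIPA or certmonger project code."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Constructed sample in the layout 'getcert list' prints. Host names,
# request IDs and dates are illustrative, not from a real deployment.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20191218181440':
        status: MONITORING
        stuck: no
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        subject: CN=dc1.example.test,O=EXAMPLE.TEST
        expires: 2023-11-21 15:14:49 -03
Request ID '20191219011208':
        status: MONITORING
        ca-error: Server at https://dc1.example.test/ipa/xml failed request, will retry: -504 (SSL certificate problem: certificate has expired).
        stuck: no
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        subject: CN=dc1.example.test,O=EXAMPLE.TEST
        expires: 2022-01-10 00:01:22 -03
Request ID '20200109120000':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
        subject: CN=CA Subsystem,O=EXAMPLE.TEST
        expires: 2022-12-01 09:00:00 -03
"""

# certmonger prints the UTC offset as bare hours ('-03'), which
# strptime's %z does not accept, so the offset is parsed by hand.
EXPIRES_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-])(\d{2}):?(\d{2})?$")


def parse_expires(value):
    """Turn an 'expires:' value into a timezone-aware datetime."""
    m = EXPIRES_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised expires value: {value!r}")
    stamp, sign, hours, minutes = m.groups()
    offset = timedelta(hours=int(hours), minutes=int(minutes or 0))
    if sign == "-":
        offset = -offset
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(offset))


def parse_getcert_list(text):
    """Split 'getcert list' output into one dict of fields per request."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"^Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return entries


def audit_tracking(text, now, warn_days=30):
    """Map each request ID to its findings (an empty list means healthy).
    A request without an 'expires' field (still pending) is judged only
    on its status, stuck and ca-error fields."""
    findings = {}
    for entry in parse_getcert_list(text):
        problems = []
        if "expires" in entry:
            expires = parse_expires(entry["expires"])
            if expires <= now:
                problems.append("EXPIRED")
            elif expires - now <= timedelta(days=warn_days):
                problems.append("EXPIRING")
        if entry.get("stuck") == "yes":
            problems.append("STUCK")
        if "ca-error" in entry:
            problems.append("CA_ERROR")
        if entry.get("status") != "MONITORING":
            problems.append("STATUS=" + entry.get("status", "?"))
        findings[entry["request_id"]] = problems
    return findings


def ldapi_uri(socket_path):
    """Percent-encode the socket path: in an ldapi:// URI the path sits in
    the authority component, so an unescaped '/' ends it early and the
    client looks for a socket that does not exist."""
    return "ldapi://" + quote(socket_path, safe="")


if __name__ == "__main__":
    report = audit_tracking(SAMPLE_GETCERT_OUTPUT, datetime.now(timezone.utc))
    for request_id, problems in report.items():
        print(request_id, ", ".join(problems) or "ok")
    print(ldapi_uri("/var/run/slapd-EXAMPLE-TEST.socket"))
```

To run it against a live server, replace `SAMPLE_GETCERT_OUTPUT` with the output of plain `getcert list` (not `ipa-getcert list`, which only shows the IPA CA helper), for example by reading it from stdin. Any request that reports EXPIRED, STUCK or CA_ERROR on either replica is a candidate for the renewal problem that stopped pki-tomcatd during the upgrade.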