John Obaterspok via FreeIPA-users wrote:
Den fre 22 jan. 2021 kl 09:54 skrev John Obaterspok
<john.obaterspok(a)gmail.com>:
>
> Hi,
>
> I'm stuck since about a week when I updated to latest ipa-server. It
> seems to be the same problem as Ian had ("FreeIPA centos8 update
> Failed to authenticate to CA REST API"). He seem to resolve this using
> a replicate which I dont have.
>
[... snip ...]
> [Migrating certificate profiles to LDAP]
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> RemoteRetrieveError: Failed to authenticate to CA REST API
> ...
>
...
> CA subsystem unavailable. Check CA debug
>
log.\n\tcom.netscape.cms.tomcat.ProxyRealm.validateRealm(ProxyRealm.java:81)\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:149)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)\...
Strange enough, it's working just fine now after the server was
restarted after dnf-automatic update and scheduled reboot. Only thing
I did prior to this was to replace old ipa server name from
sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg +
/etc/pki/pki-tomcat/ca/CS.cfg
The old server name was when I did a fedora xx to centos 8 migration
using replica. I believe I followed the
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
guide
Do you remember what values you changed?
rob