Hi,
I have a production server that was not maintained and I see that the HTTP certificate has expired long ago. I tried to renew it but I'm not being able to get it right.
The initial status was:
Request ID '20191219011208':
	status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
	stuck: yes
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
Then following this thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... I got it to this state:
Request ID '20191219011208':
	status: MONITORING
	ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
The post indicates that I have to set an old date on the server to get it renewed, but as the server is in production, that means all clients will fail to log in to the server. Furthermore, what time should I return to, before the certificate expiration or right after? Thanks in advance
I forgot to mention that the system is running on CentOS 8 and IPA 4.7.
Juan Pablo Lorier via FreeIPA-users wrote:
I'd guess that this affects a lot more than just the web server cert. getcert list will tell you.
Depending on that outcome, the suggested remediation will differ.
As for going back in time, you'd need a server outage to do this and it only would be backwards in time for a short time. Just long enough so the services could start with non-expired certificates to get them renewed. But there are other ways to do this that don't require fiddling with time.
rob
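Rob's "getcert list will tell you" is the first check to make. As an added example (not from this thread, FreeIPA or certmonger), here is a small Python triage of that output, run over a constructed sample that reuses the request states quoted above; the hostnames and NSSDB paths in the sample are placeholders.

```python
"""Triage certmonger tracking requests from the text printed by `getcert list`.

Added example for this thread (not FreeIPA or certmonger code): it lists every
request that is stuck, carries a ca-error, is in a non-MONITORING state or holds
an already-expired certificate, so the full scope of an expiry problem is
visible before choosing a remediation. SAMPLE is constructed for the example.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample (hostnames are placeholders), laid out the way `getcert list`
# prints: a 'Request ID' line followed by tab-indented 'key: value' fields.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20191219011208':
\tstatus: MONITORING
\tca-error: Server at https://dc1.example.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://dc1.example.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tsubject: CN=dc1.example.test,O=EXAMPLE.TEST
\texpires: 2021-12-18 01:12:08 UTC
Request ID '20191219011215':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
\tsubject: CN=dc1.example.test,O=EXAMPLE.TEST
\texpires: 2021-12-18 01:12:15 UTC
Request ID '20191219011230':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
\tcertificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
\tsubject: CN=dc1.example.test,O=EXAMPLE.TEST
\texpires: 2024-06-01 00:00:00 UTC
"""

Request = Tuple[str, Dict[str, str]]  # (request id, fields)


def parse_getcert_list(text: str) -> List[Request]:
    """Split the output into requests; each tab-indented 'key: value' line becomes a field."""
    requests = []  # type: List[Request]
    fields = None  # type: Optional[Dict[str, str]]
    for raw in text.splitlines():
        if raw.startswith("Request ID '") and raw.endswith("':"):
            fields = {}
            requests.append((raw[len("Request ID '"):-2], fields))
            continue
        key, sep, value = raw.strip().partition(":")
        # Ignore the leading count line, blank lines and anything outside a request block.
        if fields is not None and sep and raw[:1] in ("\t", " "):
            fields[key] = value.strip()
    return requests


def expiry_of(fields: Dict[str, str]) -> Optional[datetime]:
    """The 'expires' field as an aware UTC datetime, or None when certmonger prints 'unknown'."""
    try:
        naive = datetime.strptime(fields.get("expires", ""), "%Y-%m-%d %H:%M:%S UTC")
    except ValueError:
        return None
    return naive.replace(tzinfo=timezone.utc)


def triage(requests: List[Request], now: datetime) -> List[Tuple[str, List[str]]]:
    """Return (request id, problems) for every request that needs attention as of `now`."""
    findings = []  # type: List[Tuple[str, List[str]]]
    for request_id, fields in requests:
        problems = []  # type: List[str]
        if fields.get("stuck") == "yes":
            problems.append("stuck")
        status = fields.get("status", "")
        if status != "MONITORING":
            problems.append("status " + status)
        if "ca-error" in fields:
            problems.append("ca-error")
        expiry = expiry_of(fields)
        if expiry is not None and expiry <= now:
            problems.append("expired " + expiry.date().isoformat())
        if problems:
            findings.append((request_id, problems))
    return findings


def triage_sample(on_date: str) -> Dict[str, List[str]]:
    """Triage SAMPLE as of midnight UTC on `on_date` (YYYY-MM-DD), keyed by request id."""
    now = datetime.strptime(on_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return dict(triage(parse_getcert_list(SAMPLE), now))


if __name__ == "__main__":
    # On a real server, feed the stdout of `getcert list` to parse_getcert_list instead.
    for request_id, problems in triage_sample("2022-11-22").items():
        print(request_id, ", ".join(problems))
```

On a live server the same parser takes the real output of getcert list (run as root), which is the quickest way to see whether more than the httpd certificate is affected.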
Hi Rob,
Thanks for the reply. As I didn't know any other way than to go back in time, I just did it and now the server is running 100%.
This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter of running dnf update, but it seems that it is not such a happy path.
I updated the second server but it’s not able to finalize the update process. DNS is failing to start:
# systemctl status ipa-dnskeysyncd.service
● ipa-dnskeysyncd.service - IPA key daemon
   Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
 Main PID: 250496 (ipa-dnskeysyncd)
    Tasks: 1 (limit: 23652)
   Memory: 68.4M
   CGroup: /system.slice/ipa-dnskeysyncd.service
           └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd
Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1

[root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
-- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
#less /var/log/dirsrv/slapd-*/access
[22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
[22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
[22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
[22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
[22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
[22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
[22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
[22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
[22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
[22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
[22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
[22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
[22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
I see that after the update, the files were changed:
[root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
/etc/dirsrv/slapd-TNU-COM-UY:
total 4208
-rw-r-----. 1 dirsrv dirsrv   1804 Jan 21  2022 Server-Cert-Key.pem
-rw-r-----. 1 dirsrv dirsrv   1829 Jan 21  2022 Server-Cert.pem
-rw-r-----. 1 dirsrv dirsrv   1464 Jan 21  2022 TNU.COM.UY20IPA20CA.pem
-rw-r-----. 1 dirsrv root    36864 Dec 12  2021 cert9.db
-rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv   1729 Jan  9  2020 certmap.conf
-rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
-rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
-rw-r--r--. 1 dirsrv root   208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
-rw-------. 1 dirsrv root   202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
-rw-------. 1 dirsrv root   208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
-rw-------. 1 dirsrv root   208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
-rw-------. 1 dirsrv root   195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
-rw-------. 1 dirsrv root   203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
-rw-------. 1 dirsrv root   156705 Jan  9  2020 dse.ldif.ipa.6b71b47d73ca452a
-rw-------. 1 dirsrv root   202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
-rw-------. 1 dirsrv root   208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
-rw-------. 1 dirsrv root   208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
-rw-------. 1 dirsrv root   202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
-rw-------. 1 dirsrv root   202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
-rw-------. 1 dirsrv root   202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
-rw-------. 1 dirsrv root   208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
-rw-------. 1 dirsrv root   202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
-rw-------. 1 dirsrv root   202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
-rw-r--r--. 1 dirsrv root   208167 Nov 22 11:26 dse.ldif.modified.out
-rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv  36009 Jan  9  2020 dse_original.ldif
-rw-r-----. 1 dirsrv root    36864 Dec 12  2021 key4.db
-rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 key4.db.orig
-r--------. 1 dirsrv dirsrv     67 Jan  9  2020 pin.txt
-rw-r-----. 1 dirsrv dirsrv    561 Nov 22 11:26 pkcs11.txt
-rw-rw----. 1 dirsrv dirsrv    556 Jan  9  2020 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt
-r--------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv   4096 Nov 22 11:26 schema
drwxr-x---. 2 dirsrv root       25 Nov 21 18:59 schema.bak
-rw-r--r--. 1 dirsrv root    15142 Nov 21 18:59 slapd-collations.conf
I can’t connect to the LDAP service:
# ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
# less /var/log/ipaupgrade.log
Server built:   Jun 29 2021 22:00:15 UTC
Server number:  9.0.30.0
OS Name:        Linux
OS Version:     4.18.0-348.7.1.el8_5.x86_64
Architecture:   amd64
JVM Version:    1.8.0_322-b06
JVM Vendor:     Red Hat, Inc.
2022-11-22T14:26:56Z DEBUG stderr=
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-22T14:26:56Z DEBUG Process finished, return code=1
2022-11-22T14:26:56Z DEBUG stdout=
2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2022-11-22T14:26:57Z DEBUG Process finished, return code=1
2022-11-22T14:26:57Z DEBUG stdout=
2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
    ca.start('pki-tomcat')
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
    skip_output=not capture_output)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log
2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
#ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
2 service(s) are not running
Thanks
On 22 Nov 2022, at 11:43, Rob Crittenden rcritten@redhat.com wrote:
Juan Pablo Lorier wrote:
[root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
-- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
There should be quite a bit more after that.
#less /var/log/dirsrv/slapd-*/access
[22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290 [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewab leAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge" [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403 [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc= com,dc=uy" [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostN ame memberOf ipaSshPubKey ipaUniqueID" [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaU 
niqueID" [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn memb er entryusn" [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostC ategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgro ups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberU ser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup e xternalUser entryusn" [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 
etime=0.000956734 [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204 [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843 [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696 [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435 [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601 [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
I see that after the update, the files were changed:
[root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
/etc/dirsrv/slapd-TNU-COM-UY:
total 4208
-rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem
-rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem
-rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 TNU.COM.UY20IPA20CA.pem
-rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db
-rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf
-rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
-rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
-rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
-rw-------. 1 dirsrv root 202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
-rw-------. 1 dirsrv root 208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
-rw-------. 1 dirsrv root 208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
-rw-------. 1 dirsrv root 195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
-rw-------. 1 dirsrv root 203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
-rw-------. 1 dirsrv root 156705 Jan 9 2020 dse.ldif.ipa.6b71b47d73ca452a
-rw-------. 1 dirsrv root 202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
-rw-------. 1 dirsrv root 208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
-rw-------. 1 dirsrv root 208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
-rw-------. 1 dirsrv root 202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
-rw-------. 1 dirsrv root 202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
-rw-------. 1 dirsrv root 202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
-rw-------. 1 dirsrv root 208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
-rw-------. 1 dirsrv root 202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
-rw-------. 1 dirsrv root 202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
-rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out
-rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif
-rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db
-rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig
-r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt
-rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt
-rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt
-r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema
drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak
-rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf
I can’t connect to the LDAP service:
# ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
You have to escape the socket path: ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
# less /var/log/ipaupgrade.log
Server built: Jun 29 2021 22:00:15 UTC
Server number: 9.0.30.0
OS Name: Linux
OS Version: 4.18.0-348.7.1.el8_5.x86_64
Architecture: amd64
JVM Version: 1.8.0_322-b06
JVM Vendor: Red Hat, Inc.
2022-11-22T14:26:56Z DEBUG stderr=
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-22T14:26:56Z DEBUG Process finished, return code=1
2022-11-22T14:26:56Z DEBUG stdout=
2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2022-11-22T14:26:57Z DEBUG Process finished, return code=1
2022-11-22T14:26:57Z DEBUG stdout=
2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
    ca.start('pki-tomcat')
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
    skip_output=not capture_output)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log
2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
The CA failed to start. This is often due to expired certificates that get exposed when an upgrade is done. Check that out.
#ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
2 service(s) are not running
Thanks
On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier via FreeIPA-users wrote:
Hi,
I have a production server that was not maintained and I see that the HTTP certificate has expired long ago. I tried to renew it but I'm not being able to get it right.
The initial status was:
Request ID '20191219011208': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key' certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
Then following this thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
I got it to this state:
Request ID '20191219011208': status: MONITORING ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired). stuck: no key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA' certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
The post indicates that I have to put an old date in the server to get it renewed, but as the server is in production, it means that all clients will fail to log in to the server. Even more, what time should I return to, before the certificate expiration or right after? Thanks in advance
I'd guess that this affects a lot more than just the web server cert. getcert list will tell you.
That outcome will affect the suggested remediation.
As for going back in time, you'd need a server outage to do this and it only would be backwards in time for a short time. Just long enough so the services could start with non-expired certificates to get them renewed. But there are other ways to do this that don't require fiddling with time.
rob
Hi Rob,
Thanks again for your help. I checked the certs as one of the first steps and they seem to be right (unless they are not shown by ipa-getcert)
ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015302':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
        issued: 2021-12-12 22:53:10 -03
        expires: 2023-12-13 22:53:10 -03
        dns: dc2.tnu.com.uy
        principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caIPAserviceCert
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
        track: yes
        auto-renew: yes
Request ID '20200110015320':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
        issued: 2021-12-12 22:53:26 -03
        expires: 2023-12-13 22:53:26 -03
        dns: dc2.tnu.com.uy
        principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caIPAserviceCert
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20200110015908':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
        issued: 2021-12-12 22:59:28 -03
        expires: 2023-12-13 22:59:28 -03
        principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
About the escaped chars, following your hint I still can’t connect:
ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun/%2flapd-TNU-COM-UY.socket ldapi:///var/run//lapd%5C-TNU%5C-COM%5C-UY.socket
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
For the partial log, it repeats the same error about not being able to connect to ldap:
Nov 22 11:23:14 dc2.tnu.com.uy systemd[1]: Started IPA key daemon. Nov 22 11:23:14 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: ipa-dnskeysyncd: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: ipa-dnskeysyncd: INFO LDAP bind... Nov 22 11:23:16 dc2.tnu.com.uy platform-python[249536]: GSSAPI client step 1 Nov 22 11:23:16 dc2.tnu.com.uy platform-python[249536]: GSSAPI client step 1 Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: ipa-dnskeysyncd: ERROR Login to LDAP server failed: {'result': 49, 'desc': 'Invalid credentials', 'ctrls': []} Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: Traceback (most recent call last): Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 110, in <module> Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI) Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 1255, in sasl_interactive_bind_s Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs) Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 1224, in _apply_method_s Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: return func(self,*args,**kwargs) Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 476, in sasl_interactive_bind_s Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl> Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 340, in _ldap_call Nov 22 
11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: reraise(exc_type, exc_value, exc_traceback) Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 46, in reraise Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: raise exc_value Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 324, in _ldap_call Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: result = func(*args,**kwargs) Nov 22 11:23:16 dc2.tnu.com.uy ipa-dnskeysyncd[249536]: ldap.INVALID_CREDENTIALS: {'result': 49, 'desc': 'Invalid credentials', 'ctrls': []} Nov 22 11:23:16 dc2.tnu.com.uy systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE Nov 22 11:23:16 dc2.tnu.com.uy systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'. Nov 22 11:24:16 dc2.tnu.com.uy systemd[1]: ipa-dnskeysyncd.service: Service RestartSec=1min expired, scheduling restart. Nov 22 11:24:16 dc2.tnu.com.uy systemd[1]: ipa-dnskeysyncd.service: Scheduled restart job, restart counter is at 1242. Nov 22 11:24:16 dc2.tnu.com.uy systemd[1]: Stopped IPA key daemon. Nov 22 11:24:16 dc2.tnu.com.uy systemd[1]: Started IPA key daemon. Nov 22 11:24:17 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: ipa-dnskeysyncd: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: ipa-dnskeysyncd: INFO LDAP bind... 
Nov 22 11:24:18 dc2.tnu.com.uy platform-python[249579]: GSSAPI client step 1 Nov 22 11:24:18 dc2.tnu.com.uy platform-python[249579]: GSSAPI client step 1 Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: ipa-dnskeysyncd: ERROR Login to LDAP server failed: {'result': 49, 'desc': 'Invalid credentials', 'ctrls': []} Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: Traceback (most recent call last): Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 110, in <module> Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI) Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 1255, in sasl_interactive_bind_s Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs) Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 1224, in _apply_method_s Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: return func(self,*args,**kwargs) Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 476, in sasl_interactive_bind_s Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl> Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 340, in _ldap_call Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: reraise(exc_type, exc_value, exc_traceback) Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 46, in reraise Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: raise exc_value Nov 22 11:24:18 
dc2.tnu.com.uy ipa-dnskeysyncd[249579]: File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 324, in _ldap_call Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: result = func(*args,**kwargs) Nov 22 11:24:18 dc2.tnu.com.uy ipa-dnskeysyncd[249579]: ldap.INVALID_CREDENTIALS: {'result': 49, 'desc': 'Invalid credentials', 'ctrls': []} Nov 22 11:24:19 dc2.tnu.com.uy systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE Nov 22 11:24:19 dc2.tnu.com.uy systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'. Nov 22 11:25:19 dc2.tnu.com.uy systemd[1]: ipa-dnskeysyncd.service: Service RestartSec=1min expired, scheduling restart. Nov 22 11:25:19 dc2.tnu.com.uy systemd[1]: ipa-dnskeysyncd.service: Scheduled restart job, restart counter is at 1243. Nov 22 11:25:19 dc2.tnu.com.uy systemd[1]: Stopped IPA key daemon. Nov 22 11:25:19 dc2.tnu.com.uy systemd[1]: Started IPA key daemon. Nov 22 11:25:19 dc2.tnu.com.uy ipa-dnskeysyncd[250241]: ipa-dnskeysyncd: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details Nov 22 11:25:21 dc2.tnu.com.uy ipa-dnskeysyncd[250241]: ipa-dnskeysyncd: INFO LDAP bind... Nov 22 11:25:21 dc2.tnu.com.uy platform-python[250241]: GSSAPI client step 1 Nov 22 11:25:21 dc2.tnu.com.uy platform-python[250241]: GSSAPI client step 1 Nov 22 11:25:21 dc2.tnu.com.uy platform-python[250241]: GSSAPI client step 1 Nov 22 11:25:21 dc2.tnu.com.uy platform-python[250241]: GSSAPI client step 2 Nov 22 11:25:21 dc2.tnu.com.uy ipa-dnskeysyncd[250241]: ipa-dnskeysyncd: INFO Commencing sync process Nov 22 11:25:21 dc2.tnu.com.uy ipa-dnskeysyncd[250241]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND Nov 22 11:25:24 dc2.tnu.com.uy platform-python[250255]: Configuration.cpp(96): Missing log.level in configuration. 
Using default value: INFO Nov 22 11:25:24 dc2.tnu.com.uy platform-python[250255]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL Nov 22 11:25:24 dc2.tnu.com.uy platform-python[250255]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false Nov 22 11:25:24 dc2.tnu.com.uy platform-python[250255]: GSSAPI client step 1 Nov 22 11:25:24 dc2.tnu.com.uy platform-python[250255]: GSSAPI client step 1 Nov 22 11:25:24 dc2.tnu.com.uy platform-python[250255]: GSSAPI client step 1 Nov 22 11:26:16 dc2.tnu.com.uy ipa-dnskeysyncd[250241]: ipa-dnskeysyncd: ERROR syncrepl_poll: LDAP error ({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': []}) Nov 22 11:26:16 dc2.tnu.com.uy systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE Nov 22 11:26:16 dc2.tnu.com.uy systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'. Nov 22 11:27:16 dc2.tnu.com.uy systemd[1]: ipa-dnskeysyncd.service: Service RestartSec=1min expired, scheduling restart. Nov 22 11:27:16 dc2.tnu.com.uy systemd[1]: ipa-dnskeysyncd.service: Scheduled restart job, restart counter is at 1244. Nov 22 11:27:16 dc2.tnu.com.uy systemd[1]: Stopped IPA key daemon. Nov 22 11:27:16 dc2.tnu.com.uy systemd[1]: Started IPA key daemon. Nov 22 11:27:17 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO LDAP bind... 
Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1 Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1 Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1 Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2 Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1 Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1 Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1 Nov 23 03:00:06 dc2.tnu.com.uy systemd[1]: Stopping IPA key daemon... Nov 23 03:00:06 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Signal 15 received: Shutting down! Nov 23 03:00:06 dc2.tnu.com.uy systemd[1]: ipa-dnskeysyncd.service: Succeeded. Nov 23 03:00:06 dc2.tnu.com.uy systemd[1]: Stopped IPA key daemon.
Please let me know if I can provide you with more information to debug this issue.
Regards
On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi Rob,
Thanks for the reply. As I didn’t know other way but to go back in time, I just did it and now the server is running 100%.
This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter to def update but it seems that is not such a happy path.
I updated the second server but it’s not able to finalize the update process. DNS is failing to start:
# systemctl status ipa-dnskeysyncd.service
● ipa-dnskeysyncd.service - IPA key daemon
   Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
 Main PID: 250496 (ipa-dnskeysyncd)
    Tasks: 1 (limit: 23652)
   Memory: 68.4M
   CGroup: /system.slice/ipa-dnskeysyncd.service
           └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd

Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
[root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
-- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. -- Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon. Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins... Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module 
ipaserver.plugins.config Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange Nov 21 13:50:22 dc2.tnu.com.uy 
ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2 Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
There should be quite a bit more after that.
#less /var/log/dirsrv/slapd-*/access
[22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
[22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
[22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
[22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
[22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
[22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
[22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
[22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
[22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
[22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
[22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
[22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
[22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
I see that after the update, the files were changed:
[root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
/etc/dirsrv/slapd-TNU-COM-UY:
total 4208
-rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem
-rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem
-rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 TNU.COM.UY20IPA20CA.pem
-rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db
-rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf
-rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
-rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
-rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
-rw-------. 1 dirsrv root 202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
-rw-------. 1 dirsrv root 208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
-rw-------. 1 dirsrv root 208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
-rw-------. 1 dirsrv root 195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
-rw-------. 1 dirsrv root 203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
-rw-------. 1 dirsrv root 156705 Jan 9 2020 dse.ldif.ipa.6b71b47d73ca452a
-rw-------. 1 dirsrv root 202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
-rw-------. 1 dirsrv root 208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
-rw-------. 1 dirsrv root 208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
-rw-------. 1 dirsrv root 202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
-rw-------. 1 dirsrv root 202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
-rw-------. 1 dirsrv root 202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
-rw-------. 1 dirsrv root 208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
-rw-------. 1 dirsrv root 202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
-rw-------. 1 dirsrv root 202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
-rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out
-rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif
-rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db
-rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig
-r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt
-rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt
-rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt
-r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema
drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak
-rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf
I can’t connect to the LDAP service:
# ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
You have to escape the socket path:
ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
ldapi:///var/run/slapd\-EXAMPLE\-TEST.socket
# less /var/log/ipaupgrade.log
Server built: Jun 29 2021 22:00:15 UTC
Server number: 9.0.30.0
OS Name: Linux
OS Version: 4.18.0-348.7.1.el8_5.x86_64
Architecture: amd64
JVM Version: 1.8.0_322-b06
JVM Vendor: Red Hat, Inc.
2022-11-22T14:26:56Z DEBUG stderr=
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-22T14:26:56Z DEBUG Process finished, return code=1
2022-11-22T14:26:56Z DEBUG stdout=
2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2022-11-22T14:26:57Z DEBUG Process finished, return code=1
2022-11-22T14:26:57Z DEBUG stdout=
2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
    ca.start('pki-tomcat')
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
    skip_output=not capture_output)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log
2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
The CA failed to start. This is often due to expired certificates that get exposed when an upgrade is done. Check that out.
#ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
2 service(s) are not running
Thanks
On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:
I'd guess that this affects a lot more than just the web server cert. getcert list will tell you.
That outcome will affect the suggested remediation.
As for going back in time, you'd need a server outage to do this and it only would be backwards in time for a short time. Just long enough so the services could start with non-expired certificates to get them renewed. But there are other ways to do this that don't require fiddling with time.
rob
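As an added illustration of the socket-path point above (example code, not from the thread or from FreeIPA/OpenLDAP): the unescaped URI parses with "var" as the host, which is why ldapsearch reports that it cannot contact the server, while percent-encoding the slashes keeps the whole path in the authority part, which libldap decodes back into the socket path. The socket path is the one from the thread.

```python
"""Build and check ldapi:// URIs for a 389-ds / FreeIPA Unix socket.

Added example, not code from the thread: it shows why
ldapi://var/run/slapd-TNU-COM-UY.socket cannot work and how the escaped
form Rob gives is constructed. The socket path is taken from the thread.
"""
from urllib.parse import quote, unquote, urlsplit

SOCKET_PATH = "/var/run/slapd-TNU-COM-UY.socket"  # from the thread


def ldapi_uri(socket_path):
    """Return the ldapi:// URI for an absolute socket path.

    Every '/' in the path is percent-encoded so the whole path sits in the
    authority (host) part of the URI; libldap decodes that back into the
    filesystem path it connects to.
    """
    if not socket_path.startswith("/"):
        raise ValueError("socket path must be absolute: %r" % socket_path)
    return "ldapi://" + quote(socket_path, safe="")


def socket_path_from_uri(uri):
    """Return the socket path a client will actually try to open for `uri`.

    This is the reverse of ldapi_uri() and explains the failure in the thread:
    for 'ldapi://var/run/x.socket' the authority part is just 'var', so the
    client looks for a socket called 'var' and cannot contact the server.
    """
    parts = urlsplit(uri)
    if parts.scheme != "ldapi":
        raise ValueError("not an ldapi URI: %r" % uri)
    return unquote(parts.netloc)


def check_ldapi_uri(uri):
    """Return (ok, resolved_path); ok is False when the decoded socket path
    is not absolute, i.e. the URI was written without escaping the slashes."""
    path = socket_path_from_uri(uri)
    return path.startswith("/"), path


if __name__ == "__main__":
    for candidate in ("ldapi://var/run/slapd-TNU-COM-UY.socket",
                      ldapi_uri(SOCKET_PATH)):
        ok, path = check_ldapi_uri(candidate)
        print("%-48s -> %s (%s)" % (candidate, path, "ok" if ok else "BROKEN"))
```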
Hi again,
I used the ldapi from /etc/ipa/default.conf and I was able to get a different reply:
ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd-TNU-COM-UY.socket ldapi:///var/run/slapd%5C-TNU%5C-COM%5C-UY.socket
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
But if I try to renew the ticket, it fails:
kinit admin
kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
The running DC is in 4.7 and it should reply to the kinit requests
I added the debug option to see if I can get further information.
ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl
Regards
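Rob's advice earlier in the thread was to run getcert list and let its outcome drive the remediation, and the pki-tomcat start failure during the upgrade is exactly the kind of thing that points back at expired certificates. The following added example (not code from the thread or from FreeIPA/certmonger) parses getcert list output and flags every tracked request that is stuck, carries a ca-error, is not in MONITORING, or whose certificate has already expired. The sample output is constructed around the request ID and file locations shown in this thread; the expiry dates and the second and third requests are invented.

```python
"""Triage `getcert list` output before deciding how to recover an IPA server.

Added example, not part of the thread or of FreeIPA/certmonger. The sample
below is constructed: the first request ID and its file locations come from
the thread, the expiry dates and the other two requests are invented.
"""
import re
from datetime import datetime, timezone

SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20191219011208':
\tstatus: MONITORING
\tca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (SSL certificate problem: certificate has expired).
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\texpires: 2021-12-19 01:12:08 UTC
\ttrack: yes
Request ID '20191219011209':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert'
\ttrack: yes
Request ID '20191219011210':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca'
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca'
\texpires: 2030-01-01 00:00:00 UTC
\ttrack: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
HEALTHY_STATUS = "MONITORING"


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output.

    Each field line is split on its first ':' so values that contain colons
    themselves (URLs, timestamps, ca-error text) are kept intact.
    """
    requests = {}
    current = None
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if match:
            current = requests.setdefault(match.group(1), {})
            continue
        if current is None or ":" not in line:
            continue  # header lines before the first request
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' expiry format."""
    naive = datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z")
    return naive.replace(tzinfo=timezone.utc)


def triage(text, now, warn_days=30):
    """Return {request_id: [problems]} for every request needing attention."""
    findings = {}
    for rid, fields in parse_getcert_list(text).items():
        problems = []
        status = fields.get("status", "")
        if status != HEALTHY_STATUS:
            problems.append("status " + status)
        if fields.get("stuck") == "yes":
            problems.append("stuck")
        if "ca-error" in fields:
            problems.append("ca-error: " + fields["ca-error"])
        if "expires" in fields:
            expires = parse_expiry(fields["expires"])
            if expires <= now:
                problems.append("expired %s" % expires.date())
            elif (expires - now).days < warn_days:
                problems.append("expires within %d days (%s)" % (warn_days, expires.date()))
        if problems:
            findings[rid] = problems
    return findings


if __name__ == "__main__":
    # On a live IPA server replace the sample with the real output, e.g.
    # subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout
    for rid, problems in triage(SAMPLE_GETCERT_LIST, datetime.now(timezone.utc)).items():
        print("Request ID %s:" % rid)
        for problem in problems:
            print("    " + problem)
```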
On 23 Nov 2022, at 11:50, Rob Crittenden rcritten@redhat.com wrote:
Juan Pablo Lorier wrote:
Hi Rob,
Thanks for the reply. As I didn’t know other way but to go back in time, I just did it and now the server is running 100%.
This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter to def update but it seems that is not such a happy path.> I updated the second server but it’s not able to finalize the update process. DNS is failing to start:
# systemctl status ipa-dnskeysyncd.service
*●*ipa-dnskeysyncd.service - IPA key daemon Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled) Active: *active (running)*since Tue 2022-11-22 11:27:16 -03; 1h 14min ago Main PID: 250496 (ipa-dnskeysyncd) Tasks: 1 (limit: 23652) Memory: 68.4M CGroup: /system.slice/ipa-dnskeysyncd.service └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd
Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1 Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2 Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: *Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO* Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: *Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL* Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: *Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false* Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1 Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1 Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
GSSAPI client step 1 [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
-- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. -- Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon. Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins... Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca <http://ipaserver.plugins.ca http://ipaserver.plugins.ca/> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module 
ipaserver.plugins.config Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange Nov 21 13:50:22 dc2.tnu.com.uy 
ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2 Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
There should be quite a bit more after that.
#less /var/log/dirsrv/slapd-*/access
[22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290 [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewab leAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge" [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403 [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc= com,dc=uy" [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostN ame memberOf ipaSshPubKey ipaUniqueID" [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaU 
niqueID" [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn memb er entryusn" [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostC ategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgro ups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberU ser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup e xternalUser entryusn" [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 
etime=0.000956734 [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204 [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843 [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696 [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435 [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601 [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
I see that after the update, the files were changed:
[root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
/etc/dirsrv/slapd-TNU-COM-UY:
total 4208
-rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem
-rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem
-rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 TNU.COM.UY20IPA20CA.pem
-rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db
-rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf
-rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
-rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
-rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
-rw-------. 1 dirsrv root 202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
-rw-------. 1 dirsrv root 208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
-rw-------. 1 dirsrv root 208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
-rw-------. 1 dirsrv root 195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
-rw-------. 1 dirsrv root 203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
-rw-------. 1 dirsrv root 156705 Jan 9 2020 dse.ldif.ipa.6b71b47d73ca452a
-rw-------. 1 dirsrv root 202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
-rw-------. 1 dirsrv root 208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
-rw-------. 1 dirsrv root 208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
-rw-------. 1 dirsrv root 202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
-rw-------. 1 dirsrv root 202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
-rw-------. 1 dirsrv root 202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
-rw-------. 1 dirsrv root 208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
-rw-------. 1 dirsrv root 202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
-rw-------. 1 dirsrv root 202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
-rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out
-rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif
-rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db
-rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig
-r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt
-rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt
-rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt
-r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema
drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak
-rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf
I can’t connect to the LDAP service:
# ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
You have to escape the socket path: ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
# less /var/log/ipaupgrade.log
Server built: Jun 29 2021 22:00:15 UTC
Server number: 9.0.30.0
OS Name: Linux
OS Version: 4.18.0-348.7.1.el8_5.x86_64
Architecture: amd64
JVM Version: 1.8.0_322-b06
JVM Vendor: Red Hat, Inc.
2022-11-22T14:26:56Z DEBUG stderr=
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-22T14:26:56Z DEBUG Process finished, return code=1
2022-11-22T14:26:56Z DEBUG stdout=
2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2022-11-22T14:26:57Z DEBUG Process finished, return code=1
2022-11-22T14:26:57Z DEBUG stdout=
2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code. See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
    ca.start('pki-tomcat')
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
    skip_output=not capture_output)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log
2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
The CA failed to start. This is often due to expired certificates that get exposed when an upgrade is done. Check that out.
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
2 service(s) are not running
Thanks
On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier via FreeIPA-users wrote:
Hi,
I have a production server that was not maintained and I see that the HTTP certificate has expired long ago. I tried to renew it but I'm not being able to get it right.
The initial status was:
Request ID '20191219011208':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
Then following this thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
I got it to this state:
Request ID '20191219011208':
    status: MONITORING
    ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
The post indicates that I have to put an old date on the server to get it renewed, but as the server is in production, it means that all clients will fail to log in to the server. Even more, what time should I return to, before the certificate expiration or right after? Thanks in advance
I'd guess that this affects a lot more than just the web server cert. getcert list will tell you.
That outcome will affect the suggested remediation.
As for going back in time, you'd need a server outage to do this and it only would be backwards in time for a short time. Just long enough so the services could start with non-expired certificates to get them renewed. But there are other ways to do this that don't require fiddling with time.
rob
Run "ipactl --ignore-service-failures" and it should bring up all the services it can.
rob
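As an added example (not code from the thread or from FreeIPA itself), the two checks Rob points at in this reply in bash: building the escaped ldapi:// URI that ldapsearch needs, and triaging `getcert list` output for tracking requests that are stuck, carry a ca-error, or hold an already expired certificate, which is what an upgrade tends to expose. The function names, the sample getcert output and the request IDs in it are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from FreeIPA: helpers for the two
# checks discussed above. Assumes bash, awk and sed; the sample data below is
# constructed and the function names are this example's own.

# Build the ldapi:// URI ldapsearch expects: every "/" in the socket path must
# be percent-encoded, otherwise the bind fails with "Can't contact LDAP server (-1)".
ldapi_uri() {
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed 's,/,%2f,g')"
}

# Triage `getcert list` output read on stdin against a reference time
# ("YYYY-MM-DD HH:MM:SS UTC", passed in so the check can run offline).
# A request is reported when it is not MONITORING, is stuck, carries a
# ca-error, or its certificate expired before the reference time. One line
# per problem request; exit status 1 when any were found, 0 when all is well.
certmon_triage() {
    local now="${1:?usage: certmon_triage 'YYYY-MM-DD HH:MM:SS UTC' < getcert-list-output}"
    awk -v now="$now" '
    # "2022-11-22 12:00:00 UTC" -> "20221122120000", comparable as a string
    function stamp(ts) { gsub(/[^0-9]/, "", ts); return substr(ts, 1, 14) }
    function flush(   problems) {
        if (id == "") return
        problems = ""
        if (status != "MONITORING") problems = problems " status=" status
        if (stuck == "yes")         problems = problems " stuck"
        if (caerr != "")            problems = problems " ca-error"
        if (expires != "" && stamp(expires) < stamp(now))
            problems = problems " expired(" expires ")"
        if (problems != "") { bad++; print id ":" problems }
        id = status = stuck = caerr = expires = ""
    }
    /^Request ID/      { flush(); id = $3; gsub(/[^A-Za-z0-9_.-]/, "", id); next }
    /^[ \t]*status:/   { status = $2 }
    /^[ \t]*stuck:/    { stuck = $2 }
    /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error: */, ""); caerr = $0 }
    /^[ \t]*expires:/  { sub(/^[ \t]*expires: */, ""); expires = $0 }
    END { flush(); exit (bad > 0) }'
}

# Constructed sample in the layout of `getcert list`: one request whose
# certificate expired and that carries a ca-error, one stuck waiting for its
# PIN, and one healthy request.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20190101000001':
    status: MONITORING
    ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: -504 (SSL certificate problem: certificate has expired).
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa.example.test-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    expires: 2021-12-19 01:12:08 UTC
    track: yes
    auto-renew: yes
Request ID '20190101000002':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
    track: yes
    auto-renew: yes
Request ID '20190101000003':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    expires: 2024-11-19 01:12:10 UTC
    track: yes
    auto-renew: yes
EOF
}

# Stand-alone run: print the escaped URI, then triage the sample. On a real
# server you would pipe `getcert list` in and pass "$(date -u '+%F %T UTC')".
main() {
    ldapi_uri /var/run/slapd-EXAMPLE-TEST.socket
    if ! sample_getcert_list | certmon_triage '2022-11-22 12:00:00 UTC'; then
        echo 'certmonger: some tracking requests need attention before upgrading' >&2
    fi
}
main "$@"
```

Run it before starting an upgrade: a non-zero exit means at least one tracked certificate needs renewing first, which is exactly the condition that makes pki-tomcat refuse to start afterwards.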
Juan Pablo Lorier wrote:
Hi again,
I used the ldapi from /etc/ipa/default.conf and I was able to get a different reply:
ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd-TNU-COM-UY.socket
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
But if I try to renew the ticket, it fails:
kinit admin
kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
The running DC is in 4.7 and it should reply to the kinit requests
I added the debug option to see if I can get further information.
ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl
Regards
On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi Rob,
Thanks for the reply. As I didn't know any other way but to go back in time, I just did it and now the server is running 100%.
This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter of a dnf update, but it seems that is not such a happy path.
I updated the second server but it's not able to finalize the update process. DNS is failing to start:
# systemctl status ipa-dnskeysyncd.service
● ipa-dnskeysyncd.service - IPA key daemon
   Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
 Main PID: 250496 (ipa-dnskeysyncd)
    Tasks: 1 (limit: 23652)
   Memory: 68.4M
   CGroup: /system.slice/ipa-dnskeysyncd.service
           └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd
Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
[root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
-- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
There should be quite a bit more after that.
# less /var/log/dirsrv/slapd-*/access
[22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
[22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
[22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
[22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
[22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
[22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
[22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
[22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
[22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
[22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
[22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
[22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
[22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
I see that after the update, the files were changed:
[root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
/etc/dirsrv/slapd-TNU-COM-UY:
total 4208
-rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem
-rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem
-rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 TNU.COM.UY20IPA20CA.pem
-rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db
-rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf
-rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
-rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
-rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
-rw-------. 1 dirsrv root 202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
-rw-------. 1 dirsrv root 208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
-rw-------. 1 dirsrv root 208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
-rw-------. 1 dirsrv root 195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
-rw-------. 1 dirsrv root 203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
-rw-------. 1 dirsrv root 156705 Jan 9 2020 dse.ldif.ipa.6b71b47d73ca452a
-rw-------. 1 dirsrv root 202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
-rw-------. 1 dirsrv root 208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
-rw-------. 1 dirsrv root 208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
-rw-------. 1 dirsrv root 202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
-rw-------. 1 dirsrv root 202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
-rw-------. 1 dirsrv root 202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
-rw-------. 1 dirsrv root 208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
-rw-------. 1 dirsrv root 202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
-rw-------. 1 dirsrv root 202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
-rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out
-rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif
-rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db
-rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig
-r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt
-rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt
-rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt
-r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema
drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak
-rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf
I can’t connect to the LDAP service:
# ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
You have to escape the socket path: ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
# less /var/log/ipaupgrade.log
Server built: Jun 29 2021 22:00:15 UTC
Server number: 9.0.30.0
OS Name: Linux
OS Version: 4.18.0-348.7.1.el8_5.x86_64
Architecture: amd64
JVM Version: 1.8.0_322-b06
JVM Vendor: Red Hat, Inc.
2022-11-22T14:26:56Z DEBUG stderr=
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-22T14:26:56Z DEBUG Process finished, return code=1
2022-11-22T14:26:56Z DEBUG stdout=
2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2022-11-22T14:26:57Z DEBUG Process finished, return code=1
2022-11-22T14:26:57Z DEBUG stdout=
2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code. See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
    ca.start('pki-tomcat')
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
    skip_output=not capture_output)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log
2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
The CA failed to start. This is often due to expired certificates that get exposed when an upgrade is done. Check that out.
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
2 service(s) are not running
Thanks
On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier via FreeIPA-users wrote:
Hi,
I have a production server that was not maintained and I see that the HTTP certificate has expired long ago. I tried to renew it but I'm not being able to get it right.
The initial status was:
Request ID '20191219011208':
	status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
	stuck: yes
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
Then following this thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
I got it to this state:
Request ID '20191219011208':
	status: MONITORING
	ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
The post indicates that I have to put an old date in the server to get it renewed, but as the server is in production, it means that all clients will fail to log in to the server. Even more, what time should I return to, before the certificate expiration or right after? Thanks in advance
I'd guess that this affects a lot more than just the web server cert. getcert list will tell you.
That outcome will affect the suggested remediation.
As for going back in time, you'd need a server outage to do this and it only would be backwards in time for a short time. Just long enough so the services could start with non-expired certificates to get them renewed. But there are other ways to do this that don't require fiddling with time.
rob
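Rob's first step above, taking stock with getcert list before choosing a remediation, as an added helper that is not part of this thread or of FreeIPA: it parses getcert list output, flags requests that are stuck, errored or past expiry, and computes the latest moment at which every tracked certificate was still valid, which is the only point a short clock rollback would need to reach. The sample output is constructed; the first request ID and the httpd key/cert paths are from the thread, while the hostnames, realm, dates and the other two requests are made up.

```python
"""Triage certmonger's `getcert list` output on a neglected FreeIPA server.

Added example, not code from the thread or from FreeIPA. It parses the records
`getcert list` prints and answers two questions: which requests need attention,
and how far back a clock would have to go for every tracked cert to be valid.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout `getcert list` uses. The first request ID and the
# httpd key/cert paths come from the thread; hostnames, realm, dates and the other
# two requests are made up for the example.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20191219011208':
\tstatus: MONITORING
\tca-error: Server at https://dc1.example.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://dc1.example.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc1.example.test-443-RSA'
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tCA: IPA
\texpires: 2021-12-19 01:12:08 UTC
Request ID '20200109120000':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2022-01-21 10:00:00 UTC
Request ID '20200109120001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2039-12-31 00:00:00 UTC
"""

REQUEST_HEADER = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text):
    """Turn `getcert list` output into a list of dicts, one per tracked request."""
    requests = []
    current = None
    for line in text.splitlines():
        header = REQUEST_HEADER.match(line)
        if header:
            current = {"id": header.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # preamble such as the "Number of certificates ..." line
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def triage(requests, now, warn_within=timedelta(days=28)):
    """Return {request_id: [problem, ...]} for every request that needs attention."""
    findings = {}
    for req in requests:
        problems = []
        if req.get("stuck") == "yes":
            problems.append("stuck in state " + req.get("status", "?"))
        if "ca-error" in req:
            problems.append("last renewal attempt failed: " + req["ca-error"])
        if "expires" in req:
            expires = parse_expiry(req["expires"])
            if expires <= now:
                problems.append("expired on " + req["expires"])
            elif expires - now <= warn_within:
                problems.append("expires within %d days" % warn_within.days)
        if problems:
            findings[req["id"]] = problems
    return findings


def last_all_valid_time(requests, margin=timedelta(hours=1)):
    """Latest time at which every tracked certificate was still valid, minus a margin.

    A rollback for renewal only needs to land shortly before the earliest expiry.
    """
    expiries = [parse_expiry(r["expires"]) for r in requests if "expires" in r]
    return min(expiries) - margin if expiries else None


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    for rid, problems in triage(reqs, datetime.now(timezone.utc)).items():
        print(rid)
        for problem in problems:
            print("  -", problem)
    print("latest time with all certs valid:", last_all_valid_time(reqs))
```

On a real server, feed it `getcert list` output instead of the constructed sample.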
Hi,
Rob, the problem with ipactl --ignore-service-failures is that it always tries to upgrade from 4.7 to 4.9 first and it fails for that reason.
I was able to move forward and get pki-tomcat running but I still can't finish the upgrade process. Here are some more logs to see if you can see a lead to help me.
Regards
/var/log/ipaupgrade.log
2022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1273, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 982, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error
2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-30T16:07:54Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1908, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1207, in __enter__
    method='GET'
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in https_request
    method=method, headers=headers)
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))
2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
dirsrv/slapd-TNU-COM-UY/errors
[30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
[30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
[30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
[30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
localhost_access_log.2022-11-30.txt
127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669
On 23 Nov 2022, at 18:42, Rob Crittenden <rcritten@redhat.com> wrote:
Run "ipactl --ignore-service-failures" and it should bring up all the services it can.
rob
Juan Pablo Lorier wrote:
Hi again,
I used the ldapi from /etc/ipa/default.conf and I was able to get a different reply:
ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd-TNU-COM-UY.socket
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
But if I try to renew the ticket, it fails:
kinit admin
kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
The running DC is in 4.7 and it should reply to the kinit requests
I added the debug option to see if I can get further information.
ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl
Regards
On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi Rob,
Thanks for the reply. As I didn't know any other way but to go back in time, I just did it and now the server is running 100%.
This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter of a dnf update, but it seems that is not such a happy path. I updated the second server but it's not able to finalize the update process. DNS is failing to start:
# systemctl status ipa-dnskeysyncd.service
● ipa-dnskeysyncd.service - IPA key daemon
   Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
 Main PID: 250496 (ipa-dnskeysyncd)
    Tasks: 1 (limit: 23652)
   Memory: 68.4M
   CGroup: /system.slice/ipa-dnskeysyncd.service
           └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd

Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
[root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
-- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
There should be quite a bit more after that.
# less /var/log/dirsrv/slapd-*/access
[22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
[22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
[22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
[22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
[22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
[22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
[22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
[22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
[22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
[22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
[22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
[22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
[22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
I see that after the update, the files were changed:
[root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
/etc/dirsrv/slapd-TNU-COM-UY:
total 4208
-rw-r-----. 1 dirsrv dirsrv   1804 Jan 21  2022 Server-Cert-Key.pem
-rw-r-----. 1 dirsrv dirsrv   1829 Jan 21  2022 Server-Cert.pem
-rw-r-----. 1 dirsrv dirsrv   1464 Jan 21  2022 TNU.COM.UY20IPA20CA.pem
-rw-r-----. 1 dirsrv root    36864 Dec 12  2021 cert9.db
-rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv   1729 Jan  9  2020 certmap.conf
-rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
-rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
-rw-r--r--. 1 dirsrv root   208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
-rw-------. 1 dirsrv root   202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
-rw-------. 1 dirsrv root   208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
-rw-------. 1 dirsrv root   208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
-rw-------. 1 dirsrv root   195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
-rw-------. 1 dirsrv root   203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
-rw-------. 1 dirsrv root   156705 Jan  9  2020 dse.ldif.ipa.6b71b47d73ca452a
-rw-------. 1 dirsrv root   202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
-rw-------. 1 dirsrv root   208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
-rw-------. 1 dirsrv root   208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
-rw-------. 1 dirsrv root   202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
-rw-------. 1 dirsrv root   202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
-rw-------. 1 dirsrv root   202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
-rw-------. 1 dirsrv root   208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
-rw-------. 1 dirsrv root   202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
-rw-------. 1 dirsrv root   202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
-rw-r--r--. 1 dirsrv root   208167 Nov 22 11:26 dse.ldif.modified.out
-rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv  36009 Jan  9  2020 dse_original.ldif
-rw-r-----. 1 dirsrv root    36864 Dec 12  2021 key4.db
-rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 key4.db.orig
-r--------. 1 dirsrv dirsrv     67 Jan  9  2020 pin.txt
-rw-r-----. 1 dirsrv dirsrv    561 Nov 22 11:26 pkcs11.txt
-rw-rw----. 1 dirsrv dirsrv    556 Jan  9  2020 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt
-r--------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv   4096 Nov 22 11:26 schema
drwxr-x---. 2 dirsrv root       25 Nov 21 18:59 schema.bak
-rw-r--r--. 1 dirsrv root    15142 Nov 21 18:59 slapd-collations.conf
I can’t connect to the LDAP service:
# ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
You have to escape the socket path: ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
# less /var/log/ipaupgrade.log
Server built:   Jun 29 2021 22:00:15 UTC
Server number:  9.0.30.0
OS Name:        Linux
OS Version:     4.18.0-348.7.1.el8_5.x86_64
Architecture:   amd64
JVM Version:    1.8.0_322-b06
JVM Vendor:     Red Hat, Inc.
2022-11-22T14:26:56Z DEBUG stderr=
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-22T14:26:56Z DEBUG Process finished, return code=1
2022-11-22T14:26:56Z DEBUG stdout=
2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2022-11-22T14:26:57Z DEBUG Process finished, return code=1
2022-11-22T14:26:57Z DEBUG stdout=
2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
    ca.start('pki-tomcat')
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
    skip_output=not capture_output)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log
2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
The CA failed to start. This is often due to expired certificates that get exposed when an upgrade is done. Check that out.
#ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
2 service(s) are not running
Thanks
On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier via FreeIPA-users wrote:
Hi,
I have a production server that was not maintained and I see that the HTTP certificate has expired long ago. I tried to renew it but I'm not being able to get it right.
The initial status was:
Request ID '20191219011208':
	status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
	stuck: yes
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
Then following this thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
I got it to this state:
Request ID '20191219011208':
	status: MONITORING
	ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
The post indicates that I have to put an old date in the server to get it renewed, but as the server is in production, it means that all clients will fail to log in to the server. Even more, what time should I return to, before the certificate expiration or right after? Thanks in advance
I'd guess that this affects a lot more than just the web server cert. getcert list will tell you.
That outcome will affect the suggested remediation.
As for going back in time, you'd need a server outage to do this and it only would be backwards in time for a short time. Just long enough so the services could start with non-expired certificates to get them renewed. But there are other ways to do this that don't require fiddling with time.
rob
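Rob's advice above is to start from `getcert list` and let its output drive the remediation. The script below is an added example for this thread (not certmonger or FreeIPA code): it parses the multi-line `getcert list` output, and for each tracked request reports whether the certificate is already expired, whether certmonger marks it stuck, and whether a CA error is recorded, relative to a reference time you pass in. The embedded SAMPLE is constructed for the example with placeholder names (dc1.example.test, EXAMPLE.TEST) and follows the field layout certmonger prints (status, stuck, expires, ca-error); it is not output from this thread.

```python
"""Triage certmonger tracking output: which tracked certs are expired, stuck or erroring.

Added example for this thread, not certmonger or FreeIPA code. Save `getcert list`
output to a file and pass its path; SAMPLE below is constructed with placeholder names.
"""
import re
import sys
from datetime import datetime, timezone

REQUEST_RE = re.compile(r"^Request ID '(?P<rid>[^']+)':")
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z -]+?):\s*(?P<value>.*)$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"   # how certmonger prints 'expires:'

# Constructed sample (placeholder hostnames and realm), laid out as getcert prints it.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20191219011208':
\tstatus: MONITORING
\tca-error: Server at https://dc1.example.test/ipa/xml failed request, will retry: -504 (SSL certificate problem: certificate has expired).
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc1.example.test-443-RSA'
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tsubject: CN=dc1.example.test,O=EXAMPLE.TEST
\texpires: 2021-12-18 01:12:09 UTC
Request ID '20191219011209':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=dc1.example.test,O=EXAMPLE.TEST
\texpires: 2021-12-18 01:12:09 UTC
Request ID '20191219011210':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2039-12-19 01:12:08 UTC
"""


def parse_time(text):
    """Parse a certmonger-style timestamp ('YYYY-MM-DD HH:MM:SS UTC') into an aware datetime."""
    return datetime.strptime(text, EXPIRES_FMT).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block (key -> value)."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("rid")}
            requests.append(current)
            continue
        if current is None:
            continue                      # header such as "Number of certificates ..."
        m = FIELD_RE.match(line)
        if m:                             # indented "key: value" line inside a block
            current[m.group("key").strip()] = m.group("value").strip()
    return requests


def triage(text, now):
    """Return one triage record per request, judged against the aware datetime `now`."""
    records = []
    for req in parse_getcert_list(text):
        expires = parse_time(req["expires"]) if "expires" in req else None
        records.append({
            "request_id": req["request_id"],
            "status": req.get("status", "UNKNOWN"),
            "stuck": req.get("stuck", "").lower() == "yes",
            "ca_error": req.get("ca-error"),          # None when certmonger reports none
            "certificate": req.get("certificate"),
            "expired": expires is not None and expires <= now,
            "days_left": None if expires is None else (expires - now).days,
        })
    return records


def needs_attention(records):
    """Requests an admin must look at before renewal: expired, stuck, or CA error set."""
    return [r for r in records if r["expired"] or r["stuck"] or r["ca_error"]]


def main(argv):
    """Read `getcert list` output from a file (or use SAMPLE) and print the problem requests."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE
    for r in needs_attention(triage(text, datetime.now(timezone.utc))):
        flags = ",".join(name for name, on in (("EXPIRED", r["expired"]),
                                               ("STUCK", r["stuck"]),
                                               ("CA-ERROR", bool(r["ca_error"]))) if on)
        print(f"{r['request_id']}  {r['status']:<36}  {flags:<16}  {r['certificate']}")


if __name__ == "__main__":
    main(sys.argv)
```

Usage: `getcert list > /tmp/getcert.txt` as root, then `python3 triage.py /tmp/getcert.txt`. The point of separating `triage` from `needs_attention` is that the first gives the full picture (including how far in the past each expiry is, which decides whether a short clock rollback or the renewal-without-time-travel route is viable), while the second is the short list to act on; a request that is expired but not stuck is in a different situation from one stuck in NEWLY_ADDED_NEED_KEYINFO_READ_PIN, which needs its PIN file before any renewal can happen.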
Juan Pablo Lorier wrote:
Hi,
Rob, the problem with ipactl --ignore-service-failures is that it always tries to upgrade from 4.7 to 4.9 first, and it fails for that reason.
$ man 8 ipactl
--skip-version-check Skip version check
rob
I was able to move forward and get pki-tomcat running, but I still can't finish the upgrade process. Here are some more logs to see if you can see a lead to help me. Regards
*/var/log/ipaupgrade.log*
022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1273, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 982, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error
2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-30T16:07:54Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1908, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1207, in __enter__
    method='GET'
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in https_request
    method=method, headers=headers)
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))
2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
*dirsrv/slapd-TNU-COM-UY/errors*
[30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
[30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
[30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
[30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
*localhost_access_log.2022-11-30.txt*
127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669
On 23 Nov 2022, at 18:42, Rob Crittenden <rcritten@redhat.com> wrote:
Run "ipactl --ignore-service-failures" and it should bring up all the services it can.
rob
Juan Pablo Lorier wrote:
Hi again,
I used the ldapi from /etc/ipa/default.conf and I was able to get a different reply:
ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd-TNU-COM-UY.socket ldapi:///var/run/slapd%5C-TNU%5C-COM%5C-UY.socket
SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
But if I try to renew the ticket, it fails:
kinit admin
kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
The running DC is in 4.7 and it should reply to the kinit requests
I added the debug option to see if I can get further information.
ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl
Regards
On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi Rob,
Thanks for the reply. As I didn't know any other way but to go back in time, I just did it and now the server is running 100%.
This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter of a dnf update, but it seems that is not such a happy path. I updated the second server but it's not able to finalize the update process. DNS is failing to start:
# systemctl status ipa-dnskeysyncd.service
● ipa-dnskeysyncd.service - IPA key daemon
   Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
 Main PID: 250496 (ipa-dnskeysyncd)
    Tasks: 1 (limit: 23652)
   Memory: 68.4M
   CGroup: /system.slice/ipa-dnskeysyncd.service
           └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd

Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
[root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
-- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
There should be quite a bit more after that.
#less /var/log/dirsrv/slapd-*/access
[22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
[22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
[22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
[22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
[22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
[22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
[22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
[22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
[22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
[22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
[22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
[22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
[22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
I see that after the update, the files were changed:
[root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
/etc/dirsrv/slapd-TNU-COM-UY:
total 4208
-rw-r-----. 1 dirsrv dirsrv   1804 Jan 21  2022 Server-Cert-Key.pem
-rw-r-----. 1 dirsrv dirsrv   1829 Jan 21  2022 Server-Cert.pem
-rw-r-----. 1 dirsrv dirsrv   1464 Jan 21  2022 TNU.COM.UY20IPA20CA.pem
-rw-r-----. 1 dirsrv root    36864 Dec 12  2021 cert9.db
-rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv   1729 Jan  9  2020 certmap.conf
-rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
-rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
-rw-r--r--. 1 dirsrv root   208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
-rw-------. 1 dirsrv root   202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
-rw-------. 1 dirsrv root   208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
-rw-------. 1 dirsrv root   208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
-rw-------. 1 dirsrv root   195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
-rw-------. 1 dirsrv root   203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
-rw-------. 1 dirsrv root   156705 Jan  9  2020 dse.ldif.ipa.6b71b47d73ca452a
-rw-------. 1 dirsrv root   202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
-rw-------. 1 dirsrv root   208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
-rw-------. 1 dirsrv root   208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
-rw-------. 1 dirsrv root   202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
-rw-------. 1 dirsrv root   202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
-rw-------. 1 dirsrv root   202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
-rw-------. 1 dirsrv root   208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
-rw-------. 1 dirsrv root   202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
-rw-------. 1 dirsrv root   202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
-rw-r--r--. 1 dirsrv root   208167 Nov 22 11:26 dse.ldif.modified.out
-rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv  36009 Jan  9  2020 dse_original.ldif
-rw-r-----. 1 dirsrv root    36864 Dec 12  2021 key4.db
-rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 key4.db.orig
-r--------. 1 dirsrv dirsrv     67 Jan  9  2020 pin.txt
-rw-r-----. 1 dirsrv dirsrv    561 Nov 22 11:26 pkcs11.txt
-rw-rw----. 1 dirsrv dirsrv    556 Jan  9  2020 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt
-r--------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv   4096 Nov 22 11:26 schema
drwxr-x---. 2 dirsrv root       25 Nov 21 18:59 schema.bak
-rw-r--r--. 1 dirsrv root    15142 Nov 21 18:59 slapd-collations.conf
I can’t connect to the LDAP service:
# ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
You have to escape the socket path: ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
# less /var/log/ipaupgrade.log
Server built: Jun 29 2021 22:00:15 UTC
Server number: 9.0.30.0
OS Name: Linux
OS Version: 4.18.0-348.7.1.el8_5.x86_64
Architecture: amd64
JVM Version: 1.8.0_322-b06
JVM Vendor: Red Hat, Inc.
2022-11-22T14:26:56Z DEBUG stderr=
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-22T14:26:56Z DEBUG Process finished, return code=1
2022-11-22T14:26:56Z DEBUG stdout=
2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2022-11-22T14:26:57Z DEBUG Process finished, return code=1
2022-11-22T14:26:57Z DEBUG stdout=
2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code. See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
    ca.start('pki-tomcat')
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
    skip_output=not capture_output)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log
2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
The CA failed to start. This is often due to expired certificates that get exposed when an upgrade is done. Check that out.
#ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
2 service(s) are not running
Thanks
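Rob's note above about the socket path comes down to one rule: an ldapi URI carries the socket path in the position a hostname would occupy, so every '/' in the path must be percent-encoded or the client looks for a host called "var". The Python below is an added example, not FreeIPA or OpenLDAP code. It builds the URI from the realm the way the slapd-<REALM-WITH-DASHES> instance naming in the listing above implies, reads `ldap_uri` out of a constructed /etc/ipa/default.conf excerpt, and rejects the unescaped form; the realm EXAMPLE.TEST and the excerpt are made up.

```python
"""Build, check and decode ldapi:// URIs for a FreeIPA directory-server socket.

Added example for this thread, not OpenLDAP or FreeIPA code. In an ldapi URI
the socket path sits where a hostname would, so every '/' in it has to be
percent-encoded; the slapd-<REALM-WITH-DASHES> instance name and the /var/run
socket location follow the thread, while the realm EXAMPLE.TEST and the
default.conf snippet are constructed.
"""
import configparser
from urllib.parse import quote, unquote, urlsplit

SOCKET_TEMPLATE = "/var/run/slapd-{instance}.socket"

# Constructed /etc/ipa/default.conf excerpt in the layout FreeIPA uses.
SAMPLE_DEFAULT_CONF = """\
[global]
host = dc2.example.test
realm = EXAMPLE.TEST
ldap_uri = ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
"""


def ldapi_uri(socket_path):
    """Percent-encode an absolute socket path into an ldapi:// URI."""
    if not socket_path.startswith("/"):
        raise ValueError(f"socket path must be absolute: {socket_path!r}")
    return "ldapi://" + quote(socket_path, safe="")


def ldapi_uri_for_realm(realm):
    """FreeIPA names the 389-ds instance after the realm with dots turned into dashes."""
    instance = realm.upper().replace(".", "-")
    return ldapi_uri(SOCKET_TEMPLATE.format(instance=instance))


def is_escaped_ldapi_uri(uri):
    """True only when the whole socket path landed in the host part, i.e. no raw '/'."""
    parts = urlsplit(uri)
    return parts.scheme == "ldapi" and bool(parts.netloc) and parts.path == ""


def socket_path_from_uri(uri):
    """Decode an ldapi:// URI back to its socket path, rejecting unescaped forms."""
    if not is_escaped_ldapi_uri(uri):
        # ldapi://var/run/x.socket splits into host 'var' and path '/run/x.socket',
        # so the client never opens the socket and reports that it cannot contact the server.
        raise ValueError(f"socket path is not percent-encoded: {uri!r}")
    path = unquote(urlsplit(uri).netloc)
    if not path.startswith("/"):
        raise ValueError(f"decoded socket path is not absolute: {path!r}")
    return path


def ldap_uri_from_default_conf(text):
    """Read ldap_uri from an ipa default.conf; '%2f' must not be treated as interpolation."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg.get("global", "ldap_uri")


if __name__ == "__main__":
    uri = ldap_uri_from_default_conf(SAMPLE_DEFAULT_CONF)
    print(uri, "->", socket_path_from_uri(uri))
    print(ldapi_uri_for_realm("example.test"))
```

The `interpolation=None` in the configparser call matters: the default BasicInterpolation treats the `%2f` sequences in a real default.conf as format directives and raises instead of returning the URI.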
On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier via FreeIPA-users wrote:
> Hi,
>
> I have a production server that was not maintained and I see that the
> HTTP certificate has expired long ago. I tried to renew it but I'm
> not being able to get it right.
>
> The initial status was:
>
> Request ID '20191219011208':
> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
> stuck: yes
> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>
> Then following this thread
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
>
> I got it to this state:
>
> Request ID '20191219011208':
> status: MONITORING
> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request,
> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed.
> libcurl failed even to execute the HTTP transaction, explaining:
> SSL certificate problem: certificate has expired).
> stuck: no
> key pair storage:
> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>
> The post indicates that I have to put an old date in the server to
> get it renewed, but as the server is in production, it means that all
> clients will fail to log to the server. Even more, what time should I
> return to, before the certificate expiration or right after?
> Thanks in advance
I'd guess that this affects a lot more than just the web server cert. getcert list will tell you.
That outcome will affect the suggested remediation.
As for going back in time, you'd need a server outage to do this and it only would be backwards in time for a short time. Just long enough so the services could start with non-expired certificates to get them renewed. But there are other ways to do this that don't require fiddling with time.
rob
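Rob's advice above is to let `getcert list` show how far beyond the web server certificate the expiry goes before deciding on a remediation. The Python script below is an added example for this thread, not certmonger or FreeIPA code: it parses `getcert list` output and flags every tracking request that is expired, expiring within 30 days, stuck, or carrying a ca-error, which is the inventory needed to size the outage Rob mentions. The sample text is constructed in the `getcert list` layout; the first two request IDs and storage paths follow the thread, while the EXAMPLE.TEST hostnames, the dates and the third request are made up. Run it with `--live` on a server to read the real tracker instead.

```python
"""Triage `getcert list` output: which tracked certificates are expired,
expiring soon, stuck, or reporting a CA error.

Added example for this thread, not certmonger or FreeIPA code. The text in
SAMPLE_GETCERT_LIST is constructed to mimic `getcert list`: the first two
request IDs and storage paths follow the thread, the hostnames (EXAMPLE.TEST),
expiry dates and the third request are made up.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20191219011208':
    status: MONITORING
    ca-error: Server at https://dc1.example.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://dc1.example.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc1.example.test-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    expires: 2021-12-20 01:12:08 UTC
Request ID '20191219011209':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
    expires: 2022-11-29 13:00:00 UTC
Request ID '20191219011210':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/certs/ra-agent.pem'
    expires: 2024-06-01 00:00:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by the indented field names."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
        elif current is not None and line[:1] in (" ", "\t"):
            # First ': ' separates the field name; later ones belong to the value.
            key, sep, value = line.strip().partition(": ")
            if sep:
                current[key] = value
    return requests


def parse_utc(value):
    """certmonger prints times as 'YYYY-MM-DD HH:MM:SS UTC'."""
    if value.endswith(" UTC"):
        value = value[:-4]
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def triage(requests, now, warn_days=30):
    """Attach a list of problems to each request; an empty list means healthy."""
    findings = []
    for req in requests:
        problems = []
        if req.get("stuck") == "yes":
            problems.append("stuck")
        if "ca-error" in req:
            problems.append("ca-error")
        if req.get("status") != "MONITORING":
            problems.append("status=" + req.get("status", "unknown"))
        expires = parse_utc(req["expires"]) if "expires" in req else None
        if expires is not None and expires <= now:
            problems.append("expired")
        elif expires is not None and expires - now <= timedelta(days=warn_days):
            problems.append("expires-soon")
        findings.append({"id": req["id"], "expires": expires, "problems": problems,
                         "certificate": req.get("certificate", "")})
    return findings


def triage_text(text, now_utc=None):
    """Parse and triage; now_utc is a certmonger-style time string or None for the clock."""
    now = parse_utc(now_utc) if now_utc else datetime.now(timezone.utc)
    return triage(parse_getcert_list(text), now)


if __name__ == "__main__":
    # With --live, read the real tracker on this host; otherwise use the constructed sample.
    if "--live" in sys.argv:
        text = subprocess.run(["getcert", "list"], check=True,
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_GETCERT_LIST
    for f in triage_text(text):
        print(f["id"], f["expires"], ", ".join(f["problems"]) or "ok", f["certificate"])
```

A request that is only "expires-soon" can still renew on its own once the CA answers; the ones to act on first are those marked "expired" or "stuck", because certmonger cannot renew through a CA whose own service certificates have lapsed.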
Ok, with the skip-version-check flag it starts correctly, but if I try to restart the service without the flag, it fails at the same point. The error is related to the upgrade process then. I’m upgrading from 4.7 to 4.9 as I didn’t find any restriction in the documentation. Is it possible that there’s an issue with that upgrade path? Thanks
On 30 Nov 2022, at 16:21, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi,
Rob, the problem with ipactl --ignore-service-failures is that it always tries to upgrade from 4.7 to 4.9 first and it fails for that reason.
$ man 8 ipactl
--skip-version-check Skip version check
rob
I was able to move forward and get pki-tomcat running but I still can’t finish the upgrade process. Here are some more logs to see if you can see a lead to help me. Regards
*/var/log/ipaupgrade.log*
2022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1273, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 982, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error
2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-30T16:07:54Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1908, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1207, in __enter__
    method='GET'
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in https_request
    method=method, headers=headers)
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))
2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
*dirsrv/slapd-TNU-COM-UY/errors*
[30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
[30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
[30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
[30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
*localhost_access_log.2022-11-30.txt*
127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669
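The errors log above repeats the same `set_krb5_creds` failure at growing intervals while each ACL warning appears once, which is easier to see from a summary than from the raw lines. As an added example (not 389-ds or FreeIPA code), the Python below parses a 389-ds errors log, counts entries per level and component with their first and last timestamps, and computes the gaps between the "Cannot contact any KDC" failures so the retry backoff is visible. The sample lines are constructed in the same format, with timestamps taken from the thread and a made-up EXAMPLE.TEST realm and host.

```python
"""Summarise a 389-ds errors log: which components fail, how often, and how
the Kerberos-credential failures back off over time.

Added example for this thread, not 389-ds or FreeIPA code. SAMPLE_ERRORS is
constructed in the format of /var/log/dirsrv/slapd-*/errors; the timestamps
follow the thread, the EXAMPLE.TEST realm and dc2 host are made up.
"""
import re
import sys
from collections import OrderedDict
from datetime import datetime

KDC_ERR = ("Could not get initial credentials for principal "
           "[ldap/dc2.example.test@EXAMPLE.TEST] in keytab [FILE:/etc/dirsrv/ds.keytab]: "
           "-1765328228 (Cannot contact any KDC for requested realm)")

SAMPLE_ERRORS = "\n".join([
    "[30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - "
    "The ACL target cn=vaults,cn=kra,dc=example,dc=test does not exist",
    "[30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - " + KDC_ERR,
    "[30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. "
    "Listening on All Interfaces port 389 for LDAP requests",
    "[30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - " + KDC_ERR,
    "[30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - "
    "Finished plugin initialization.",
    "[30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - " + KDC_ERR,
    "[30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - " + KDC_ERR,
    "[30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - " + KDC_ERR,
])

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<component>\S+) - (?P<msg>.*)$")
TS_RE = re.compile(r"(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(\d+) ([+-]\d{4})$")


def parse_timestamp(raw):
    """389-ds prints nanoseconds; strptime's %f accepts at most six digits."""
    m = TS_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised timestamp: {raw!r}")
    base, frac, tz = m.groups()
    return datetime.strptime(f"{base}.{frac[:6]} {tz}", "%d/%b/%Y:%H:%M:%S.%f %z")


def parse_errors_log(text):
    """Return one dict per log entry; continuation lines without a header are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({"ts": parse_timestamp(m.group("ts")),
                            "level": m.group("level"),
                            "component": m.group("component"),
                            "msg": m.group("msg")})
    return entries


def summarise(entries):
    """Count entries per (level, component), keeping first and last timestamps."""
    summary = OrderedDict()
    for e in entries:
        key = (e["level"], e["component"])
        s = summary.setdefault(key, {"count": 0, "first": e["ts"], "last": e["ts"]})
        s["count"] += 1
        s["last"] = e["ts"]
    return summary


def kdc_failure_gaps(entries):
    """Whole seconds between consecutive 'Cannot contact any KDC' errors."""
    ts = [e["ts"] for e in entries if "Cannot contact any KDC" in e["msg"]]
    return [round((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]


if __name__ == "__main__":
    # Pass a path to read a real errors log; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ERRORS
    entries = parse_errors_log(text)
    for (level, comp), s in summarise(entries).items():
        print(f"{level:5} {comp:25} {s['count']:4}  {s['first']:%H:%M:%S} .. {s['last']:%H:%M:%S}")
    print("KDC retry gaps (s):", kdc_failure_gaps(entries))
```

A steadily doubling gap with the same error text is the directory server's own retry loop, not a new fault each time; the thing to fix is the first failure (here the KDC that cannot be reached), after which the loop stops on its own.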
On 23 Nov 2022, at 18:42, Rob Crittenden <rcritten@redhat.com> wrote:
Run "ipactl --ignore-service-failures" and it should bring up all the services it can.
rob
Juan Pablo Lorier wrote:
Hi again,
I used the ldapi from /etc/ipa/default.conf and I was able to get a different reply:
ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd-TNU-COM-UY.socket
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
But if I try to renew the ticket, it fails:
kinit admin
kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
The running DC is on 4.7 and it should reply to the kinit requests.
I added the debug option to see if I can get further information.
ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl
Regards
On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi Rob,
Thanks for the reply. As I didn’t know any other way but to go back in time, I just did it and now the server is running 100%.
This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter of a dnf update, but it seems that is not such a happy path. I updated the second server but it’s not able to finalize the update process. DNS is failing to start:
# systemctl status ipa-dnskeysyncd.service
● ipa-dnskeysyncd.service - IPA key daemon
   Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
 Main PID: 250496 (ipa-dnskeysyncd)
    Tasks: 1 (limit: 23652)
   Memory: 68.4M
   CGroup: /system.slice/ipa-dnskeysyncd.service
           └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd

Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
[root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
-- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
There should be quite a bit more after that.
#less /var/log/dirsrv/slapd-*/access
[22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
[22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
[22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
[22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
[22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
[22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy"scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
[22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
[22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
[22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
[22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
[22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
[22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
[22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
I see that after the update, the files were changed:
[root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
/etc/dirsrv/slapd-TNU-COM-UY:
total 4208
-rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem
-rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem
-rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 TNU.COM.UY20IPA20CA.pem
-rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db
-rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf
-rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
-rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
-rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
-rw-------. 1 dirsrv root 202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
-rw-------. 1 dirsrv root 208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
-rw-------. 1 dirsrv root 208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
-rw-------. 1 dirsrv root 195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
-rw-------. 1 dirsrv root 203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
-rw-------. 1 dirsrv root 156705 Jan 9 2020 dse.ldif.ipa.6b71b47d73ca452a
-rw-------. 1 dirsrv root 202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
-rw-------. 1 dirsrv root 208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
-rw-------. 1 dirsrv root 208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
-rw-------. 1 dirsrv root 202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
-rw-------. 1 dirsrv root 202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
-rw-------. 1 dirsrv root 202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
-rw-------. 1 dirsrv root 208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
-rw-------. 1 dirsrv root 202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
-rw-------. 1 dirsrv root 202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
-rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out
-rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif
-rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db
-rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig
-r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt
-rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt
-rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt
-r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema
drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak
-rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf
I can’t connect to the LDAP service:
# ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
You have to escape the socket path: ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
# less /var/log/ipaupgrade.log
Server built: Jun 29 2021 22:00:15 UTC
Server number: 9.0.30.0
OS Name: Linux
OS Version: 4.18.0-348.7.1.el8_5.x86_64
Architecture: amd64
JVM Version: 1.8.0_322-b06
JVM Vendor: Red Hat, Inc.
2022-11-22T14:26:56Z DEBUG stderr=
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-22T14:26:56Z DEBUG Process finished, return code=1
2022-11-22T14:26:56Z DEBUG stdout=
2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2022-11-22T14:26:57Z DEBUG Process finished, return code=1
2022-11-22T14:26:57Z DEBUG stdout=
2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code. See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
    ca.start('pki-tomcat')
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
    skip_output=not capture_output)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log
2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
(END)
The CA failed to start. This is often due to expired certificates that get exposed when an upgrade is done. Check that out.
#ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
2 service(s) are not running
Thanks
> On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:
>
> I'd guess that this affects a lot more than just the web server cert.
> getcert list will tell you.
>
> Depending on that outcome affect the suggested remediation.
>
> As for going back in time, you'd need a server outage to do this and it
> only would be backwards in time for a short time. Just long enough so
> the services could start with non-expired certificates to get them
> renewed. But there are other ways to do this that don't require fiddling
> with time.
>
> rob
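Rob's advice above is to let `getcert list` show how many tracked certificates the outage really touches. The script below is an added example for this thread, not code from FreeIPA or certmonger: it parses the text layout `getcert list` prints (a `Request ID` header followed by indented `field: value` lines) and flags every request that is expired, stuck, not in MONITORING, or carrying a ca-error. The sample input, its request IDs, hostnames, realm and dates are constructed for the example; on a real server pipe the live output into it.

```python
"""Triage certmonger tracking state from the text `getcert list` prints.

Added example, not code from this thread or from FreeIPA/certmonger.
"""
import re
from datetime import datetime, timezone

# Constructed sample in certmonger's `getcert list` layout. Request IDs,
# hostnames, realm and dates are made up for the example.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20191219011208':
\tstatus: MONITORING
\tca-error: Server at https://dc1.example.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://dc1.example.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc1.example.test-443-RSA'
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tCA: IPA
\tsubject: CN=dc1.example.test,O=EXAMPLE.TEST
\texpires: 2021-12-19 01:12:08 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20191219011209':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=dc1.example.test,O=EXAMPLE.TEST
\texpires: 2022-01-21 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20191219011210':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2030-01-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Constructed reference "now" for the sample: the day the thread's logs were taken.
SAMPLE_NOW = datetime(2022, 11, 22, 12, 0, tzinfo=timezone.utc)

_REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
_FIELD_RE = re.compile(r"^\s+([^:]+?):\s?(.*)$")  # the first ':' splits key from value


def parse_getcert_list(text):
    """Return one dict of raw field strings per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = _REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue  # header such as "Number of certificates ..."
        m = _FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return requests


def parse_expiry(value):
    """certmonger prints e.g. '2021-12-19 01:12:08 UTC'; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def triage(text, now=None):
    """One entry per request with the problems found; an empty list means healthy."""
    now = now or datetime.now(timezone.utc)
    report = []
    for req in parse_getcert_list(text):
        problems = []
        if req.get("status") != "MONITORING":
            problems.append("status=" + req.get("status", "?"))
        if req.get("stuck") == "yes":
            problems.append("stuck")
        if "ca-error" in req:
            problems.append("ca-error")
        expires = parse_expiry(req["expires"]) if "expires" in req else None
        if expires is not None and expires <= now:
            problems.append("expired")
        report.append({"request_id": req["request_id"],
                       "certificate": req.get("certificate", ""),
                       "expires": expires,
                       "problems": problems})
    return report


def unhealthy(report):
    """Only the entries that need operator attention."""
    return [r for r in report if r["problems"]]


if __name__ == "__main__":
    # Live use:  getcert list | python3 getcert_triage.py   (falls back to the sample)
    import sys
    text = SAMPLE_GETCERT_LIST if sys.stdin.isatty() else sys.stdin.read()
    for entry in unhealthy(triage(text)):
        print(entry["request_id"], entry["certificate"], ", ".join(entry["problems"]))
```

Against the sample, the httpd certificate is reported as expired with a ca-error (the state in the thread's first message), the directory server certificate as stuck in NEWLY_ADDED_NEED_KEYINFO_READ_PIN and expired, and the OCSP signing certificate as healthy. Running it on the real host before deciding on remediation gives the full picture Rob asks for, including CA subsystem certificates under /etc/pki/pki-tomcat/alias that an expired HTTP certificate alone would not reveal.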
I’m adding more information:
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@dc2 ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'acmeServerCert'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
On 30 Nov 2022, at 16:21, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi,
Rob, the problem with ipactl --ignore-service-failures is that it always tries to upgrade from 4.7 to 4.9 first and it fails for that reason.
$ man 8 ipactl
--skip-version-check Skip version check
rob
I was able to move forward and get pki-tomcat running but I still can't finish the upgrade process. Here are some more logs to see if you can see a lead to help me.
Regards
/var/log/ipaupgrade.log:
022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1273, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 982, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error
2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-30T16:07:54Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1908, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1207, in __enter__
    method='GET'
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in https_request
    method=method, headers=headers)
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))
2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
dirsrv/slapd-TNU-COM-UY/errors:
[30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
[30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
[30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
[30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
localhost_access_log.2022-11-30.txt:
127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669
On 23 Nov 2022, at 18:42, Rob Crittenden <rcritten@redhat.com> wrote:
Run "ipactl --ignore-service-failures" and it should bring up all the services it can.
rob
Juan Pablo Lorier wrote:
Hi again,
I used the ldapi from /etc/ipa/default.conf and I was able to get a different reply:
ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd-TNU-COM-UY.socket
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
But if I try to renew the ticket, it fails:
kinit admin
kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
The running DC is in 4.7 and it should reply to the kinit requests
I added the debug option to see if I can get further information.
ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl
Regards
On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi Rob,
Thanks for the reply. As I didn't know any other way but to go back in time, I just did it and now the server is running 100%.
This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter of a dnf update, but it seems that is not such a happy path. I updated the second server but it's not able to finalize the update process. DNS is failing to start:
# systemctl status ipa-dnskeysyncd.service
*●*ipa-dnskeysyncd.service - IPA key daemon Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled) Active: *active (running)*since Tue 2022-11-22 11:27:16 -03; 1h 14min ago Main PID: 250496 (ipa-dnskeysyncd) Tasks: 1 (limit: 23652) Memory: 68.4M CGroup: /system.slice/ipa-dnskeysyncd.service └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd
Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1 Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2 Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: *Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO* Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: *Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL* Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: *Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false* Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1 Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1 Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
GSSAPI client step 1 [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
-- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
There should be quite a bit more after that.
#less /var/log/dirsrv/slapd-*/access
[22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
[22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
[22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
[22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
[22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
[22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
[22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
[22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
[22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
[22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
[22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
[22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
[22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
I see that after the update, the files were changed:
[root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
/etc/dirsrv/slapd-TNU-COM-UY:
total 4208
-rw-r-----. 1 dirsrv dirsrv   1804 Jan 21  2022 Server-Cert-Key.pem
-rw-r-----. 1 dirsrv dirsrv   1829 Jan 21  2022 Server-Cert.pem
-rw-r-----. 1 dirsrv dirsrv   1464 Jan 21  2022 TNU.COM.UY20IPA20CA.pem
-rw-r-----. 1 dirsrv root    36864 Dec 12  2021 cert9.db
-rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv   1729 Jan  9  2020 certmap.conf
-rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
-rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
-rw-r--r--. 1 dirsrv root   208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
-rw-------. 1 dirsrv root   202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
-rw-------. 1 dirsrv root   208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
-rw-------. 1 dirsrv root   208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
-rw-------. 1 dirsrv root   195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
-rw-------. 1 dirsrv root   203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
-rw-------. 1 dirsrv root   156705 Jan  9  2020 dse.ldif.ipa.6b71b47d73ca452a
-rw-------. 1 dirsrv root   202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
-rw-------. 1 dirsrv root   208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
-rw-------. 1 dirsrv root   208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
-rw-------. 1 dirsrv root   202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
-rw-------. 1 dirsrv root   202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
-rw-------. 1 dirsrv root   202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
-rw-------. 1 dirsrv root   208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
-rw-------. 1 dirsrv root   202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
-rw-------. 1 dirsrv root   202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
-rw-r--r--. 1 dirsrv root   208167 Nov 22 11:26 dse.ldif.modified.out
-rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv  36009 Jan  9  2020 dse_original.ldif
-rw-r-----. 1 dirsrv root    36864 Dec 12  2021 key4.db
-rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 key4.db.orig
-r--------. 1 dirsrv dirsrv     67 Jan  9  2020 pin.txt
-rw-r-----. 1 dirsrv dirsrv    561 Nov 22 11:26 pkcs11.txt
-rw-rw----. 1 dirsrv dirsrv    556 Jan  9  2020 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt
-r--------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv   4096 Nov 22 11:26 schema
drwxr-x---. 2 dirsrv root       25 Nov 21 18:59 schema.bak
-rw-r--r--. 1 dirsrv root    15142 Nov 21 18:59 slapd-collations.conf
I can’t connect to the LDAP service:
# ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
You have to escape the socket path: ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
# less /var/log/ipaupgrade.log
Server built: Jun 29 2021 22:00:15 UTC
Server number: 9.0.30.0
OS Name: Linux
OS Version: 4.18.0-348.7.1.el8_5.x86_64
Architecture: amd64
JVM Version: 1.8.0_322-b06
JVM Vendor: Red Hat, Inc.
2022-11-22T14:26:56Z DEBUG stderr=
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-22T14:26:56Z DEBUG Process finished, return code=1
2022-11-22T14:26:56Z DEBUG stdout=
2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2022-11-22T14:26:57Z DEBUG Process finished, return code=1
2022-11-22T14:26:57Z DEBUG stdout=
2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
    ca.start('pki-tomcat')
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
    skip_output=not capture_output)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log
2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
(END)
The CA failed to start. This is often due to expired certificates that get exposed when an upgrade is done. Check that out.
#ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
2 service(s) are not running
Thanks
> On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:
>
> Juan Pablo Lorier via FreeIPA-users wrote:
>> Hi,
>>
>> I have a production server that was not maintained and I see that the
>> HTTP certificate has expired long ago. I tried to renew it but I'm
>> not being able to get it right.
>>
>> The initial status was:
>>
>> Request ID '20191219011208':
>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>> stuck: yes
>> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>
>> Then following this thread
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
>>
>> I got it to this state:
>>
>> Request ID '20191219011208':
>> status: MONITORING
>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request,
>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed.
>> libcurl failed even to execute the HTTP transaction, explaining:
>> SSL certificate problem: certificate has expired).
>> stuck: no
>> key pair storage:
>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>
>> The post indicates that I have to put an old date in the server to
>> get it renewed, but as the server is in production, it means that all
>> clients will fail to log to the server. Even more, what time should I
>> return to, before the certificate expiration or right after?
>> Thanks in advance
>
> I'd guess that this affects a lot more than just the web server cert.
> getcert list will tell you.
>
> Depending on that outcome affect the suggested remediation.
>
> As for going back in time, you'd need a server outage to do this and it
> only would be backwards in time for a short time. Just long enough so
> the services could start with non-expired certificates to get them
> renewed. But there are other ways to do this that don't require fiddling
> with time.
>
> rob
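Rob's two pointers above (run getcert list, and expect expired certificates to surface when the upgrade starts the CA) as an added example that is not code from this thread or from FreeIPA: a small parser over getcert list output that flags every tracking request that is expired, stuck, not in MONITORING, or carrying a ca-error. The field labels and the 'expires' date format are assumed to be the ones certmonger prints, and the sample output is constructed for the example.

```python
"""Added example, not code from this thread or from FreeIPA: parse `getcert list`
output and flag tracking requests that need attention (expired, stuck, failing).
Assumption: the field labels and the 'expires' date format are the ones
certmonger prints; the sample below is constructed, not taken from a real server.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: the HTTP cert is expired and its renewal is failing, the
# LDAP server cert is healthy, and a third request never got past its PIN.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20191219011208':
\tstatus: MONITORING
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: -504 (SSL certificate problem: certificate has expired).
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa.example.test-443-RSA'
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2022-01-21 10:00:00 UTC
Request ID '20191219011209':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2026-01-21 10:00:00 UTC
Request ID '20191219011210':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tstuck: yes
\tcertificate: type=FILE,location='/var/lib/ipa/certs/example.crt'
"""


@dataclass
class TrackingRequest:
    request_id: str
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def status(self) -> str:
        return self.fields.get("status", "")

    @property
    def expires(self) -> datetime | None:
        raw = self.fields.get("expires")
        if not raw:  # a request that never obtained a certificate has no expiry
            return None
        # assumed certmonger format, e.g. "2022-01-21 10:00:00 UTC"
        return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text: str) -> list[TrackingRequest]:
    """Split `getcert list` output into one record per tracking request."""
    requests: list[TrackingRequest] = []
    current: TrackingRequest | None = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = TrackingRequest(m.group(1))
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # leading "Number of certificates ..." header or blank line
        key, _, value = line.strip().partition(":")  # split at the first colon only
        current.fields[key.strip()] = value.strip()
    return requests


def assess(requests: list[TrackingRequest], now: datetime) -> dict[str, list[str]]:
    """Map request id -> problems, for every request that needs attention."""
    findings: dict[str, list[str]] = {}
    for req in requests:
        problems: list[str] = []
        if req.status != "MONITORING":
            problems.append(f"status is {req.status or 'unknown'}, not MONITORING")
        if req.fields.get("stuck") == "yes":
            problems.append("request is stuck")
        if "ca-error" in req.fields:  # the last renewal attempt failed
            problems.append("last renewal attempt failed: " + req.fields["ca-error"])
        exp = req.expires
        if exp is not None and exp <= now:
            problems.append(f"certificate expired {exp:%Y-%m-%d %H:%M} UTC")
        if problems:
            findings[req.request_id] = problems
    return findings


if __name__ == "__main__":
    # On a real server replace the sample with the output of `getcert list`.
    reqs = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    for rid, problems in assess(reqs, datetime.now(timezone.utc)).items():
        print(f"Request ID '{rid}':")
        for p in problems:
            print("  -", p)
```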
Juan Pablo Lorier wrote:
Ok, with the skip-version-check flag it starts correctly, but if I try to restart the service without the flag, it fails at the same point. The error is related to the upgrade process then. I’m upgrading from 4.7 to 4.9 as I didn’t find any restriction in the documentation. Is it possible that there’s an issue with that upgrade path?
It is likely related to your expired certificates. Did you look to see if others besides the HTTP cert expired?
rob
Thanks
On 30 Nov 2022, at 16:21, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi,
Rob, the problem with ipactl --ignore-service-failures is that it always tries to upgrade from 4.7 to 4.9 first and it fails for that reason.
$ man 8 ipactl
--skip-version-check Skip version check
rob
I was able to move forward and get pki-tomcat running but I still can’t finish the upgrade process. Here are some more logs to see if you can see a lead to help me.
Regards
*/var/log/ipaupgrade.log*
2022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1273, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 982, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error
2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-30T16:07:54Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1908, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1207, in __enter__
    method='GET'
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in https_request
    method=method, headers=headers)
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))
2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
*dirsrv/slapd-TNU-COM-UY/errors*
[30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
[30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
[30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
[30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
*localhost_access_log.2022-11-30.txt*
127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669
On 23 Nov 2022, at 18:42, Rob Crittenden <rcritten@redhat.com> wrote:
Run "ipactl --ignore-service-failures" and it should bring up all the services it can.
rob
Juan Pablo Lorier wrote:
Hi again,
I used the ldapi from /etc/ipa/default.conf and I was able to get a different reply:
ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd-TNU-COM-UY.socket
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
But if I try to renew the ticket, it fails:
kinit admin
kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
The running DC is on 4.7 and it should reply to the kinit requests.
I added the debug option to see if I can get further information.
ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl
Regards
On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
> Hi Rob,
>
> Thanks for the reply. As I didn't know other way but to go back in time, I just did it and now the server is running 100%.
>
> This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter to dnf update but it seems that is not such a happy path.
>
> I updated the second server but it's not able to finalize the update process. DNS is failing to start:
>
> # systemctl status ipa-dnskeysyncd.service
> ● ipa-dnskeysyncd.service - IPA key daemon
>    Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
>    Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
>  Main PID: 250496 (ipa-dnskeysyncd)
>     Tasks: 1 (limit: 23652)
>    Memory: 68.4M
>    CGroup: /system.slice/ipa-dnskeysyncd.service
>            └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd
>
> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>
> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
There should be quite a bit more after that.
> #less /var/log/dirsrv/slapd-*/access
>
> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
>
> I see that after the update, the files were changed:
>
> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
> /etc/dirsrv/slapd-TNU-COM-UY:
> total 4208
> -rw-r-----. 1 dirsrv dirsrv   1804 Jan 21  2022 Server-Cert-Key.pem
> -rw-r-----. 1 dirsrv dirsrv   1829 Jan 21  2022 Server-Cert.pem
> -rw-r-----. 1 dirsrv dirsrv   1464 Jan 21  2022 TNU.COM.UY20IPA20CA.pem
> -rw-r-----. 1 dirsrv root    36864 Dec 12  2021 cert9.db
> -rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 cert9.db.orig
> -r--r-----. 1 dirsrv dirsrv   1729 Jan  9  2020 certmap.conf
> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
> -rw-r--r--. 1 dirsrv root   208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
> -rw-------. 1 dirsrv root   202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
> -rw-------. 1 dirsrv root   208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
> -rw-------. 1 dirsrv root   208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
> -rw-------. 1 dirsrv root   195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
> -rw-------. 1 dirsrv root   203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
> -rw-------. 1 dirsrv root   156705 Jan  9  2020 dse.ldif.ipa.6b71b47d73ca452a
> -rw-------. 1 dirsrv root   202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
> -rw-------. 1 dirsrv root   208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
> -rw-------. 1 dirsrv root   208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
> -rw-------. 1 dirsrv root   202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
> -rw-------. 1 dirsrv root   202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
> -rw-------. 1 dirsrv root   202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
> -rw-------. 1 dirsrv root   208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
> -rw-------. 1 dirsrv root   202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
> -rw-------. 1 dirsrv root   202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
> -rw-r--r--. 1 dirsrv root   208167 Nov 22 11:26 dse.ldif.modified.out
> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
> -r--r-----. 1 dirsrv dirsrv  36009 Jan  9  2020 dse_original.ldif
> -rw-r-----. 1 dirsrv root    36864 Dec 12  2021 key4.db
> -rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 key4.db.orig
> -r--------. 1 dirsrv dirsrv     67 Jan  9  2020 pin.txt
> -rw-r-----. 1 dirsrv dirsrv    561 Nov 22 11:26 pkcs11.txt
> -rw-rw----. 1 dirsrv dirsrv    556 Jan  9  2020 pkcs11.txt.orig
> -rw-------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt
> -r--------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt.orig
> drwxrwx---. 2 dirsrv dirsrv   4096 Nov 22 11:26 schema
> drwxr-x---. 2 dirsrv root       25 Nov 21 18:59 schema.bak
> -rw-r--r--. 1 dirsrv root    15142 Nov 21 18:59 slapd-collations.conf
>
> I can't connect to the LDAP service:
>
> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
You have to escape the socket path: ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
> # less /var/log/ipaupgrade.log
>
> Server built: Jun 29 2021 22:00:15 UTC
> Server number: 9.0.30.0
> OS Name: Linux
> OS Version: 4.18.0-348.7.1.el8_5.x86_64
> Architecture: amd64
> JVM Version: 1.8.0_322-b06
> JVM Vendor: Red Hat, Inc.
>
> 2022-11-22T14:26:56Z DEBUG stderr=
> 2022-11-22T14:26:56Z DEBUG Starting external process
> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1
> 2022-11-22T14:26:56Z DEBUG stdout=
> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
>
> 2022-11-22T14:26:56Z DEBUG Starting external process
> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1
> 2022-11-22T14:26:57Z DEBUG stdout=
> 2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
> See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
>
> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
>     return_value = self.run()
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
>     server.upgrade()
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
>     upgrade_configuration()
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
>     ca.start('pki-tomcat')
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
>     skip_output=not capture_output)
>   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
>     p.returncode, arg_string, output_log, error_log
>
> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
> 2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
> (END)
The CA failed to start. This is often due to expired certificates that get exposed when an upgrade is done. Check that out.
> #ipactl status
>
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: STOPPED
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> 2 service(s) are not running
>
> Thanks
>
>> On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:
>>
>> Juan Pablo Lorier via FreeIPA-users wrote:
>>> Hi,
>>>
>>> I have a production server that was not maintained and I see that the HTTP certificate has expired long ago. I tried to renew it but I'm not being able to get it right.
>>>
>>> The initial status was:
>>>
>>> Request ID '20191219011208':
>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>> stuck: yes
>>> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>
>>> Then following this thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... I got it to this state:
>>>
>>> Request ID '20191219011208':
>>> status: MONITORING
>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
>>> stuck: no
>>> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>
>>> The post indicates that I have to put an old date in the server to get it renewed, but as the server is in production, it means that all clients will fail to log to the server. Even more, what time should I return to, before the certificate expiration or right after?
>>> Thanks in advance
>>
>> I'd guess that this affects a lot more than just the web server cert. getcert list will tell you.
>>
>> That outcome will affect the suggested remediation.
>>
>> As for going back in time, you'd need a server outage to do this and it only would be backwards in time for a short time. Just long enough so the services could start with non-expired certificates to get them renewed. But there are other ways to do this that don't require fiddling with time.
>>
>> rob
The only expired cert was the HTTP in the dc1 server, dc2 had all the certs valid:
Dc1:
ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191218181440':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
    expires: 2023-11-21 15:14:49 -03
    principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20191219011104':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
    expires: 2023-11-21 15:13:39 -03
    dns: dc1.tnu.com.uy
    principal name: ldap/dc1.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
    track: yes
    auto-renew: yes
Request ID '20211217030046':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc1.tnu.com.uy-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
    expires: 2023-12-18 00:01:22 -03
    dns: dc1.tnu.com.uy
    principal name: HTTP/dc1.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Dc2:
ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:59:28 -03
    expires: 2023-12-13 22:59:28 -03
    principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20221130160326':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:53:10 -03
    expires: 2023-12-13 22:53:10 -03
    dns: dc2.tnu.com.uy
    principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
    track: yes
    auto-renew: yes
Request ID '20221130160327':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:53:26 -03
    expires: 2023-12-13 22:53:26 -03
    dns: dc2.tnu.com.uy
    principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
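Rob's two pointers in this thread (run `getcert list` to see whether more than the HTTP cert has expired, and percent-escape the socket path in the ldapi:// URL) are easy to script. The following is an added example written for this page; it is not code from the thread or from FreeIPA. The `getcert list` sample it parses is constructed for the example (hostnames, request IDs and dates are made up, modelled on the listings above); on a real server you would feed it the live output of `getcert list` instead.

```python
"""Audit `getcert list` output for expired, soon-to-expire and stuck tracking
requests, and build a correctly escaped ldapi:// URL. Added example, not
FreeIPA code; the sample listing below is constructed, not taken from a server."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Constructed sample (assumption): a healthy KDC cert, a dirsrv cert that expires
# in under 30 days, and an HTTP cert that has expired and whose renewal keeps
# failing with a ca-error, as in the original report.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20191218181440':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
\tcertificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
\tCA: IPA
\tsubject: CN=dc1.example.test,O=EXAMPLE.TEST
\texpires: 2023-11-21 15:14:49 -03
\tprincipal name: krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Request ID '20191219011104':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
\tCA: IPA
\tsubject: CN=dc1.example.test,O=EXAMPLE.TEST
\texpires: 2022-12-10 10:00:00 -03
\tprincipal name: ldap/dc1.example.test@EXAMPLE.TEST
Request ID '20191219011208':
\tstatus: MONITORING
\tca-error: Server at https://dc1.example.test/ipa/xml failed request, will retry: -504 (...).
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tCA: IPA
\tsubject: CN=dc1.example.test,O=EXAMPLE.TEST
\texpires: 2021-12-18 00:01:22 -03
\tprincipal name: HTTP/dc1.example.test@EXAMPLE.TEST
"""

# certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS +HH' (local time, hour offset only)
EXPIRES_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-]\d{2})$")
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of 'field: value' pairs per request."""
    entries, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue  # summary line before the first request, or a continuation line
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return entries


def parse_expiry(value):
    """Turn certmonger's expiry string into a timezone-aware datetime."""
    m = EXPIRES_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised expires value: {value!r}")
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=int(m.group(2)))))


def find_problem_certs(text, now, warn_days=30):
    """Return (expired, expiring_within_warn_days, errored) lists of request IDs.

    'errored' holds requests certmonger marks stuck or that carry a ca-error:
    those will not renew on their own even while the certificate is still valid."""
    expired, expiring, errored = [], [], []
    for entry in parse_getcert_list(text):
        rid = entry["request_id"]
        if entry.get("stuck") == "yes" or "ca-error" in entry:
            errored.append(rid)
        if "expires" not in entry:
            continue  # a request that never obtained a certificate
        expires = parse_expiry(entry["expires"])
        if expires <= now:
            expired.append(rid)
        elif expires - now <= timedelta(days=warn_days):
            expiring.append(rid)
    return expired, expiring, errored


def ldapi_url(socket_path):
    """ldapi:// carries the socket path in the host position, so every '/' must be
    percent-encoded; an unescaped path is parsed as a hostname and ldapsearch
    fails with "Can't contact LDAP server (-1)"."""
    return "ldapi://" + quote(socket_path, safe="")


def audit_sample():
    """Run the audit over the constructed sample at a fixed instant (2022-11-22 12:00 UTC)
    so the result is reproducible; use datetime.now(timezone.utc) for live data."""
    now = datetime(2022, 11, 22, 12, 0, tzinfo=timezone.utc)
    return find_problem_certs(SAMPLE_GETCERT_OUTPUT, now)


if __name__ == "__main__":
    expired, expiring, errored = audit_sample()
    print("expired:", expired)          # ['20191219011208']
    print("expiring soon:", expiring)   # ['20191219011104']
    print("stuck/ca-error:", errored)   # ['20191219011208']
    print(ldapi_url("/var/run/slapd-EXAMPLE-TEST.socket"))
```

On a real replica, pipe `getcert list` into `find_problem_certs` (as root, since certmonger's listing needs it) and treat anything in the `errored` list as needing attention even if its expiry date is still in the future: a request with a `ca-error` against the IPA CA is exactly the state the original report showed, and it will stay that way until the CA is reachable over a valid TLS chain again.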
On 30 Nov 2022, at 18:50, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Ok, with the skip-version-check flag it starts correctly, but if I try to restart the service without the flag, it fails in the same point. The error is related to the upgrade process then. I’m upgrading from 4.7 to 4.9 as I didn’t find any restriction in the documentation. Is it possible that there’s an issue with that upgrade path?
It is likely related to your expired certificates. Did you look to see if others besides the HTTP cert expired?
rob
Thanks
On 30 Nov 2022, at 16:21, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi,
Rob, the problem with ipactl --ignore-service-failures is that it always try to upgrade from 4.7 to 4.9 first and it fails for that reason.
$ man 8 ipactl
--skip-version-check Skip version check
rob
I was able to move forward and get pki-tomcat running but I still can't finish the upgrade process. Here are some more logs to see if you can see a lead to help me. Regards
*/var/log/ipaupgrade.log*
2022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1273, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 982, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error
2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-30T16:07:54Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1908, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1207, in __enter__
    method='GET'
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in https_request
    method=method, headers=headers)
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))

2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
*dirsrv/slapd-TNU-COM-UY/errors*
[30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
[30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
[30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
[30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
*localhost_access_log.2022-11-30.txt*
127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669
On 23 Nov 2022, at 18:42, Rob Crittenden <rcritten@redhat.com> wrote:
Run "ipactl --ignore-service-failures" and it should bring up all the services it can.
rob
Juan Pablo Lorier wrote:
Hi again,
I used the ldapi from /etc/ipa/default.conf and I was able to get a different reply:
ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd-TNU-COM-UY.socket
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
But if I try to renew the ticket, it fails:
kinit admin
kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
The running DC is in 4.7 and it should reply to the kinit requests
I added the debug option to see if I can get further information.
ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl
Regards
> On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:
>
> Juan Pablo Lorier wrote:
>> Hi Rob,
>>
>> Thanks for the reply. As I didn’t know other way but to go back in
>> time,
>> I just did it and now the server is running 100%.
>>
>> This was all part of an update from 4.7 to 4.9. According to the
>> documentation, it was just a matter to dnf update but it seems
>> that is
>> not such a happy path.
>>
>> I updated the second server but it’s not able to finalize the update
>> process. DNS is failing to start:
>>
>> # systemctl status ipa-dnskeysyncd.service
>>
>>
>> *●*ipa-dnskeysyncd.service - IPA key daemon
>> Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service;
>> disabled; vendor preset: disabled)
>> Active: *active (running)*since Tue 2022-11-22 11:27:16 -03; 1h
>> 14min ago
>> Main PID: 250496 (ipa-dnskeysyncd)
>> Tasks: 1 (limit: 23652)
>> Memory: 68.4M
>> CGroup: /system.slice/ipa-dnskeysyncd.service
>> └─250496 /usr/libexec/platform-python -I
>> /usr/libexec/ipa/ipa-dnskeysyncd
>>
>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client
>> step 1
>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client
>> step 2
>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]:
>> ipa-dnskeysyncd:
>> INFO Commencing sync process
>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]:
>> ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done,
>> sychronizing with ODS and BIND
>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
>> *Configuration.cpp(96): Missing log.level in configuration. Using
>> default value: INFO*
>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
>> *Configuration.cpp(96): Missing slots.mechanisms in configuration.
>> Using
>> default value: ALL*
>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
>> *Configuration.cpp(124): Missing slots.removable in configuration.
>> Using
>> default value: false*
>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client
>> step 1
>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client
>> step 1
>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
>>
>>
>>
>> GSSAPI client step 1
>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
>>
>>
>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22
>> 12:40:17 -03. --
>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing all plugin modules in ipaserver.plugins...
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.aci
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.automember
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.automount
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.baseldap
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG ipaserver.plugins.baseldap is not a valid plugin module
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.baseuser
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.batch
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.ca
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.caacl
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.cert
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.certmap
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.certprofile
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.config
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.delegation
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.dns
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.dnsserver
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.dogtag
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.domainlevel
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.group
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.hbac
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG ipaserver.plugins.hbac is not a valid plugin module
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.hbacrule
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.hbacsvc
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.hbactest
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.host
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.hostgroup
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.idrange
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.idviews
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.internal
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.join
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.krbtpolicy
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.ldap2
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.location
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.migration
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.misc
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.netgroup
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.otp
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG ipaserver.plugins.otp is not a valid plugin module
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.otpconfig
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.otptoken
>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>> ipalib.plugable:
>> DEBUG importing plugin module ipaserver.plugins.passwd
>
> There should be quite a bit more after that.
>
>>
>> #less /var/log/dirsrv/slapd-*/access
>>
>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0
>> tag=101
>> nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH
>> base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0
>> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
>> krbMaxRenewab
>> leAge krbTicketFlags krbAuthIndMaxTicketLife
>> krbAuthIndMaxRenewableAge"
>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0
>> tag=101
>> nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn=""
>> method=sasl version=3 mech=GSSAPI
>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14
>> tag=97
>> nentries=0 wtime=0.000071973 optime=0.002531582
>> etime=0.002602416, SASL
>> bind in progress
>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn=""
>> method=sasl version=3 mech=GSSAPI
>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14
>> tag=97
>> nentries=0 wtime=0.000058962 optime=0.001451477
>> etime=0.001509337, SASL
>> bind in progress
>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn=""
>> method=sasl version=3 mech=GSSAPI
>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0
>> tag=97
>> nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026
>> dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=
>> com,dc=uy"
>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH
>> base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2
>> filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))"
>> attrs="objectClass cn fqdn serverHostN
>> ame memberOf ipaSshPubKey ipaUniqueID"
>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0
>> tag=101
>> nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994
>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH
>> base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
>> scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaU
>> niqueID"
>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0
>> tag=101
>> nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094
>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH
>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2
>> filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))"
>> attrs="objectClass ipaUniqueID cn memb
>> er entryusn"
>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0
>> tag=101
>> nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481
>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH
>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2
>> filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostC
>> ategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgro
>> ups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))"
>> attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt
>> ipaSudoRunAs
>> ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberU
>> ser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory
>> userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory
>> ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup e
>> xternalUser entryusn"
>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0
>> tag=101
>> nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132
>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT
>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT
>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0
>> tag=120 nentries=0 wtime=0.000194721 optime=0.000766071
>> etime=0.000956734
>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0
>> tag=120 nentries=0 wtime=0.000326560 optime=0.001178137
>> etime=0.001489204
>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT
>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0
>> tag=120 nentries=0 wtime=0.000133089 optime=0.002969180
>> etime=0.003098843
>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT
>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0
>> tag=120 nentries=0 wtime=0.000131720 optime=0.002769639
>> etime=0.002897696
>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT
>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT
>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0
>> tag=120 nentries=0 wtime=0.000245657 optime=0.001129708
>> etime=0.001372435
>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0
>> tag=120 nentries=0 wtime=0.000293789 optime=0.001457836
>> etime=0.001748601
>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT
>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0
>> tag=120 nentries=0 wtime=0.010809128 optime=0.004600843
>> etime=0.015402108
>>
>>
>> I see that after the update, the files were changed:
>>
>>
>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
>> /etc/dirsrv/slapd-TNU-COM-UY:
>> total 4208
>> -rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem
>> -rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem
>> -rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022
>> TNU.COM.UY20IPA20CA.pem
>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db
>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig
>> -r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf
>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
>> -rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55
>> dse.ldif.ipa.1cf1fe204fd69494
>> -rw-------. 1 dirsrv root 202234 Nov 21 14:01
>> dse.ldif.ipa.1dd1d38cbd8d26ae
>> -rw-------. 1 dirsrv root 208355 Nov 22 11:26
>> dse.ldif.ipa.21662457cb42c116
>> -rw-------. 1 dirsrv root 208355 Nov 22 10:47
>> dse.ldif.ipa.256a5d66e550a957
>> -rw-------. 1 dirsrv root 195350 Nov 21 13:35
>> dse.ldif.ipa.274744b10eed3d9b
>> -rw-------. 1 dirsrv root 203050 Nov 21 19:09
>> dse.ldif.ipa.385fb48f5462219c
>> -rw-------. 1 dirsrv root 156705 Jan 9 2020
>> dse.ldif.ipa.6b71b47d73ca452a
>> -rw-------. 1 dirsrv root 202234 Nov 21 13:38
>> dse.ldif.ipa.767aba4a82811822
>> -rw-------. 1 dirsrv root 208355 Nov 21 21:07
>> dse.ldif.ipa.814a4de587fc22ec
>> -rw-------. 1 dirsrv root 208355 Nov 22 10:49
>> dse.ldif.ipa.889036fc0907e7de
>> -rw-------. 1 dirsrv root 202234 Nov 21 13:47
>> dse.ldif.ipa.8fd2b7413b99dfa3
>> -rw-------. 1 dirsrv root 202234 Nov 21 13:42
>> dse.ldif.ipa.958ca3a96922f2fd
>> -rw-------. 1 dirsrv root 202234 Nov 21 14:48
>> dse.ldif.ipa.bacd6d1d200348bf
>> -rw-------. 1 dirsrv root 208355 Nov 22 11:24
>> dse.ldif.ipa.bfadc14f0e609072
>> -rw-------. 1 dirsrv root 202234 Nov 21 14:23
>> dse.ldif.ipa.f1e864261a119b6c
>> -rw-------. 1 dirsrv root 202234 Nov 21 15:42
>> dse.ldif.ipa.fa918bf07c17e2e8
>> -rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out
>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
>> -r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif
>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db
>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig
>> -r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt
>> -rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt
>> -rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig
>> -rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt
>> -r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig
>> drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema
>> drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak
>> -rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf
>>
>>
>> I can’t connect to the LDAP service:
>>
>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>
> You have to escape the socket path:
> ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
>
>> # less /var/log/ipaupgrade.log
>>
>> Server built: Jun 29 2021 22:00:15 UTC
>> Server number: 9.0.30.0
>> OS Name: Linux
>> OS Version: 4.18.0-348.7.1.el8_5.x86_64
>> Architecture: amd64
>> JVM Version: 1.8.0_322-b06
>> JVM Vendor: Red Hat, Inc.
>>
>> 2022-11-22T14:26:56Z DEBUG stderr=
>> 2022-11-22T14:26:56Z DEBUG Starting external process
>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show',
>> 'kra']
>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1
>> 2022-11-22T14:26:56Z DEBUG stdout=
>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in
>> instance pki-tomcat.
>>
>> 2022-11-22T14:26:56Z DEBUG Starting external process
>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start',
>> 'pki-tomcatd@pki-tomcat.service']
>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1
>> 2022-11-22T14:26:57Z DEBUG stdout=
>> 2022-11-22T14:26:57Z DEBUG stderr=Job
>> for pki-tomcatd@pki-tomcat.service failed because the control
>> process exited with error code.
>> See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for
>> details.
>>
>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2022-11-22T14:26:57Z DEBUG File
>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line
>> 180, in
>> execute
>> return_value = self.run()
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 54, in run
>> server.upgrade()
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
>> line 2055, in upgrade
>> upgrade_configuration()
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
>> line 1783, in upgrade_configuration
>> ca.start('pki-tomcat')
>> File
>> "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>> line 524, in start
>> self.service.start(instance_name, capture_output=capture_output,
>> wait=wait)
>> File
>> "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py",
>> line 306, in start
>> skip_output=not capture_output)
>> File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line
>> 600, in run
>> p.returncode, arg_string, output_log, error_log
>>
>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed,
>> exception: CalledProcessError: CalledProcessError(Command
>> ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit
>> status
>> 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control
>> process exited with error code.\nSee "systemctl status
>> pki-tomcatd@pki-tomcat.service"
>> and "journalctl -xe" for details.\n')
>> 2022-11-22T14:26:57Z ERROR Unexpected error - see
>> /var/log/ipaupgrade.log for details:
>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
>> 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit
>> status
>> 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control
>> process exited with error code.\nSee "systemctl status
>> pki-tomcatd@pki-tomcat.service"
>> and "journalctl -xe" for details.\n')
>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See
>> /var/log/ipaupgrade.log for more information
>> (END)
>
> The CA failed to start. This is often due to expired certificates that
> get exposed when an upgrade is done. Check that out.
>
>> #ipactl status
>>
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: STOPPED
>> httpd Service: RUNNING
>> ipa-custodia Service: RUNNING
>> pki-tomcatd Service: STOPPED
>> ipa-otpd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> 2 service(s) are not running
>>
>>
>> Thanks
>>
>>> On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:
>>>
>>> Juan Pablo Lorier via FreeIPA-users wrote:
>>>> Hi,
>>>>
>>>> I have a production server that was not maintained and I see
>>>> that the
>>>> HTTP certificate has expired long ago. I tried to renew it but I'm
>>>> not being able to get it right.
>>>>
>>>> The initial status was:
>>>>
>>>> Request ID '20191219011208':
>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>> stuck: yes
>>>> key pair storage:
>>>> type=FILE,location='/var/lib/ipa/private/httpd.key'
>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>
>>>> Then following this thread
>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
>>>>
>>>> I got it to this state:
>>>>
>>>> Request ID '20191219011208':
>>>> status: MONITORING
>>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request,
>>>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed.
>>>> libcurl failed even to execute the HTTP transaction, explaining:
>>>> SSL certificate problem: certificate has expired).
>>>> stuck: no
>>>> key pair storage:
>>>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>
>>>> The post indicates that I have to put an old date in the server to
>>>> get it renewed, but as the server is in production, it means
>>>> that all
>>>> clients will fail to log to the server. Even more, what time
>>>> should I
>>>> return to, before the certificate expiration or right after?
>>>> Thanks in advance
>>>
>>> I'd guess that this affects a lot more than just the web server
>>> cert.
>>> getcert list will tell you.
>>>
>>> Depending on that outcome affect the suggested remediation.
>>>
>>> As for going back in time, you'd need a server outage to do this
>>> and it
>>> only would be backwards in time for a short time. Just long
>>> enough so
>>> the services could start with non-expired certificates to get them
>>> renewed. But there are other ways to do this that don't require
>>> fiddling
>>> with time.
>>>
>>> rob
Juan Pablo Lorier wrote:
The only expired cert was the HTTP in the dc1 server, dc2 had all the certs valid:
This does not show all of the tracked certificates. Use plain getcert, which will show them for all CA helpers.
rob
Dc1:

ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191218181440':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
    expires: 2023-11-21 15:14:49 -03
    principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20191219011104':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
    expires: 2023-11-21 15:13:39 -03
    dns: dc1.tnu.com.uy
    principal name: ldap/dc1.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
    track: yes
    auto-renew: yes
Request ID '20211217030046':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc1.tnu.com.uy-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
    expires: 2023-12-18 00:01:22 -03
    dns: dc1.tnu.com.uy
    principal name: HTTP/dc1.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

Dc2:

ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:59:28 -03
    expires: 2023-12-13 22:59:28 -03
    principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20221130160326':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:53:10 -03
    expires: 2023-12-13 22:53:10 -03
    dns: dc2.tnu.com.uy
    principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
    track: yes
    auto-renew: yes
Request ID '20221130160327':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:53:26 -03
    expires: 2023-12-13 22:53:26 -03
    dns: dc2.tnu.com.uy
    principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
On 30 Nov 2022, at 18:50, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Ok, with the skip-version-check flag it starts correctly, but if I try to restart the service without the flag, it fails in the same point. The error is related to the upgrade process then. I’m upgrading from 4.7 to 4.9 as I didn’t find any restriction in the documentation. Is it possible that there’s an issue with that upgrade path?
It is likely related to your expired certificates. Did you look to see if others besides the HTTP cert expired?
rob
Thanks
On 30 Nov 2022, at 16:21, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi,
Rob, the problem with ipactl --ignore-service-failures is that it always tries to upgrade from 4.7 to 4.9 first and it fails for that reason.
$ man 8 ipactl
--skip-version-check Skip version check
rob
I was able to move forward and get pki-tomcat running but I still can't finish the upgrade process. Here are some more logs to see if you can see a lead to help me. Regards
/var/log/ipaupgrade.log:

2022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1273, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 982, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error
2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-30T16:07:54Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1908, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1207, in __enter__
    method='GET'
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in https_request
    method=method, headers=headers)
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))

2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
dirsrv/slapd-TNU-COM-UY/errors:

[30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
[30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
[30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
[30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
localhost_access_log.2022-11-30.txt:

127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669
On 23 Nov 2022, at 18:42, Rob Crittenden <rcritten@redhat.com> wrote:
Run "ipactl --ignore-service-failures" and it should bring up all the services it can.
rob
Juan Pablo Lorier wrote:
> Hi again,
>
> I used the ldapi from /etc/ipa/default.conf and I was able to get a
> different reply:
>
> ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd-TNU-COM-UY.socket
> ldapi:///var/run/slapd%5C-TNU%5C-COM%5C-UY.socket
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
>         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
>
> But if I try to renew the ticket, it fails:
>
> kinit admin
> kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
>
> The running DC is in 4.7 and it should reply to the kinit requests
>
> I added the debug option to see if I can get further information.
>
> ipactl restart
> IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
> Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
> Update complete
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>
> See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
> Stopping ipa-dnskeysyncd Service
> Stopping ipa-otpd Service
> Stopping pki-tomcatd Service
> Stopping ipa-custodia Service
> Stopping httpd Service
> Stopping named Service
> Stopping kadmin Service
> Stopping krb5kdc Service
> Stopping Directory Service
> Aborting ipactl
>
> Regards
>
>> On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:
>>
>> Juan Pablo Lorier wrote:
>>> Hi Rob,
>>>
>>> Thanks for the reply. As I didn't know any other way but to go back in time,
>>> I just did it and now the server is running 100%.
>>>
>>> This was all part of an update from 4.7 to 4.9. According to the
>>> documentation, it was just a matter to def update but it seems that is
>>> not such a happy path.
>>>
>>> I updated the second server but it's not able to finalize the update
>>> process. DNS is failing to start:
>>>
>>> # systemctl status ipa-dnskeysyncd.service
>>>
>>> ● ipa-dnskeysyncd.service - IPA key daemon
>>>    Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
>>>    Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
>>>  Main PID: 250496 (ipa-dnskeysyncd)
>>>     Tasks: 1 (limit: 23652)
>>>    Memory: 68.4M
>>>    CGroup: /system.slice/ipa-dnskeysyncd.service
>>>            └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd
>>>
>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>
>>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
>>>
>>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
>>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
>>
>> There should be quite a bit more after that.
>>
>>> #less /var/log/dirsrv/slapd-*/access
>>>
>>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
>>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
>>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
>>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
>>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
>>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
>>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
>>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
>>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
>>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
>>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
>>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
>>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
>>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
>>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
>>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0
tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 >>> etime=0.001748601 >>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT >>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 >>> tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 >>> etime=0.015402108 >>> >>> >>> I see that after the update, the files were changed: >>> >>> >>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY* >>> /etc/dirsrv/slapd-TNU-COM-UY: >>> total 4208 >>> -rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem >>> -rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem >>> -rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 >>> TNU.COM.UY20IPA20CA.pem >>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db >>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig >>> -r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf >>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif >>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak >>> -rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 >>> dse.ldif.ipa.1cf1fe204fd69494 >>> -rw-------. 1 dirsrv root 202234 Nov 21 14:01 >>> dse.ldif.ipa.1dd1d38cbd8d26ae >>> -rw-------. 1 dirsrv root 208355 Nov 22 11:26 >>> dse.ldif.ipa.21662457cb42c116 >>> -rw-------. 1 dirsrv root 208355 Nov 22 10:47 >>> dse.ldif.ipa.256a5d66e550a957 >>> -rw-------. 1 dirsrv root 195350 Nov 21 13:35 >>> dse.ldif.ipa.274744b10eed3d9b >>> -rw-------. 1 dirsrv root 203050 Nov 21 19:09 >>> dse.ldif.ipa.385fb48f5462219c >>> -rw-------. 1 dirsrv root 156705 Jan 9 2020 >>> dse.ldif.ipa.6b71b47d73ca452a >>> -rw-------. 1 dirsrv root 202234 Nov 21 13:38 >>> dse.ldif.ipa.767aba4a82811822 >>> -rw-------. 1 dirsrv root 208355 Nov 21 21:07 >>> dse.ldif.ipa.814a4de587fc22ec >>> -rw-------. 1 dirsrv root 208355 Nov 22 10:49 >>> dse.ldif.ipa.889036fc0907e7de >>> -rw-------. 
1 dirsrv root 202234 Nov 21 13:47 >>> dse.ldif.ipa.8fd2b7413b99dfa3 >>> -rw-------. 1 dirsrv root 202234 Nov 21 13:42 >>> dse.ldif.ipa.958ca3a96922f2fd >>> -rw-------. 1 dirsrv root 202234 Nov 21 14:48 >>> dse.ldif.ipa.bacd6d1d200348bf >>> -rw-------. 1 dirsrv root 208355 Nov 22 11:24 >>> dse.ldif.ipa.bfadc14f0e609072 >>> -rw-------. 1 dirsrv root 202234 Nov 21 14:23 >>> dse.ldif.ipa.f1e864261a119b6c >>> -rw-------. 1 dirsrv root 202234 Nov 21 15:42 >>> dse.ldif.ipa.fa918bf07c17e2e8 >>> -rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 >>> dse.ldif.modified.out >>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK >>> -r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif >>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db >>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig >>> -r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt >>> -rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt >>> -rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig >>> -rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt >>> -r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig >>> drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema >>> drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak >>> -rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 >>> slapd-collations.conf >>> >>> >>> I can’t connect to the LDAP service: >>> >>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket >>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) >> >> You have to escape the socket path: >> ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket >> >>> # less /var/log/ipaupgrade.log >>> >>> Server built: Jun 29 2021 22:00:15 UTC >>> Server number: 9.0.30.0 >>> OS Name: Linux >>> OS Version: 4.18.0-348.7.1.el8_5.x86_64 >>> Architecture: amd64 >>> JVM Version: 1.8.0_322-b06 >>> JVM Vendor: Red Hat, Inc. 
>>> >>> 2022-11-22T14:26:56Z DEBUG stderr= >>> 2022-11-22T14:26:56Z DEBUG Starting external process >>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', >>> 'kra'] >>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1 >>> 2022-11-22T14:26:56Z DEBUG stdout= >>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in >>> instance pki-tomcat. >>> >>> 2022-11-22T14:26:56Z DEBUG Starting external process >>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', >>> 'pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service'] >>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1 >>> 2022-11-22T14:26:57Z DEBUG stdout= >>> 2022-11-22T14:26:57Z DEBUG stderr=Job >>> for pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service failed because the control >>> process exited with error code. >>> See "systemctl status pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for >>> details. >>> >>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect >>> /var/log/ipaupgrade.log and run command ipa-server-upgrade >>> manually. 
>>> 2022-11-22T14:26:57Z DEBUG File >>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line >>> 180, in >>> execute >>> return_value = self.run() >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", >>> line 54, in run >>> server.upgrade() >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>> line 2055, in upgrade >>> upgrade_configuration() >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>> line 1783, in upgrade_configuration >>> ca.start('pki-tomcat') >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", >>> line 524, in start >>> self.service.start(instance_name, >>> capture_output=capture_output, >>> wait=wait) >>> File >>> "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", >>> line 306, in start >>> skip_output=not capture_output) >>> File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", >>> line >>> 600, in run >>> p.returncode, arg_string, output_log, error_log >>> >>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, >>> exception: CalledProcessError: CalledProcessError(Command >>> ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service'] returned non-zero exit >>> status >>> 1: 'Job for pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service failed because the control >>> process exited with error code.\nSee "systemctl status >>> pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service" >>> and "journalctl -xe" for details.\n') >>> 
2022-11-22T14:26:57Z ERROR Unexpected error - see >>> /var/log/ipaupgrade.log for details: >>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', >>> 'start', 'pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service'] returned non-zero exit >>> status >>> 1: 'Job for pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service failed because the control >>> process exited with error code.\nSee "systemctl status >>> pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service >>> mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service" >>> and "journalctl -xe" for details.\n') >>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command >>> failed. See >>> /var/log/ipaupgrade.log for more information >>> (END) >> >> The CA failed to start. This is often due to expired >> certificates that >> get exposed when an upgrade is done. Check that out. >> >>> #ipactl status >>> >>> Directory Service: RUNNING >>> krb5kdc Service: RUNNING >>> kadmin Service: RUNNING >>> named Service: STOPPED >>> httpd Service: RUNNING >>> ipa-custodia Service: RUNNING >>> pki-tomcatd Service: STOPPED >>> ipa-otpd Service: RUNNING >>> ipa-dnskeysyncd Service: RUNNING >>> 2 service(s) are not running >>> >>> >>> Thanks >>> >>>> El 22 nov. 2022, a las 11:43, Rob Crittenden >>>> <rcritten@redhat.com mailto:rcritten@redhat.com >>>> mailto:rcritten@redhat.com >>>> mailto:rcritten@redhat.com >>>> mailto:rcritten@redhat.com> escribió: >>>> >>>> Juan Pablo Lorier via FreeIPA-users wrote: >>>>> Hi, >>>>> >>>>> I have a production server that was not maintained and I see >>>>> that the >>>>> HTTP certificate has expired long ago. 
I tried to renew it >>>>> but I'm >>>>> not being agle to get it right. >>>>> >>>>> The initial status was: >>>>> >>>>> Request ID '20191219011208': >>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >>>>> stuck: yes >>>>> key pair storage: >>>>> type=FILE,location='/var/lib/ipa/private/httpd.key' >>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>> >>>>> Then following this thread >>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>>> >>>>> I got it to this state: >>>>> >>>>> Request ID '20191219011208': >>>>> status: MONITORING >>>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed >>>>> request, >>>>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. >>>>> libcurl failed even to execute the HTTP transaction, explaining: >>>>> SSL certificate problem: certificate has expired). >>>>> stuck: no >>>>> key pair storage: >>>>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA' >>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>> >>>>> The post indicates that I have to put an old date in the >>>>> server to >>>>> get it renewed, but as the server is in production, it means >>>>> that all >>>>> clients will fail to log to the server. Evenmore, what time >>>>> should I >>>>> return to, before the certificate expiration or right after? >>>>> Thanks in advanc >>>> >>>> I'd guess that this affects a lot more than just the web server >>>> cert. >>>> getcert list will tell you. >>>> >>>> Depending on that outcome affect the suggested remediation. >>>> >>>> As for going back in time, you'd need a server outage to do this >>>> and it >>>> only would be backwards in time for a short time. Just long >>>> enough so >>>> the services could start with non-expired certificates to get them >>>> renewed. But there are other ways to do this that don't require >>>> fiddling >>>> with time. >>>> >>>> rob
You are right, there are several certificates stuck in dc2:
getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:59:28 -03
    expires: 2023-12-13 22:59:28 -03
    principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20221130160320':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caSignedLogCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221130160321':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caOCSPCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221130160322':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caSubsystemCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221130160323':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caCACert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221130160324':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-01 22:56:02 -03
    expires: 2023-11-21 22:56:02 -03
    dns: dc2.tnu.com.uy
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caServerCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221130160325':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=IPA RA,O=TNU.COM.UY
    issued: 2021-11-09 15:12:27 -03
    expires: 2023-10-30 15:12:27 -03
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caSubsystemCert
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20221130160326':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:53:10 -03
    expires: 2023-12-13 22:53:10 -03
    dns: dc2.tnu.com.uy
    principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
    track: yes
    auto-renew: yes
Request ID '20221130160327':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:53:26 -03
    expires: 2023-12-13 22:53:26 -03
    dns: dc2.tnu.com.uy
    principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Can I ask how I provide the required information to unstick the certs?
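Because the stuck requests above only show up in plain getcert list (the ipa-getcert view further down misses the dogtag-ipa-ca-renew-agent helper entirely), it is worth having a small check that walks the full output and flags anything stuck, expired or about to expire. The script below is an added example written for this thread; it is not FreeIPA or certmonger code. It parses the text layout getcert list prints (a "Request ID" header followed by indented "key: value" lines), and the sample output embedded in it is constructed to mirror the fields seen in this thread, with an invented EXAMPLE.TEST realm.

```python
"""Flag stuck, expired and soon-to-expire certmonger tracking requests.

Added example, not FreeIPA/certmonger code. It parses the text that
`getcert list` prints and reports what an operator should act on.
Usage:  getcert list | python3 check_getcert.py   (bare run uses SAMPLE)
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the getcert list layout (realm EXAMPLE.TEST is
# made up): one healthy request and one stuck request with no cert yet.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20221130160327':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    issued: 2021-12-12 22:53:26 -03
    expires: 2023-12-13 22:53:26 -03
    track: yes
    auto-renew: yes
Request ID '20221130160320':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    track: yes
    auto-renew: yes
"""

# getcert prints "2023-12-13 22:53:26 -03": an hours-only UTC offset,
# which datetime.strptime's %z rejects, so the pieces are parsed by hand.
EXPIRES_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-])(\d{2}):?(\d{2})?$")


def parse_expiry(value):
    """Return an aware datetime, or None for 'unknown' / anything else."""
    m = EXPIRES_RE.match(value.strip())
    if not m:
        return None
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    sign = 1 if m.group(2) == "+" else -1
    offset = timedelta(hours=int(m.group(3)), minutes=int(m.group(4) or 0))
    return naive.replace(tzinfo=timezone(sign * offset))


def parse_getcert(text):
    """Split getcert list output into one dict of fields per request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"^Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests


def assess(requests, now, warn_days=30):
    """Map request id -> 'stuck', 'expired', 'expiring' or 'ok'.

    A stuck request wins over everything else: its 'expires' is usually
    'unknown', so an expiry-only check would silently rate it healthy.
    """
    verdicts = {}
    for req in requests:
        expiry = parse_expiry(req.get("expires", ""))
        if req.get("stuck") == "yes":
            verdicts[req["id"]] = "stuck"
        elif expiry is not None and expiry <= now:
            verdicts[req["id"]] = "expired"
        elif expiry is not None and expiry - now <= timedelta(days=warn_days):
            verdicts[req["id"]] = "expiring"
        else:
            verdicts[req["id"]] = "ok"
    return verdicts


if __name__ == "__main__":
    piped = sys.stdin is not None and not sys.stdin.isatty()
    text = sys.stdin.read() if piped else SAMPLE
    reqs = parse_getcert(text)
    for rid, verdict in assess(reqs, datetime.now(timezone.utc)).items():
        fields = next(r for r in reqs if r["id"] == rid)
        print(f"{rid} {verdict:8} status={fields.get('status')} "
              f"expires={fields.get('expires')} cert={fields.get('certificate')}")
```

Run it on the real server as getcert list | python3 check_getcert.py (not ipa-getcert, for the reason Rob gives below); any line rated stuck, expired or expiring is a request to look at before attempting ipa-server-upgrade again.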
On 30 Nov 2022, at 19:55, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
The only expired cert was the HTTP in the dc1 server, dc2 had all the certs valid:
This does not show all of the tracked certificates. Use plain getcert, which will show them for all CA helpers.
rob
*Dc1:*
ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191218181440':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
    expires: 2023-11-21 15:14:49 -03
    principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20191219011104':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
    expires: 2023-11-21 15:13:39 -03
    dns: dc1.tnu.com.uy
    principal name: ldap/dc1.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
    track: yes
    auto-renew: yes
Request ID '20211217030046':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc1.tnu.com.uy-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
    expires: 2023-12-18 00:01:22 -03
    dns: dc1.tnu.com.uy
    principal name: HTTP/dc1.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
*Dc2:*
ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:59:28 -03
    expires: 2023-12-13 22:59:28 -03
    principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20221130160326':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:53:10 -03
    expires: 2023-12-13 22:53:10 -03
    dns: dc2.tnu.com.uy
    principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
    track: yes
    auto-renew: yes
Request ID '20221130160327':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:53:26 -03
    expires: 2023-12-13 22:53:26 -03
    dns: dc2.tnu.com.uy
    principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
On 30 Nov 2022, at 18:50, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Ok, with the skip-version-check flag it starts correctly, but if I try to restart the service without the flag, it fails at the same point. The error is related to the upgrade process then. I'm upgrading from 4.7 to 4.9 as I didn't find any restriction in the documentation. Is it possible that there's an issue with that upgrade path?
It is likely related to your expired certificates. Did you look to see if others besides the HTTP cert expired?
rob
Thanks
On 30 Nov 2022, at 16:21, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi,
Rob, the problem with ipactl --ignore-service-failures is that it always tries to upgrade from 4.7 to 4.9 first and it fails for that reason.
$ man 8 ipactl
--skip-version-check Skip version check
rob
I was able to move forward and get pki-tomcat running but I still can't finish the upgrade process. Here are some more logs to see if you can see a lead to help me. Regards
*/var/log/ipaupgrade.log*
2022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1273, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 982, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error
2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-30T16:07:54Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1908, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1207, in __enter__
    method='GET'
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in https_request
    method=method, headers=headers)
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))

2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
*dirsrv/slapd-TNU-COM-UY/errors*
[30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
[30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
[30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
[30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
*localhost_access_log.2022-11-30.txt*
127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669
> On 23 Nov 2022, at 18:42, Rob Crittenden <rcritten@redhat.com> wrote:
>
> Run "ipactl --ignore-service-failures" and it should bring up all the services it can.
>
> rob
>
> Juan Pablo Lorier wrote:
>> Hi again,
>>
>> I used the ldapi from /etc/ipa/default.conf and I was able to get a different reply:
>>
>> ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd-TNU-COM-UY.socket
>>
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
>>
>> But if I try to renew the ticket, it fails:
>>
>> kinit admin
>> kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
>>
>> The running DC is in 4.7 and it should reply to the kinit requests
>>
>> I added the debug option to see if I can get further information.
>>
>> ipactl restart
>> IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
>> Automatically running upgrade, for details see /var/log/ipaupgrade.log
>> Be patient, this may take a few minutes.
>> Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
>> Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
>> Update complete
>> Upgrading the configuration of the IPA services
>> [Verifying that root certificate is published]
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>
>> See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
>> Stopping ipa-dnskeysyncd Service
>> Stopping ipa-otpd Service
>> Stopping pki-tomcatd Service
>> Stopping ipa-custodia Service
>> Stopping httpd Service
>> Stopping named Service
>> Stopping kadmin Service
>> Stopping krb5kdc Service
>> Stopping Directory Service
>> Aborting ipactl
>>
>> Regards
>>
>>> On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:
>>>
>>> Juan Pablo Lorier wrote:
>>>> Hi Rob,
>>>>
>>>> Thanks for the reply. As I didn't know any other way but to go back in time, I just did it and now the server is running 100%.
>>>>
>>>> This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter of a dnf update, but it seems that is not such a happy path.
>>>> I updated the second server but it's not able to finalize the update process. DNS is failing to start:
>>>>
>>>> # systemctl status ipa-dnskeysyncd.service
>>>>
>>>> ● ipa-dnskeysyncd.service - IPA key daemon
>>>>    Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
>>>>    Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
>>>>  Main PID: 250496 (ipa-dnskeysyncd)
>>>>     Tasks: 1 (limit: 23652)
>>>>    Memory: 68.4M
>>>>    CGroup: /system.slice/ipa-dnskeysyncd.service
>>>>            └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd
>>>>
>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
>>>>
>>>> GSSAPI client step 1
>>>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
>>>>
>>>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
>>>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
>>>
>>> There should be quite a bit more after that.
>>>
>>>> #less /var/log/dirsrv/slapd-*/access
>>>>
>>>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
>>>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
>>>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
>>>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
>>>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
>>>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
>>>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
>>>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
>>>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
>>>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
>>>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
>>>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
>>>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
>>>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
>>>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
>>>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
>>>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
>>>>
>>>> I see that after the update, the files were changed:
>>>>
>>>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
>>>> /etc/dirsrv/slapd-TNU-COM-UY:
>>>> total 4208
>>>> -rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem
>>>> -rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem
>>>> -rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 TNU.COM.UY20IPA20CA.pem
>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db
>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig
>>>> -r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf
>>>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
>>>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
>>>> -rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
>>>> -rw-------. 1 dirsrv root 195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
>>>> -rw-------. 1 dirsrv root 203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
>>>> -rw-------. 1 dirsrv root 156705 Jan 9 2020 dse.ldif.ipa.6b71b47d73ca452a
>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
>>>> -rw-------. 1 dirsrv root 208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
>>>> -rw-------. 1 dirsrv root 202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
>>>> -rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out
>>>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
>>>> -r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif
>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db
>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig
>>>> -r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt
>>>> -rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt
>>>> -rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig
>>>> -rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt
>>>> -r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig
>>>> drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema
>>>> drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak
>>>> -rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf
>>>>
>>>> I can't connect to the LDAP service:
>>>>
>>>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
>>>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>>>
>>> You have to escape the socket path:
>>> ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
>>>
>>>> # less /var/log/ipaupgrade.log
>>>>
>>>> Server built: Jun 29 2021 22:00:15 UTC
>>>> Server number: 9.0.30.0
>>>> OS Name: Linux
>>>> OS Version: 4.18.0-348.7.1.el8_5.x86_64
>>>> Architecture: amd64
>>>> JVM Version: 1.8.0_322-b06
>>>> JVM Vendor: Red Hat, Inc.
>>>>
>>>> 2022-11-22T14:26:56Z DEBUG stderr=
>>>> 2022-11-22T14:26:56Z DEBUG Starting external process
>>>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
>>>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1
>>>> 2022-11-22T14:26:56Z DEBUG stdout=
>>>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
>>>>
>>>> 2022-11-22T14:26:56Z DEBUG Starting external process
>>>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
>>>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1
>>>> 2022-11-22T14:26:57Z DEBUG stdout=
>>>> 2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
>>>> See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
>>>>
>>>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>> 2022-11-22T14:26:57Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
>>>>     return_value = self.run()
>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
>>>>     server.upgrade()
>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
>>>>     upgrade_configuration()
>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
>>>>     ca.start('pki-tomcat')
>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
>>>>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>>>>   File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
>>>>     skip_output=not capture_output)
>>>>   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
>>>>     p.returncode, arg_string, output_log, error_log
>>>>
>>>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
>>>> 2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
>>>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>> (END)
>>>
>>> The CA failed to start. This is often due to expired certificates that get exposed when an upgrade is done. Check that out.
>>>
>>>> #ipactl status
>>>>
>>>> Directory Service: RUNNING
>>>> krb5kdc Service: RUNNING
>>>> kadmin Service: RUNNING
>>>> named Service: STOPPED
>>>> httpd Service: RUNNING
>>>> ipa-custodia Service: RUNNING
>>>> pki-tomcatd Service: STOPPED
>>>> ipa-otpd Service: RUNNING
>>>> ipa-dnskeysyncd Service: RUNNING
>>>> 2 service(s) are not running
>>>>
>>>> Thanks
>>>>
>>>>> On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:
>>>>>
>>>>> Juan Pablo Lorier via FreeIPA-users wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have a production server that was not maintained and I see that the HTTP certificate has expired long ago. I tried to renew it but I'm not being able to get it right.
>>>>>>
>>>>>> The initial status was:
>>>>>>
>>>>>> Request ID '20191219011208':
>>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>>>> stuck: yes
>>>>>> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>>>
>>>>>> Then following this thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
>>>>>>
>>>>>> I got it to this state:
>>>>>>
>>>>>> Request ID '20191219011208':
>>>>>> status: MONITORING
>>>>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
>>>>>> stuck: no
>>>>>> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>>>
>>>>>> The post indicates that I have to put an old date in the server to get it renewed, but as the server is in production, it means that all clients will fail to log in to the server. Even more, what time should I return to, before the certificate expiration or right after?
>>>>>> Thanks in advance
>>>>>
>>>>> I'd guess that this affects a lot more than just the web server cert. getcert list will tell you.
>>>>>
>>>>> Depending on that outcome, the suggested remediation will differ.
>>>>>
>>>>> As for going back in time, you'd need a server outage to do this and it only would be backwards in time for a short time. Just long enough so the services could start with non-expired certificates to get them renewed. But there are other ways to do this that don't require fiddling with time.
>>>>>
>>>>> rob
Hello Juan,

Juan Pablo Lorier via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:

> You are right, there are several certificates stuck in dc2:
> getcert list
> ...
> Request ID '20221130160320':
>     status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN

My google-fu points to this comment in an issue: https://github.com/freeipa/freeipa-healthcheck/issues/123#issuecomment-65996... That has the commands to fix the issue.

Another possibility should be to stop tracking the certificates and run ipa-server-upgrade, which should restore the tracking. Right?
Jochen
Thanks Jochen,
I tried following the post but the getcert command is complaining about the syntax and I can't find why. According to the man page, the parameters are right.
I also tried to remove the certs and run ipa-server-upgrade but it generates new certs and fails at the same point (new certs are also pending pin information). It looks like I will need a way to unstick those certs for the upgrade to continue. All suggestions are welcome :-)
Regards
On 1 Dec 2022, at 01:30, Jochen Kellner <jochen@jochen.org> wrote:

> Hello Juan,
>
> Juan Pablo Lorier via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
>
>> You are right, there are several certificates stuck in dc2:
>> getcert list
>> ...
>> Request ID '20221130160320':
>>     status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>
> My google-fu points to this comment in an issue: https://github.com/freeipa/freeipa-healthcheck/issues/123#issuecomment-65996... That has the commands to fix the issue.
>
> Another possibility should be to stop tracking the certificates and run ipa-server-upgrade, which should restore the tracking. Right?
>
> Jochen
>
> --
> This space is intentionally left blank.
Ok, I fixed the certs following another ticket, but using the pin file pointed to in the link you sent me. Result:
ipa-getcert start-tracking -i 20221201163932 -p /etc/pki/pki-tomcat/alias/pwdfile.txt
But it seems that ipa-server-upgrade breaks them again:
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Missing or incorrect tracking request for certificates:
    /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
    /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
    /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
    /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'acmeServerCert'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Request ID '20221201164512':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caSignedLogCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221201164513':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caOCSPCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221201164514':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caSubsystemCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221201164515':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caCACert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Juan Pablo Lorier wrote:
Ok, I fixed the certs following another ticket, but using the pin file pointed to in the link you sent me. Result:
ipa-getcert start-tracking -i 20221201163932 -p /etc/pki/pki-tomcat/alias/pwdfile.txt
I don't know what request 20221201163932 is but you need to add the pin file to all of the CA-related trackers.
rob
Hi Rob,
I do manually add the pin and they get into MONITORING state, but the IPA server is not consistent because the upgrade never completes. If I try to run the upgrade, the process renews the certs and they go back to the stuck state. Look at the upgrade output I sent and you can see that those certs get stuck because of the missing pin:
[Update certmonger certificate renewal configuration]
Missing or incorrect tracking request for certificates:
    /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
    /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
    /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
    /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
Juan Pablo Lorier wrote:
Hi Rob,
I do manually add the pin and they get into MONITORING state, but the IPA server is not consistent because the upgrade never completes. If I try to run the upgrade, the process renews the certs and they go back to the stuck state. Look at the upgrade output I sent and you can see that those certs get stuck because of the missing pin:
This doesn't renew the certs; it is attempting to fix the broken tracking, and failing, I assume.
MONITORING doesn't mean the certificates are still valid. You need to look at the expires date to determine that.
rob
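Rob's point that MONITORING alone says nothing about validity, and the missing-pin condition the thread keeps hitting, can be checked mechanically. The following is an added example (not code from the thread, from FreeIPA or from certmonger) that parses the `getcert list` record format quoted above and flags stuck requests, NSSDB keys tracked without a pinfile or pin, and certificates past their `expires:` date; the sample output and the hostname in it are constructed.

```python
"""Triage `getcert list` output the way the thread does by hand.

Added example, not code from the thread, FreeIPA or certmonger. It parses the
record format quoted in the thread and flags requests stuck in
NEWLY_ADDED_NEED_KEYINFO_READ_PIN, NSSDB keys tracked without a pinfile/pin, and
certificates whose `expires:` date has passed (MONITORING alone proves nothing).
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the records quoted in the thread (fields trimmed,
# hostname replaced by a placeholder).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20221201205524':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: unknown
Request ID '20221201164512':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
\tCA: IPA
\texpires: 2023-10-30 15:11:14 -03
Request ID '20191219011208':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa.example.test-443-RSA'
\tCA: IPA
\texpires: 2022-01-01 00:00:00 -03
"""

STORAGE_RE = re.compile(r"(\w+)=(?:'([^']*)'|([^,]*))")
EXPIRES_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-])(\d{2}):?(\d{2})?$")


def parse_getcert_list(text: str) -> dict[str, dict[str, str]]:
    """Split output into records; each indented 'key: value' line belongs to the last Request ID."""
    requests: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1] in ("\t", " ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests


def parse_storage(spec: str) -> dict[str, str]:
    """Turn "type=NSSDB,location='...',pinfile='...'" into a dict; a bare 'pin set' token becomes pin_set."""
    fields = {key: quoted or plain for key, quoted, plain in STORAGE_RE.findall(spec)}
    if "pin set" in spec:
        fields["pin_set"] = "yes"
    return fields


def parse_expires(value: str) -> datetime | None:
    """certmonger prints '2023-10-30 15:11:14 -03' (offset may be hours only) or 'unknown'."""
    m = EXPIRES_RE.match(value)
    if not m:
        return None
    stamp, sign, hours, minutes = m.groups()
    offset = timedelta(hours=int(hours), minutes=int(minutes or 0))
    tz = timezone(-offset if sign == "-" else offset)
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)


def triage(requests: dict[str, dict[str, str]], now: datetime) -> dict[str, list[str]]:
    """Return {request_id: [problems]} for requests needing attention; healthy ones are omitted."""
    report: dict[str, list[str]] = {}
    for rid, fields in requests.items():
        problems: list[str] = []
        if fields.get("stuck") == "yes":
            problems.append(f"stuck in {fields.get('status', '?')}")
        storage = parse_storage(fields.get("key pair storage", ""))
        has_pin = "pinfile" in storage or storage.get("pin_set") == "yes"
        # certmonger needs a pin to open an NSS database; this is what the re-added CA trackers lack.
        if storage.get("type") == "NSSDB" and not has_pin:
            problems.append("NSSDB key tracked without pinfile/pin")
        expires = parse_expires(fields.get("expires", ""))
        if expires is None:
            problems.append(f"expiry unknown ({fields.get('expires', '')!r})")
        elif expires <= now:
            problems.append(f"expired {expires.isoformat()}")
        if problems:
            report[rid] = problems
    return report


if __name__ == "__main__":
    # On a real server, feed the output of `getcert list` in place of SAMPLE.
    for rid, problems in triage(parse_getcert_list(SAMPLE), datetime.now(timezone.utc)).items():
        print(rid, "; ".join(problems))
```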
Hi Rob,
All dates are good once I add the pin manually. The only problem is the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run the updater. I don't know what is not right with the certs. Maybe you can point me in a direction to look at the logs. Let me share the getcert list after I manually fixed the pin:
getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:59:28 -03
    expires: 2023-12-13 22:59:28 -03
    principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20221201164512':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=CA Audit,O=TNU.COM.UY
    issued: 2021-11-09 15:11:14 -03
    expires: 2023-10-30 15:11:14 -03
    key usage: digitalSignature,nonRepudiation
    profile: caSignedLogCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221201164513':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=OCSP Subsystem,O=TNU.COM.UY
    issued: 2021-11-09 15:12:03 -03
    expires: 2023-10-30 15:12:03 -03
    eku: id-kp-OCSPSigning
    profile: caOCSPCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221201164514':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=CA Subsystem,O=TNU.COM.UY
    issued: 2021-11-09 15:11:13 -03
    expires: 2023-10-30 15:11:13 -03
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-clientAuth
    profile: caSubsystemCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221201164515':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=Certificate Authority,O=TNU.COM.UY
    issued: 2022-08-26 14:25:16 -03
    expires: 2042-08-26 14:25:16 -03
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    profile: caCACert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221201164516':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-01 22:56:02 -03
    expires: 2023-11-21 22:56:02 -03
    dns: dc2.tnu.com.uy
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caServerCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221201164517':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=IPA RA,O=TNU.COM.UY
    issued: 2021-11-09 15:12:27 -03
    expires: 2023-10-30 15:12:27 -03
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caSubsystemCert
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20221201164518':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:53:10 -03
    expires: 2023-12-13 22:53:10 -03
    dns: dc2.tnu.com.uy
    principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
    track: yes
    auto-renew: yes
Request ID '20221201164519':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:53:26 -03
    expires: 2023-12-13 22:53:26 -03
    dns: dc2.tnu.com.uy
    principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
After running ipa-server-upgrade
getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
  certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
  CA: IPA
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
  issued: 2021-12-12 22:59:28 -03
  expires: 2023-12-13 22:59:28 -03
  principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-pkinit-KPKdc
  profile: KDCs_PKINIT_Certs
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
  track: yes
  auto-renew: yes
Request ID '20221201205524':
  status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
  CA: dogtag-ipa-ca-renew-agent
  issuer:
  subject:
  issued: unknown
  expires: unknown
  profile: caSignedLogCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221201205525':
  status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
  CA: dogtag-ipa-ca-renew-agent
  issuer:
  subject:
  issued: unknown
  expires: unknown
  profile: caOCSPCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221201205526':
  status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
  CA: dogtag-ipa-ca-renew-agent
  issuer:
  subject:
  issued: unknown
  expires: unknown
  profile: caSubsystemCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221201205527':
  status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
  CA: dogtag-ipa-ca-renew-agent
  issuer:
  subject:
  issued: unknown
  expires: unknown
  profile: caCACert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221201205528':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
  issued: 2021-12-01 22:56:02 -03
  expires: 2023-11-21 22:56:02 -03
  dns: dc2.tnu.com.uy
  key usage: digitalSignature,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  profile: caServerCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221201205529':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
  certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=IPA RA,O=TNU.COM.UY
  issued: 2021-11-09 15:12:27 -03
  expires: 2023-10-30 15:12:27 -03
  key usage: digitalSignature,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  profile: caSubsystemCert
  pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
  post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
  track: yes
  auto-renew: yes
Request ID '20221201205530':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
  issued: 2021-12-12 22:53:10 -03
  expires: 2023-12-13 22:53:10 -03
  dns: dc2.tnu.com.uy
  principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  profile: caIPAserviceCert
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
  track: yes
  auto-renew: yes
Request ID '20221201205531':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
  certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
  CA: IPA
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
  issued: 2021-12-12 22:53:26 -03
  expires: 2023-12-13 22:53:26 -03
  dns: dc2.tnu.com.uy
  principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  profile: caIPAserviceCert
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_httpd
  track: yes
  auto-renew: yes
On 1 Dec 2022, at 16:04, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Hi Rob,
I do manually add the pin and they get into MONITORING state, but the IPA server is not consistent because the upgrade never completes. If I try to run the upgrade, the process renews the certs and they go back to the stuck state. Look at the upgrade output I sent and you can see that those certs get stuck because of the missing pin:
This doesn't renew the certs, it is attempting to fix the broken tracking, and failing I assume.
MONITORING doesn't mean the certificates are still valid. You need to look at the expires date to determine that.
rob
[Update certmonger certificate renewal configuration]
Missing or incorrect tracking request for certificates:
  /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
On 1 Dec 2022, at 13:52, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
Ok, I fixed the certs following another ticket but using the pin file pointed to in the link you sent me. Result:
ipa-getcert start-tracking -i 20221201163932 -p /etc/pki/pki-tomcat/alias/pwdfile.txt
I don't know what request 20221201163932 is but you need to add the pin file to all of the CA-related trackers.
rob
But it seems that ipa-server-upgrade breaks them again:
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Missing or incorrect tracking request for certificates:
  /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'acmeServerCert'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Request ID '20221201164512':
  status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
  CA: dogtag-ipa-ca-renew-agent
  issuer:
  subject:
  issued: unknown
  expires: unknown
  profile: caSignedLogCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221201164513':
  status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
  CA: dogtag-ipa-ca-renew-agent
  issuer:
  subject:
  issued: unknown
  expires: unknown
  profile: caOCSPCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221201164514':
  status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
  CA: dogtag-ipa-ca-renew-agent
  issuer:
  subject:
  issued: unknown
  expires: unknown
  profile: caSubsystemCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221201164515':
  status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
  CA: dogtag-ipa-ca-renew-agent
  issuer:
  subject:
  issued: unknown
  expires: unknown
  profile: caCACert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
On 1 Dec 2022, at 12:47, Juan Pablo Lorier <jplorier@gmail.com> wrote:
Thanks Jochen,
I tried following the post but the getcert command is complaining about the syntax and I can't find why. According to the man page, the parameters are right.
I also tried to remove the certs and run ipa-server-upgrade, but it generates new certs and fails at the same point (the new certs are also pending pin information). It looks like I will need a way to unstick those certs for the upgrade to continue. All suggestions are welcome :-)
Regards
On 1 Dec 2022, at 01:30, Jochen Kellner <jochen@jochen.org> wrote:
Hello Juan,
Juan Pablo Lorier via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> You are right, there are several certificates stuck in dc2:
>
> getcert list
> ...
> Request ID '20221130160320':
> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
My google-fu points to this comment in an issue: https://github.com/freeipa/freeipa-healthcheck/issues/123#issuecomment-65996... It has the commands to fix the issue.
Another possibility should be to stop-tracking the certificates and run ipa-server-upgrade which should restore the trackings. Right?
Jochen
-- This space is intentionally left blank.
Juan Pablo Lorier via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
Hi Rob,
All dates are good once I add the pin manually. The only problem is the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run the updater. I don’t know what is not right with the certs. Maybe you can point me in a direction to look at the logs. Let me share the getcert list once I manually fixed the pin:
Can you perhaps compare the requests for one certificate before and after the upgrade? The requests are stored in /var/lib/certmonger/requests. Let's focus on one certificate first, for example:
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
I'd try something like this:
- save /var/lib/certmonger/requests somewhere
- try the upgrade once again
- save /var/lib/certmonger/requests again, somewhere else
- compare and see what the differences really are
Depending on the differences (and this needs some creative thinking):
- reset the system to the state before the upgrade
- stop certmonger
- replace /var/lib/certmonger/requests with the second copy (from after the upgrade)
- we need to get certmonger and ipa-server-upgrade to be happy with these requests, so the requests don't get changed during the next upgrade.
I've had a look at the logs of my last ipaupgrade.log. For each certificate I see:
2022-09-02T20:02:24Z INFO [Update certmonger certificate renewal configuration]
...
2022-09-02T20:02:24Z INFO Certmonger certificate renewal configuration already up-to-date
I guess the second line for you says something like "...configuration updated". We need to see if the lines in between have some clues for us.
In a post upthread you posted the console output:
Missing or incorrect tracking request for certificates:
  /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
Also upthread you posted:
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line
In my upgrade log this comes after updating/checking the certmonger requests. So my guess is there's something strange with your configuration in /var/lib/certmonger/requests.
So, can you provide more of your ipaupgrade.log where the certmonger requests are checked/updated and one request before/after?
Jochen
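The before/after comparison Jochen describes, written out as an added example (not code from this thread, FreeIPA or certmonger): it parses certmonger request files, matches trackers by key storage location and nickname rather than by request id (the id changes each time ipa-server-upgrade recreates a tracker), and reports the fields that changed plus anything that would leave a tracker stuck. The two sample request bodies are constructed from the dumps posted in this thread with the blob fields dropped; the VOLATILE set and the finding texts are this example's own.

```python
"""Compare two saved copies of /var/lib/certmonger/requests, as Jochen proposes.
Added example for this thread, not FreeIPA or certmonger code."""
import os
import sys
from datetime import datetime, timezone

VOLATILE = {"id", "submitted", "last_need_notify_check", "last_need_enroll_check"}  # bookkeeping

# Constructed from the two request files posted upthread (blob fields dropped):
# the tracker after its pin was fixed, and the one ipa-server-upgrade recreated.
BEFORE_TEXT = """\
id=20221202140756
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_nickname=auditSigningCert cert-pki-ca
key_pin_file=/etc/pki/pki-tomcat/alias/pwdfile.txt
cert_not_after=20231030181114
state=MONITORING
ca_name=IPA
cert=-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----
"""
AFTER_TEXT = """\
id=20221202175657
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_nickname=auditSigningCert cert-pki-ca
state=NEWLY_ADDED_NEED_KEYINFO_READ_PIN
ca_name=dogtag-ipa-ca-renew-agent
"""


def parse_request(text):
    """key=value per line; a PEM value spans lines and may end in '=', so fold it onto its key."""
    fields, pem_key = {}, None
    for line in text.splitlines():
        if pem_key:
            fields[pem_key] += "\n" + line
            pem_key = None if line.startswith("-----END ") else pem_key
            continue
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
            if value.startswith("-----BEGIN "):
                pem_key = key
    return fields


def identity(req):
    """What the tracker protects: stable across upgrades, unlike the request id."""
    return tuple(req.get(k, "") for k in ("key_storage_type", "key_storage_location", "key_nickname"))


def check_request(req, now=None):
    """Why a tracker is stuck or useless.  Dates are YYYYMMDDHHMMSS, so strings compare as dates."""
    now = now or datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    findings = []
    if req.get("state") != "MONITORING":
        findings.append("state is " + req.get("state", "?"))
    if req.get("key_storage_type") == "NSSDB" and not (req.get("key_pin") or req.get("key_pin_file")):
        findings.append("NSS database tracker has neither key_pin nor key_pin_file")
    exp = req.get("cert_not_after")
    if not exp:
        findings.append("no certificate recorded (cert_not_after missing)")
    elif exp <= now:
        findings.append(f"certificate expired on {exp[:4]}-{exp[4:6]}-{exp[6:8]}")
    return findings


def load_dir(path):
    """Parse every file in a saved copy of the requests directory, keyed by identity()."""
    reqs = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), encoding="utf-8") as fh:
            req = parse_request(fh.read())
        reqs[identity(req)] = req
    return reqs


def compare_snapshots(before, after):
    """Per tracker: the fields that changed, or which snapshot it is missing from."""
    report = {}
    for ident in sorted(set(before) | set(after)):
        b, a = before.get(ident), after.get(ident)
        if b is None or a is None:
            changed = {"tracker": ("present" if b else None, "present" if a else None)}
        else:
            changed = {k: (b.get(k), a.get(k)) for k in sorted((set(b) | set(a)) - VOLATILE)
                       if b.get(k) != a.get(k)}
        if changed:
            report[ident] = changed
    return report


if __name__ == "__main__":
    if len(sys.argv) == 3:  # two saved copies of /var/lib/certmonger/requests
        before, after = map(load_dir, sys.argv[1:])
    else:  # no arguments: run on the constructed samples above
        before, after = ({identity(r): r} for r in map(parse_request, (BEFORE_TEXT, AFTER_TEXT)))
    for ident, changes in compare_snapshots(before, after).items():
        print(":".join(ident[1:]))
        for field, (old, new) in changes.items():
            print(f"  {field}: {old!r} -> {new!r}")
        for finding in check_request((after if ident in after else before)[ident]):
            print("  ! " + finding)
```

Run with no arguments it diffs the two constructed samples; run with two directory paths it diffs the saved copies, matching trackers even though every request id changed between snapshots.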
Hi Jochen and thanks for your reply.
My knowledge of CAs is not great, so I will try to follow as much as I can. The only error I don't know if it is ok to be there is the kra error mentioned in the logs.
What I did was compare the files in the request directory before and after the upgrade for the 4 certs in stuck state, and the files were the same. I then removed the files in the directory and ran the upgrade again, which created new files, and the new 4 certs were again in stuck state. At last, I fixed the certs and ran the upgrade again.
Here are the fixed certs, dir content, etc for the last try:
getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
  certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
  CA: IPA
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
  issued: 2021-12-12 22:59:28 -03
  expires: 2023-12-13 22:59:28 -03
  principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-pkinit-KPKdc
  profile: KDCs_PKINIT_Certs
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
  track: yes
  auto-renew: yes
Request ID '20221202140756':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=CA Audit,O=TNU.COM.UY
  issued: 2021-11-09 15:11:14 -03
  expires: 2023-10-30 15:11:14 -03
  key usage: digitalSignature,nonRepudiation
  profile: caSignedLogCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221202140757':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=OCSP Subsystem,O=TNU.COM.UY
  issued: 2021-11-09 15:12:03 -03
  expires: 2023-10-30 15:12:03 -03
  eku: id-kp-OCSPSigning
  profile: caOCSPCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221202140758':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=CA Subsystem,O=TNU.COM.UY
  issued: 2021-11-09 15:11:13 -03
  expires: 2023-10-30 15:11:13 -03
  key usage: digitalSignature,keyEncipherment,dataEncipherment
  eku: id-kp-clientAuth
  profile: caSubsystemCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221202140759':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=Certificate Authority,O=TNU.COM.UY
  issued: 2022-08-26 14:25:16 -03
  expires: 2042-08-26 14:25:16 -03
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  profile: caCACert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221202140800':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
  issued: 2021-12-01 22:56:02 -03
  expires: 2023-11-21 22:56:02 -03
  dns: dc2.tnu.com.uy
  key usage: digitalSignature,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  profile: caServerCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221202140801':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
  certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=IPA RA,O=TNU.COM.UY
  issued: 2021-11-09 15:12:27 -03
  expires: 2023-10-30 15:12:27 -03
  key usage: digitalSignature,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  profile: caSubsystemCert
  pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
  post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
  track: yes
  auto-renew: yes
Request ID '20221202140802':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
  issued: 2021-12-12 22:53:10 -03
  expires: 2023-12-13 22:53:10 -03
  dns: dc2.tnu.com.uy
  principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  profile: caIPAserviceCert
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
  track: yes
  auto-renew: yes
Request ID '20221202140803':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
  certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
  CA: IPA
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
  issued: 2021-12-12 22:53:26 -03
  expires: 2023-12-13 22:53:26 -03
  dns: dc2.tnu.com.uy
  principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  profile: caIPAserviceCert
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_httpd
  track: yes
  auto-renew: yes
# ll /var/lib/certmonger/requests
total 64
-rw------- 1 root root 4598 Dec  2 11:27 20221202140756
-rw------- 1 root root 4785 Dec  2 11:27 20221202140757
-rw------- 1 root root 4798 Dec  2 11:27 20221202140758
-rw------- 1 root root 4851 Dec  2 11:27 20221202140759
-rw------- 1 root root 4983 Dec  2 11:08 20221202140800
-rw------- 1 root root 4610 Dec  2 11:08 20221202140801
-rw------- 1 root root 5373 Dec  2 11:08 20221202140802
-rw------- 1 root root 5272 Dec  2 11:08 20221202140803
# cat req_temp/requests/20221202140756
id=20221202140756
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_next_type=UNSPECIFIED
key_next_gen_type=RSA
key_next_size=0
key_next_gen_size=2048
key_preserve=0
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_token=NSS Certificate DB
key_nickname=auditSigningCert cert-pki-ca
key_pin_file=/etc/pki/pki-tomcat/alias/pwdfile.txt
key_perms=0
key_pubkey=
key_pubkey_info=
key_requested_count=0
key_issued_count=0
cert_storage_type=NSSDB
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_token=NSS Certificate DB
cert_nickname=auditSigningCert cert-pki-ca
cert_perms=0
cert_issuer_der=303531133011060355040A0C0A544E552E434F4D2E5559311E301C06035504030C15436572746966696361746520417574686F72697479
cert_issuer=CN=Certificate Authority,O=TNU.COM.UY
cert_serial=14
cert_subject_der=302831133011060355040A0C0A544E552E434F4D2E55593111300F06035504030C084341204175646974
cert_subject=CN=CA Audit,O=TNU.COM.UY
cert_spki=
cert_not_before=20211109181114
cert_not_after=20231030181114
cert_ku=11
cert_is_ca=0
cert_ca_path_length=-1
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_subject_der=302831133011060355040A0C0A544E552E434F4D2E55593111300F06035504030C084341204175646974
template_subject=CN=CA Audit,O=TNU.COM.UY
template_ku=11
template_is_ca=0
template_ca_path_length=-1
template_profile=caSignedLogCert
template_no_ocsp_check=0
state=MONITORING
autorenew=1
monitor=1
ca_name=IPA
submitted=19700101000000
cert=-----BEGIN CERTIFICATE-----
MIIDKjCCAhKgAwIBAgIBFDANBgkqhkiG9w0BAQsFAD
# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Missing or incorrect tracking request for certificates:
  /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'acmeServerCert'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
  certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
  CA: IPA
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
  issued: 2021-12-12 22:59:28 -03
  expires: 2023-12-13 22:59:28 -03
  principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-pkinit-KPKdc
  profile: KDCs_PKINIT_Certs
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
  track: yes
  auto-renew: yes
Request ID '20221202175657':
  status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
  CA: dogtag-ipa-ca-renew-agent
  issuer:
  subject:
  issued: unknown
  expires: unknown
  profile: caSignedLogCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221202175658':
  status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
  CA: dogtag-ipa-ca-renew-agent
  issuer:
  subject:
  issued: unknown
  expires: unknown
  profile: caOCSPCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221202175659':
  status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
  CA: dogtag-ipa-ca-renew-agent
  issuer:
  subject:
  issued: unknown
  expires: unknown
  profile: caSubsystemCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221202175700':
  status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
  CA: dogtag-ipa-ca-renew-agent
  issuer:
  subject:
  issued: unknown
  expires: unknown
  profile: caCACert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221202175701':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
  issued: 2021-12-01 22:56:02 -03
  expires: 2023-11-21 22:56:02 -03
  dns: dc2.tnu.com.uy
  key usage: digitalSignature,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  profile: caServerCert
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221202175702':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
  certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=IPA RA,O=TNU.COM.UY
  issued: 2021-11-09 15:12:27 -03
  expires: 2023-10-30 15:12:27 -03
  key usage: digitalSignature,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  profile: caSubsystemCert
  pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
  post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
  track: yes
  auto-renew: yes
Request ID '20221202175703':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
  issued: 2021-12-12 22:53:10 -03
  expires: 2023-12-13 22:53:10 -03
  dns: dc2.tnu.com.uy
  principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  profile: caIPAserviceCert
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
  track: yes
  auto-renew: yes
Request ID '20221202175704':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
  certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
  CA: IPA
  issuer: CN=Certificate Authority,O=TNU.COM.UY
  subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
  issued: 2021-12-12 22:53:26 -03
  expires: 2023-12-13 22:53:26 -03
  dns: dc2.tnu.com.uy
  principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  profile: caIPAserviceCert
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_httpd
  track: yes
  auto-renew: yes
# ll /var/lib/certmonger/requests
total 48
-rw------- 1 root root 1029 Dec 2 14:56 20221202175658
-rw------- 1 root root 1021 Dec 2 14:57 20221202175658-1
-rw------- 1 root root 1020 Dec 2 14:57 20221202175659
-rw------- 1 root root 1013 Dec 2 14:57 20221202175700
-rw------- 1 root root 4983 Dec 2 14:57 20221202175701
-rw------- 1 root root 4610 Dec 2 14:57 20221202175702
-rw------- 1 root root 5373 Dec 2 14:57 20221202175703
-rw------- 1 root root 5272 Dec 2 14:57 20221202175704
cat /var/lib/certmonger/requests/20221202175658
id=20221202175657
key_type=UNSPECIFIED
key_gen_type=RSA
key_size=0
key_gen_size=2048
key_next_type=UNSPECIFIED
key_next_gen_type=RSA
key_next_size=0
key_next_gen_size=2048
key_preserve=0
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_nickname=auditSigningCert cert-pki-ca
key_perms=0
key_requested_count=0
key_issued_count=0
cert_storage_type=NSSDB
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_nickname=auditSigningCert cert-pki-ca
cert_perms=0
cert_is_ca=0
cert_ca_path_length=0
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_is_ca=0
template_ca_path_length=0
template_profile=caSignedLogCert
template_no_ocsp_check=0
state=NEWLY_ADDED_NEED_KEYINFO_READ_PIN
autorenew=1
monitor=1
ca_name=dogtag-ipa-ca-renew-agent
submitted=19700101000000
pre_certsave_command=/usr/libexec/ipa/certmonger/stop_pkicad
pre_certsave_uid=0
post_certsave_command=/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
post_certsave_uid=0
UPGRADELOG:
2022-11-30T16:03:16Z DEBUG stderr=
2022-11-30T16:03:16Z DEBUG Start of certmonger.service complete
2022-11-30T16:03:16Z DEBUG Starting external process
2022-11-30T16:03:16Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-30T16:03:17Z DEBUG Process finished, return code=1
2022-11-30T16:03:17Z DEBUG stdout=
2022-11-30T16:03:17Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-30T16:03:17Z INFO [Update certmonger certificate renewal configuration]
2022-11-30T16:03:17Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-11-30T16:03:17Z DEBUG Starting external process
2022-11-30T16:03:17Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TNU-COM-UY/', '-L', '-n', 'Server-Cert', '-a', '-f', '/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt']
2022-11-30T16:03:17Z DEBUG Process finished, return code=0
2022-11-30T16:03:17Z DEBUG stdout=-----BEGIN CERTIFICATE-----
Xxxx
-----END CERTIFICATE-----
2022-11-30T16:03:17Z DEBUG stderr=
2022-11-30T16:03:17Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-11-30T16:03:17Z DEBUG Starting external process
2022-11-30T16:03:17Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
2022-11-30T16:03:17Z DEBUG Process finished, return code=0
2022-11-30T16:03:17Z DEBUG stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
TNU.COM.UY IPA CA                                            CTu,Cu,Cu
TNU.COM.UY IPA CA                                            CTu,Cu,Cu
2022-11-30T16:03:17Z DEBUG stderr=
2022-11-30T16:03:19Z INFO Missing or incorrect tracking request for certificates:
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:Server-Cert cert-pki-ca
2022-11-30T16:03:19Z INFO /var/lib/ipa/ra-agent.pem
2022-11-30T16:03:19Z INFO /var/lib/ipa/certs/httpd.crt
2022-11-30T16:03:19Z DEBUG Configuring certmonger to stop tracking system certificates for CA
2022-11-30T16:03:19Z DEBUG Starting external process
2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'is-active', 'dbus.service']
2022-11-30T16:03:19Z DEBUG Process finished, return code=0
2022-11-30T16:03:19Z DEBUG stdout=active
2022-11-30T16:03:19Z DEBUG stderr=
2022-11-30T16:03:19Z DEBUG Starting external process
2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'start', 'certmonger.service']
2022-11-30T16:03:19Z DEBUG Process finished, return code=0
2022-11-30T16:03:19Z DEBUG stdout=
2022-11-30T16:03:19Z DEBUG stderr=
2022-11-30T16:03:19Z DEBUG Starting external process
2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'is-active', 'certmonger.service']
2022-11-30T16:03:19Z DEBUG Process finished, return code=0
2022-11-30T16:03:19Z DEBUG stdout=active
2022-11-30T16:03:19Z DEBUG stderr=
2022-11-30T16:03:19Z DEBUG Start of certmonger.service complete
2022-11-30T16:03:20Z DEBUG Starting external process
2022-11-30T16:03:20Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-30T16:03:20Z DEBUG Process finished, return code=1
2022-11-30T16:03:20Z DEBUG stdout=
2022-11-30T16:03:20Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
On 1 Dec 2022, at 20:14, Jochen Kellner jochen@jochen.org wrote:
Juan Pablo Lorier via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Hi Rob,
All dates are good once I add the pin manually. The only problem is the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run the updater. I don’t know what is not right with the certs. Maybe you can point me in a direction to look at the logs. Let me share the getcert list once I manually fixed the pin:
Can you perhaps compare the requests for one certificate before and after the upgrade? The requests are stored in /var/lib/certmonger/requests. Let's focus on one certificate first, for example:
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
I'd try something like that:
- save /var/lib/certmonger/requests somewhere
- try the upgrade once again
- save /var/lib/certmonger/requests again, somewhere else
- compare and see what the differences really are
Depending on the differences - and needs some creative thinking:
- reset the system to the state before the upgrade
- stop certmonger
- replace /var/lib/certmonger/requests with the second copy (from after the upgrade)
- We need to get certmonger and ipa-server-upgrade to be happy with these requests, so the requests don't get changed during the next upgrade.
I've had a look at the logs of the last ipaupgrade.log. For each certificate I see:
2022-09-02T20:02:24Z INFO [Update certmonger certificate renewal configuration]
...
2022-09-02T20:02:24Z INFO Certmonger certificate renewal configuration already up-to-date
I guess the second line for you says something like "...config updated". We need to see, if the lines between have some clues for us.
In a post upthread you posted the console output:
Missing or incorrect tracking request for certificates:
/etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
/etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
Also upthread you posted:
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed: Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line
In my upgrade log this is after updating/checking the certmonger requests. So my guess is there's something strange with your configuration in /var/lib/certmonger/requests.
So, can you provide more of your ipaupgrade.log where the certmonger requests are checked/updated and one request before/after?
Jochen
-- This space is intentionally left blank.
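The compare step Jochen describes (save the requests directory, upgrade, save again, diff) is easier to read if the two copies are parsed instead of diffed as raw text, because the large blobs (the certificate, public key and DER fields) swamp a plain diff. The script below is an added example, not code from the thread, from certmonger or from FreeIPA. It assumes only the file shape visible in the thread: one key=value per line, with the cert= value continuing over PEM lines until the END marker. The two samples are constructed from the values quoted in the thread (the req_temp copy and the file certmonger rewrote after the upgrade), trimmed to the fields that matter.

```python
"""Diff two certmonger request files and read the result."""
import re
from typing import Dict, Tuple

_KV = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

# Large blobs that legitimately differ between copies and only add noise.
BLOB_KEYS = {"cert", "key_pubkey", "key_pubkey_info", "cert_spki",
             "cert_issuer_der", "cert_subject_der", "template_subject_der"}

# Constructed sample: the "before" copy, trimmed (values from the thread).
BEFORE = """\
id=20221202140756
key_type=RSA
key_size=2048
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_token=NSS Certificate DB
key_nickname=auditSigningCert cert-pki-ca
key_pin_file=/etc/pki/pki-tomcat/alias/pwdfile.txt
cert_storage_type=NSSDB
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_nickname=auditSigningCert cert-pki-ca
cert_issuer=CN=Certificate Authority,O=TNU.COM.UY
cert_subject=CN=CA Audit,O=TNU.COM.UY
cert_not_after=20231030181114
template_profile=caSignedLogCert
state=MONITORING
autorenew=1
monitor=1
ca_name=IPA
cert=-----BEGIN CERTIFICATE-----
MIIDKjCCAhKgAwIBAgIBFDANBgkqhkiG9w0BAQsFAD
-----END CERTIFICATE-----
"""

# Constructed sample: the copy certmonger rewrote after the upgrade.
AFTER = """\
id=20221202175657
key_type=UNSPECIFIED
key_size=0
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_nickname=auditSigningCert cert-pki-ca
cert_storage_type=NSSDB
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_nickname=auditSigningCert cert-pki-ca
template_profile=caSignedLogCert
state=NEWLY_ADDED_NEED_KEYINFO_READ_PIN
autorenew=1
monitor=1
ca_name=dogtag-ipa-ca-renew-agent
"""


def parse_request(text: str) -> Dict[str, str]:
    """Parse a request file into a dict; a PEM block stays with its key."""
    fields: Dict[str, str] = {}
    current = ""
    in_pem = False
    for line in text.splitlines():
        if in_pem:
            fields[current] += "\n" + line
            in_pem = not line.startswith("-----END")
            continue
        m = _KV.match(line)
        if not m:
            continue  # blank or unexpected line
        current, value = m.group(1), m.group(2)
        fields[current] = value
        in_pem = value.startswith("-----BEGIN")
    return fields


def diff_requests(before: Dict[str, str], after: Dict[str, str],
                  ignore=BLOB_KEYS) -> Dict[str, dict]:
    """Return removed/added keys and (old, new) pairs for changed values."""
    removed = {k: v for k, v in before.items() if k not in after and k not in ignore}
    added = {k: v for k, v in after.items() if k not in before and k not in ignore}
    changed: Dict[str, Tuple[str, str]] = {
        k: (before[k], after[k]) for k in before
        if k in after and k not in ignore and before[k] != after[k]}
    return {"removed": removed, "added": added, "changed": changed}


def explain(diff: Dict[str, dict]) -> str:
    """One-line reading of the diff for the stuck state seen in the thread."""
    state = diff["changed"].get("state")
    lost_pin = bool({"key_pin_file", "key_pin"} & set(diff["removed"]))
    if state and state[1] == "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" and lost_pin:
        return ("rewritten request has no PIN source; certmonger is waiting "
                "for one before it can read the key from the NSS database")
    if state:
        return f"state changed {state[0]} -> {state[1]}"
    return "state unchanged"


if __name__ == "__main__":
    d = diff_requests(parse_request(BEFORE), parse_request(AFTER))
    for section in ("removed", "added", "changed"):
        for k, v in sorted(d[section].items()):
            print(f"{section:8} {k} = {v}")
    print(explain(d))
```

On the two files shown upthread this reports, besides the state, that key_pin_file and key_token are gone and that ca_name moved from IPA to dogtag-ipa-ca-renew-agent, which is exactly the kind of difference Jochen asks to look for. Reading the two saved copies is safe while certmonger runs; writing into /var/lib/certmonger/requests is not, as Rob points out in his reply.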
Juan Pablo Lorier wrote:
Hi Jochen and thanks for your reply.
My knowledge of CAs is not much, so I will try to follow as much as I can. The only error I don't know whether it is OK to have there is the kra error mentioned in the logs.
What I did was compare the files in the request directory before and after the upgrade with the 4 certs in stuck state, and the files were the same. I then removed the files in the directory and ran the upgrade again, which created new files and again the 4 certs in stuck state. Finally, I fixed the certs and ran the upgrade again.
Here are the fixed certs, dir content, etc for the last try:
A couple of comments.
I don't recommend directly removing the certmonger tracking files unless you do it with certmonger stopped. It retains a copy in memory while running.
certmonger tracking has nothing to do with the CA state. A bad tracking request can prevent renewal but it won't affect operations of the CA unless the failure to renew allows the certificates to expire which is not true in this case.
You should shift focus to the CA debug log to see where the first failure(s) occur during startup. That is most likely to tell you what is going on.
rob
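Rob's advice to find where the first failure occurs and Jochen's question about what sits between the two certmonger INFO lines are both log-triage questions, and the ipaupgrade.log excerpts in this thread arrive with many records joined onto one line by the mail client. The script below is an added example, not code from the thread or from FreeIPA. It assumes only the record shape quoted above: an ISO-8601 UTC timestamp, a level, and a message, with each external command logged as args=[...] followed by "Process finished, return code=N", stdout= and stderr= records. The sample log is constructed from lines quoted in the thread, with the last few records deliberately run together on one line.

```python
"""Triage a flattened ipaupgrade.log: failing external commands and the
certificates the upgrade flagged for tracking repair."""
import ast
import re
from typing import Dict, List, Optional

_REC = re.compile(
    r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (DEBUG|INFO|WARNING|ERROR) ")

# Constructed sample built from records quoted in the thread.
SAMPLE_LOG = """\
2022-11-30T16:03:16Z DEBUG Starting external process
2022-11-30T16:03:16Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-30T16:03:17Z DEBUG Process finished, return code=1
2022-11-30T16:03:17Z DEBUG stdout=
2022-11-30T16:03:17Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-30T16:03:17Z INFO [Update certmonger certificate renewal configuration]
2022-11-30T16:03:17Z DEBUG Starting external process
2022-11-30T16:03:17Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TNU-COM-UY/', '-L', '-n', 'Server-Cert', '-a', '-f', '/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt']
2022-11-30T16:03:17Z DEBUG Process finished, return code=0
2022-11-30T16:03:17Z DEBUG stdout=-----BEGIN CERTIFICATE-----
Xxxx
-----END CERTIFICATE-----
2022-11-30T16:03:17Z DEBUG stderr=
2022-11-30T16:03:19Z INFO Missing or incorrect tracking request for certificates:
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
2022-11-30T16:03:19Z INFO /var/lib/ipa/certs/httpd.crt
2022-11-30T16:03:19Z DEBUG Configuring certmonger to stop tracking system certificates for CA
2022-11-30T16:03:19Z DEBUG Starting external process 2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'is-active', 'dbus.service'] 2022-11-30T16:03:19Z DEBUG Process finished, return code=0 2022-11-30T16:03:19Z DEBUG stdout=active 2022-11-30T16:03:19Z DEBUG stderr=
"""


def split_records(text: str) -> List[Dict[str, str]]:
    """Cut the text at every timestamp. Works whether records are one per
    line or joined onto one line, and keeps a multi-line payload (a PEM in
    stdout=) attached to its record."""
    out: List[Dict[str, str]] = []
    hits = list(_REC.finditer(text))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        out.append({"ts": m.group(1), "level": m.group(2),
                    "msg": text[m.end():end].strip()})
    return out


def failed_commands(records: List[Dict[str, str]]) -> List[dict]:
    """Pair each args=[...] record with its return code and stderr and keep
    the commands that exited non-zero, in log order."""
    failures: List[dict] = []
    pending: Optional[dict] = None
    for r in records:
        msg = r["msg"]
        if msg.startswith("args="):
            pending = {"ts": r["ts"], "args": ast.literal_eval(msg[5:]),
                       "rc": None, "stderr": ""}
        elif pending is not None and msg.startswith("Process finished, return code="):
            pending["rc"] = int(msg.rsplit("=", 1)[1])
        elif pending is not None and msg.startswith("stderr="):
            pending["stderr"] = msg[7:].strip()
            if pending["rc"] not in (None, 0):
                failures.append(pending)
            pending = None
    return failures


def flagged_certificates(records: List[Dict[str, str]]) -> List[str]:
    """Entries listed under 'Missing or incorrect tracking request for
    certificates:'; the list ends at the next non-INFO record."""
    certs: List[str] = []
    collecting = False
    for r in records:
        if r["level"] != "INFO":
            if collecting:
                break
            continue
        if r["msg"].startswith("Missing or incorrect tracking request"):
            collecting = True
        elif collecting:
            certs.append(r["msg"])
    return certs


def first_failure(text: str) -> Optional[dict]:
    """The earliest non-zero external command in the log, or None."""
    fails = failed_commands(split_records(text))
    return fails[0] if fails else None


if __name__ == "__main__":
    recs = split_records(SAMPLE_LOG)
    for f in failed_commands(recs):
        print(f"{f['ts']} rc={f['rc']} {' '.join(f['args'])}: {f['stderr']}")
    for c in flagged_certificates(recs):
        print("needs tracking repair:", c)
```

The script lists each failing command next to its stderr rather than deciding which failures matter: the kra check in this log exits non-zero because the instance has no KRA subsystem, which is an optional component, so whether that is benign depends on whether a KRA was ever installed on the host. The tracking-repair list tells you which request files certmonger-upgrade is going to rewrite, which is where to apply Jochen's before/after comparison.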
On 1 Dec 2022, at 20:14, Jochen Kellner <jochen@jochen.org> wrote:
Juan Pablo Lorier via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
Hi Rob,
All dates are good once I add the pin manually. The only problem is the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run the updater. I don’t know what is not right with the certs. Maybe you can point me in a direction to look at the logs. Let me share the getcert list once I manually fixed the pin:
Can you perhaps compare the requests for one certificate before and after the upgrade? The requests are stored in /var/lib/certmonger/requests. Let's focus on one certificate first, for example: key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
I'd try something like that:
- save /var/lib/certmonger/requests somewhere
- try the upgrade once again
- save /var/lib/certmonger/requests again, somewhere else
- compare and see what the differences really are
Depending on the differences (this needs some creative thinking):
- reset the system to the state before the upgrade
- stop certmonger
- replace /var/lib/certmonger/requests with the second copy (from after the upgrade)
- We need to get certmonger and ipa-server-upgrade to be happy with these requests, so the requests don't get changed during the next upgrade.
I've had a look at the logs of the last ipaupgrade.log. For each certificate I see:
2022-09-02T20:02:24Z INFO [Update certmonger certificate renewal configuration]
...
2022-09-02T20:02:24Z INFO Certmonger certificate renewal configuration already up-to-date
I guess the second line for you says something like "...config updated". We need to see if the lines in between have some clues for us.
In a post upthread you posted the console output:
Missing or incorrect tracking request for certificates:
/etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
/etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
Also upthread you posted:
> 2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
> 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
> 2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
> 2022-11-30T16:07:49Z DEBUG request body ''
> 2022-11-30T16:07:54Z DEBUG httplib request failed:
> Traceback (most recent call last):
> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line
In my upgrade log this is after updating/checking the certmonger requests. So my guess is there's something strange with your configuration in /var/lib/certmonger/requests.
So, can you provide more of your ipaupgrade.log where the certmonger requests are checked/updated and one request before/after?
Jochen
-- This space is intentionally left blank.
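The snapshot-and-compare procedure Jochen outlines (save the requests directory, re-run the upgrade, save it again, diff the two copies) can be scripted so that only the fields that actually changed per request file are reported, instead of reading raw diffs of the whole directory. The following POSIX sh functions are an added example and are not code from the thread or from FreeIPA/certmonger. They assume the request directory path from the thread (/var/lib/certmonger/requests) and that each request file is a set of top-level key=value lines (continuation lines such as PEM bodies are indented and are skipped); the field names and values used below are constructed for illustration. The snapshot function is meant to be run as root before and after ipa-server-upgrade; the comparison needs no privileges once the copies exist.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): snapshot certmonger request
# files and report field-level differences between two snapshots.
#
# Usage (as root):
#   snapshot_requests /root/requests-before            # before ipa-server-upgrade
#   ipa-server-upgrade
#   snapshot_requests /root/requests-after             # after the upgrade
#   diff_request_fields /root/requests-before /root/requests-after

# Copy the certmonger request directory into DEST. A second argument overrides
# the source directory (assumption: default path as named in the thread).
snapshot_requests() {
    dest=$1
    src=${2:-/var/lib/certmonger/requests}
    mkdir -p "$dest"
    cp -a "$src"/. "$dest"/
}

# Compare BEFORE and AFTER snapshots. Prints one line per changed field as
#   <request-file> <field>: '<old>' -> '<new>'
# and one line for files present in only one snapshot. Returns 0 when the
# snapshots agree and 1 when anything differs.
diff_request_fields() {
    before=$1
    after=$2
    out=$(
        # Union of request file names across both snapshots.
        for f in "$before"/* "$after"/*; do
            [ -f "$f" ] || continue
            printf '%s\n' "${f##*/}"
        done | sort -u | while IFS= read -r name; do
            b="$before/$name"
            a="$after/$name"
            if [ ! -f "$b" ]; then
                printf '%s: only in after snapshot\n' "$name"
                continue
            fi
            if [ ! -f "$a" ]; then
                printf '%s: only in before snapshot\n' "$name"
                continue
            fi
            # Top-level fields are key=value lines; indented continuation
            # lines (e.g. the PEM body under cert=) are not compared here.
            cat "$b" "$a" | grep -E '^[A-Za-z_]+=' | cut -d= -f1 | sort -u |
            while IFS= read -r key; do
                old=$(grep -E "^$key=" "$b" | head -n1 | cut -d= -f2-)
                new=$(grep -E "^$key=" "$a" | head -n1 | cut -d= -f2-)
                [ "$old" = "$new" ] ||
                    printf "%s %s: '%s' -> '%s'\n" "$name" "$key" "$old" "$new"
            done
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

A field that the upgrade drops shows up with an empty new value, which is the kind of change worth looking for first when a request flips back to NEWLY_ADDED_NEED_KEYINFO_READ_PIN after every upgrade: a pin file reference that is present before the upgrade and missing afterwards would explain exactly that symptom.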