3:16 a.m.
Hi,
My NPO uses FreeIPA internally on a couple of Oracle Linux 8 instances. I know this is a
Fedora ML, but since OL8 is derivated from EL8 (as CentOS is), I think it may not make any
difference anyway.
The FreeIPA instance was deployed 6-8 months ago, with the LDAP, CA DNS roles enabled on
both nodes. DNSSEC was never enabled. An AD trust was created with the AD domain.
It worked flawlessly until the latest batch of updates which upgraded both systems to OL
8.5 + FreeIPA 4.9.6-6.0.1. An IPA upgrade was automatically started to migrate from
version 4.9.2-4.0.2 to 4.9.6-6.0.1, but it failed in different ways on both systems,
leaving them in unusable states. Of course, no backup to restore.
**Node #02** (ros-ass-ipa-02) upgraded first. The failure happened at IPA CA DNS update,
because the named-pkcs11 service could not be restarted. Here are the last lines from the
log:
2021-11-17T05:59:11Z DEBUG stderr=
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T05:59:11Z INFO dnssec-validation yes
2021-11-17T05:59:11Z INFO [Add missing CA DNS records]
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z INFO IPA CA DNS records already processed
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Starting external process
2021-11-17T05:59:11Z DEBUG args=['/bin/systemctl', 'is-active',
'named-pkcs11.service']
2021-11-17T05:59:11Z DEBUG Process finished, return code=3
2021-11-17T05:59:11Z DEBUG stdout=failed
2021-11-17T05:59:11Z DEBUG stderr=
2021-11-17T05:59:11Z DEBUG Starting external process
2021-11-17T05:59:11Z DEBUG args=['/bin/systemctl', 'start',
'named-pkcs11.service']
2021-11-17T05:59:12Z DEBUG Process finished, return code=1
2021-11-17T05:59:12Z DEBUG stdout=
2021-11-17T05:59:12Z DEBUG stderr=Job for named-pkcs11.service failed because the control
process exited with error code.
See "systemctl status named-pkcs11.service" and "journalctl -xe" for
details.
2021-11-17T05:59:12Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and
run command ipa-server-upgrade manually.
2021-11-17T05:59:12Z DEBUG File
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File
"/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line
54, in run
server.upgrade()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1961, in upgrade
upgrade_configuration()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1791, in upgrade_configuration
upgrade_bind(fstore)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1453, in upgrade_bind
bind.start()
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
524, in start
self.service.start(instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line
311, in start
skip_output=not capture_output)
File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 599, in
run
p.returncode, arg_string, output_log, error_log
2021-11-17T05:59:12Z DEBUG The ipa-server-upgrade command failed, exception:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start',
'named-pkcs11.service'] returned non-zero exit status 1: 'Job for
named-pkcs11.service failed because the control process exited with error code.\nSee
"systemctl status named-pkcs11.service" and "journalctl -xe" for
details.\n')
2021-11-17T05:59:12Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start',
'named-pkcs11.service'] returned non-zero exit status 1: 'Job for
named-pkcs11.service failed because the control process exited with error code.\nSee
"systemctl status named-pkcs11.service" and "journalctl -xe" for
details.\n')
2021-11-17T05:59:12Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
**Node #01** (ros-ass-ipa-01) upgraded an hour after, and failed at step 5/9 when the
directory server could not be restarted after disabling Schema compat. Here are the last
log entries:
2021-11-17T06:45:38Z DEBUG stderr=
2021-11-17T06:45:38Z DEBUG Starting external process
2021-11-17T06:45:38Z DEBUG args=['/bin/systemctl', 'start',
'dirsrv(a)IPA-PEP06-FR.service']
2021-11-17T06:45:38Z DEBUG step duration: dirsrv __enable_ds_global_write_lock 0.09 sec
2021-11-17T06:45:38Z DEBUG [4/9]: disabling Schema Compat
2021-11-17T06:45:38Z DEBUG step duration: dirsrv __disable_schema_compat 0.14 sec
2021-11-17T06:45:38Z DEBUG [5/9]: starting directory server
2021-11-17T06:45:38Z DEBUG Starting external process
2021-11-17T06:45:38Z DEBUG args=['/bin/systemctl', 'start',
'dirsrv(a)IPA-PEP06-FR.service']
2021-11-17T06:45:38Z DEBUG Process finished, return code=1
2021-11-17T06:45:38Z DEBUG stdout=
2021-11-17T06:45:38Z DEBUG stderr=Job for dirsrv(a)IPA-PEP06-FR.service failed because the
control process exited with error code.
See "systemctl status dirsrv(a)IPA-PEP06-FR.service" and "journalctl
-xe" for details.
2021-11-17T06:45:38Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and
run command ipa-server-upgrade manually.
2021-11-17T06:45:38Z DEBUG Process finished, return code=1
2021-11-17T06:45:38Z DEBUG stdout=
2021-11-17T06:45:38Z DEBUG stderr=Job for dirsrv(a)IPA-PEP06-FR.service failed because the
control process exited with error code.
See "systemctl status dirsrv(a)IPA-PEP06-FR.service" and "journalctl
-xe" for details.
2021-11-17T06:45:38Z DEBUG File
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File
"/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line
54, in run
server.upgrade()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1961, in upgrade
upgrade_configuration()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1584, in upgrade_configuration
ds.start(ds.serverid)
File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line
652, in start
instance_name, capture_output=capture_output, wait=wait
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
524, in start
self.service.start(instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/services.py", line
138, in start
instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line
311, in start
skip_output=not capture_output)
File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 599, in
run
p.returncode, arg_string, output_log, error_log
2021-11-17T06:45:38Z DEBUG The ipa-server-upgrade command failed, exception:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start',
'dirsrv(a)IPA-PEP06-FR.service'] returned non-zero exit status 1: 'Job for
dirsrv(a)IPA-PEP06-FR.service failed because the control process exited with error
code.\nSee "systemctl status dirsrv(a)IPA-PEP06-FR.service" and "journalctl
-xe" for details.\n')
2021-11-17T06:45:38Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start',
'dirsrv(a)IPA-PEP06-FR.service'] returned non-zero exit status 1: 'Job for
dirsrv(a)IPA-PEP06-FR.service failed because the control process exited with error
code.\nSee "systemctl status dirsrv(a)IPA-PEP06-FR.service" and "journalctl
-xe" for details.\n')
2021-11-17T06:45:38Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
2021-11-17T06:45:38Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/upgradeinstance.py",
line 104, in __start
srv.start(self.serverid, ldapi=True)
File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/services.py", line
138, in start
instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line
311, in start
skip_output=not capture_output)
File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 599, in
run
p.returncode, arg_string, output_log, error_log
ipapython.ipautil.CalledProcessError: CalledProcessError(Command
['/bin/systemctl', 'start', 'dirsrv(a)IPA-PEP06-FR.service']
returned non-zero exit status 1: 'Job for dirsrv(a)IPA-PEP06-FR.service failed because
the control process exited with error code.\nSee "systemctl status
dirsrv(a)IPA-PEP06-FR.service" and "journalctl -xe" for details.\n')
2021-11-17T06:45:38Z DEBUG [error] CalledProcessError: CalledProcessError(Command
['/bin/systemctl', 'start', 'dirsrv(a)IPA-PEP06-FR.service']
returned non-zero exit status 1: 'Job for dirsrv(a)IPA-PEP06-FR.service failed because
the control process exited with error code.\nSee "systemctl status
dirsrv(a)IPA-PEP06-FR.service" and "journalctl -xe" for details.\n')
2021-11-17T06:45:38Z DEBUG [cleanup]: stopping directory server
2021-11-17T06:45:38Z DEBUG Starting external process
2021-11-17T06:45:38Z DEBUG args=['/bin/systemctl', 'stop',
'dirsrv(a)IPA-PEP06-FR.service']
2021-11-17T06:45:38Z DEBUG Process finished, return code=0
2021-11-17T06:45:38Z DEBUG stdout=
2021-11-17T06:45:38Z DEBUG stderr=
2021-11-17T06:45:38Z DEBUG Stop of dirsrv(a)IPA-PEP06-FR.service complete
2021-11-17T06:45:38Z DEBUG step duration: dirsrv __stop_instance 0.02 sec
2021-11-17T06:45:38Z DEBUG [cleanup]: restoring configuration
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG step duration: dirsrv __restore_config 0.09 sec
2021-11-17T06:45:38Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and
run command ipa-server-upgrade manually.
2021-11-17T06:45:38Z DEBUG File
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File
"/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line
54, in run
server.upgrade()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1946, in upgrade
data_upgrade.create_instance()
File "/usr/lib/python3.6/site-packages/ipaserver/install/upgradeinstance.py",
line 134, in create_instance
runtime=90)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/upgradeinstance.py",
line 104, in __start
srv.start(self.serverid, ldapi=True)
File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/services.py", line
138, in start
instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line
311, in start
skip_output=not capture_output)
File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 599, in
run
p.returncode, arg_string, output_log, error_log
2021-11-17T06:45:38Z DEBUG The ipa-server-upgrade command failed, exception:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start',
'dirsrv(a)IPA-PEP06-FR.service'] returned non-zero exit status 1: 'Job for
dirsrv(a)IPA-PEP06-FR.service failed because the control process exited with error
code.\nSee "systemctl status dirsrv(a)IPA-PEP06-FR.service" and "journalctl
-xe" for details.\n')
2021-11-17T06:45:38Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start',
'dirsrv(a)IPA-PEP06-FR.service'] returned non-zero exit status 1: 'Job for
dirsrv(a)IPA-PEP06-FR.service failed because the control process exited with error
code.\nSee "systemctl status dirsrv(a)IPA-PEP06-FR.service" and "journalctl
-xe" for details.\n')
2021-11-17T06:45:38Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
On both nodes, several IPA services such as named-pkcs11, ipa-custodia, krb5kdc and kdamin
are now disabled in systemd. Of course, they were enabled before the update, since both
nodes were serving DNS and kerberos requests. I can re-enable and start most of those
services without an error except:
- dirsv@PEP06-IPA-FR, which seems OK on node #02 (ros-ass-ipa-02), but refuses to start on
node #01 (ros-ass-ipa-01):
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr systemd[1]: Starting 389
Directory Server IPA-PEP06-FR....
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr ns-slapd[5880]:
[17/Nov/2021:09:17:17.220419556 +0100] - WARN - str2entry_dupcheckEntry (%s), ignoring
invalid line "%s"...
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr ns-slapd[5880]: -
[17/Nov/2021:09:17:17.572658255 +0100] - NOTICE - config_set_port - Non-Secure Port
Disabled
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr ns-slapd[5880]:
[17/Nov/2021:09:17:17.637702405 +0100] - WARN - str2entry_dupcheckEntry (%s), ignoring
invalid line "%s"...
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr ns-slapd[5880]: -
[17/Nov/2021:09:17:17.641830897 +0100] - ERR - slapi_entry_schema_check_ext - Entry
"cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config" required attribute
"objectclass" missing
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr ns-slapd[5880]:
[17/Nov/2021:09:17:17.644760642 +0100] - ERR - init_dse_file - Could not load config file
[dse.ldif]
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr ns-slapd[5880]:
[17/Nov/2021:09:17:17.647669444 +0100] - ERR - setup_internal_backends - Please edit the
file to correct the reported problems and then restart the server.
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr systemd[1]:
dirsrv(a)IPA-PEP06-FR.service: Main process exited, code=exited, status=1/FAILURE
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr systemd[1]:
dirsrv(a)IPA-PEP06-FR.service: Failed with result 'exit-code'.
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr systemd[1]: Failed to start 389
Directory Server IPA-PEP06-FR..
- named-pkcs11, which throws an "initializing DST: PKCS#11 initialization
failed" error, on both nodes:
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: running as:
named-pkcs11 -u named -c /etc/named.conf
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: compiled by
GCC 8.5.0 20210514 (Red Hat 8.5.0-3.0.1)
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: compiled
with libxml2 version: 2.9.7
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: linked to
libxml2 version: 20907
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: compiled
with libjson-c version: 0.13.1
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: linked to
libjson-c version: 0.13.1
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: compiled
with zlib version: 1.2.11
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: linked to
zlib version: 1.2.11
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: threads
support is enabled
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]:
----------------------------------------------------
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: BIND 9 is
maintained by Internet Systems Consortium,
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: Inc. (ISC),
a non-profit 501(c)(3) public-benefit
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: corporation.
Support and training for BIND 9 are
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: available at
https://www.isc.org/support
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]:
----------------------------------------------------
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: adjusted
limit on open files from 262144 to 1048576
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: found 4
CPUs, using 4 worker threads
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: using 3 UDP
listeners per interface
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: using up to
21000 sockets
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: initializing
DST: PKCS#11 initialization failed
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: exiting (due
to fatal error)
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr systemd[1]:
named-pkcs11.service: Control process exited, code=exited status=1
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr systemd[1]:
named-pkcs11.service: Failed with result 'exit-code'.
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr systemd[1]: Failed to start
Berkeley Internet Name Domain (DNS) with native PKCS#11.
I could not find much info about the BIND error. It is usually related to HSM
configuration errors, but I couldn't find what's wrong:
[root@ros-ass-ipa-01 ~]# grep SOFTHSM2_CONF /etc/sysconfig/named
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
[root@ros-ass-ipa-01 ~]# SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
--show-slots
Available slots:
Slot 1594851657
Slot info:
Description: SoftHSM slot ID 0x5f0f8149
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number: 4a9fc4075f0f8149
Initialized: yes
User PIN init.: yes
Label: ipaDNSSEC
Slot 1
Slot info:
Description: SoftHSM slot ID 0x1
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number:
Initialized: no
User PIN init.: no
Label:
I tried re-running the IPA upgrade manually, and it failed on both nodes at the exact same
step as during the automatic upgrade. While node #02 seems mostly OK (dirsrv and KDC are
running, kinit does work; only named-pkcs11 is down), node #01 was more damaged as the
directory server does not even start anymore.
Full upgrade logs:
- Node #01 (ros-ass-ipa-01):
https://gist.github.com/marinbernard-pep06/548c4aea3006e18b5f86cda6f935f2c5
- Node #02 (ros-ass-ipa-02):
https://gist.github.com/marinbernard-pep06/7e5a76712cc4b23101f1fab39315f870
I would be **very** grateful to anyone sharing insight about this situation.
Thank you!
3:47 a.m.
Hi,
Try downgrading Java to the last known good version that worked for
your and report please.
Regards,
François
On Wed, Nov 17, 2021 at 10:17 AM Marin BERNARD via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Hi,
My NPO uses FreeIPA internally on a couple of Oracle Linux 8 instances. I know this is a
Fedora ML, but since OL8 is derivated from EL8 (as CentOS is), I think it may not make any
difference anyway.
The FreeIPA instance was deployed 6-8 months ago, with the LDAP, CA DNS roles enabled on
both nodes. DNSSEC was never enabled. An AD trust was created with the AD domain.
It worked flawlessly until the latest batch of updates which upgraded both systems to OL
8.5 + FreeIPA 4.9.6-6.0.1. An IPA upgrade was automatically started to migrate from
version 4.9.2-4.0.2 to 4.9.6-6.0.1, but it failed in different ways on both systems,
leaving them in unusable states. Of course, no backup to restore.
**Node #02** (ros-ass-ipa-02) upgraded first. The failure happened at IPA CA DNS update,
because the named-pkcs11 service could not be restarted. Here are the last lines from the
log:
2021-11-17T05:59:11Z DEBUG stderr=
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T05:59:11Z INFO dnssec-validation yes
2021-11-17T05:59:11Z INFO [Add missing CA DNS records]
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z INFO IPA CA DNS records already processed
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Loading StateFile from
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-17T05:59:11Z DEBUG Starting external process
2021-11-17T05:59:11Z DEBUG args=['/bin/systemctl', 'is-active',
'named-pkcs11.service']
2021-11-17T05:59:11Z DEBUG Process finished, return code=3
2021-11-17T05:59:11Z DEBUG stdout=failed
2021-11-17T05:59:11Z DEBUG stderr=
2021-11-17T05:59:11Z DEBUG Starting external process
2021-11-17T05:59:11Z DEBUG args=['/bin/systemctl', 'start',
'named-pkcs11.service']
2021-11-17T05:59:12Z DEBUG Process finished, return code=1
2021-11-17T05:59:12Z DEBUG stdout=
2021-11-17T05:59:12Z DEBUG stderr=Job for named-pkcs11.service failed because the control
process exited with error code.
See "systemctl status named-pkcs11.service" and "journalctl -xe" for
details.
2021-11-17T05:59:12Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and
run command ipa-server-upgrade manually.
2021-11-17T05:59:12Z DEBUG File
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File
"/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line
54, in run
server.upgrade()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1961, in upgrade
upgrade_configuration()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1791, in upgrade_configuration
upgrade_bind(fstore)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1453, in upgrade_bind
bind.start()
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
524, in start
self.service.start(instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line
311, in start
skip_output=not capture_output)
File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 599, in
run
p.returncode, arg_string, output_log, error_log
2021-11-17T05:59:12Z DEBUG The ipa-server-upgrade command failed, exception:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start',
'named-pkcs11.service'] returned non-zero exit status 1: 'Job for
named-pkcs11.service failed because the control process exited with error code.\nSee
"systemctl status named-pkcs11.service" and "journalctl -xe" for
details.\n')
2021-11-17T05:59:12Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
'start', 'named-pkcs11.service'] returned non-zero exit status 1: 'Job
for named-pkcs11.service failed because the control process exited with error code.\nSee
"systemctl status named-pkcs11.service" and "journalctl -xe" for
details.\n')
2021-11-17T05:59:12Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
**Node #01** (ros-ass-ipa-01) upgraded an hour after, and failed at step 5/9 when the
directory server could not be restarted after disabling Schema compat. Here are the last
log entries:
2021-11-17T06:45:38Z DEBUG stderr=
2021-11-17T06:45:38Z DEBUG Starting external process
2021-11-17T06:45:38Z DEBUG args=['/bin/systemctl', 'start',
'dirsrv(a)IPA-PEP06-FR.service']
2021-11-17T06:45:38Z DEBUG step duration: dirsrv __enable_ds_global_write_lock 0.09 sec
2021-11-17T06:45:38Z DEBUG [4/9]: disabling Schema Compat
2021-11-17T06:45:38Z DEBUG step duration: dirsrv __disable_schema_compat 0.14 sec
2021-11-17T06:45:38Z DEBUG [5/9]: starting directory server
2021-11-17T06:45:38Z DEBUG Starting external process
2021-11-17T06:45:38Z DEBUG args=['/bin/systemctl', 'start',
'dirsrv(a)IPA-PEP06-FR.service']
2021-11-17T06:45:38Z DEBUG Process finished, return code=1
2021-11-17T06:45:38Z DEBUG stdout=
2021-11-17T06:45:38Z DEBUG stderr=Job for dirsrv(a)IPA-PEP06-FR.service failed because the
control process exited with error code.
See "systemctl status dirsrv(a)IPA-PEP06-FR.service" and "journalctl
-xe" for details.
2021-11-17T06:45:38Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and
run command ipa-server-upgrade manually.
2021-11-17T06:45:38Z DEBUG Process finished, return code=1
2021-11-17T06:45:38Z DEBUG stdout=
2021-11-17T06:45:38Z DEBUG stderr=Job for dirsrv(a)IPA-PEP06-FR.service failed because the
control process exited with error code.
See "systemctl status dirsrv(a)IPA-PEP06-FR.service" and "journalctl
-xe" for details.
2021-11-17T06:45:38Z DEBUG File
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File
"/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line
54, in run
server.upgrade()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1961, in upgrade
upgrade_configuration()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1584, in upgrade_configuration
ds.start(ds.serverid)
File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line
652, in start
instance_name, capture_output=capture_output, wait=wait
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
524, in start
self.service.start(instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/services.py", line
138, in start
instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line
311, in start
skip_output=not capture_output)
File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 599, in
run
p.returncode, arg_string, output_log, error_log
2021-11-17T06:45:38Z DEBUG The ipa-server-upgrade command failed, exception:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start',
'dirsrv(a)IPA-PEP06-FR.service'] returned non-zero exit status 1: 'Job for
dirsrv(a)IPA-PEP06-FR.service failed because the control process exited with error
code.\nSee "systemctl status dirsrv(a)IPA-PEP06-FR.service" and "journalctl
-xe" for details.\n')
2021-11-17T06:45:38Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
'start', 'dirsrv(a)IPA-PEP06-FR.service'] returned non-zero exit status 1:
'Job for dirsrv(a)IPA-PEP06-FR.service failed because the control process exited with
error code.\nSee "systemctl status dirsrv(a)IPA-PEP06-FR.service" and
"journalctl -xe" for details.\n')
2021-11-17T06:45:38Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
2021-11-17T06:45:38Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/upgradeinstance.py",
line 104, in __start
srv.start(self.serverid, ldapi=True)
File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/services.py", line
138, in start
instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line
311, in start
skip_output=not capture_output)
File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 599, in
run
p.returncode, arg_string, output_log, error_log
ipapython.ipautil.CalledProcessError: CalledProcessError(Command
['/bin/systemctl', 'start', 'dirsrv(a)IPA-PEP06-FR.service']
returned non-zero exit status 1: 'Job for dirsrv(a)IPA-PEP06-FR.service failed because
the control process exited with error code.\nSee "systemctl status
dirsrv(a)IPA-PEP06-FR.service" and "journalctl -xe" for details.\n')
2021-11-17T06:45:38Z DEBUG [error] CalledProcessError: CalledProcessError(Command
['/bin/systemctl', 'start', 'dirsrv(a)IPA-PEP06-FR.service']
returned non-zero exit status 1: 'Job for dirsrv(a)IPA-PEP06-FR.service failed because
the control process exited with error code.\nSee "systemctl status
dirsrv(a)IPA-PEP06-FR.service" and "journalctl -xe" for details.\n')
2021-11-17T06:45:38Z DEBUG [cleanup]: stopping directory server
2021-11-17T06:45:38Z DEBUG Starting external process
2021-11-17T06:45:38Z DEBUG args=['/bin/systemctl', 'stop',
'dirsrv(a)IPA-PEP06-FR.service']
2021-11-17T06:45:38Z DEBUG Process finished, return code=0
2021-11-17T06:45:38Z DEBUG stdout=
2021-11-17T06:45:38Z DEBUG stderr=
2021-11-17T06:45:38Z DEBUG Stop of dirsrv(a)IPA-PEP06-FR.service complete
2021-11-17T06:45:38Z DEBUG step duration: dirsrv __stop_instance 0.02 sec
2021-11-17T06:45:38Z DEBUG [cleanup]: restoring configuration
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2021-11-17T06:45:38Z DEBUG step duration: dirsrv __restore_config 0.09 sec
2021-11-17T06:45:38Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and
run command ipa-server-upgrade manually.
2021-11-17T06:45:38Z DEBUG File
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File
"/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line
54, in run
server.upgrade()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1946, in upgrade
data_upgrade.create_instance()
File "/usr/lib/python3.6/site-packages/ipaserver/install/upgradeinstance.py",
line 134, in create_instance
runtime=90)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/upgradeinstance.py",
line 104, in __start
srv.start(self.serverid, ldapi=True)
File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/services.py", line
138, in start
instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line
311, in start
skip_output=not capture_output)
File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 599, in
run
p.returncode, arg_string, output_log, error_log
2021-11-17T06:45:38Z DEBUG The ipa-server-upgrade command failed, exception:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start',
'dirsrv(a)IPA-PEP06-FR.service'] returned non-zero exit status 1: 'Job for
dirsrv(a)IPA-PEP06-FR.service failed because the control process exited with error
code.\nSee "systemctl status dirsrv(a)IPA-PEP06-FR.service" and "journalctl
-xe" for details.\n')
2021-11-17T06:45:38Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
'start', 'dirsrv(a)IPA-PEP06-FR.service'] returned non-zero exit status 1:
'Job for dirsrv(a)IPA-PEP06-FR.service failed because the control process exited with
error code.\nSee "systemctl status dirsrv(a)IPA-PEP06-FR.service" and
"journalctl -xe" for details.\n')
2021-11-17T06:45:38Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
On both nodes, several IPA services such as named-pkcs11, ipa-custodia, krb5kdc and
kdamin are now disabled in systemd. Of course, they were enabled before the update, since
both nodes were serving DNS and kerberos requests. I can re-enable and start most of those
services without an error except:
- dirsv@PEP06-IPA-FR, which seems OK on node #02 (ros-ass-ipa-02), but refuses to start
on node #01 (ros-ass-ipa-01):
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr systemd[1]: Starting 389
Directory Server IPA-PEP06-FR....
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr ns-slapd[5880]:
[17/Nov/2021:09:17:17.220419556 +0100] - WARN - str2entry_dupcheckEntry (%s), ignoring
invalid line "%s"...
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr ns-slapd[5880]: -
[17/Nov/2021:09:17:17.572658255 +0100] - NOTICE - config_set_port - Non-Secure Port
Disabled
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr ns-slapd[5880]:
[17/Nov/2021:09:17:17.637702405 +0100] - WARN - str2entry_dupcheckEntry (%s), ignoring
invalid line "%s"...
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr ns-slapd[5880]: -
[17/Nov/2021:09:17:17.641830897 +0100] - ERR - slapi_entry_schema_check_ext - Entry
"cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config" required attribute
"objectclass" missing
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr ns-slapd[5880]:
[17/Nov/2021:09:17:17.644760642 +0100] - ERR - init_dse_file - Could not load config file
[dse.ldif]
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr ns-slapd[5880]:
[17/Nov/2021:09:17:17.647669444 +0100] - ERR - setup_internal_backends - Please edit the
file to correct the reported problems and then restart the server.
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr systemd[1]:
dirsrv(a)IPA-PEP06-FR.service: Main process exited, code=exited, status=1/FAILURE
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr systemd[1]:
dirsrv(a)IPA-PEP06-FR.service: Failed with result 'exit-code'.
nov. 17 09:17:17 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr systemd[1]: Failed to start 389
Directory Server IPA-PEP06-FR..
- named-pkcs11, which throws an "initializing DST: PKCS#11 initialization
failed" error, on both nodes:
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: running as:
named-pkcs11 -u named -c /etc/named.conf
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: compiled by
GCC 8.5.0 20210514 (Red Hat 8.5.0-3.0.1)
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: compiled
with libxml2 version: 2.9.7
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: linked to
libxml2 version: 20907
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: compiled
with libjson-c version: 0.13.1
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: linked to
libjson-c version: 0.13.1
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: compiled
with zlib version: 1.2.11
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: linked to
zlib version: 1.2.11
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: threads
support is enabled
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]:
----------------------------------------------------
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: BIND 9 is
maintained by Internet Systems Consortium,
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: Inc. (ISC),
a non-profit 501(c)(3) public-benefit
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]:
corporation. Support and training for BIND 9 are
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: available
at https://www.isc.org/support
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]:
----------------------------------------------------
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: adjusted
limit on open files from 262144 to 1048576
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: found 4
CPUs, using 4 worker threads
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: using 3 UDP
listeners per interface
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: using up to
21000 sockets
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]:
initializing DST: PKCS#11 initialization failed
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr named-pkcs11[5910]: exiting
(due to fatal error)
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr systemd[1]:
named-pkcs11.service: Control process exited, code=exited status=1
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr systemd[1]:
named-pkcs11.service: Failed with result 'exit-code'.
nov. 17 09:30:05 ros-ass-ipa-01.core.ass.ros.ipa.pep06.fr systemd[1]: Failed to start
Berkeley Internet Name Domain (DNS) with native PKCS#11.
I could not find much info about the BIND error. It is usually related to HSM
configuration errors, but I couldn't find what's wrong:
[root@ros-ass-ipa-01 ~]# grep SOFTHSM2_CONF /etc/sysconfig/named
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
[root@ros-ass-ipa-01 ~]# SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
--show-slots
Available slots:
Slot 1594851657
Slot info:
Description: SoftHSM slot ID 0x5f0f8149
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number: 4a9fc4075f0f8149
Initialized: yes
User PIN init.: yes
Label: ipaDNSSEC
Slot 1
Slot info:
Description: SoftHSM slot ID 0x1
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number:
Initialized: no
User PIN init.: no
Label:
I tried re-running the IPA upgrade manually, and it failed on both nodes at the exact
same step as during the automatic upgrade. While node #02 seems mostly OK (dirsrv and KDC
are running, kinit does work; only named-pkcs11 is down), node #01 was more damaged as the
directory server does not even start anymore.
Full upgrade logs:
- Node #01 (ros-ass-ipa-01):
https://gist.github.com/marinbernard-pep06/548c4aea3006e18b5f86cda6f935f2c5
- Node #02 (ros-ass-ipa-02):
https://gist.github.com/marinbernard-pep06/7e5a76712cc4b23101f1fab39315f870
I would be **very** grateful to anyone sharing insight about this situation.
Thank you!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
4:04 a.m.
Hi François,
Both systems are using Java 1.8.0.312.b07, installed on 2021-10-21:
[root@ros-ass-ipa-02 ~]# dnf list installed java-*
Paquets installés
java-1.8.0-openjdk.x86_64 1:1.8.0.312.b07-1.el8_4
@ol8_appstream
java-1.8.0-openjdk-devel.x86_64 1:1.8.0.312.b07-1.el8_4
@ol8_appstream
java-1.8.0-openjdk-headless.x86_64 1:1.8.0.312.b07-1.el8_4
@ol8_appstream
[root@ros-ass-ipa-02 ~]# rpm -qa --last | grep java-1.8.0-openjdk-
java-1.8.0-openjdk-devel-1.8.0.312.b07-1.el8_4.x86_64 jeu. 21 oct. 2021 06:15:20 CEST
java-1.8.0-openjdk-1.8.0.312.b07-1.el8_4.x86_64 jeu. 21 oct. 2021 06:15:17 CEST
java-1.8.0-openjdk-headless-1.8.0.312.b07-1.el8_4.x86_64 jeu. 21 oct. 2021 06:15:16 CEST
At least one IPA upgrade completed successfully on both nodes with the current Java
version (I have logs for a successful upgrade on 2021-11-12), so the current Java version
seems OK.
Thank you,
--
Marin
7:57 a.m.
Hi again,
It seems named-pkcs11 fails to start because it cannot read PKCS11 objects from the HSM.
Yet, user 'named' is able to access the HSM, at least interactively:
[root@ros-ass-ipa-02 ~]# sudo -u named bash
bash-4.4$ cd
bash-4.4$ export SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
bash-4.4$ export SOFTHSM2_PIN="$(cat /var/lib/ipa/dnssec/softhsm_pin)"
bash-4.4$ softhsm2-util --show-slots
Available slots:
Slot 1007503753
Slot info:
Description: SoftHSM slot ID 0x3c0d4989
Manufacturer ID: SoftHSM project
Hardware version: 2.4
Firmware version: 2.4
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.4
Firmware version: 2.4
Serial number: 226b9cd63c0d4989
Initialized: yes
User PIN init.: yes
Label: ipaDNSSEC
Slot 1
Slot info:
Description: SoftHSM slot ID 0x1
Manufacturer ID: SoftHSM project
Hardware version: 2.4
Firmware version: 2.4
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.4
Firmware version: 2.4
Serial number:
Initialized: no
User PIN init.: no
Label:
bash-4.4$ pkcs11-list -p "${SOFTHSM2_PIN}" -s 1007503753
slot 1007503753
object[0]: handle 2 class 3 label[56]
'dnssec-replica:ros-ass-ipa-02.core.ass.ros.ipa.pep06.fr.' id[16]
0xb1fab57b623bf846... E:never
object[1]: handle 3 class 2 label[56]
'dnssec-replica:ros-ass-ipa-02.core.ass.ros.ipa.pep06.fr.' id[16]
0xb1fab57b623bf846...
Of course, specifying a non-existent slot ID returns a terminating error:
bash-4.4$ pkcs11-list -p "${SOFTHSM2_PIN}" -s 0
Unrecoverable error initializing PKCS#11: not found
Unrecoverable error initializing PKCS#11: not found
We can also list PKCS11 tokens:
bash-4.4$ pkcs11-tokens
DEFAULTS
rand_token=0x55ae13fa0180
best_rsa_token=0x55ae13fa0180
best_dsa_token=0x55ae13fa0180
best_dh_token=0x55ae13fa0180
digest_token=0x55ae13fa0180
best_ec_token=0x55ae13fa0180
best_gost_token=(nil)
aes_token=0x55ae13fa0180
TOKEN
address=0x55ae13fa0180
slotID=1007503753
label=ipaDNSSEC
manufacturerID=SoftHSM project
model=SoftHSM v2
serialNumber=226b9cd63c0d4989
supported operations=0x17e (RANDRSA,DSA,DH,DIGEST,EC,AES)
TOKEN
address=0x55ae13fa0320
slotID=1
label=
manufacturerID=SoftHSM project
model=SoftHSM v2
serialNumber=
supported operations=0x17e (RANDRSA,DSA,DH,DIGEST,EC,AES)
File permissions seem OK. Putting SELinux in permissive mode did not help.
What else could prevent BIND from accessing the HSM ?
901
days inactive
901
days old
freeipa-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
François Cami -
Marin BERNARD