5:14 a.m.
Hi All,
I've been using freeipa configured as a HA pair on Centos for about 12
months and I've been really impressed, however this morning it has
started pumping mud. Any suggestions appreciated.
I did a dnf update of the server which appears to have broken the
FreeIPA server and I see the following errors from the ipa start
ipactl start
IPA version error: data needs to be upgraded (expected version '4.8.7-
13.module_el8.3.0+606+1e8766d7', current version '4.8.7-
12.module_el8.3.0+511+8a502f20')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
...
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
Some information
The broken system.
CentOS Linux release 8.3.2011
ipa-server-4.8.7-13 (the updated server)
The still operational system
CentOS Linux release 8.3.2011
ipa-server-4.8.7-12
The certificate information based upon the following commands appear to
be good.
getcert list -f /var/lib/ipa/ra-agent.pem | grep expires
expires: 2021-12-17 14:43:54 AEDT
ldapsearch -D "cn=directory manager" -W -b o=ipaca "(uid=ipara)"
openssl x509 -text -in /var/lib/ipa/ra-agent.pem
From the /var/log/ipaupgrade.log
2021-01-12T09:51:07Z DEBUG request GET
https://groats.ipa.bogus.com.au:8443/ca/rest/account/login
2021-01-12T09:51:07Z DEBUG request body ''
2021-01-12T09:51:07Z DEBUG response status 500
2021-01-12T09:51:07Z DEBUG response headers Content-Type:
text/html;charset=utf-8
From the ca debug logs /var/log/pki/pki-tomcat/ca/debug.2021-01-12.log
I'm not sure if the following are relevant
2021-01-12 20:50:49 [main] FINEST: Getting
log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION
_TERMINATED,AUTH,AUTHORITY_CONFIG,AUTHZ,CERT_PROFILE_APPROVAL,CERT_REQU
EST_PROCESSED,CERT_SIGNING_INFO,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CL
IENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CMC_REQU
EST_RECEIVED,CMC_RESPONSE_SENT,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_S
IGNED_REQUEST_SIG_VERIFY,CONFIG_ACL,CONFIG_AUTH,CONFIG_CERT_PROFILE,CON
FIG_CRL_PROFILE,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG
_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KE
Y,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CH
ANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_PO
SSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS
_EXECUTION
2021-01-12 20:50:49 [main] FINEST: Getting
log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION
_TERMINATED,AUTH,AUTHORITY_CONFIG,AUTHZ,CERT_PROFILE_APPROVAL,CERT_REQU
EST_PROCESSED,CERT_SIGNING_INFO,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CL
IENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CMC_REQU
EST_RECEIVED,CMC_RESPONSE_SENT,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_S
IGNED_REQUEST_SIG_VERIFY,CONFIG_ACL,CONFIG_AUTH,CONFIG_CERT_PROFILE,CON
FIG_CRL_PROFILE,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG
_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KE
Y,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CH
ANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_PO
SSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS
_EXECUTION
2021-01-12 20:50:49 [main] FINE: Event filters:
2021-01-12 20:50:49 [main] FINE: - CMC_SIGNED_REQUEST_SIG_VERIFY:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - CMC_USER_SIGNED_REQUEST_SIG_VERIFY:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - DELTA_CRL_GENERATION:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - FULL_CRL_GENERATION:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - OCSP_GENERATION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - RANDOM_GENERATION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - SELFTESTS_EXECUTION:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINEST: Property
log.instance.SignedAudit.trace not found
However where it dies is
2021-01-12 20:50:50 [main] FINEST: Property internaldb.doCloning not
found
2021-01-12 20:50:50 [main] FINEST: Getting internaldb.doCloning=true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: doCloning: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: mininum: 3
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: maximum: 15
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: host:
oats.ipa.amnesium.com.au
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: port: 636
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: secure: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: authentication:
2
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory:
makeConnection(true)
2021-01-12 20:50:50 [main] FINEST: Getting
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
2021-01-12 20:50:50 [main] FINEST: Property tcp.keepAlive not found
2021-01-12 20:50:50 [main] FINEST: Getting tcp.keepAlive=true
2021-01-12 20:50:50 [main] FINE: TCP Keep-Alive: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnection: Connecting to
oats.ipa.amnesium.com.au:636 with client cert auth
2021-01-12 20:50:50 [main] FINE:
ldapconn/PKISocketFactory.makeSSLSocket: begins
2021-01-12 20:50:50 [main] FINE: SignedAuditLogger: event
CLIENT_ACCESS_SESSION_ESTABLISH
2021-01-12 20:50:50 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-12 20:50:50 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-12 20:50:50 [main] SEVERE: Unable to create socket:
java.net.ConnectException: Connection refused (Connection refused)
java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java
:350)
at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketIm
pl.java:206)
at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:1
88)
.....
4:21 a.m.
New subject: FreeIPA centos8 update Failed to authenticate to CA REST API
Hi All,
Any next steps in fixing the following issue.
The upgrade has failed as the tomcat CA server appears to be unable to
connect to the ldap server as the connection is refused. Is there any
way to collect more information from from ldap server to ascertain why
the connection has failed.
Is it possible to run the upgrade process manually rather than the
current automated process.
2021-01-14 09:21:28 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-14 09:21:28 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-14 09:21:28 [main] SEVERE: Unable to create socket:
java.net.ConnectException: Connection refused (Connection refused)
java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java
:350)
Going through the information in
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
The certificates are and configuration are correct and valid however
the failure still occurs. Are there any suggestions which might assist
in isolating the issue.
Kind Regards
Ian
-----Original Message-----
From: Ian Willis via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
To: freeipa-users(a)lists.fedorahosted.org
Cc: Ian Willis <fedora(a)checksum.net.au>
Subject: [Freeipa-users] FreeIPA centos8 update Failed to authenticate
to CA REST API
Date: Tue, 12 Jan 2021 22:14:11 +1100
Hi All,
I've been using freeipa configured as a HA pair on Centos for about 12
months and I've been really impressed, however this morning it has
started pumping mud. Any suggestions appreciated.
I did a dnf update of the server which appears to have broken the
FreeIPA server and I see the following errors from the ipa start
ipactl start
IPA version error: data needs to be upgraded (expected version '4.8.7-
13.module_el8.3.0+606+1e8766d7', current version '4.8.7-
12.module_el8.3.0+511+8a502f20')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
...
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
Some information
The broken system.
CentOS Linux release 8.3.2011
ipa-server-4.8.7-13 (the updated server)
The still operational system
CentOS Linux release 8.3.2011
ipa-server-4.8.7-12
The certificate information based upon the following commands appear to
be good.
getcert list -f /var/lib/ipa/ra-agent.pem | grep expires
expires: 2021-12-17 14:43:54 AEDT
ldapsearch -D "cn=directory manager" -W -b o=ipaca "(uid=ipara)"
openssl x509 -text -in /var/lib/ipa/ra-agent.pem
From the /var/log/ipaupgrade.log
2021-01-12T09:51:07Z DEBUG request GET
https://groats.ipa.bogus.com.au:8443/ca/rest/account/login
2021-01-12T09:51:07Z DEBUG request body ''
2021-01-12T09:51:07Z DEBUG response status 500
2021-01-12T09:51:07Z DEBUG response headers Content-Type:
text/html;charset=utf-8
From the ca debug logs /var/log/pki/pki-tomcat/ca/debug.2021-01-12.log
I'm not sure if the following are relevant
2021-01-12 20:50:49 [main] FINEST: Getting
log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION
_TERMINATED,AUTH,AUTHORITY_CONFIG,AUTHZ,CERT_PROFILE_APPROVAL,CERT_REQU
EST_PROCESSED,CERT_SIGNING_INFO,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CL
IENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CMC_REQU
EST_RECEIVED,CMC_RESPONSE_SENT,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_S
IGNED_REQUEST_SIG_VERIFY,CONFIG_ACL,CONFIG_AUTH,CONFIG_CERT_PROFILE,CON
FIG_CRL_PROFILE,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG
_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KE
Y,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CH
ANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_PO
SSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS
_EXECUTION
2021-01-12 20:50:49 [main] FINEST: Getting
log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION
_TERMINATED,AUTH,AUTHORITY_CONFIG,AUTHZ,CERT_PROFILE_APPROVAL,CERT_REQU
EST_PROCESSED,CERT_SIGNING_INFO,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CL
IENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CMC_REQU
EST_RECEIVED,CMC_RESPONSE_SENT,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_S
IGNED_REQUEST_SIG_VERIFY,CONFIG_ACL,CONFIG_AUTH,CONFIG_CERT_PROFILE,CON
FIG_CRL_PROFILE,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG
_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KE
Y,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CH
ANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_PO
SSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS
_EXECUTION
2021-01-12 20:50:49 [main] FINE: Event filters:
2021-01-12 20:50:49 [main] FINE: - CMC_SIGNED_REQUEST_SIG_VERIFY:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - CMC_USER_SIGNED_REQUEST_SIG_VERIFY:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - DELTA_CRL_GENERATION:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - FULL_CRL_GENERATION:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - OCSP_GENERATION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - RANDOM_GENERATION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - SELFTESTS_EXECUTION:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINEST: Property
log.instance.SignedAudit.trace not found
However where it dies is
2021-01-12 20:50:50 [main] FINEST: Property internaldb.doCloning not
found
2021-01-12 20:50:50 [main] FINEST: Getting internaldb.doCloning=true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: doCloning: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: mininum: 3
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: maximum: 15
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: host:
oats.ipa.amnesium.com.au
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: port: 636
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: secure: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: authentication:
2
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory:
makeConnection(true)
2021-01-12 20:50:50 [main] FINEST: Getting
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
2021-01-12 20:50:50 [main] FINEST: Property tcp.keepAlive not found
2021-01-12 20:50:50 [main] FINEST: Getting tcp.keepAlive=true
2021-01-12 20:50:50 [main] FINE: TCP Keep-Alive: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnection: Connecting to
oats.ipa.amnesium.com.au:636 with client cert auth
2021-01-12 20:50:50 [main] FINE:
ldapconn/PKISocketFactory.makeSSLSocket: begins
2021-01-12 20:50:50 [main] FINE: SignedAuditLogger: event
CLIENT_ACCESS_SESSION_ESTABLISH
2021-01-12 20:50:50 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-12 20:50:50 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-12 20:50:50 [main] SEVERE: Unable to create socket:
java.net.ConnectException: Connection refused (Connection refused)
java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java
:350)
at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketIm
pl.java:206)
at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:1
88)
.....
_______________________________________________FreeIPA-users mailing
list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
9:41 p.m.
New subject: FreeIPA centos8 update Failed to authenticate to CA REST API
Hi All,
Given the fact that there haven't been any responses to this issue it
would appear that the options are limited to the following approach.
Given the current state and the fact that the CA master is the one with
the issues. Would the best approach be to
1 Build a new replica with the current patchset
2 Promote the existing replica to be the CA master
3 Rebuild the original problematic server.
Should steps 1 or 2 above be performed in a particular sequence or
doesn't it matter.
Based upon the current documentation
Clean deployment from the lost server by removing all replication
agreements with it.
Choose another FreeIPA Server with CA installed to become the first
master
Nominate this master to be the one in charge or renewing certs and
publishing CRLS. This is a manual procedure at the moment (I believe
this is documented here
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
Follow standard installation procedure to deploy a new master on a
hardware/VM of your choice
Kind Regards
-----Original Message-----
From: Ian Willis via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
To: freeipa-users(a)lists.fedorahosted.org
Cc: Ian Willis <fedora(a)checksum.net.au>
Subject: [Freeipa-users] Re: FreeIPA centos8 update Failed to
authenticate to CA REST API
Date: Thu, 14 Jan 2021 21:21:36 +1100
Hi All,
Any next steps in fixing the following issue.
The upgrade has failed as the tomcat CA server appears to be unable to
connect to the ldap server as the connection is refused. Is there any
way to collect more information from from ldap server to ascertain why
the connection has failed.
Is it possible to run the upgrade process manually rather than the
current automated process.
2021-01-14 09:21:28 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-14 09:21:28 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-14 09:21:28 [main] SEVERE: Unable to create socket:
java.net.ConnectException: Connection refused (Connection refused)
java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java
:350)
Going through the information in
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
The certificates are and configuration are correct and valid however
the failure still occurs. Are there any suggestions which might assist
in isolating the issue.
Kind Regards
Ian
-----Original Message-----
From: Ian Willis via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
To: freeipa-users(a)lists.fedorahosted.org
Cc: Ian Willis <fedora(a)checksum.net.au>
Subject: [Freeipa-users] FreeIPA centos8 update Failed to authenticate
to CA REST API
Date: Tue, 12 Jan 2021 22:14:11 +1100
Hi All,
I've been using freeipa configured as a HA pair on Centos for about 12
months and I've been really impressed, however this morning it has
started pumping mud. Any suggestions appreciated.
I did a dnf update of the server which appears to have broken the
FreeIPA server and I see the following errors from the ipa start
ipactl start
IPA version error: data needs to be upgraded (expected version '4.8.7-
13.module_el8.3.0+606+1e8766d7', current version '4.8.7-
12.module_el8.3.0+511+8a502f20')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
...
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
Some information
The broken system.
CentOS Linux release 8.3.2011
ipa-server-4.8.7-13 (the updated server)
The still operational system
CentOS Linux release 8.3.2011
ipa-server-4.8.7-12
The certificate information based upon the following commands appear to
be good.
getcert list -f /var/lib/ipa/ra-agent.pem | grep expires
expires: 2021-12-17 14:43:54 AEDT
ldapsearch -D "cn=directory manager" -W -b o=ipaca "(uid=ipara)"
openssl x509 -text -in /var/lib/ipa/ra-agent.pem
From the /var/log/ipaupgrade.log
2021-01-12T09:51:07Z DEBUG request GET
https://groats.ipa.bogus.com.au:8443/ca/rest/account/login
2021-01-12T09:51:07Z DEBUG request body ''
2021-01-12T09:51:07Z DEBUG response status 500
2021-01-12T09:51:07Z DEBUG response headers Content-Type:
text/html;charset=utf-8
From the ca debug logs /var/log/pki/pki-tomcat/ca/debug.2021-01-12.log
I'm not sure if the following are relevant
2021-01-12 20:50:49 [main] FINEST: Getting
log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION
_TERMINATED,AUTH,AUTHORITY_CONFIG,AUTHZ,CERT_PROFILE_APPROVAL,CERT_REQU
EST_PROCESSED,CERT_SIGNING_INFO,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CL
IENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CMC_REQU
EST_RECEIVED,CMC_RESPONSE_SENT,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_S
IGNED_REQUEST_SIG_VERIFY,CONFIG_ACL,CONFIG_AUTH,CONFIG_CERT_PROFILE,CON
FIG_CRL_PROFILE,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG
_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KE
Y,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CH
ANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_PO
SSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS
_EXECUTION
2021-01-12 20:50:49 [main] FINEST: Getting
log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION
_TERMINATED,AUTH,AUTHORITY_CONFIG,AUTHZ,CERT_PROFILE_APPROVAL,CERT_REQU
EST_PROCESSED,CERT_SIGNING_INFO,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CL
IENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CMC_REQU
EST_RECEIVED,CMC_RESPONSE_SENT,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_S
IGNED_REQUEST_SIG_VERIFY,CONFIG_ACL,CONFIG_AUTH,CONFIG_CERT_PROFILE,CON
FIG_CRL_PROFILE,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG
_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KE
Y,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CH
ANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_PO
SSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS
_EXECUTION
2021-01-12 20:50:49 [main] FINE: Event filters:
2021-01-12 20:50:49 [main] FINE: - CMC_SIGNED_REQUEST_SIG_VERIFY:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - CMC_USER_SIGNED_REQUEST_SIG_VERIFY:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - DELTA_CRL_GENERATION:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - FULL_CRL_GENERATION:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - OCSP_GENERATION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - RANDOM_GENERATION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - SELFTESTS_EXECUTION:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINEST: Property
log.instance.SignedAudit.trace not found
However where it dies is
2021-01-12 20:50:50 [main] FINEST: Property internaldb.doCloning not
found
2021-01-12 20:50:50 [main] FINEST: Getting internaldb.doCloning=true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: doCloning: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: mininum: 3
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: maximum: 15
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: host:
oats.ipa.amnesium.com.au
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: port: 636
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: secure: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: authentication:
2
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory:
makeConnection(true)
2021-01-12 20:50:50 [main] FINEST: Getting
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
2021-01-12 20:50:50 [main] FINEST: Property tcp.keepAlive not found
2021-01-12 20:50:50 [main] FINEST: Getting tcp.keepAlive=true
2021-01-12 20:50:50 [main] FINE: TCP Keep-Alive: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnection: Connecting to
oats.ipa.amnesium.com.au:636 with client cert auth
2021-01-12 20:50:50 [main] FINE:
ldapconn/PKISocketFactory.makeSSLSocket: begins
2021-01-12 20:50:50 [main] FINE: SignedAuditLogger: event
CLIENT_ACCESS_SESSION_ESTABLISH
2021-01-12 20:50:50 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-12 20:50:50 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-12 20:50:50 [main] SEVERE: Unable to create socket:
java.net.ConnectException: Connection refused (Connection refused)
java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java
:350)
at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketIm
pl.java:206)
at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:1
88)
.....
_______________________________________________FreeIPA-users mailing
list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
_______________________________________________FreeIPA-users mailing
list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
3:08 p.m.
New subject: FreeIPA centos8 update Failed to authenticate to CA REST API
Hi All,
I've created an additional new freeipa replica. The main difficulty was
that I rebuilt an existing system and there were remnants of the
previous build in the exist ipa replica and this was reported as
insufficient acccess rights even through the keys could be manually
created using the same commands. After initially assuming that it was a
file permissions error and blowing out the permissions using acls I
eventually found the link below.
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Manually deleting the entity after a failed install appears to rectify
this issue.
I will now promote the original replica to be the master CA server. If
anyone is aware of any deficiencies in the process documented
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
it would be appreciated.
Cheers
-----Original Message-----From: Ian Willis <fedora(a)checksum.net.au>To:
FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>Subject: Re:
[Freeipa-users] Re: FreeIPA centos8 update Failed to authenticate to CA
REST APIDate: Sat, 16 Jan 2021 14:41:42 +1100
Hi All,
Given the fact that there haven't been any responses to this issue it
would appear that the options are limited to the following approach.
Given the current state and the fact that the CA master is the one with
the issues. Would the best approach be to 1 Build a new replica with
the current patchset2 Promote the existing replica to be the CA master3
Rebuild the original problematic server.
Should steps 1 or 2 above be performed in a particular sequence or
doesn't it matter.
Based upon the current documentation
Clean deployment from the lost server by removing all replication
agreements with it.
Choose another FreeIPA Server with CA installed to become the first
master
Nominate this master to be the one in charge or renewing certs and
publishing CRLS. This is a manual procedure at the moment (I believe
this is documented here
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
Follow standard installation procedure to deploy a new master on a
hardware/VM of your choice
Kind Regards
-----Original Message-----From: Ian Willis via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org>Reply-To: FreeIPA users list <
freeipa-users(a)lists.fedorahosted.org>To:
freeipa-users(a)lists.fedorahosted.orgCc: Ian Willis <
fedora(a)checksum.net.au>Subject: [Freeipa-users] Re: FreeIPA centos8
update Failed to authenticate to CA REST APIDate: Thu, 14 Jan 2021
21:21:36 +1100
Hi All,
Any next steps in fixing the following issue.
The upgrade has failed as the tomcat CA server appears to be unable to
connect to the ldap server as the connection is refused. Is there any
way to collect more information from from ldap server to ascertain why
the connection has failed.
Is it possible to run the upgrade process manually rather than the
current automated process.
2021-01-14 09:21:28 [main] FINEST: Getting
pidDir=/var/run/pki/tomcat2021-01-14 09:21:28 [main] FINEST: Getting
pidDir=/var/run/pki/tomcat2021-01-14 09:21:28 [main] SEVERE: Unable to
create socket: java.net.ConnectException: Connection refused
(Connection refused)java.net.ConnectException: Connection refused
(Connection refused) at
java.net.PlainSocketImpl.socketConnect(Native Method) at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java
:350)
Going through the information in
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
The certificates are and configuration are correct and valid however
the failure still occurs. Are there any suggestions which might assist
in isolating the issue.
Kind Regards
Ian
-----Original Message-----From: Ian Willis via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org>Reply-To: FreeIPA users list <
freeipa-users(a)lists.fedorahosted.org>To:
freeipa-users(a)lists.fedorahosted.orgCc: Ian Willis <
fedora(a)checksum.net.au>Subject: [Freeipa-users] FreeIPA centos8 update
Failed to authenticate to CA REST APIDate: Tue, 12 Jan 2021 22:14:11
+1100
Hi All,
I've been using freeipa configured as a HA pair on Centos for about 12
months and I've been really impressed, however this morning it has
started pumping mud. Any suggestions appreciated.
I did a dnf update of the server which appears to have broken the
FreeIPA server and I see the following errors from the ipa start
ipactl start IPA version error: data needs to be upgraded (expected
version '4.8.7-13.module_el8.3.0+606+1e8766d7', current version '4.8.7-
12.module_el8.3.0+511+8a502f20')Automatically running upgrade, for
details see /var/log/ipaupgrade.log...[Disabling cert
publishing][Ensuring CA is using LDAPProfileSubsystem][Migrating
certificate profiles to LDAP]IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade
manually.Unexpected error - see /var/log/ipaupgrade.log for
details:RemoteRetrieveError: Failed to authenticate to CA REST APIThe
ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
information
Some informationThe broken system. CentOS Linux release 8.3.2011ipa-
server-4.8.7-13 (the updated server)
The still operational system CentOS Linux release 8.3.2011ipa-server-
4.8.7-12
The certificate information based upon the following commands appear to
be good.
getcert list -f /var/lib/ipa/ra-agent.pem | grep expiresexpires: 2021-
12-17 14:43:54 AEDT
ldapsearch -D "cn=directory manager" -W -b o=ipaca "(uid=ipara)"
openssl x509 -text -in /var/lib/ipa/ra-agent.pem
From the /var/log/ipaupgrade.log
2021-01-12T09:51:07Z DEBUG request GET
https://groats.ipa.bogus.com.au:8443/ca/rest/account/login2021-01-12T09:5...
DEBUG request body ''2021-01-12T09:51:07Z DEBUG response status
5002021-01-12T09:51:07Z DEBUG response headers Content-Type:
text/html;charset=utf-8
From the ca debug logs /var/log/pki/pki-tomcat/ca/debug.2021-01-12.log
I'm not sure if the following are relevant
2021-01-12 20:50:49 [main] FINEST: Getting
log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION
_TERMINATED,AUTH,AUTHORITY_CONFIG,AUTHZ,CERT_PROFILE_APPROVAL,CERT_REQU
EST_PROCESSED,CERT_SIGNING_INFO,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CL
IENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CMC_REQU
EST_RECEIVED,CMC_RESPONSE_SENT,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_S
IGNED_REQUEST_SIG_VERIFY,CONFIG_ACL,CONFIG_AUTH,CONFIG_CERT_PROFILE,CON
FIG_CRL_PROFILE,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG
_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KE
Y,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CH
ANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_PO
SSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS
_EXECUTION2021-01-12 20:50:49 [main] FINEST: Getting
log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION
_TERMINATED,AUTH,AUTHORITY_CONFIG,AUTHZ,CERT_PROFILE_APPROVAL,CERT_REQU
EST_PROCESSED,CERT_SIGNING_INFO,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CL
IENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CMC_REQU
EST_RECEIVED,CMC_RESPONSE_SENT,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_S
IGNED_REQUEST_SIG_VERIFY,CONFIG_ACL,CONFIG_AUTH,CONFIG_CERT_PROFILE,CON
FIG_CRL_PROFILE,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG
_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KE
Y,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CH
ANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_PO
SSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS
_EXECUTION2021-01-12 20:50:49 [main] FINE: Event filters:2021-01-12
20:50:49 [main] FINE: - CMC_SIGNED_REQUEST_SIG_VERIFY:
(Outcome=Failure)2021-01-12 20:50:49 [main] FINE: -
CMC_USER_SIGNED_REQUEST_SIG_VERIFY: (Outcome=Failure)2021-01-12
20:50:49 [main] FINE: - DELTA_CRL_GENERATION: (Outcome=Failure)2021-01-
12 20:50:49 [main] FINE: - FULL_CRL_GENERATION: (Outcome=Failure)2021-
01-12 20:50:49 [main] FINE: - OCSP_GENERATION: (Outcome=Failure)2021-
01-12 20:50:49 [main] FINE: - RANDOM_GENERATION: (Outcome=Failure)2021-
01-12 20:50:49 [main] FINE: - SELFTESTS_EXECUTION:
(Outcome=Failure)2021-01-12 20:50:49 [main] FINEST: Property
log.instance.SignedAudit.trace not found
However where it dies is 2021-01-12 20:50:50 [main] FINEST: Property
internaldb.doCloning not found2021-01-12 20:50:50 [main] FINEST:
Getting internaldb.doCloning=true2021-01-12 20:50:50 [main] FINE:
LdapBoundConnFactory: doCloning: true2021-01-12 20:50:50 [main] FINE:
LdapBoundConnFactory: mininum: 32021-01-12 20:50:50 [main] FINE:
LdapBoundConnFactory: maximum: 152021-01-12 20:50:50 [main] FINE:
LdapBoundConnFactory: host: oats.ipa.amnesium.com.au2021-01-12 20:50:50
[main] FINE: LdapBoundConnFactory: port: 6362021-01-12 20:50:50 [main]
FINE: LdapBoundConnFactory: secure: true2021-01-12 20:50:50 [main]
FINE: LdapBoundConnFactory: authentication: 22021-01-12 20:50:50 [main]
FINE: LdapBoundConnFactory: makeConnection(true)2021-01-12 20:50:50
[main] FINEST: Getting
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca2021-
01-12 20:50:50 [main] FINEST: Property tcp.keepAlive not found2021-01-
12 20:50:50 [main] FINEST: Getting tcp.keepAlive=true2021-01-12
20:50:50 [main] FINE: TCP Keep-Alive: true2021-01-12 20:50:50 [main]
FINE: LdapBoundConnection: Connecting to oats.ipa.amnesium.com.au:636
with client cert auth2021-01-12 20:50:50 [main] FINE:
ldapconn/PKISocketFactory.makeSSLSocket: begins2021-01-12 20:50:50
[main] FINE: SignedAuditLogger: event
CLIENT_ACCESS_SESSION_ESTABLISH2021-01-12 20:50:50 [main] FINEST:
Getting pidDir=/var/run/pki/tomcat2021-01-12 20:50:50 [main] FINEST:
Getting pidDir=/var/run/pki/tomcat2021-01-12 20:50:50 [main] SEVERE:
Unable to create socket: java.net.ConnectException: Connection refused
(Connection refused)java.net.ConnectException: Connection refused
(Connection refused) at
java.net.PlainSocketImpl.socketConnect(Native Method) at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java
:350) at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketIm
pl.java:206) at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:1
88).....
_______________________________________________FreeIPA-users mailing
list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
_______________________________________________FreeIPA-users mailing
list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
8:41 a.m.
New subject: FreeIPA centos8 update Failed to authenticate to CA REST API
Ian Willis via FreeIPA-users wrote:
Hi All,
I've created an additional new freeipa replica.
The main difficulty was that I rebuilt an existing system and there were
remnants of the previous build in the exist ipa replica and this was
reported as insufficient acccess rights even through the keys could be
manually created using the same commands. After initially assuming that
it was a file permissions error and blowing out the permissions using
acls I eventually found the link below.
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Manually deleting the entity after a failed install appears to rectify
this issue.
I will now promote the original replica to be the master CA server. If
anyone is aware of any deficiencies in the process documented
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
it would be appreciated.
Apologies for this slipping through the cracks. I guess I'd have asked
if pki-tomcatd would start outside the upgrade process.
The things to consider when dropping a server:
1. CA renewal master
2. CRL generation master
3. DNA ranges
4. Optional services (CA, KRA, DNS)
5. replication topology (avoid bottlenecks, split brain)
rob
Cheers
-----Original Message-----
*From*: Ian Willis <fedora(a)checksum.net.au
<mailto:Ian%20Willis%20%3cfedora@checksum.net.au%3e>>
*To*: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org
<mailto:FreeIPA%20users%20list%20%3cfreeipa-users@lists.fedorahosted.org%3e>>
*Subject*: Re: [Freeipa-users] Re: FreeIPA centos8 update Failed to
authenticate to CA REST API
*Date*: Sat, 16 Jan 2021 14:41:42 +1100
Hi All,
Given the fact that there haven't been any responses to this issue it
would appear that the options are limited to the following approach.
Given the current state and the fact that the CA master is the one with
the issues. Would the best approach be to
1 Build a new replica with the current patchset
2 Promote the existing replica to be the CA master
3 Rebuild the original problematic server.
Should steps 1 or 2 above be performed in a particular sequence or
doesn't it matter.
Based upon the current documentation
1. Clean deployment from the lost server by removing all replication
agreements
<https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Lin...
with it.
2. Choose another FreeIPA Server with CA
<https://www.freeipa.org/page/PKI> installed to become the first master
3. Nominate this master to be the one in charge or renewing certs and
publishing CRLS. This is a manual procedure at the moment (I believe
this is documented here
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
4. Follow standard installation procedure
<https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Lin...
to deploy a new master on a hardware/VM of your choice
Kind Regards
-----Original Message-----
*From*: Ian Willis via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org
<mailto:Ian%20Willis%20via%20FreeIPA-users%20%3cfreeipa-users@lists.fedorahosted.org%3e>>
*Reply-To*: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org
<mailto:FreeIPA%20users%20list%20%3cfreeipa-users@lists.fedorahosted.org%3e>>
*To*: freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
*Cc*: Ian Willis <fedora(a)checksum.net.au
<mailto:Ian%20Willis%20%3cfedora@checksum.net.au%3e>>
*Subject*: [Freeipa-users] Re: FreeIPA centos8 update Failed to
authenticate to CA REST API
*Date*: Thu, 14 Jan 2021 21:21:36 +1100
Hi All,
Any next steps in fixing the following issue.
The upgrade has failed as the tomcat CA server appears to be unable to
connect to the ldap server as the connection is refused. Is there any
way to collect more information from from ldap server to ascertain why
the connection has failed.
Is it possible to run the upgrade process manually rather than the
current automated process.
2021-01-14 09:21:28 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-14 09:21:28 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-14 09:21:28 [main] SEVERE: Unable to create socket:
java.net.ConnectException: Connection refused (Connection refused)
java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
Going through the information in
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
The certificates are and configuration are correct and valid however the
failure still occurs. Are there any suggestions which might assist in
isolating the issue.
Kind Regards
Ian
-----Original Message-----
*From*: Ian Willis via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org
<mailto:Ian%20Willis%20via%20FreeIPA-users%20%3cfreeipa-users@lists.fedorahosted.org%3e>>
*Reply-To*: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org
<mailto:FreeIPA%20users%20list%20%3cfreeipa-users@lists.fedorahosted.org%3e>>
*To*: freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
*Cc*: Ian Willis <fedora(a)checksum.net.au
<mailto:Ian%20Willis%20%3cfedora@checksum.net.au%3e>>
*Subject*: [Freeipa-users] FreeIPA centos8 update Failed to authenticate
to CA REST API
*Date*: Tue, 12 Jan 2021 22:14:11 +1100
Hi All,
I've been using freeipa configured as a HA pair on Centos for about 12
months and I've been really impressed, however this morning it has
started pumping mud. Any suggestions appreciated.
I did a dnf update of the server which appears to have broken the
FreeIPA server and I see the following errors from the ipa start
ipactl start
IPA version error: data needs to be upgraded (expected version
'4.8.7-13.module_el8.3.0+606+1e8766d7', current version
'4.8.7-12.module_el8.3.0+511+8a502f20')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
...
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
Some information
The broken system.
CentOS Linux release 8.3.2011
ipa-server-4.8.7-13 (the updated server)
The still operational system
CentOS Linux release 8.3.2011
ipa-server-4.8.7-12
The certificate information based upon the following commands appear to
be good.
getcert list -f /var/lib/ipa/ra-agent.pem | grep expires
expires: 2021-12-17 14:43:54 AEDT
ldapsearch -D "cn=directory manager" -W -b o=ipaca "(uid=ipara)"
openssl x509 -text -in /var/lib/ipa/ra-agent.pem
From the /var/log/ipaupgrade.log
2021-01-12T09:51:07Z DEBUG request GET
https://groats.ipa.bogus.com.au:8443/ca/rest/account/login
<https://oats.ipa.amnesium.com.au:8443/ca/rest/account/login>
2021-01-12T09:51:07Z DEBUG request body ''
2021-01-12T09:51:07Z DEBUG response status 500
2021-01-12T09:51:07Z DEBUG response headers Content-Type:
text/html;charset=utf-8
From the ca debug logs /var/log/pki/pki-tomcat/ca/debug.2021-01-12.log
I'm not sure if the following are relevant
2021-01-12 20:50:49 [main] FINEST: Getting
log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHORITY_CONFIG,AUTHZ,CERT_PROFILE_APPROVAL,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CONFIG_ACL,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
2021-01-12 20:50:49 [main] FINEST: Getting
log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHORITY_CONFIG,AUTHZ,CERT_PROFILE_APPROVAL,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CONFIG_ACL,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
2021-01-12 20:50:49 [main] FINE: Event filters:
2021-01-12 20:50:49 [main] FINE: - CMC_SIGNED_REQUEST_SIG_VERIFY:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - CMC_USER_SIGNED_REQUEST_SIG_VERIFY:
(Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - DELTA_CRL_GENERATION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - FULL_CRL_GENERATION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - OCSP_GENERATION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - RANDOM_GENERATION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINE: - SELFTESTS_EXECUTION: (Outcome=Failure)
2021-01-12 20:50:49 [main] FINEST: Property
log.instance.SignedAudit.trace not found
However where it dies is
2021-01-12 20:50:50 [main] FINEST: Property internaldb.doCloning not found
2021-01-12 20:50:50 [main] FINEST: Getting internaldb.doCloning=true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: doCloning: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: mininum: 3
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: maximum: 15
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: host:
oats.ipa.amnesium.com.au
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: port: 636
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: secure: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: authentication: 2
2021-01-12 20:50:50 [main] FINE: LdapBoundConnFactory: makeConnection(true)
2021-01-12 20:50:50 [main] FINEST: Getting
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
2021-01-12 20:50:50 [main] FINEST: Property tcp.keepAlive not found
2021-01-12 20:50:50 [main] FINEST: Getting tcp.keepAlive=true
2021-01-12 20:50:50 [main] FINE: TCP Keep-Alive: true
2021-01-12 20:50:50 [main] FINE: LdapBoundConnection: Connecting to
oats.ipa.amnesium.com.au:636 with client cert auth
2021-01-12 20:50:50 [main] FINE:
ldapconn/PKISocketFactory.makeSSLSocket: begins
2021-01-12 20:50:50 [main] FINE: SignedAuditLogger: event
CLIENT_ACCESS_SESSION_ESTABLISH
2021-01-12 20:50:50 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-12 20:50:50 [main] FINEST: Getting pidDir=/var/run/pki/tomcat
2021-01-12 20:50:50 [main] SEVERE: Unable to create socket:
java.net.ConnectException: Connection refused (Connection refused)
java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
.....
_______________________________________________
FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
_______________________________________________
FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
1186
days inactive
1193
days old
freeipa-users@lists.fedorahosted.org
4 comments
2 participants
participants (2)
-
Ian Willis -
Rob Crittenden