I upgraded my FreeIPA server to F31 and when running ipa-server-upgrade, I get 
an error message:

# ipa-server-upgrade 
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

The end of file /var/log/ipaupgrade.log shows the following:

[...]
2020-08-04T08:46:11Z DEBUG request body ''
2020-08-04T08:46:12Z DEBUG response status 500
2020-08-04T08:46:12Z DEBUG response headers Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 2234
Date: Tue, 04 Aug 2020 08:46:12 GMT
Connection: close


2020-08-04T08:46:12Z DEBUG response body (decoded):
<!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body>
<h1>HTTP Status 500 – Internal Server Error</h1><hr class="line" />
<p><b>Type</b> Exception Report</p>
<p><b>Message</b> CA subsystem unavailable. Check CA debug log.</p>
<p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p>
<p><b>Exception</b></p>
<pre>javax.ws.rs.ServiceUnavailableException: CA subsystem unavailable. Check CA debug log.
	com.netscape.cms.tomcat.ProxyRealm.validateRealm(ProxyRealm.java:81)
	com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:149)
	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)
	com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
	org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
	org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.lang.Thread.run(Thread.java:748)
</pre>
<p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p>
<hr class="line" /><h3>Apache Tomcat/9.0.36</h3></body></html>
2020-08-04T08:46:12Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2020-08-04T08:46:12Z DEBUG   File "/usr/lib/python3.7/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", line 2280, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", line 2149, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/upgrade.py", line 414, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/cainstance.py", line 1943, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/cainstance.py", line 1949, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.7/site-packages/ipaserver/plugins/dogtag.py", line 1315, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))

2020-08-04T08:46:12Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2020-08-04T08:46:12Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
2020-08-04T08:46:12Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

I checked the certificate in the NSS database (as I've seen in this thread 
https://lists.fedorahosted.org/archives/list/[email protected]/thread/J6WTQQFCQ6VPR66UWTT4QBUTE26OZWUG/#J6WTQQFCQ6VPR66UWTT4QBUTE26OZWUG)
but got an error as well.

# certutil -L -d /etc/httpd/alias -n ipaCert
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

And retrieving the certificate with ldapsearch gives the following (redacted):
# ldapsearch -D "cn=directory manager" -W -b o=ipaca -LLL -o ldif-wrap=no "(uid=ipara)" usercertificate description
Enter LDAP Password: 
dn: uid=ipara,ou=people,o=ipaca
usercertificate:: MIIDazCCAlOgAwIBAgIBBzANBgkqhkiG9w0...
description: 2;7;CN=Certificate Authority,O=MYDOMAIN.LOCAL;CN=IPA RA,O=MYDOMAIN.LOCAL

Is the ipa-server-upgrade error message linked to the certutil error?
How can I import the correct certificate into the /etc/httpd/alias NSS database?
_______________________________________________
FreeIPA-users mailing list -- [email protected]
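An added example, not part of the post above and not FreeIPA or Dogtag code: a stdlib-only Python script that takes the ldapsearch output shown in the post and checks whether the ipara entry's usercertificate really carries the serial number its description attribute claims. The description value in the post, 2;7;CN=Certificate Authority,O=MYDOMAIN.LOCAL;CN=IPA RA,O=MYDOMAIN.LOCAL, is Dogtag's version;serial;issuerDN;subjectDN format, and the base64 value the post shows decodes to a DER certificate whose serialNumber is 7, so the two can be cross-checked without any crypto library. Optionally, a PEM certificate file is compared byte for byte against the LDAP value, which answers the practical question of whether the CA's RA user entry and the certificate the server presents to the CA are the same certificate. The embedded sample is the post's own output with the base64 truncated as posted (re-padded); the PEM path is an argument, not hard-coded, because where IPA keeps the RA agent certificate depends on the IPA version.

```python
"""Cross-check the Dogtag RA agent entry (uid=ipara,ou=people,o=ipaca):
serial inside usercertificate vs. serial in description, and optionally
vs. a PEM file on disk. Added example, not FreeIPA/Dogtag code."""
import base64
import re
import sys

# Constructed sample: the post's ldapsearch output, usercertificate value
# truncated as posted (34 base64 chars, re-padded). The serialNumber sits in
# the first bytes of a DER certificate, so the prefix suffices for this check.
SAMPLE_LDIF = """\
dn: uid=ipara,ou=people,o=ipaca
usercertificate:: MIIDazCCAlOgAwIBAgIBBzANBgkqhkiG9w==
description: 2;7;CN=Certificate Authority,O=MYDOMAIN.LOCAL;CN=IPA RA,O=MYDOMAIN.LOCAL
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]}; unfolds continuation
    lines (leading space) and base64-decodes 'attr::' values to bytes."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    entry = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_serial(der):
    """serialNumber of a DER X.509 certificate (a prefix is enough):
    Certificate SEQ { tbsCertificate SEQ { [0] version OPTIONAL, INTEGER serial, ... } }"""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)     # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:                       # [0] EXPLICIT version is optional
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)


def parse_description(desc):
    """Split Dogtag's 'version;serial;issuerDN;subjectDN' user description."""
    version, serial, issuer, subject = desc.split(";", 3)
    return {"version": int(version), "serial": int(serial),
            "issuer": issuer, "subject": subject}


def pem_to_der(pem_text):
    """DER bytes of the first CERTIFICATE block in PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def check_ra_entry(ldif_text, pem_path=None):
    """Report whether usercertificate and description agree on the serial,
    and (if pem_path is given) whether that file is the same certificate."""
    entry = parse_ldif_entry(ldif_text)
    der = entry["usercertificate"][0]
    desc = parse_description(entry["description"][0])
    result = {"dn": entry["dn"][0], "cert_serial": cert_serial(der),
              "description_serial": desc["serial"],
              "issuer": desc["issuer"], "subject": desc["subject"]}
    result["serials_match"] = result["cert_serial"] == desc["serial"]
    if pem_path is not None:
        with open(pem_path) as f:
            disk_der = pem_to_der(f.read())
        result["disk_serial"] = cert_serial(disk_der)
        result["disk_matches_ldap"] = disk_der == der
    return result


if __name__ == "__main__":
    # usage: ldapsearch ... | python3 check_ra_cert.py - [/path/to/ra-agent.pem]
    src, pem = (sys.argv + [None, None])[1:3]
    ldif = sys.stdin.read() if src == "-" else SAMPLE_LDIF
    for key, value in check_ra_entry(ldif, pem).items():
        print(f"{key}: {value}")
```

Run with no arguments to see the post's sample evaluated; in practice pipe the real ldapsearch output (with -o ldif-wrap=no, as in the post) on stdin and pass the PEM file the server uses as RA agent certificate as the second argument. serials_match False means the o=ipaca entry itself is inconsistent; disk_matches_ldap False means the CA's user entry holds a different certificate from the one the server presents to the CA REST API.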