I ran 'ipactl status'
-------------------------
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
-------------------------

then 'ipactl restart'
-------------------------
# ipactl restart
IPA version error: data needs to be upgraded (expected version '4.8.6-1.fc31', current version '4.8.3-1.fc30')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl
-------------------------

The error in /var/log/ipaupgrade.log is the same as in my first post.

Since all services stopped, I ran them manually:
-------------------------
# systemctl restart [email protected]
# systemctl restart krb5kdc.service
# systemctl restart kadmin.service
# systemctl restart named-pkcs11.service
# systemctl restart httpd.service
# systemctl restart ipa-custodia.service
# systemctl restart [email protected]
# systemctl restart ipa-otpd.socket
# systemctl restart ipa-dnskeysyncd.service
-------------------------

then 'ipactl status' again:
-------------------------
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
-------------------------

How can I solve that error I get when running 'ipactl restart' or 'ipa-server-update'?

On Tue, Aug 4, 2020 at 4:38 PM Fujisan <[email protected]> wrote:

> The IPA version I use is
>
> # ipa --version
> VERSION: 4.8.6, API_VERSION: 2.236
>
> So what's the error about?
>
>
> On Tue, Aug 4, 2020 at 4:35 PM Alexander Bokovoy <[email protected]>
> wrote:
>
>> On Tue, 04 Aug 2020, Fujisan via FreeIPA-users wrote:
>> >I noticed that there is only one file in /etc/httpd/alias, therefore
>> giving the error message "certutil: function failed:
>> SEC_ERROR_BAD_DATABASE: security library: bad database"
>> >
>> ># ll /etc/httpd/alias
>> >total 4
>> >-rw------- 1 root root 32 Apr 16 2019 ipasession.key
>>
>> It is what it should be, the output is correct. FreeIPA 4.7+ uses
>> mod_ssl and does not need NSS database in /etc/httpd anymore, so your
>> instructions are for older (pre-4.7+) versions.
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
