Roberto Cornacchia via FreeIPA-users wrote:
> Hi there,
>
> I appear to be stuck in a failing upgrade.
>
> On Rocky Linux 8.6. The server is one of 2 replicas, both CA and DNS servers.
>
> It all started with pki-tomcat being down on a running server (ipa02.hq.spinque.com):
>
> ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> 1 service(s) are not running
>
> and unable to go up again, with these errors:
>
> ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error: for url: http://ipa02.hq.spinque.com:8080/ca/admin/ca/getStatus
>
> SEVERE: LdapBoundConnFactory: Unable to connect to LDAP server: Authentication failed
> netscape.ldap.LDAPException: Authentication failed (48)
>
> Having read something about a similar issue being caused by nss 3.67 (the one installed in the system), I ran a dnf update (4.9.8-8 installed).
>
> This actually complicated things, because now it still fails, but also it tries to upgrade every time it starts, failing the upgrade. As far as I can see in the upgrade log, the actual upgrade succeeds, but starting the services at the end fails, which makes the whole procedure fail.
>
> So running ipactl restart --ignore-service-failures does not help, because the automatic upgrade fails and that stops all the services as a last step.
>
> I'm not sure how I could continue; some pointers would be appreciated.
>
> Errors I see now:
>
> ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>
> ldap_child[2130]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Cannot contact any KDC for realm 'HQ.SPINQUE.COM'. Unable to create GSSAPI-encrypted LDAP connection.
Add --skip-version-check to not force an upgrade.

You need to determine why the CA won't start. See the journal and/or /var/log/pki/pki-tomcat/ca/debug*.

The trick with the CA debug log is to start looking where the last server start is and move downwards in the file. Starting at the tail usually isn't fruitful.

rob
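A small helper for reading a log the way Rob describes, from the last server start downwards, as an added example that is not part of the thread. The start marker ("Server start") and the sample log are constructed assumptions; substitute whatever line your pki-tomcat CA debug log actually prints at startup.

```shell
#!/bin/sh
# since_last_start FILE PATTERN
# Print FILE from the last line matching PATTERN (basic regex) to the end,
# so the read begins at the most recent startup instead of at the tail.
# Returns 1 if PATTERN never occurs in FILE.
since_last_start() {
    file="$1"
    pattern="${2:-Server start}"   # assumed marker; adjust to the real log
    n=$(grep -n -- "$pattern" "$file" | tail -n 1 | cut -d: -f1)
    [ -n "$n" ] || return 1
    tail -n "+$n" "$file"
}

# Constructed sample log standing in for /var/log/pki/pki-tomcat/ca/debug*.
# Two startups; only the second one carries the LDAP bind failure.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
2022-06-01 10:00:00 INFO: Server start
2022-06-01 10:00:05 INFO: LdapBoundConnFactory: connected
2022-06-01 11:00:00 INFO: Server start
2022-06-01 11:00:03 SEVERE: LdapBoundConnFactory: Unable to connect to LDAP server: Authentication failed
EOF

# Usage: everything from the most recent start onward.
since_last_start "$sample_log" "Server start"
```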
