Juan Pablo Lorier wrote:
> Hi Rob,
> 
> Thanks for the reply. As I didn’t know any other way but to go back in time,
> I just did it and now the server is running 100%.
> 
> This was all part of an update from 4.7 to 4.9. According to the
> documentation, it was just a matter of a dnf update but it seems that is
> not such a happy path.
> 
> I updated the second server but it’s not able to finalize the update
> process. DNS is failing to start:
> 
> # systemctl status ipa-dnskeysyncd.service 
> 
> 
> *●*ipa-dnskeysyncd.service - IPA key daemon
>    Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service;
> disabled; vendor preset: disabled)
>    Active: *active (running)*since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
>  Main PID: 250496 (ipa-dnskeysyncd)
>     Tasks: 1 (limit: 23652)
>    Memory: 68.4M
>    CGroup: /system.slice/ipa-dnskeysyncd.service
>            └─250496 /usr/libexec/platform-python -I
> /usr/libexec/ipa/ipa-dnskeysyncd
> 
> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd:
> INFO     Commencing sync process
> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]:
> ipaserver.dnssec.keysyncer: INFO     Initial LDAP dump is done,
> sychronizing with ODS and BIND
> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
> *Configuration.cpp(96): Missing log.level in configuration. Using
> default value: INFO*
> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
> *Configuration.cpp(96): Missing slots.mechanisms in configuration. Using
> default value: ALL*
> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
> *Configuration.cpp(124): Missing slots.removable in configuration. Using
> default value: false*
> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service 
> 
> 
> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22
> 12:40:17 -03. --
> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing all plugin modules in ipaserver.plugins...
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.aci
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.automember
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.automount
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.baseldap
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    ipaserver.plugins.baseldap is not a valid plugin module
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.baseuser
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.batch
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.ca
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.caacl
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.cert
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.certmap
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.certprofile
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.config
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.delegation
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.dns
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.dnsserver
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.dogtag
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.domainlevel
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.group
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.hbac
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    ipaserver.plugins.hbac is not a valid plugin module
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.hbacrule
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.hbacsvc
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.hbacsvcgroup
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.hbactest
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.host
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.hostgroup
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.idrange
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.idviews
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.internal
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.join
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.krbtpolicy
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.ldap2
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.location
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.migration
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.misc
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.netgroup
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.otp
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    ipaserver.plugins.otp is not a valid plugin module
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.otpconfig
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.otptoken
> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
> DEBUG    importing plugin module ipaserver.plugins.passwd

There should be quite a bit more after that.

> 
> #less /var/log/dirsrv/slapd-*/access
> 
> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101
> nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH
> base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0
> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
> krbMaxRenewab
> leAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101
> nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn=""
> method=sasl version=3 mech=GSSAPI
> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97
> nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL
> bind in progress
> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn=""
> method=sasl version=3 mech=GSSAPI
> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97
> nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL
> bind in progress
> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn=""
> method=sasl version=3 mech=GSSAPI
> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97
> nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026
> dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=
> com,dc=uy"
> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH
> base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2
> filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))"
> attrs="objectClass cn fqdn serverHostN
> ame memberOf ipaSshPubKey ipaUniqueID"
> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101
> nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994
> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH
> base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
> scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaU
> niqueID"
> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101
> nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094
> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH
> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2
> filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))"
> attrs="objectClass ipaUniqueID cn memb
> er entryusn"
> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101
> nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481
> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH
> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2
> filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostC
> ategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgro
> ups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))"
> attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs
> ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberU
> ser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory
> userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory
> ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup e
> xternalUser entryusn"
> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101
> nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132
> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT
> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT
> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0
> tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0
> tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT
> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0
> tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT
> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0
> tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT
> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT
> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0
> tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0
> tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT
> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0
> tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
> 
> 
> I see that after the update, the files were changed:
> 
> 
> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
> /etc/dirsrv/slapd-TNU-COM-UY:
> total 4208
> -rw-r-----. 1 dirsrv dirsrv   1804 Jan 21  2022 Server-Cert-Key.pem
> -rw-r-----. 1 dirsrv dirsrv   1829 Jan 21  2022 Server-Cert.pem
> -rw-r-----. 1 dirsrv dirsrv   1464 Jan 21  2022 TNU.COM.UY20IPA20CA.pem
> -rw-r-----. 1 dirsrv root    36864 Dec 12  2021 cert9.db
> -rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 cert9.db.orig
> -r--r-----. 1 dirsrv dirsrv   1729 Jan  9  2020 certmap.conf
> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
> -rw-r--r--. 1 dirsrv root   208440 Nov 22 10:55
> dse.ldif.ipa.1cf1fe204fd69494
> -rw-------. 1 dirsrv root   202234 Nov 21 14:01
> dse.ldif.ipa.1dd1d38cbd8d26ae
> -rw-------. 1 dirsrv root   208355 Nov 22 11:26
> dse.ldif.ipa.21662457cb42c116
> -rw-------. 1 dirsrv root   208355 Nov 22 10:47
> dse.ldif.ipa.256a5d66e550a957
> -rw-------. 1 dirsrv root   195350 Nov 21 13:35
> dse.ldif.ipa.274744b10eed3d9b
> -rw-------. 1 dirsrv root   203050 Nov 21 19:09
> dse.ldif.ipa.385fb48f5462219c
> -rw-------. 1 dirsrv root   156705 Jan  9  2020
> dse.ldif.ipa.6b71b47d73ca452a
> -rw-------. 1 dirsrv root   202234 Nov 21 13:38
> dse.ldif.ipa.767aba4a82811822
> -rw-------. 1 dirsrv root   208355 Nov 21 21:07
> dse.ldif.ipa.814a4de587fc22ec
> -rw-------. 1 dirsrv root   208355 Nov 22 10:49
> dse.ldif.ipa.889036fc0907e7de
> -rw-------. 1 dirsrv root   202234 Nov 21 13:47
> dse.ldif.ipa.8fd2b7413b99dfa3
> -rw-------. 1 dirsrv root   202234 Nov 21 13:42
> dse.ldif.ipa.958ca3a96922f2fd
> -rw-------. 1 dirsrv root   202234 Nov 21 14:48
> dse.ldif.ipa.bacd6d1d200348bf
> -rw-------. 1 dirsrv root   208355 Nov 22 11:24
> dse.ldif.ipa.bfadc14f0e609072
> -rw-------. 1 dirsrv root   202234 Nov 21 14:23
> dse.ldif.ipa.f1e864261a119b6c
> -rw-------. 1 dirsrv root   202234 Nov 21 15:42
> dse.ldif.ipa.fa918bf07c17e2e8
> -rw-r--r--. 1 dirsrv root   208167 Nov 22 11:26 dse.ldif.modified.out
> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
> -r--r-----. 1 dirsrv dirsrv  36009 Jan  9  2020 dse_original.ldif
> -rw-r-----. 1 dirsrv root    36864 Dec 12  2021 key4.db
> -rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 key4.db.orig
> -r--------. 1 dirsrv dirsrv     67 Jan  9  2020 pin.txt
> -rw-r-----. 1 dirsrv dirsrv    561 Nov 22 11:26 pkcs11.txt
> -rw-rw----. 1 dirsrv dirsrv    556 Jan  9  2020 pkcs11.txt.orig
> -rw-------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt
> -r--------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt.orig
> drwxrwx---. 2 dirsrv dirsrv   4096 Nov 22 11:26 schema
> drwxr-x---. 2 dirsrv root       25 Nov 21 18:59 schema.bak
> -rw-r--r--. 1 dirsrv root    15142 Nov 21 18:59 slapd-collations.conf
> 
> 
> I can’t connect to the LDAP service:
> 
> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

You have to escape the socket path:
ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket

> # less /var/log/ipaupgrade.log
> 
> Server built:   Jun 29 2021 22:00:15 UTC
> Server number:  9.0.30.0
> OS Name:        Linux
> OS Version:     4.18.0-348.7.1.el8_5.x86_64
> Architecture:   amd64
> JVM Version:    1.8.0_322-b06
> JVM Vendor:     Red Hat, Inc.
> 
> 2022-11-22T14:26:56Z DEBUG stderr=
> 2022-11-22T14:26:56Z DEBUG Starting external process
> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1
> 2022-11-22T14:26:56Z DEBUG stdout=
> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in
> instance pki-tomcat.
> 
> 2022-11-22T14:26:56Z DEBUG Starting external process
> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start',
> '[email protected] <mailto:[email protected]>']
> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1
> 2022-11-22T14:26:57Z DEBUG stdout=
> 2022-11-22T14:26:57Z DEBUG stderr=Job for [email protected]
> <mailto:[email protected]> failed because the control
> process exited with error code.
> See "systemctl status [email protected]
> <mailto:[email protected]>" and "journalctl -xe" for details.
> 
> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2022-11-22T14:26:57Z DEBUG   File
> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in
> execute
>     return_value = self.run()
>   File
> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 54, in run
>     server.upgrade()
>   File
> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
> line 2055, in upgrade
>     upgrade_configuration()
>   File
> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
> line 1783, in upgrade_configuration
>     ca.start('pki-tomcat')
>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
> line 524, in start
>     self.service.start(instance_name, capture_output=capture_output,
> wait=wait)
>   File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py",
> line 306, in start
>     skip_output=not capture_output)
>   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line
> 600, in run
>     p.returncode, arg_string, output_log, error_log
> 
> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed,
> exception: CalledProcessError: CalledProcessError(Command
> ['/bin/systemctl', 'start', '[email protected]
> <mailto:[email protected]>'] returned non-zero exit status
> 1: 'Job for [email protected]
> <mailto:[email protected]> failed because the control
> process exited with error code.\nSee "systemctl status
> [email protected] <mailto:[email protected]>"
> and "journalctl -xe" for details.\n')
> 2022-11-22T14:26:57Z ERROR Unexpected error - see
> /var/log/ipaupgrade.log for details:
> CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
> 'start', '[email protected]
> <mailto:[email protected]>'] returned non-zero exit status
> 1: 'Job for [email protected]
> <mailto:[email protected]> failed because the control
> process exited with error code.\nSee "systemctl status
> [email protected] <mailto:[email protected]>"
> and "journalctl -xe" for details.\n')
> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See
> /var/log/ipaupgrade.log for more information
> (END)

The CA failed to start. This is often due to expired certificates that
get exposed when an upgrade is done. Check that out.

> #ipactl status
> 
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: STOPPED
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> 2 service(s) are not running
> 
> 
> Thanks
> 
>> On 22 Nov 2022, at 11:43, Rob Crittenden <[email protected]> wrote:
>>
>> Juan Pablo Lorier via FreeIPA-users wrote:
>>> Hi,
>>>
>>> I have a production server that was not maintained and I see that the
>>> HTTP certificate has expired long ago. I tried to renew it but I'm
>>> not being able to get it right.
>>>
>>> The initial status was:
>>>
>>> Request ID '20191219011208':
>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>> stuck: yes
>>> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>
>>> Then following this thread
>>> https://lists.fedorahosted.org/archives/list/[email protected]/message/GLFHCL2DW4LD2GQTTAZRYSXUGQQXD67Q/
>>>
>>> I got it to this state:
>>>
>>> Request ID '20191219011208':
>>> status: MONITORING
>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request,
>>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed.
>>>  libcurl failed even to execute the HTTP transaction, explaining:
>>>  SSL certificate problem: certificate has expired).
>>> stuck: no
>>> key pair storage:
>>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>
>>> The post indicates that I have to put an old date in the server to
>>> get it renewed, but as the server is in production, it means that all
>>> clients will fail to log to the server. Even more, what time should I
>>> return to, before the certificate expiration or right after?
>>> Thanks in advanc
>>
>> I'd guess that this affects a lot more than just the web server cert.
>> getcert list will tell you.
>>
>> That outcome affects the suggested remediation.
>>
>> As for going back in time, you'd need a server outage to do this and it
>> only would be backwards in time for a short time. Just long enough so
>> the services could start with non-expired certificates to get them
>> renewed. But there are other ways to do this that don't require fiddling
>> with time.
>>
>> rob
>>
> 
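
The two checks suggested in this thread (run `getcert list`, and look for expired certificates when the CA will not start) can be scripted. This is an added example, not part of the original messages or of FreeIPA; the function names and the sample records are constructed, and it assumes each tracked request prints an `expires:` line in the form `YYYY-MM-DD HH:MM:SS UTC`.

```shell
#!/bin/sh
# Added example: flag expired or stuck certmonger requests in `getcert list` text.

# Constructed sample in the layout `getcert list` prints; the request IDs, dates
# and the EXAMPLE-TEST instance name are made up for this example.
sample_getcert_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20200101000001':
    status: MONITORING
    stuck: no
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    expires: 2021-12-19 01:12:08 UTC
Request ID '20200101000002':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
    expires: 2031-01-09 12:00:00 UTC
Request ID '20200101000003':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
EOF
}

# Reads `getcert list` text on stdin. $1 is the reference time in UTC as
# "YYYY-MM-DD HH:MM:SS" (default: now). Timestamps in that form sort
# lexicographically, so a plain string comparison is enough.
# Prints one line per problem request: "<id> STUCK ..." or "<id> EXPIRED ...".
find_cert_problems() {
    _now="${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}"
    awk -v now="$_now" -v q="'" '
        function report() {
            if (id == "") return
            if (stuck == "yes")
                printf "%s STUCK status=%s %s\n", id, status, cert
            else if (expires != "" && (expires "") < (now ""))
                printf "%s EXPIRED %s %s\n", id, expires, cert
        }
        /^Request ID / {
            report()                       # emit the previous record, if any
            split($0, parts, q); id = parts[2]
            status = stuck = expires = cert = ""
            next
        }
        { line = $0; sub(/^[ \t]+/, "", line) }   # fields are indented by tab or spaces
        line ~ /^status: /      { status  = substr(line, 9) }
        line ~ /^stuck: /       { stuck   = substr(line, 8) }
        line ~ /^certificate: / { cert    = substr(line, 14) }
        line ~ /^expires: /     { expires = substr(line, 10, 19) }
        END { report() }
    '
}

# Demonstration on the constructed sample, evaluated as of the date of this thread.
sample_getcert_output | find_cert_problems '2022-11-22 12:00:00'
```

On a real server the input would be `getcert list | find_cert_problems`, run as root so certmonger returns every tracked request.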