Run "ipactl --ignore-service-failures" and it should bring up all the services it can.
rob

Juan Pablo Lorier wrote:
> Hi again,
>
> I used the ldapi from /etc/ipa/default.conf and I was able to get a
> different reply:
>
> ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (Ticket expired)
>
> But if I try to renew the ticket, it fails:
>
> kinit admin
> kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting
> initial credentials
>
> The running DC is in 4.7 and it should reply to the kinit requests.
>
> I added the debug option to see if I can get further information.
>
> ipactl restart
> IPA version error: data needs to be upgraded (expected version
> '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version
> '4.7.1-11.module_el8.0.0+79+bbd20d7b')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> Automatic upgrade failed: Error caught updating
> nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and
> attributes are managed by topology plugin.No direct modifications allowed.
> Error caught updating nsDS5ReplicatedAttributeListTotal: Server is
> unwilling to perform: Entry and attributes are managed by topology
> plugin.No direct modifications allowed.
> Update complete
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
> 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status
> 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control
> process exited with error code.\nSee "systemctl status
> pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> more information
>
> See the upgrade log for more details and/or run
> /usr/sbin/ipa-server-upgrade again
> Stopping ipa-dnskeysyncd Service
> Stopping ipa-otpd Service
> Stopping pki-tomcatd Service
> Stopping ipa-custodia Service
> Stopping httpd Service
> Stopping named Service
> Stopping kadmin Service
> Stopping krb5kdc Service
> Stopping Directory Service
> Aborting ipactl
>
> Regards
>
>> On 23 Nov 2022, at 11:50, Rob Crittenden <[email protected]> wrote:
>>
>> Juan Pablo Lorier wrote:
>>> Hi Rob,
>>>
>>> Thanks for the reply. As I didn't know any other way but to go back in time,
>>> I just did it and now the server is running 100%.
>>>
>>> This was all part of an update from 4.7 to 4.9. According to the
>>> documentation, it was just a matter to def update but it seems that is
>>> not such a happy path.
>>>
>>> I updated the second server but it's not able to finalize the update
>>> process. DNS is failing to start:
>>>
>>> # systemctl status ipa-dnskeysyncd.service
>>> ● ipa-dnskeysyncd.service - IPA key daemon
>>>    Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
>>>    Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
>>>  Main PID: 250496 (ipa-dnskeysyncd)
>>>     Tasks: 1 (limit: 23652)
>>>    Memory: 68.4M
>>>    CGroup: /system.slice/ipa-dnskeysyncd.service
>>>            └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd
>>>
>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>
>>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
>>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
>>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
>>
>> There should be quite a bit more after that.
>>
>>> #less /var/log/dirsrv/slapd-*/access
>>>
>>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
>>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
>>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
>>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
>>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
>>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
>>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
>>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
>>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
>>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
>>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
>>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
>>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
>>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
>>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
>>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
>>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
>>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
>>>
>>> I see that after the update, the files were changed:
>>>
>>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
>>> /etc/dirsrv/slapd-TNU-COM-UY:
>>> total 4208
>>> -rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem
>>> -rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem
>>> -rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 TNU.COM.UY20IPA20CA.pem
>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db
>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig
>>> -r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf
>>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
>>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
>>> -rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
>>> -rw-------. 1 dirsrv root 195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
>>> -rw-------. 1 dirsrv root 203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
>>> -rw-------. 1 dirsrv root 156705 Jan 9 2020 dse.ldif.ipa.6b71b47d73ca452a
>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
>>> -rw-------. 1 dirsrv root 208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
>>> -rw-------. 1 dirsrv root 202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
>>> -rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out
>>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
>>> -r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif
>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db
>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig
>>> -r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt
>>> -rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt
>>> -rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig
>>> -rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt
>>> -r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig
>>> drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema
>>> drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak
>>> -rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf
>>>
>>> I can't connect to the LDAP service:
>>>
>>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
>>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>>
>> You have to escape the socket path:
>> ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket
>>
>>> # less /var/log/ipaupgrade.log
>>>
>>> Server built: Jun 29 2021 22:00:15 UTC
>>> Server number: 9.0.30.0
>>> OS Name: Linux
>>> OS Version: 4.18.0-348.7.1.el8_5.x86_64
>>> Architecture: amd64
>>> JVM Version: 1.8.0_322-b06
>>> JVM Vendor: Red Hat, Inc.
>>>
>>> 2022-11-22T14:26:56Z DEBUG stderr=
>>> 2022-11-22T14:26:56Z DEBUG Starting external process
>>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
>>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1
>>> 2022-11-22T14:26:56Z DEBUG stdout=
>>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
>>>
>>> 2022-11-22T14:26:56Z DEBUG Starting external process
>>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
>>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1
>>> 2022-11-22T14:26:57Z DEBUG stdout=
>>> 2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
>>> See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
>>>
>>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>> 2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
>>>     return_value = self.run()
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
>>>     server.upgrade()
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
>>>     upgrade_configuration()
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
>>>     ca.start('pki-tomcat')
>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
>>>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>>>   File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
>>>     skip_output=not capture_output)
>>>   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
>>>     p.returncode, arg_string, output_log, error_log
>>>
>>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
>>> 2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
>>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>> (END)
>>
>> The CA failed to start. This is often due to expired certificates that
>> get exposed when an upgrade is done. Check that out.
>>
>>> #ipactl status
>>>
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: STOPPED
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> pki-tomcatd Service: STOPPED
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> 2 service(s) are not running
>>>
>>> Thanks
>>>
>>>> On 22 Nov 2022, at 11:43, Rob Crittenden <[email protected]> wrote:
>>>>
>>>> Juan Pablo Lorier via FreeIPA-users wrote:
>>>>> Hi,
>>>>>
>>>>> I have a production server that was not maintained and I see that the
>>>>> HTTP certificate has expired long ago. I tried to renew it but I'm
>>>>> not being able to get it right.
>>>>>
>>>>> The initial status was:
>>>>>
>>>>> Request ID '20191219011208':
>>>>>   status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>>>   stuck: yes
>>>>>   key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
>>>>>   certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>>
>>>>> Then following this thread
>>>>> https://lists.fedorahosted.org/archives/list/[email protected]/message/GLFHCL2DW4LD2GQTTAZRYSXUGQQXD67Q/
>>>>>
>>>>> I got it to this state:
>>>>>
>>>>> Request ID '20191219011208':
>>>>>   status: MONITORING
>>>>>   ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
>>>>>   stuck: no
>>>>>   key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
>>>>>   certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>>
>>>>> The post indicates that I have to put an old date in the server to
>>>>> get it renewed, but as the server is in production, it means that all
>>>>> clients will fail to log in to the server. Even more, what time should I
>>>>> return to, before the certificate expiration or right after?
>>>>> Thanks in advance
>>>>
>>>> I'd guess that this affects a lot more than just the web server cert.
>>>> getcert list will tell you.
>>>>
>>>> That outcome will affect the suggested remediation.
>>>>
>>>> As for going back in time, you'd need a server outage to do this and it
>>>> only would be backwards in time for a short time. Just long enough so
>>>> the services could start with non-expired certificates to get them
>>>> renewed. But there are other ways to do this that don't require fiddling
>>>> with time.
>>>>
>>>> rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
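Rob's two pointers in the thread, that `getcert list` shows how many certificates are affected and that an expired certificate is the usual reason pki-tomcat refuses to start after an upgrade, come down to reading certmonger's tracking output for expired, expiring or stuck requests. The script below is an added example, not code from the thread or from FreeIPA; it parses that output and flags such requests. The sample `getcert list` text, host names, realm, request IDs and the reference time are constructed, and the field names follow what certmonger prints.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout `getcert list` prints: one "Request ID" header per
# tracked certificate, then indented "field: value" lines. All values are made up.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20191219011208':
\tstatus: MONITORING
\tca-error: Server at https://dc1.example.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://dc1.example.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining:  SSL certificate problem: certificate has expired).
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\texpires: 2021-12-19 01:12:08 UTC
Request ID '20191219011209':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
\texpires: 2023-01-09 01:12:08 UTC
Request ID '20191219011210':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
\texpires: 2039-12-19 01:12:08 UTC
"""

# Constructed reference time, so the run below is reproducible.
SAMPLE_NOW = datetime(2022, 11, 22, tzinfo=timezone.utc)
REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([^:]+):\s?(.*)$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request; fields keep
    certmonger's names and "expires" is also parsed into "expires_at" (aware UTC)."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip()
            current[key] = value
            if key == "expires":
                current["expires_at"] = datetime.strptime(
                    value, EXPIRES_FMT).replace(tzinfo=timezone.utc)
    return requests


def assess(requests, now, warn_days=30):
    """Return {request id: [reasons]} for every request needing attention.
    "expired": past its expires date; "expiring": expires within warn_days;
    "stuck": certmonger marked the request stuck; "ca-error": the last renewal
    attempt against the CA failed (the situation described in the thread)."""
    findings = {}
    for req in requests:
        reasons = []
        expires_at = req.get("expires_at")
        if expires_at is not None:
            if expires_at <= now:
                reasons.append("expired")
            elif expires_at - now <= timedelta(days=warn_days):
                reasons.append("expiring")
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if "ca-error" in req:
            reasons.append("ca-error")
        if reasons:
            findings[req["id"]] = reasons
    return findings


if __name__ == "__main__":
    # On a live IPA server, replace SAMPLE_GETCERT_OUTPUT with the stdout of
    # subprocess.run(["getcert", "list"], capture_output=True, text=True).
    findings = assess(parse_getcert_list(SAMPLE_GETCERT_OUTPUT), SAMPLE_NOW)
    for req_id, reasons in findings.items():
        print(f"{req_id}: {', '.join(reasons)}")
```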
