Hi,

Rob, the problem with ipactl --ignore-service-failures is that it always tries to 
upgrade from 4.7 to 4.9 first and it fails for that reason.

I was able to move forward and get pki-tomcat running but I still can’t finish 
the upgrade process.
Here are some more logs to see if you can see a lead to help me.
Regards

/var/log/ipaupgrade.log

022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; 
skipping
2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and 
enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and 
enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET 
https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in 
_httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1273, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 982, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error
2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect 
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-30T16:07:54Z DEBUG   File 
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File 
"/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", 
line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", 
line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", 
line 1908, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", 
line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 
2111, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 
2165, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 
1207, in __enter__
    method='GET'
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in 
https_request
    method=method, headers=headers)
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in 
_httplib_request
    raise NetworkError(uri=uri, error=str(e))

2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: 
NetworkError: cannot connect to 
'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for 
details:
NetworkError: cannot connect to 
'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See 
/var/log/ipaupgrade.log for more information


dirsrv/slapd-TNU-COM-UY/errors

[30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The 
ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The 
ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The 
ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - 
Because krbPwdPolicyReference is a new registered virtual attribute , 
nsslapd-ignore-virtual-attrs was set to 'off'
[30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get 
initial credentials for principal [ldap/[email protected]] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested 
realm)
[30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - 
schema-compat-plugin tree scan will start in about 5 seconds!
[30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started.  
Listening on All Interfaces port 389 for LDAP requests
[30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All 
Interfaces port 636 for LDAPS requests
[30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on 
/var/run/slapd-TNU-COM-UY.socket for LDAPI requests
[30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get 
initial credentials for principal [ldap/[email protected]] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested 
realm)
[30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished 
plugin initialization.
[30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get 
initial credentials for principal [ldap/[email protected]] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested 
realm)
[30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get 
initial credentials for principal [ldap/[email protected]] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested 
realm)
[30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get 
initial credentials for principal [ldap/[email protected]] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested 
realm)
[30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get 
initial credentials for principal [ldap/[email protected]] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested 
realm)
[30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get 
initial credentials for principal [ldap/[email protected]] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested 
realm)
[30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get 
initial credentials for principal [ldap/[email protected]] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested 
realm)
[30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get 
initial credentials for principal [ldap/[email protected]] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested 
realm)
[30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get 
initial credentials for principal [ldap/[email protected]] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested 
realm)
[30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get 
initial credentials for principal [ldap/[email protected]] in keytab 
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested 
realm)

localhost_access_log.2022-11-30.txt

127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 
193
XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 
669


> On 23 Nov 2022, at 18:42, Rob Crittenden <[email protected]> wrote:
> 
> Run "ipactl --ignore-service-failures" and it should bring up all the
> services it can.
> 
> rob
> 
> Juan Pablo Lorier wrote:
>> Hi again,
>> 
>> I used the ldapi from /etc/ipa/default.conf and I was able to get a
>> different reply:
>> 
>>  ldapsearch -Y GSSAPI -H
>> ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket
>> 
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Local error (-2)
>> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
>> GSS failure.  Minor code may provide more information (Ticket expired)
>> 
>> But if I try to renew the ticket, it fails:
>> 
>>  kinit admin
>> kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting
>> initial credentials
>> 
>> The running DC is in 4.7 and it should reply to the kinit requests
>> 
>> 
>> I added the debug option to see if I can get further information.
>> 
>>  ipactl restart
>> IPA version error: data needs to be upgraded (expected version
>> '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version
>> '4.7.1-11.module_el8.0.0+79+bbd20d7b')
>> Automatically running upgrade, for details see /var/log/ipaupgrade.log
>> Be patient, this may take a few minutes.
>> Automatic upgrade failed: Error caught updating
>> nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and
>> attributes are managed by topology plugin.No direct modifications allowed.
>> Error caught updating nsDS5ReplicatedAttributeListTotal: Server is
>> unwilling to perform: Entry and attributes are managed by topology
>> plugin.No direct modifications allowed.
>> Update complete
>> Upgrading the configuration of the IPA services
>> [Verifying that root certificate is published]
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>> command ipa-server-upgrade manually.
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
>> 'start', '[email protected]'] returned non-zero exit status
>> 1: 'Job for [email protected] failed because the control
>> process exited with error code.\nSee "systemctl status
>> [email protected]"
>> and "journalctl -xe" for details.\n')
>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>> more information
>> 
>> See the upgrade log for more details and/or run
>> /usr/sbin/ipa-server-upgrade again
>> Stopping ipa-dnskeysyncd Service
>> Stopping ipa-otpd Service
>> Stopping pki-tomcatd Service
>> Stopping ipa-custodia Service
>> Stopping httpd Service
>> Stopping named Service
>> Stopping kadmin Service
>> Stopping krb5kdc Service
>> Stopping Directory Service
>> Aborting ipactl
>> 
>> Regards
>> 
>> 
>>> On 23 Nov 2022, at 11:50, Rob Crittenden <[email protected]> wrote:
>>> 
>>> Juan Pablo Lorier wrote:
>>>> Hi Rob,
>>>> 
>>>> Thanks for the reply. As I didn’t know any other way but to go back in time,
>>>> I just did it and now the server is running 100%.
>>>> 
>>>> This was all part of an update from 4.7 to 4.9. According to the
>>>> documentation, it was just a matter of a dnf update but it seems that is
>>>> not such a happy path.
>>>> I updated the second server but it’s not able to finalize the update
>>>> process. DNS is failing to start:
>>>> 
>>>> # systemctl status ipa-dnskeysyncd.service 
>>>> 
>>>> 
>>>> ● ipa-dnskeysyncd.service - IPA key daemon
>>>>    Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service;
>>>> disabled; vendor preset: disabled)
>>>>    Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h
>>>> 14min ago
>>>>  Main PID: 250496 (ipa-dnskeysyncd)
>>>>     Tasks: 1 (limit: 23652)
>>>>    Memory: 68.4M
>>>>    CGroup: /system.slice/ipa-dnskeysyncd.service
>>>>            └─250496 /usr/libexec/platform-python -I
>>>> /usr/libexec/ipa/ipa-dnskeysyncd
>>>> 
>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client
>>>> step 1
>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client
>>>> step 2
>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd:
>>>> INFO     Commencing sync process
>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]:
>>>> ipaserver.dnssec.keysyncer: INFO     Initial LDAP dump is done,
>>>> sychronizing with ODS and BIND
>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
>>>> Configuration.cpp(96): Missing log.level in configuration. Using
>>>> default value: INFO
>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
>>>> Configuration.cpp(96): Missing slots.mechanisms in configuration. Using
>>>> default value: ALL
>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
>>>> Configuration.cpp(124): Missing slots.removable in configuration. Using
>>>> default value: false
>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client
>>>> step 1
>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client
>>>> step 1
>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client
>>>> step 1
>>>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service 
>>>> 
>>>> 
>>>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22
>>>> 12:40:17 -03. --
>>>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing all plugin modules in ipaserver.plugins...
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.aci
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.automember
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.automount
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.baseldap
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    ipaserver.plugins.baseldap is not a valid plugin module
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.baseuser
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.batch
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.ca
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.caacl
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.cert
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.certmap
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.certprofile
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.config
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.delegation
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.dns
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.dnsserver
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.dogtag
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.domainlevel
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.group
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.hbac
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    ipaserver.plugins.hbac is not a valid plugin module
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.hbacrule
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.hbacsvc
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.hbacsvcgroup
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.hbactest
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.host
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.hostgroup
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.idrange
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.idviews
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.internal
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.join
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.krbtpolicy
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.ldap2
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.location
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.migration
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.misc
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.netgroup
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.otp
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    ipaserver.plugins.otp is not a valid plugin module
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.otpconfig
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.otptoken
>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable:
>>>> DEBUG    importing plugin module ipaserver.plugins.passwd
>>> 
>>> There should be quite a bit more after that.
>>> 
>>>> 
>>>> #less /var/log/dirsrv/slapd-*/access
>>>> 
>>>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101
>>>> nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
>>>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH
>>>> base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0
>>>> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
>>>> krbMaxRenewab
>>>> leAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
>>>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101
>>>> nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
>>>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn=""
>>>> method=sasl version=3 mech=GSSAPI
>>>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97
>>>> nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL
>>>> bind in progress
>>>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn=""
>>>> method=sasl version=3 mech=GSSAPI
>>>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97
>>>> nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL
>>>> bind in progress
>>>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn=""
>>>> method=sasl version=3 mech=GSSAPI
>>>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97
>>>> nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026
>>>> dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=
>>>> com,dc=uy"
>>>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH
>>>> base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2
>>>> filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))"
>>>> attrs="objectClass cn fqdn serverHostN
>>>> ame memberOf ipaSshPubKey ipaUniqueID"
>>>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101
>>>> nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994
>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH
>>>> base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
>>>> scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaU
>>>> niqueID"
>>>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101
>>>> nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094
>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH
>>>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2
>>>> filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))"
>>>> attrs="objectClass ipaUniqueID cn memb
>>>> er entryusn"
>>>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101
>>>> nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481
>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH
>>>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2
>>>> filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostC
>>>> ategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgro
>>>> ups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))"
>>>> attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs
>>>> ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberU
>>>> ser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory
>>>> userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory
>>>> ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup e
>>>> xternalUser entryusn"
>>>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101
>>>> nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132
>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT
>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT
>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0
>>>> tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
>>>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0
>>>> tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
>>>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT
>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0
>>>> tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
>>>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT
>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0
>>>> tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
>>>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT
>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT
>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0
>>>> tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
>>>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0
>>>> tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
>>>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT
>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0
>>>> tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108
>>>> 
>>>> 
>>>> I see that after the update, the files were changed:
>>>> 
>>>> 
>>>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
>>>> /etc/dirsrv/slapd-TNU-COM-UY:
>>>> total 4208
>>>> -rw-r-----. 1 dirsrv dirsrv   1804 Jan 21  2022 Server-Cert-Key.pem
>>>> -rw-r-----. 1 dirsrv dirsrv   1829 Jan 21  2022 Server-Cert.pem
>>>> -rw-r-----. 1 dirsrv dirsrv   1464 Jan 21  2022 TNU.COM.UY20IPA20CA.pem
>>>> -rw-r-----. 1 dirsrv root    36864 Dec 12  2021 cert9.db
>>>> -rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 cert9.db.orig
>>>> -r--r-----. 1 dirsrv dirsrv   1729 Jan  9  2020 certmap.conf
>>>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
>>>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
>>>> -rw-r--r--. 1 dirsrv root   208440 Nov 22 10:55
>>>> dse.ldif.ipa.1cf1fe204fd69494
>>>> -rw-------. 1 dirsrv root   202234 Nov 21 14:01
>>>> dse.ldif.ipa.1dd1d38cbd8d26ae
>>>> -rw-------. 1 dirsrv root   208355 Nov 22 11:26
>>>> dse.ldif.ipa.21662457cb42c116
>>>> -rw-------. 1 dirsrv root   208355 Nov 22 10:47
>>>> dse.ldif.ipa.256a5d66e550a957
>>>> -rw-------. 1 dirsrv root   195350 Nov 21 13:35
>>>> dse.ldif.ipa.274744b10eed3d9b
>>>> -rw-------. 1 dirsrv root   203050 Nov 21 19:09
>>>> dse.ldif.ipa.385fb48f5462219c
>>>> -rw-------. 1 dirsrv root   156705 Jan  9  2020
>>>> dse.ldif.ipa.6b71b47d73ca452a
>>>> -rw-------. 1 dirsrv root   202234 Nov 21 13:38
>>>> dse.ldif.ipa.767aba4a82811822
>>>> -rw-------. 1 dirsrv root   208355 Nov 21 21:07
>>>> dse.ldif.ipa.814a4de587fc22ec
>>>> -rw-------. 1 dirsrv root   208355 Nov 22 10:49
>>>> dse.ldif.ipa.889036fc0907e7de
>>>> -rw-------. 1 dirsrv root   202234 Nov 21 13:47
>>>> dse.ldif.ipa.8fd2b7413b99dfa3
>>>> -rw-------. 1 dirsrv root   202234 Nov 21 13:42
>>>> dse.ldif.ipa.958ca3a96922f2fd
>>>> -rw-------. 1 dirsrv root   202234 Nov 21 14:48
>>>> dse.ldif.ipa.bacd6d1d200348bf
>>>> -rw-------. 1 dirsrv root   208355 Nov 22 11:24
>>>> dse.ldif.ipa.bfadc14f0e609072
>>>> -rw-------. 1 dirsrv root   202234 Nov 21 14:23
>>>> dse.ldif.ipa.f1e864261a119b6c
>>>> -rw-------. 1 dirsrv root   202234 Nov 21 15:42
>>>> dse.ldif.ipa.fa918bf07c17e2e8
>>>> -rw-r--r--. 1 dirsrv root   208167 Nov 22 11:26 dse.ldif.modified.out
>>>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
>>>> -r--r-----. 1 dirsrv dirsrv  36009 Jan  9  2020 dse_original.ldif
>>>> -rw-r-----. 1 dirsrv root    36864 Dec 12  2021 key4.db
>>>> -rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 key4.db.orig
>>>> -r--------. 1 dirsrv dirsrv     67 Jan  9  2020 pin.txt
>>>> -rw-r-----. 1 dirsrv dirsrv    561 Nov 22 11:26 pkcs11.txt
>>>> -rw-rw----. 1 dirsrv dirsrv    556 Jan  9  2020 pkcs11.txt.orig
>>>> -rw-------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt
>>>> -r--------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt.orig
>>>> drwxrwx---. 2 dirsrv dirsrv   4096 Nov 22 11:26 schema
>>>> drwxr-x---. 2 dirsrv root       25 Nov 21 18:59 schema.bak
>>>> -rw-r--r--. 1 dirsrv root    15142 Nov 21 18:59 slapd-collations.conf
>>>> 
>>>> 
>>>> I can’t connect to the LDAP service:
>>>> 
>>>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
>>>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>>> 
>>> You have to escape the socket path:
>>> ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket
>>> 
>>>> # less /var/log/ipaupgrade.log
>>>> 
>>>> Server built:   Jun 29 2021 22:00:15 UTC
>>>> Server number:  9.0.30.0
>>>> OS Name:        Linux
>>>> OS Version:     4.18.0-348.7.1.el8_5.x86_64
>>>> Architecture:   amd64
>>>> JVM Version:    1.8.0_322-b06
>>>> JVM Vendor:     Red Hat, Inc.
>>>> 
>>>> 2022-11-22T14:26:56Z DEBUG stderr=
>>>> 2022-11-22T14:26:56Z DEBUG Starting external process
>>>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
>>>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1
>>>> 2022-11-22T14:26:56Z DEBUG stdout=
>>>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in
>>>> instance pki-tomcat.
>>>> 
>>>> 2022-11-22T14:26:56Z DEBUG Starting external process
>>>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start',
>>>> '[email protected]']
>>>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1
>>>> 2022-11-22T14:26:57Z DEBUG stdout=
>>>> 2022-11-22T14:26:57Z DEBUG stderr=Job
>>>> for [email protected] failed because the control
>>>> process exited with error code.
>>>> See "systemctl status [email protected]" and "journalctl -xe" for
>>>> details.
>>>> 
>>>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect
>>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>> 2022-11-22T14:26:57Z DEBUG   File
>>>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in
>>>> execute
>>>>     return_value = self.run()
>>>>   File
>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py",
>>>> line 54, in run
>>>>     server.upgrade()
>>>>   File
>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
>>>> line 2055, in upgrade
>>>>     upgrade_configuration()
>>>>   File
>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
>>>> line 1783, in upgrade_configuration
>>>>     ca.start('pki-tomcat')
>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>>>> line 524, in start
>>>>     self.service.start(instance_name, capture_output=capture_output,
>>>> wait=wait)
>>>>   File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py",
>>>> line 306, in start
>>>>     skip_output=not capture_output)
>>>>   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line
>>>> 600, in run
>>>>     p.returncode, arg_string, output_log, error_log
>>>> 
>>>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed,
>>>> exception: CalledProcessError: CalledProcessError(Command
>>>> ['/bin/systemctl', 'start', '[email protected]'] returned non-zero exit status
>>>> 1: 'Job for [email protected] failed because the control
>>>> process exited with error code.\nSee "systemctl status
>>>> [email protected]"
>>>> and "journalctl -xe" for details.\n')
>>>> 2022-11-22T14:26:57Z ERROR Unexpected error - see
>>>> /var/log/ipaupgrade.log for details:
>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
>>>> 'start', '[email protected]'] returned non-zero exit status
>>>> 1: 'Job for [email protected] failed because the control
>>>> process exited with error code.\nSee "systemctl status
>>>> [email protected]"
>>>> and "journalctl -xe" for details.\n')
>>>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See
>>>> /var/log/ipaupgrade.log for more information
>>>> (END)
>>> 
>>> The CA failed to start. This is often due to expired certificates that
>>> get exposed when an upgrade is done. Check that out.
>>> 
>>>> #ipactl status
>>>> 
>>>> Directory Service: RUNNING
>>>> krb5kdc Service: RUNNING
>>>> kadmin Service: RUNNING
>>>> named Service: STOPPED
>>>> httpd Service: RUNNING
>>>> ipa-custodia Service: RUNNING
>>>> pki-tomcatd Service: STOPPED
>>>> ipa-otpd Service: RUNNING
>>>> ipa-dnskeysyncd Service: RUNNING
>>>> 2 service(s) are not running
>>>> 
>>>> 
>>>> Thanks
>>>> 
>>>>> On 22 Nov 2022, at 11:43, Rob Crittenden <[email protected]> wrote:
>>>>> 
>>>>> Juan Pablo Lorier via FreeIPA-users wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> I have a production server that was not maintained and I see that the
>>>>>> HTTP certificate has expired long ago. I tried to renew it but I'm
>>>>>> not being able to get it right.
>>>>>> 
>>>>>> The initial status was:
>>>>>> 
>>>>>> Request ID '20191219011208':
>>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>>>> stuck: yes
>>>>>> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>>> 
>>>>>> Then following this thread
>>>>>> https://lists.fedorahosted.org/archives/list/[email protected]/message/GLFHCL2DW4LD2GQTTAZRYSXUGQQXD67Q/
>>>>>> 
>>>>>> I got it to this state:
>>>>>> 
>>>>>> Request ID '20191219011208':
>>>>>> status: MONITORING
>>>>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request,
>>>>>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed.
>>>>>>  libcurl failed even to execute the HTTP transaction, explaining:
>>>>>>  SSL certificate problem: certificate has expired).
>>>>>> stuck: no
>>>>>> key pair storage:
>>>>>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>>> 
>>>>>> The post indicates that I have to put an old date in the server to
>>>>>> get it renewed, but as the server is in production, it means that all
>>>>>> clients will fail to log to the server. Even more, what time should I
>>>>>> return to, before the certificate expiration or right after?
>>>>>> Thanks in advance
>>>>> 
>>>>> I'd guess that this affects a lot more than just the web server cert.
>>>>> getcert list will tell you.
>>>>> 
>>>>> That outcome affects the suggested remediation.
>>>>> 
>>>>> As for going back in time, you'd need a server outage to do this and it
>>>>> only would be backwards in time for a short time. Just long enough so
>>>>> the services could start with non-expired certificates to get them
>>>>> renewed. But there are other ways to do this that don't require fiddling
>>>>> with time.
>>>>> 
>>>>> rob
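
The advice in this thread to run `getcert list` and see which tracked certificates are affected can be scripted. The following is an added example, not part of the thread and not FreeIPA or certmonger code: it parses `getcert list`-style text and reports every request that is stuck, not in `MONITORING`, carrying a `ca-error`, or expired. The sample input is constructed, and an `expires:` value in the form `YYYY-MM-DD HH:MM:SS UTC` is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample shaped like `getcert list` output (IDs, hosts, paths, dates are made up).
SAMPLE = """\
Request ID '20191219011208':
    status: MONITORING
    ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: -504
     SSL certificate problem: certificate has expired).
    stuck: no
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    expires: 2021-12-19 01:12:08 UTC
Request ID '20191219011300':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    certificate: type=FILE,location='/etc/pki/example/placeholder.crt'
Request ID '20191219011400':
    status: MONITORING
    stuck: no
    expires: 2030-01-01 00:00:00 UTC
"""
REQ = re.compile(r"^Request ID '([^']+)':")
FIELD = re.compile(r"^(status|stuck|ca-error|expires|certificate): (.*)$")

def parse_getcert(text):
    """Return one dict per tracked request; wrapped continuation lines are ignored."""
    requests, cur = [], None
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
            continue
        f = FIELD.match(line.strip())
        if f and cur is not None:
            cur[f.group(1)] = f.group(2)
    return requests

def triage(requests, now, warn_days=28):
    """Map request ID -> list of problems; healthy requests are omitted."""
    findings = {}
    for r in requests:
        probs = ["stuck"] if r.get("stuck") == "yes" else []
        if r.get("status") != "MONITORING":
            probs.append("status=" + r.get("status", "?"))
        if "ca-error" in r:
            probs.append("ca-error")
        if "expires" in r:  # assumed format: 'YYYY-MM-DD HH:MM:SS UTC'
            stamp = r["expires"].replace(" UTC", "")
            exp = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            if exp <= now:
                probs.append("expired")
            elif (exp - now).days < warn_days:
                probs.append("expires in %dd" % (exp - now).days)
        if probs:
            findings[r["id"]] = probs
    return findings
```

On a live server, pass the captured output of `getcert list` and `datetime.now(timezone.utc)` to `triage(parse_getcert(...), ...)`.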
