Hello, I've encountered issues when upgrading FreeIPA from version 4.11.0 to 4.12.2 using a Docker installation. The problem appears similarly on both older and fresh installations, and the error messages are the same.
docker logs:

```
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: saving configuration
  [2/9]: disabling listeners
  [3/9]: enabling DS global lock
  [4/9]: disabling Schema Compat
  [5/9]: starting directory server
  [6/9]: updating schema
  [7/9]: upgrading server
  [8/9]: stopping directory server
  [9/9]: restoring configuration
Done.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification]
[Change 'server role' from 'CLASSIC PRIMARY DOMAIN CONTROLLER' to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/data/etc/named/ipa-ext.conf' already exists
named user config '/data/etc/named/ipa-options-ext.conf' already exists
named user config '/data/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Enabling LWCA monitor]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Upgrading IPA services
Disabled p11-kit-proxy
```

/var/log/ipaupgrade.log:

```
2025-01-17T09:45:24Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2025-01-17T09:45:24Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2025-01-17T09:45:24Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2025-01-17T09:45:24Z DEBUG request POST http://hz-test-ldap-node-01.sl.local:8080/ca/admin/ca/getStatus
2025-01-17T09:45:24Z DEBUG request body ''
2025-01-17T09:45:24Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.9/http/client.py", line 1285, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.9/http/client.py", line 1331, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.9/http/client.py", line 1280, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.9/http/client.py", line 1040, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.9/http/client.py", line 980, in send
    self.connect()
  File "/usr/lib64/python3.9/http/client.py", line 946, in connect
    self.sock = self._create_connection(
  File "/usr/lib64/python3.9/socket.py", line 844, in create_connection
    raise err
  File "/usr/lib64/python3.9/socket.py", line 832, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
2025-01-17T09:45:24Z DEBUG Failed to check CA status: cannot connect to 'http://hz-test-ldap-node-01.sl.local:8080/ca/admin/ca/getStatus': [Errno 111] Connection refused
2025-01-17T09:45:24Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2025-01-17T09:45:24Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2025-01-17T09:45:24Z DEBUG Ensuring that service pki-tomcatd@pki-tomcat is not running while the next set of commands is being executed.
2025-01-17T09:45:24Z DEBUG Starting external process
2025-01-17T09:45:24Z DEBUG args=['/bin/systemctl', 'is-active', '[email protected]']
2025-01-17T09:45:24Z DEBUG Process finished, return code=3
2025-01-17T09:45:24Z DEBUG stdout=inactive
```
