Hi flo, `ipa cert-show 1` works on both IPA hosts and returns correct data, from what I can tell.
`ipa config-show` gies the following: IPA masters: ipa1.redacted, ipa2.redacted IPA master capable of PKINIT: ipa2.redacted IPA CA servers: ipa1.redacted IPA CA renewal master: ipa1.redacted IPA DNS servers: ipa1.redacted, ipa2.redacted regarding the named crashes: I think the problem might be related to ldap. The last time the named daemons were in a restart/crash loop I restarted the ipa2 host which immediately resolved the problem. ipa1: bind-9.18.19-1.fc37.x86_64 bind-dyndb-ldap-11.10-17.fc37.x86_64 ipa2: bind-9.16.28-1.fc35.x86_64 bind-dyndb-ldap-11.9-12.fc35.x86_64 for the coredump I would need your guidance what to do, because I am not that firm with named debugging. Here are the last couple of line from the /var/log/ipaupgrade.log file. The update seems to go through, but it fails when it needs to authenticate with the CA REST API 2025-01-21T20:24:14Z DEBUG stderr= 2025-01-21T20:24:14Z DEBUG Starting external process 2025-01-21T20:24:14Z DEBUG args=['/bin/systemctl', 'start', 'certmonger.service'] 2025-01-21T20:24:15Z DEBUG Process finished, return code=0 2025-01-21T20:24:15Z DEBUG stdout= 2025-01-21T20:24:15Z DEBUG stderr= 2025-01-21T20:24:15Z DEBUG Starting external process 2025-01-21T20:24:15Z DEBUG args=['/bin/systemctl', 'is-active', 'certmonger.service'] 2025-01-21T20:24:15Z DEBUG Process finished, return code=0 2025-01-21T20:24:15Z DEBUG stdout=active 2025-01-21T20:24:15Z DEBUG stderr= 2025-01-21T20:24:15Z DEBUG Start of certmonger.service complete 2025-01-21T20:24:15Z DEBUG Starting external process 2025-01-21T20:24:15Z DEBUG args=['pki-server', 'subsystem-show', 'kra'] 2025-01-21T20:24:15Z DEBUG Process finished, return code=1 2025-01-21T20:24:15Z DEBUG stdout= 2025-01-21T20:24:15Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat. 2025-01-21T20:24:15Z INFO [Update certmonger certificate renewal configuration] 2025-01-21T20:24:15Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2025-01-21T20:24:15Z DEBUG Starting external process 2025-01-21T20:24:15Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-redacted/', '-L', '-n', 'Server-Cert', '-a', '-f', '/etc/dirsrv/slapd-redacted/pwdfile.txt'] 2025-01-21T20:24:15Z DEBUG Process finished, return code=0 2025-01-21T20:24:15Z DEBUG stdout=-----BEGIN CERTIFICATE----- redacted -----END CERTIFICATE----- 2025-01-21T20:24:15Z DEBUG stderr= 2025-01-21T20:24:15Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2025-01-21T20:24:15Z DEBUG Starting external process 2025-01-21T20:24:15Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt'] 2025-01-21T20:24:15Z DEBUG Process finished, return code=0 2025-01-21T20:24:15Z DEBUG stdout= Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu caSigningCert cert-pki-ca 6148bb27-6bd6-4a0a-b607-6ba538a6c401 u,u,u ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu Server-Cert cert-pki-ca u,u,u 2025-01-21T20:24:15Z DEBUG stderr= 2025-01-21T20:24:15Z INFO Certmonger certificate renewal configuration already up-to-date 2025-01-21T20:24:15Z INFO [Enable PKIX certificate path discovery and validation] 2025-01-21T20:24:15Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2025-01-21T20:24:15Z INFO PKIX already enabled 2025-01-21T20:24:15Z INFO [Authorizing RA Agent to modify profiles] 2025-01-21T20:24:15Z INFO [Authorizing RA Agent to manage lightweight CAs] 2025-01-21T20:24:15Z INFO [Ensuring Lightweight CAs container exists in Dogtag database] 2025-01-21T20:24:15Z INFO [Adding default OCSP URI configuration] 2025-01-21T20:24:15Z INFO [Disabling cert publishing] 2025-01-21T20:24:15Z INFO [Ensuring CA is using LDAPProfileSubsystem] 2025-01-21T20:24:15Z INFO [Migrating certificate profiles to LDAP] 2025-01-21T20:24:15Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'acmeServerCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caAdminCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caAgentFileSigning' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caAgentServerCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caAuditSigningCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caCACert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caCMCECUserCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caCMCECserverCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caCMCECsubsystemCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caCMCUserCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caCrossSignedCACert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caDirBasedDualCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caDirPinUserCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caDirUserCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caDirUserRenewal' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caDualCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caDualRAuserCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caECAdminCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caECAgentServerCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caECDirPinUserCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caECDirUserCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z DEBUG Profile 'caECDualCert' is already in LDAP and enabled; skipping 2025-01-21T20:24:15Z INFO Migrating profile 'caECFullCMCSharedTokenCert' 2025-01-21T20:24:15Z DEBUG request GET https://ipa1.redacted:8443/ca/rest/account/login 2025-01-21T20:24:15Z DEBUG request body '' 2025-01-21T20:24:16Z DEBUG response status 404 2025-01-21T20:24:16Z DEBUG response headers Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 784 Date: Tue, 21 Jan 2025 20:24:16 GMT 2025-01-21T20:24:16Z DEBUG response body (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 404 \xe2\x80\x93 Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 \xe2\x80\x93 Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [/ca/rest/account/login] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.82</h3></body></html>' 2025-01-21T20:24:16Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2025-01-21T20:24:16Z DEBUG File "/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() ^^^^^^^^^^ File "/usr/lib/python3.11/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run server.upgrade() File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 2061, in upgrade upgrade_configuration() File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 1914, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca) File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem cainstance.migrate_profiles_to_ldap() File "/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", line 2155, in migrate_profiles_to_ldap _create_dogtag_profile(profile_id, profile_data, overwrite=False) File "/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", line 2209, in _create_dogtag_profile with api.Backend.ra_certprofile as profile_api: File "/usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py", line 1211, in __enter__ raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API')) 2025-01-21T20:24:16Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API 2025-01-21T20:24:16Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Failed to authenticate to CA REST API 2025-01-21T20:24:16Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information Am Mi., 19. Feb. 2025 um 10:56 Uhr schrieb Florence Blanc-Renaud < [email protected]>: > Hi, > > in a previous message you mentioned that the directory manager password is > lost. You can follow this article to reset the DM password: > https://access.redhat.com/solutions/203473 > > Named crashes could be related to multiple issues: > - inconsistent versions between bind and bind-dyndb-ldap. Which versions > do you have? > - an insufficient number of threads > - an issue when reloading the zones > If you can gather a coredump and install the debug packages it could help > identify if you're hitting a known issue. > > You mentioned that ipa1 needs to be started with --force, can you tell > which service is failing and provide the logs? There should be also more > information in /var/log/ipaupgrade.log. > > In order to check the CA state, a useful command is 'ipa cert-show 1' as > it communicates with the CA to gather the certificate details. If this > command is failing (likely with "Failed to Authenticate to CA rest API") > you need to understand where the config is broken. > Start by checking which system is the CA renewal master: > ipa config-show > > The CA renewal master will be your priority. > > flo > > On Wed, Feb 19, 2025 at 10:25 AM Boris via FreeIPA-users < > [email protected]> wrote: > >> I think the CA is working, but I don't know for sure and how to verify >> it. At least there are no expired certs on both ipa hosts >> >> [root@ipa1 ~]# getcert list | grep expires >> expires: 2025-11-29 13:19:40 CET >> expires: 2025-04-15 16:27:34 CEST >> expires: 2025-04-15 16:26:44 CEST >> expires: 2025-04-15 16:27:14 CEST >> expires: 2037-08-19 16:11:12 CEST >> expires: 2025-04-15 16:27:54 CEST >> expires: 2025-04-15 16:27:04 CEST >> expires: 2040-02-12 12:46:50 CET >> expires: 2025-05-29 16:12:51 CEST >> expires: 2026-01-26 13:48:23 CET >> >> [root@ipa2 ~]# getcert list | grep expires >> expires: 2027-02-16 10:42:29 CET >> expires: 2027-02-16 10:42:51 CET >> expires: 2025-04-15 16:27:04 CEST >> expires: 2027-02-16 10:43:26 CET >> >> The healthcheck showed some "group is not correct" and "files are to >> permissive" which I resolved. >> Now I have these to checks which do not tell me anything >> "msg": "certmonger tracking request {key} found and is not expected >> on an IPA master." >> "msg": "No KDC workers defined in {sysconfig}" >> >> Am Di., 18. Feb. 2025 um 15:22 Uhr schrieb Rob Crittenden via >> FreeIPA-users <[email protected]>: >> >>> Boris wrote: >>> > Hi Rob, >>> > >>> > I have two hosts: ipa1 and ipa2 >>> > >>> > ipa1: >>> > Fedora 37 >>> > freeipa-server-4.10.1-1.fc37.x86_64 >>> > Managed suffixes: domain, ca >>> > running with ipactl start --force because the update is not working >>> (The >>> > ipa-server-upgrade command failed, exception: RemoteRetrieveError: >>> > Failed to authenticate to CA REST API). >>> > I tried to upgrade, but the upgrade did not go through. >>> >>> Your existing CA is having issues. I'd start by checking that your CA >>> certificates are still valid: getcert list | grep expires >>> >>> You might also try installing the freeipa-healthcheck package and >>> running ipa-healthcheck. Expect a lot of errors since it won't be able >>> to connect to the CA but it will also check the validity dates, etc. >>> >>> > ipa2: >>> > Fedora 35 >>> > freeipa-server-4.9.11-1.fc35.x86_64 >>> > Managed suffixes: domain >>> > >>> > So my thought process was: if it can not authenticate against the CA >>> > REST API, I need to add the CA capability to ipa2 >>> >>> You need to authenticate to the CA to create a clone of it. You can't >>> install another CA until you get your existing one working. >>> >>> rob >>> >>> >> -- >> _______________________________________________ >> FreeIPA-users mailing list -- [email protected] >> To unsubscribe send an email to >> [email protected] >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedorahosted.org/archives/list/[email protected] >> Do not reply to spam, report it: >> https://pagure.io/fedora-infrastructure/new_issue >> > -- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal.
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
