Hi, On Thu, Apr 17, 2025 at 11:09 PM Eric Ashley via FreeIPA-users < [email protected]> wrote:
> Hello, > > I'm running the following new versions: > > Installed packages > freeipa-client.x86_64 > 4.12.2-13.fc42 updates > freeipa-client-common.noarch > 4.12.2-13.fc42 updates > freeipa-common.noarch > 4.12.2-13.fc42 updates > freeipa-healthcheck.noarch > 0.17-6.fc42 fedora > freeipa-healthcheck-core.noarch > 0.17-6.fc42 fedora > freeipa-selinux.noarch > 4.12.2-13.fc42 updates > freeipa-server.x86_64 > 4.12.2-13.fc42 updates > freeipa-server-common.noarch > 4.12.2-13.fc42 updates > freeipa-server-dns.noarch > 4.12.2-13.fc42 updates > libcamera-ipa.x86_64 > 0.4.0-4.fc42 fedora > libipa_hbac.x86_64 > 2.10.2-3.fc42 fedora > python3-ipaclient.noarch > 4.12.2-13.fc42 updates > python3-ipalib.noarch > 4.12.2-13.fc42 updates > > ipactl status reports the following: > > Directory Service: RUNNING > krb5kdc Service: STOPPED > kadmin Service: STOPPED > named Service: STOPPED > httpd Service: RUNNING > ipa-custodia Service: STOPPED > pki-tomcatd Service: RUNNING > ipa-otpd Service: STOPPED > ipa-ods-exporter Service: STOPPED > ods-enforcerd Service: STOPPED > ipa-dnskeysyncd Service: RUNNING > 5 service(s) are not running > can you try ipactl restart --ignore-service-failures then check which services failed with ipactl status and report the output here? In your current output the KDC is stopped and any service using kerberos for authentication will fail as a consequence. flo > On initial boot, the system started the FreeIPA upgrade, which got through > all the certificate checks with no issues, then reports the following > errors (with retry): > > 2025-04-17T18:43:18Z INFO [Ensuring presence of included profiles] > 2025-04-17T18:43:18Z DEBUG Discovery: available servers for service 'CA' > are phobos.ipa.ab-data.us > 2025-04-17T18:43:18Z DEBUG Discovery: using phobos.ipa.ab-data.us for > 'CA' service > 2025-04-17T18:43:18Z DEBUG request GET > https://phobos.ipa.ab-data.us:443/ca/rest/account/login > 2025-04-17T18:43:18Z DEBUG request body '' > 2025-04-17T18:43:18Z DEBUG response status 404 > 2025-04-17T18:43:18Z DEBUG response headers Date: Thu, 17 Apr 2025 > 18:43:18 GMT > Server: Apache/2.4.63 (Fedora Linux) OpenSSL/3.2.4 mod_wsgi/5.0.2 > Python/3.13 mod_auth_gssapi/1.6.5 > Content-Type: text/html;charset=utf-8 > Content-Language: en > Transfer-Encoding: chunked > > > 2025-04-17T18:43:18Z DEBUG response body (decoded): b'<!doctype html><html > lang="en"><head><title>HTTP Status 404 \xe2\x80\x93 Not Found</title><style > type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b > {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 { > font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} > .line > {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP > Status 404 \xe2\x80\x93 Not Found</h1><hr class="line" /><p><b>Type</b> > Status Report</p><p><b>Message</b> The requested resource > [/ca/rest/account/login] is not > available</p><p><b>Description</b> The origin server did not find a current > representation for the target resource or is not willing to disclose that > one exists.</p><hr class="line" /><h3>Apache > Tomcat/9.0.98</h3></body></html>' > 2025-04-17T18:43:18Z DEBUG Overriding CA port: Failed to authenticate to > CA REST API > 2025-04-17T18:43:18Z DEBUG Profile 'KDCs_PKINIT_Certs' is already in LDAP; > skipping > 2025-04-17T18:43:18Z DEBUG Profile 'caIPAserviceCert' is already in LDAP; > skipping > 2025-04-17T18:43:18Z DEBUG Profile 'acmeIPAServerCert' is already in LDAP; > skipping > 2025-04-17T18:43:18Z DEBUG Profile 'IECUserRoles' is already in LDAP; > skipping > 2025-04-17T18:43:18Z INFO [Add default CA ACL] > 2025-04-17T18:43:18Z DEBUG Loading StateFile from > '/var/lib/ipa/sysupgrade/sysupgrade.state' > 2025-04-17T18:43:18Z INFO Default CA ACL already added > 2025-04-17T18:43:18Z DEBUG Loading StateFile from > '/var/lib/ipa/sysupgrade/sysupgrade.state' > 2025-04-17T18:43:18Z DEBUG Discovery: available servers for service 'CA' > are phobos.ipa.ab-data.us > 2025-04-17T18:43:18Z DEBUG Discovery: using phobos.ipa.ab-data.us for > 'CA' service > 2025-04-17T18:43:18Z DEBUG request GET > https://phobos.ipa.ab-data.us:8443/ca/rest/account/login > 2025-04-17T18:43:18Z DEBUG request body '' > 2025-04-17T18:43:18Z DEBUG response status 404 > 2025-04-17T18:43:18Z DEBUG response headers Content-Type: > text/html;charset=utf-8 > Content-Language: en > Content-Length: 784 > Date: Thu, 17 Apr 2025 18:43:18 GMT > > > 2025-04-17T18:43:18Z DEBUG response body (decoded): b'<!doctype html><html > lang="en"><head><title>HTTP Status 404 \xe2\x80\x93 Not Found</title><style > type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b > {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 { > font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} > .line > {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP > Status 404 \xe2\x80\x93 Not Found</h1><hr class="line" /><p><b>Type</b> > Status Report</p><p><b>Message</b> The requested resource > [/ca/rest/account/login] is not > available</p><p><b>Description</b> The origin server did not find a current > representation for the target resource or is not willing to disclose that > one exists.</p><hr class="line" /><h3>Apache > Tomcat/9.0.98</h3></body></html>' > 2025-04-17T18:43:18Z ERROR IPA server upgrade failed: Inspect > /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. > 2025-04-17T18:43:18Z DEBUG File > "/usr/lib/python3.13/site-packages/ipapython/admintool.py", line 219, in > execute > return_value = self.run() > File > "/usr/lib/python3.13/site-packages/ipaserver/install/ipa_server_upgrade.py", > line 54, in run > server.upgrade() > ~~~~~~~~~~~~~~^^ > File > "/usr/lib/python3.13/site-packages/ipaserver/install/server/upgrade.py", > line 2097, in upgrade > upgrade_configuration() > ~~~~~~~~~~~~~~~~~~~~~^^ > File > "/usr/lib/python3.13/site-packages/ipaserver/install/server/upgrade.py", > line 1958, in upgrade_configuration > cainstance.repair_profile_caIPAserviceCert() > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^ > File > "/usr/lib/python3.13/site-packages/ipaserver/install/cainstance.py", line > 2166, in repair_profile_caIPAserviceCert > with api.Backend.ra_certprofile as profile_api: > ^^^^^^^^^^^^^^^^^^^^^^^^^^ > File "/usr/lib/python3.13/site-packages/ipaserver/plugins/dogtag.py", > line 610, in __enter__ > raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to > CA REST API')) > > 2025-04-17T18:43:18Z DEBUG The ipa-server-upgrade command failed, > exception: RemoteRetrieveError: Failed to authenticate to CA REST API > 2025-04-17T18:43:18Z ERROR Unexpected error - see /var/log/ipaupgrade.log > for details: > RemoteRetrieveError: Failed to authenticate to CA REST API > 2025-04-17T18:43:18Z ERROR The ipa-server-upgrade command failed. See > /var/log/ipaupgrade.log for more information > > Tomcat is active, all the certificates are current and in LDAP. I was > unable to find anything similar in the archive. How to I go about getting > this update to finish? > > Best regards, > > Eric > -- > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
