Ian Kumlien via FreeIPA-users wrote: > Hi, > > I have two freeipa servers that failed after the upgrade. > > On one, i managed to fix it with ipa-cert-fix since they had expired > again, but i'm now left with: > ipa-backup > Preparing backup on freeipa1.... > Error: Local roles CA, DNS, DNSKeySync do not match globally used > roles CA, DNS, DNSKeySync, KRA. A backup done on this host would not > be complete enough to restore a fully functional, identical cluster. > The ipa-backup command failed. See /var/log/ipabackup.log for more information > > And on the other pki-tomcat doesn't start without ca_signing.csr which > it never had according to backups... > > Any clues? >
Several others have posted similar issues today so I'll cut and paste bits and pieces from them. I suspect that you're hitting bz2350322, https://bugzilla.redhat.com/show_bug.cgi?id=2350322 If you follow the steps from comment 3 it should allow PKI endpoints to be accessible. Two things are needed: - link to the rewrite file - <valve> in tomcat configuration file Then you can run ipactl start which should run the upgrade again. rob -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
