From lists at fahrendorf.de Wed Dec 21 16:10:51 2022
Content-Type: multipart/mixed; boundary="===============6584033144408807393=="
MIME-Version: 1.0
From: Martin (Lists) <lists at fahrendorf.de>
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] ipa upgrade failed
Date: Wed, 21 Dec 2022 17:10:34 +0100
Message-ID: <e917b610-4259-a903-f4ee-f26e6cbdf943@fahrendorf.de>

--===============6584033144408807393==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Hallo all

I have a strange issue with one of my ipa servers. after an upgrade from =

fedora 35 to fedora 37 the ipa-server-upgrade failed on the pki-tomcat =

part. The ipaupgrade.log says:

2022-12-21T15:27:52Z INFO Migrating profile 'caECFullCMCSharedTokenCert'
2022-12-21T15:27:52Z DEBUG request GET =

https://ipa1.server.org:8443/ca/rest/account/login
2022-12-21T15:27:52Z DEBUG request body ''
2022-12-21T15:27:52Z DEBUG response status 404
2022-12-21T15:27:52Z DEBUG response headers Content-Type: =

text/html;charset=3Dutf-8
Content-Language: de
Content-Length: 795
Date: Wed, 21 Dec 2022 15:27:52 GMT


2022-12-21T15:27:52Z DEBUG response body (decoded): b'<!doctype =

html><html lang=3D"de"><head><title>HTTP Status 404 \xe2\x80\x93 nicht =

gefunden</title><style
type=3D"text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, =

b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 =

{font-size:16px;
} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line =

{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>=
HTTP =

Status 40
4 \xe2\x80\x93 nicht gefunden</h1><hr class=3D"line" /><p><b>Type</b> =

Status Report</p><p><b>Message</b> The requested resource =

[&#47;ca&#47;rest&#47;account
&#47;login] is not available</p><p><b>Beschreibung</b> The origin server =

did not find a current representation for the target resource or is not =

willing to
disclose that one exists.</p><hr class=3D"line" /><h3>Apache =

Tomcat/9.0.68</h3></body></html>'
2022-12-21T15:27:52Z ERROR IPA server upgrade failed: Inspect =

/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-12-21T15:27:52Z DEBUG =C2=A0=C2=A0File =

"/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, in =

execute
 =C2=A0=C2=A0=C2=A0return_value =3D self.run()
 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0^^^^^^^^^^
 =C2=A0File =

"/usr/lib/python3.11/site-packages/ipaserver/install/ipa_server_upgrade.py"=
, =

line 54, in run =C2=A0=C2=A0 server.upgrade()
 =C2=A0File =

"/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", =

line 2061, in upgrade =C2=A0=C2=A0 upgrade_configuration()
 =C2=A0File =

"/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", =

line 1914, in upgrade_configuration =C2=A0=C2=A0 ca_enable_ldap_profile_sub=
system(ca)
 =C2=A0File =

"/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", =

line 458, in ca_enable_ldap_profile_subsystem =C2=A0=C2=A0 =

cainstance.migrate_profiles_to_ldap()
 =C2=A0File =

"/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", =

line 2155, in migrate_profiles_to_ldap =C2=A0=C2=A0 =

_create_dogtag_profile(profile_id, profile_data, overwrite=3DFalse)
 =C2=A0File =

"/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", =

line 2209, in _create_dogtag_profile =C2=A0=C2=A0 with api.Backend.ra_certp=
rofile =

as profile_api:
 =C2=A0File "/usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py"=
, =

line 1211, in __enter__ =C2=A0=C2=A0 raise =

errors.RemoteRetrieveError(reason=3D_('Failed to authenticate to CA REST =

API'))

2022-12-21T15:27:52Z DEBUG The ipa-server-upgrade command failed, =

exception: RemoteRetrieveError: Failed to authenticate to CA REST API

The catalina logfile says:

21-Dec-2022 16:27:26.946 SCHWERWIEGEND [main] =

org.apache.catalina.core.StandardContext.startInternal One or more =

listeners failed to start. Full details will be found in the appropriate =

container log file
21-Dec-2022 16:27:26.948 SCHWERWIEGEND [main] =

org.apache.catalina.core.StandardContext.startInternal Context [/ca] =

startup failed due to previous errors

the CA debug log file says:

2022-12-21 16:27:26 [main] FINE: LdapBoundConnection: Connecting to =

ipa1.server.org:636 with client cert auth
2022-12-21 16:27:26 [main] FINE: =

ldapconn/PKISocketFactory.makeSSLSocket: begins
2022-12-21 16:27:26 [main] FINE: SignedAuditLogger: event =

CLIENT_ACCESS_SESSION_ESTABLISH
2022-12-21 16:27:26 [main] SEVERE: Unable to create socket: =

java.net.ConnectException: Verbindungsaufbau abgelehnt

with many java traceback errors following. directory server is running =

at this time and there is no connection reported at the given time. =

ipa-healthceck does not give anny errors or warnings. Re-starting the =

pki-tomcat server manually afterwards ist working fine and does not give =

any errors. starting ipa in force mode gives no errors as well. What can =

I do?


Regards

Martin

--===============6584033144408807393==
Content-Type: text/html
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.html"

PGh0bWw+CiAgPGhlYWQ+CgogICAgPG1ldGEgaHR0cC1lcXVpdj0iY29udGVudC10eXBlIiBjb250
ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9VVRGLTgiPgogIDwvaGVhZD4KICA8Ym9keT4KICAgIDxw
PkhhbGxvIGFsbDwvcD4KICAgIDxwPkkgaGF2ZSBhIHN0cmFuZ2UgaXNzdWUgd2l0aCBvbmUgb2Yg
bXkgaXBhIHNlcnZlcnMuIGFmdGVyIGFuCiAgICAgIHVwZ3JhZGUgZnJvbSBmZWRvcmEgMzUgdG8g
ZmVkb3JhIDM3IHRoZSBpcGEtc2VydmVyLXVwZ3JhZGUgZmFpbGVkCiAgICAgIG9uIHRoZSBwa2kt
dG9tY2F0IHBhcnQuIFRoZSBpcGF1cGdyYWRlLmxvZyBzYXlzOjwvcD4KICAgIDxwPjxzcGFuIHN0
eWxlPSJmb250LWZhbWlseTptb25vc3BhY2UiPjxzcGFuCiAgICAgICAgICBzdHlsZT0iY29sb3I6
IzAwMDAwMDtiYWNrZ3JvdW5kLWNvbG9yOiNmZmZmZmY7Ij4yMDIyLTEyLTIxVDE1OjI3OjUyWgog
ICAgICAgICAgSU5GTyBNaWdyYTwvc3Bhbj48c3BhbgogICAgICAgICAgc3R5bGU9ImNvbG9yOiMw
MDAwMDA7YmFja2dyb3VuZC1jb2xvcjojZmZmZjU0OyI+dGluPC9zcGFuPjxzcGFuCiAgICAgICAg
ICBzdHlsZT0iY29sb3I6IzAwMDAwMDtiYWNrZ3JvdW5kLWNvbG9yOiNmZmZmZmY7Ij5nIHByb2Zp
bGUKICAgICAgICAgICdjYUVDRnVsbENNQ1NoYXJlZFRva2VuQ2VydCcKICAgICAgICA8L3NwYW4+
PGJyPgogICAgICAgIDIwMjItMTItMjFUMTU6Mjc6NTJaIERFQlVHIHJlcXVlc3QgR0VUCiAgICAg
ICAgPGEgY2xhc3M9Im1vei10eHQtbGluay1mcmVldGV4dCIgaHJlZj0iaHR0cHM6Ly9pcGExLnNl
cnZlci5vcmc6ODQ0My9jYS9yZXN0L2FjY291bnQvbG9naW4iPmh0dHBzOi8vaXBhMS5zZXJ2ZXIu
b3JnOjg0NDMvY2EvcmVzdC9hY2NvdW50L2xvZ2luPC9hPgogICAgICAgIDxicj4KICAgICAgICAy
MDIyLTEyLTIxVDE1OjI3OjUyWiBERUJVRyByZXF1ZXN0IGJvZHkgJycKICAgICAgICA8YnI+CiAg
ICAgICAgMjAyMi0xMi0yMVQxNToyNzo1MlogREVCVUcgcmVzcG9uc2Ugc3RhdHVzIDQwNAogICAg
ICAgIDxicj4KICAgICAgICAyMDIyLTEyLTIxVDE1OjI3OjUyWiBERUJVRyByZXNwb25zZSBoZWFk
ZXJzIENvbnRlbnQtVHlwZToKICAgICAgICB0ZXh0L2h0bWw7Y2hhcnNldD11dGYtOAogICAgICAg
IDxicj4KICAgICAgICBDb250ZW50LUxhbmd1YWdlOiBkZSDCoDxicj4KICAgICAgICBDb250ZW50
LUxlbmd0aDogNzk1CiAgICAgICAgPGJyPgogICAgICAgIERhdGU6IFdlZCwgMjEgRGVjIDIwMjIg
MTU6Mjc6NTIgR01UCiAgICAgICAgPGJyPgogICAgICAgIDxicj4KICAgICAgICA8YnI+CiAgICAg
ICAgMjAyMi0xMi0yMVQxNToyNzo1MlogREVCVUcgcmVzcG9uc2UgYm9keSAoZGVjb2RlZCk6CiAg
ICAgICAgYicmbHQ7IWRvY3R5cGUgaHRtbCZndDsmbHQ7aHRtbAogICAgICAgIGxhbmc9ImRlIiZn
dDsmbHQ7aGVhZCZndDsmbHQ7dGl0bGUmZ3Q7SFRUUCBTdGF0dXMgNDA0CiAgICAgICAgXHhlMlx4
ODBceDkzIG5pY2h0IGdlZnVuZGVuJmx0Oy90aXRsZSZndDsmbHQ7c3R5bGU8YnI+CiAgICAgICAg
dHlwZT0idGV4dC9jc3MiJmd0O2JvZHkge2ZvbnQtZmFtaWx5OlRhaG9tYSxBcmlhbCxzYW5zLXNl
cmlmO30KICAgICAgICBoMSwgaDIsIGgzLCBiIHtjb2xvcjp3aGl0ZTtiYWNrZ3JvdW5kLWNvbG9y
OiM1MjVENzY7fSBoMQogICAgICAgIHtmb250LXNpemU6MjJweDt9IGgyIHtmb250LXNpemU6MTZw
eDs8YnI+CiAgICAgICAgfSBoMyB7Zm9udC1zaXplOjE0cHg7fSBwIHtmb250LXNpemU6MTJweDt9
IGEge2NvbG9yOmJsYWNrO30KICAgICAgICAubGluZQp7aGVpZ2h0OjFweDtiYWNrZ3JvdW5kLWNv
bG9yOiM1MjVENzY7Ym9yZGVyOm5vbmU7fSZsdDsvc3R5bGUmZ3Q7Jmx0Oy9oZWFkJmd0OyZsdDti
b2R5Jmd0OyZsdDtoMSZndDtIVFRQCiAgICAgICAgU3RhdHVzIDQwPGJyPgogICAgICAgIDQgXHhl
Mlx4ODBceDkzIG5pY2h0IGdlZnVuZGVuJmx0Oy9oMSZndDsmbHQ7aHIgY2xhc3M9ImxpbmUiCiAg
ICAgICAgLyZndDsmbHQ7cCZndDsmbHQ7YiZndDtUeXBlJmx0Oy9iJmd0OyBTdGF0dXMKICAgICAg
ICBSZXBvcnQmbHQ7L3AmZ3Q7Jmx0O3AmZ3Q7Jmx0O2ImZ3Q7TWVzc2FnZSZsdDsvYiZndDsgVGhl
CiAgICAgICAgcmVxdWVzdGVkIHJlc291cmNlIFsmYW1wOyM0NztjYSZhbXA7IzQ3O3Jlc3QmYW1w
OyM0NzthY2NvdW50PGJyPgogICAgICAgICZhbXA7IzQ3O2xvZ2luXSBpcyBub3QKICAgICAgICBh
dmFpbGFibGUmbHQ7L3AmZ3Q7Jmx0O3AmZ3Q7Jmx0O2ImZ3Q7QmVzY2hyZWlidW5nJmx0Oy9iJmd0
OyBUaGUKICAgICAgICBvcmlnaW4gc2VydmVyIGRpZCBub3QgZmluZCBhIGN1cnJlbnQgcmVwcmVz
ZW50YXRpb24gZm9yIHRoZQogICAgICAgIHRhcmdldCByZXNvdXJjZSBvciBpcyBub3Qgd2lsbGlu
ZyB0bzxicj4KICAgICAgICBkaXNjbG9zZSB0aGF0IG9uZSBleGlzdHMuJmx0Oy9wJmd0OyZsdDto
ciBjbGFzcz0ibGluZSIKICAgICAgICAvJmd0OyZsdDtoMyZndDtBcGFjaGUKICAgICAgICBUb21j
YXQvOS4wLjY4Jmx0Oy9oMyZndDsmbHQ7L2JvZHkmZ3Q7Jmx0Oy9odG1sJmd0OycKICAgICAgICA8
YnI+CiAgICAgICAgMjAyMi0xMi0yMVQxNToyNzo1MlogRVJST1IgSVBBIHNlcnZlciB1cGdyYWRl
IGZhaWxlZDogSW5zcGVjdAogICAgICAgIC92YXIvbG9nL2lwYXVwZ3JhZGUubG9nIGFuZCBydW4g
Y29tbWFuZCBpcGEtc2VydmVyLXVwZ3JhZGUKICAgICAgICBtYW51YWxseS4KICAgICAgICA8YnI+
CiAgICAgICAgMjAyMi0xMi0yMVQxNToyNzo1MlogREVCVUcgwqDCoEZpbGUKICAgICAgICAiL3Vz
ci9saWIvcHl0aG9uMy4xMS9zaXRlLXBhY2thZ2VzL2lwYXB5dGhvbi9hZG1pbnRvb2wucHkiLCBs
aW5lCiAgICAgICAgMTgwLCBpbiBleGVjdXRlCiAgICAgICAgPGJyPgogICAgICAgIMKgwqDCoHJl
dHVybl92YWx1ZSA9IHNlbGYucnVuKCkKICAgICAgICA8YnI+CiAgICAgICAgwqDCoMKgwqDCoMKg
wqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgXl5eXl5eXl5eXgogICAgICAgIDxicj4KICAgICAgICDC
oEZpbGUKIi91c3IvbGliL3B5dGhvbjMuMTEvc2l0ZS1wYWNrYWdlcy9pcGFzZXJ2ZXIvaW5zdGFs
bC9pcGFfc2VydmVyX3VwZ3JhZGUucHkiLAogICAgICAgIGxpbmUgNTQsIGluIHJ1bgogICAgICAg
IMKgwqAgc2VydmVyLnVwZ3JhZGUoKSDCoDxicj4KICAgICAgICDCoEZpbGUKICAgICAgICAiL3Vz
ci9saWIvcHl0aG9uMy4xMS9zaXRlLXBhY2thZ2VzL2lwYXNlcnZlci9pbnN0YWxsL3NlcnZlci91
cGdyYWRlLnB5IiwKICAgICAgICBsaW5lIDIwNjEsIGluIHVwZ3JhZGUKICAgICAgICDCoMKgIHVw
Z3JhZGVfY29uZmlndXJhdGlvbigpCiAgICAgICAgPGJyPgogICAgICAgIMKgRmlsZQogICAgICAg
ICIvdXNyL2xpYi9weXRob24zLjExL3NpdGUtcGFja2FnZXMvaXBhc2VydmVyL2luc3RhbGwvc2Vy
dmVyL3VwZ3JhZGUucHkiLAogICAgICAgIGxpbmUgMTkxNCwgaW4gdXBncmFkZV9jb25maWd1cmF0
aW9uCiAgICAgICAgwqDCoCBjYV9lbmFibGVfbGRhcF9wcm9maWxlX3N1YnN5c3RlbShjYSkKICAg
ICAgICA8YnI+CiAgICAgICAgwqBGaWxlCiAgICAgICAgIi91c3IvbGliL3B5dGhvbjMuMTEvc2l0
ZS1wYWNrYWdlcy9pcGFzZXJ2ZXIvaW5zdGFsbC9zZXJ2ZXIvdXBncmFkZS5weSIsCiAgICAgICAg
bGluZSA0NTgsIGluIGNhX2VuYWJsZV9sZGFwX3Byb2ZpbGVfc3Vic3lzdGVtCiAgICAgICAgwqDC
oCBjYWluc3RhbmNlLm1pZ3JhdGVfcHJvZmlsZXNfdG9fbGRhcCgpCiAgICAgICAgPGJyPgogICAg
ICAgIMKgRmlsZQogICAgICAgICIvdXNyL2xpYi9weXRob24zLjExL3NpdGUtcGFja2FnZXMvaXBh
c2VydmVyL2luc3RhbGwvY2FpbnN0YW5jZS5weSIsCiAgICAgICAgbGluZSAyMTU1LCBpbiBtaWdy
YXRlX3Byb2ZpbGVzX3RvX2xkYXAKICAgICAgICDCoMKgIF9jcmVhdGVfZG9ndGFnX3Byb2ZpbGUo
cHJvZmlsZV9pZCwgcHJvZmlsZV9kYXRhLAogICAgICAgIG92ZXJ3cml0ZT1GYWxzZSkKICAgICAg
ICA8YnI+CiAgICAgICAgwqBGaWxlCiAgICAgICAgIi91c3IvbGliL3B5dGhvbjMuMTEvc2l0ZS1w
YWNrYWdlcy9pcGFzZXJ2ZXIvaW5zdGFsbC9jYWluc3RhbmNlLnB5IiwKICAgICAgICBsaW5lIDIy
MDksIGluIF9jcmVhdGVfZG9ndGFnX3Byb2ZpbGUKICAgICAgICDCoMKgIHdpdGggYXBpLkJhY2tl
bmQucmFfY2VydHByb2ZpbGUgYXMgcHJvZmlsZV9hcGk6CiAgICAgICAgPGJyPgogICAgICAgIMKg
RmlsZQogICAgICAgICIvdXNyL2xpYi9weXRob24zLjExL3NpdGUtcGFja2FnZXMvaXBhc2VydmVy
L3BsdWdpbnMvZG9ndGFnLnB5IiwKICAgICAgICBsaW5lIDEyMTEsIGluIF9fZW50ZXJfXwogICAg
ICAgIMKgwqAgcmFpc2UgZXJyb3JzLlJlbW90ZVJldHJpZXZlRXJyb3IocmVhc29uPV8oJ0ZhaWxl
ZCB0bwogICAgICAgIGF1dGhlbnRpY2F0ZSB0byBDQSBSRVNUIEFQSScpKQogICAgICAgIDxicj4K
ICAgICAgICA8YnI+CiAgICAgICAgMjAyMi0xMi0yMVQxNToyNzo1MlogREVCVUcgVGhlIGlwYS1z
ZXJ2ZXItdXBncmFkZSBjb21tYW5kCiAgICAgICAgZmFpbGVkLCBleGNlcHRpb246IFJlbW90ZVJl
dHJpZXZlRXJyb3I6IEZhaWxlZCB0byBhdXRoZW50aWNhdGUKICAgICAgICB0byBDQSBSRVNUIEFQ
STxicj4KICAgICAgICA8YnI+CiAgICAgICAgVGhlIGNhdGFsaW5hIGxvZ2ZpbGUgc2F5czogPGJy
PgogICAgICA8L3NwYW4+PC9wPgogICAgPHA+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5Om1vbm9z
cGFjZSI+PHNwYW4KICAgICAgICAgIHN0eWxlPSJjb2xvcjojMDAwMDAwO2JhY2tncm91bmQtY29s
b3I6I2ZmZmZmZjsiPjIxLURlYy0yMDIyCiAgICAgICAgICAxNjoyNzoyNi45NDYgU0NIV0VSV0lF
R0VORCBbbWFpbl0KICAgICAgICAgIG9yZy5hcGFjaGUuY2F0YWxpbmEuY29yZS5TdGFuZGFyZENv
bnRleHQuc3RhcnRJbnRlcm5hbCBPbmUgb3IKICAgICAgICAgIG1vcmUgbGlzdGVuZXJzIGZhaWxl
ZCB0byBzdGFydC4gRnVsbCBkZXRhaWxzIHdpPC9zcGFuPmxsIGJlCiAgICAgICAgZm91bmQgaW4g
dGhlIGFwcHJvcHJpYXRlIGNvbnRhaW5lciBsb2cgZmlsZQogICAgICAgIDxicj4KICAgICAgICAy
MS1EZWMtMjAyMiAxNjoyNzoyNi45NDggU0NIV0VSV0lFR0VORCBbbWFpbl0KICAgICAgICBvcmcu
YXBhY2hlLmNhdGFsaW5hLmNvcmUuU3RhbmRhcmRDb250ZXh0LnN0YXJ0SW50ZXJuYWwgQ29udGV4
dAogICAgICAgIFsvY2FdIHN0YXJ0dXAgZmFpbGVkIGR1ZSB0byBwcmV2aW91cyBlcnJvcnM8YnI+
CiAgICAgICAgPGJyPgogICAgICAgIHRoZSBDQSBkZWJ1ZyBsb2cgZmlsZSBzYXlzOjwvc3Bhbj48
L3A+CiAgICA8cD48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6bW9ub3NwYWNlIj48c3BhbgogICAg
ICAgICAgc3R5bGU9ImNvbG9yOiMwMDAwMDA7YmFja2dyb3VuZC1jb2xvcjojZmZmZmZmOyI+MjAy
Mi0xMi0yMQogICAgICAgICAgMTY6Mjc6MjYgW21haW5dIEZJTkU6IExkYXBCb3VuZENvbm5lY3Rp
b246IENvbm5lYzwvc3Bhbj48c3BhbgogICAgICAgICAgc3R5bGU9ImNvbG9yOiMwMDAwMDA7YmFj
a2dyb3VuZC1jb2xvcjojZmZmZjU0OyI+dGluPC9zcGFuPjxzcGFuCiAgICAgICAgICBzdHlsZT0i
Y29sb3I6IzAwMDAwMDtiYWNrZ3JvdW5kLWNvbG9yOiNmZmZmZmY7Ij5nIHRvCiAgICAgICAgICBp
cGExLnNlcnZlci5vcmc6NjM2IHdpdGggY2xpZW50IGNlcnQgYXV0aAogICAgICAgIDwvc3Bhbj48
YnI+CiAgICAgICAgMjAyMi0xMi0yMSAxNjoyNzoyNiBbbWFpbl0gRklORToKICAgICAgICBsZGFw
Y29ubi9QS0lTb2NrZXRGYWN0b3J5Lm1ha2VTU0xTb2NrZXQ6IGJlZ2lucwogICAgICAgIDxicj4K
ICAgICAgICAyMDIyLTEyLTIxIDE2OjI3OjI2IFttYWluXSBGSU5FOiBTaWduZWRBdWRpdExvZ2dl
cjogZXZlbnQKICAgICAgICBDTElFTlRfQUNDRVNTX1NFU1NJT05fRVNUQUJMSVNICiAgICAgICAg
PGJyPgogICAgICAgIDIwMjItMTItMjEgMTY6Mjc6MjYgW21haW5dIFNFVkVSRTogVW5hYmxlIHRv
IGNyZWF0ZSBzb2NrZXQ6CiAgICAgICAgamF2YS5uZXQuQ29ubmVjdEV4Y2VwdGlvbjogVmVyYmlu
ZHVuZ3NhdWZiYXUgYWJnZWxlaG50PC9zcGFuPjwvcD4KICAgIDxwPjxzcGFuIHN0eWxlPSJmb250
LWZhbWlseTptb25vc3BhY2UiPndpdGggbWFueSBqYXZhIHRyYWNlYmFjawogICAgICAgIGVycm9y
cyBmb2xsb3dpbmcuIGRpcmVjdG9yeSBzZXJ2ZXIgaXMgcnVubmluZyBhdCB0aGlzIHRpbWUgYW5k
CiAgICAgICAgdGhlcmUgaXMgbm8gY29ubmVjdGlvbiByZXBvcnRlZCBhdCB0aGUgZ2l2ZW4gdGlt
ZS4KICAgICAgICBpcGEtaGVhbHRoY2VjayBkb2VzIG5vdCBnaXZlIGFubnkgZXJyb3JzIG9yIHdh
cm5pbmdzLgogICAgICAgIFJlLXN0YXJ0aW5nIHRoZSBwa2ktdG9tY2F0IHNlcnZlciBtYW51YWxs
eSBhZnRlcndhcmRzIGlzdAogICAgICAgIHdvcmtpbmcgZmluZSBhbmQgZG9lcyBub3QgZ2l2ZSBh
bnkgZXJyb3JzLiBzdGFydGluZyBpcGEgaW4gZm9yY2UKICAgICAgICBtb2RlIGdpdmVzIG5vIGVy
cm9ycyBhcyB3ZWxsLiBXaGF0IGNhbiBJIGRvPzwvc3Bhbj48L3A+CiAgICA8cD48c3BhbiBzdHls
ZT0iZm9udC1mYW1pbHk6bW9ub3NwYWNlIj48YnI+CiAgICAgIDwvc3Bhbj48L3A+CiAgICA8cD48
c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6bW9ub3NwYWNlIj5SZWdhcmRzPC9zcGFuPjwvcD4KICAg
IDxwPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTptb25vc3BhY2UiPk1hcnRpbjxicj4KICAgICAg
PC9zcGFuPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTptb25vc3BhY2UiPjwvc3Bhbj48c3Bhbgog
ICAgICAgIHN0eWxlPSJmb250LWZhbWlseTptb25vc3BhY2UiPjwvc3Bhbj48L3A+CiAgPC9ib2R5
Pgo8L2h0bWw+Cg==

--===============6584033144408807393==--

From lists at fahrendorf.de Fri Dec 23 09:49:33 2022
Content-Type: multipart/mixed; boundary="===============0866567915076795150=="
MIME-Version: 1.0
From: Martin (Lists) <lists at fahrendorf.de>
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: ipa upgrade failed
Date: Fri, 23 Dec 2022 10:49:14 +0100
Message-ID: <5a9fd838-fae3-103b-cdd7-6c0af1e05a62@fahrendorf.de>
In-Reply-To: e917b610-4259-a903-f4ee-f26e6cbdf943@fahrendorf.de

--===============0866567915076795150==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Am 21.12.22 um 17:10 schrieb Martin (Lists) via FreeIPA-users:
>
> Hallo all
>
> I have a strange issue with one of my ipa servers. after an upgrade =

> from fedora 35 to fedora 37 the ipa-server-upgrade failed on the =

> pki-tomcat part. The ipaupgrade.log says:
>
> 2022-12-21T15:27:52Z INFO Migrating profile 'caECFullCMCSharedTokenCert'
> 2022-12-21T15:27:52Z DEBUG request GET =

> https://ipa1.server.org:8443/ca/rest/account/login
> 2022-12-21T15:27:52Z DEBUG request body ''
> 2022-12-21T15:27:52Z DEBUG response status 404
> 2022-12-21T15:27:52Z DEBUG response headers Content-Type: =

> text/html;charset=3Dutf-8
> Content-Language: de
> Content-Length: 795
> Date: Wed, 21 Dec 2022 15:27:52 GMT
>
>
> 2022-12-21T15:27:52Z DEBUG response body (decoded): b'<!doctype =

> html><html lang=3D"de"><head><title>HTTP Status 404 \xe2\x80\x93 nicht =

> gefunden</title><style
> type=3D"text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, =

> h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 =

> {font-size:16px;
> } h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line =

> {height:1px;background-color:#525D76;border:none;}</style></head><body><h=
1>HTTP =

> Status 40
> 4 \xe2\x80\x93 nicht gefunden</h1><hr class=3D"line" /><p><b>Type</b> =

> Status Report</p><p><b>Message</b> The requested resource =

> [&#47;ca&#47;rest&#47;account
> &#47;login] is not available</p><p><b>Beschreibung</b> The origin =

> server did not find a current representation for the target resource =

> or is not willing to
> disclose that one exists.</p><hr class=3D"line" /><h3>Apache =

> Tomcat/9.0.68</h3></body></html>'
> 2022-12-21T15:27:52Z ERROR IPA server upgrade failed: Inspect =

> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2022-12-21T15:27:52Z DEBUG =C2=A0=C2=A0File =

> "/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, =

> in execute
> =C2=A0=C2=A0=C2=A0return_value =3D self.run()
> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0^^^^^^^^^^
> =C2=A0File =

> "/usr/lib/python3.11/site-packages/ipaserver/install/ipa_server_upgrade.p=
y", =

> line 54, in run =C2=A0=C2=A0 server.upgrade()
> =C2=A0File =

> "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", =

> line 2061, in upgrade =C2=A0=C2=A0 upgrade_configuration()
> =C2=A0File =

> "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", =

> line 1914, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca)
> =C2=A0File =

> "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", =

> line 458, in ca_enable_ldap_profile_subsystem =

> cainstance.migrate_profiles_to_ldap()
> =C2=A0File =

> "/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", =

> line 2155, in migrate_profiles_to_ldap =

> _create_dogtag_profile(profile_id, profile_data, overwrite=3DFalse)
> =C2=A0File =

> "/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", =

> line 2209, in _create_dogtag_profile =C2=A0=C2=A0 with =

> api.Backend.ra_certprofile as profile_api:
> =C2=A0File "/usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py=
", =

> line 1211, in __enter__ =C2=A0=C2=A0 raise =

> errors.RemoteRetrieveError(reason=3D_('Failed to authenticate to CA REST =

> API'))
>
> 2022-12-21T15:27:52Z DEBUG The ipa-server-upgrade command failed, =

> exception: RemoteRetrieveError: Failed to authenticate to CA REST API
>
> The catalina logfile says:
>
> 21-Dec-2022 16:27:26.946 SCHWERWIEGEND [main] =

> org.apache.catalina.core.StandardContext.startInternal One or more =

> listeners failed to start. Full details will be found in the =

> appropriate container log file
> 21-Dec-2022 16:27:26.948 SCHWERWIEGEND [main] =

> org.apache.catalina.core.StandardContext.startInternal Context [/ca] =

> startup failed due to previous errors
>
> the CA debug log file says:
>
> 2022-12-21 16:27:26 [main] FINE: LdapBoundConnection: Connecting to =

> ipa1.server.org:636 with client cert auth
> 2022-12-21 16:27:26 [main] FINE: =

> ldapconn/PKISocketFactory.makeSSLSocket: begins
> 2022-12-21 16:27:26 [main] FINE: SignedAuditLogger: event =

> CLIENT_ACCESS_SESSION_ESTABLISH
> 2022-12-21 16:27:26 [main] SEVERE: Unable to create socket: =

> java.net.ConnectException: Verbindungsaufbau abgelehnt
>
> with many java traceback errors following. directory server is running =

> at this time and there is no connection reported at the given time. =

> ipa-healthceck does not give anny errors or warnings. Re-starting the =

> pki-tomcat server manually afterwards ist working fine and does not =

> give any errors. starting ipa in force mode gives no errors as well. =

> What can I do?
>
>
> Regards
>
> Martin
>
Hallo,

I tried the upgrade once again an found another error I missed before. =

During LDAP updates there was an error stating:

ERROR: Add failure Server is unwilling to perform:

during updating the /usr/share/ipa/updates/55-pbacmemberof.update files. =

Is this a problem? This update failed on both of my ipa servers (one is =

only one week old, so there were no regular upgrades of ipa). Rerunning =

ipa-ldap-updater alone with the update-file gives the same error.

Regards
Martin

--===============0866567915076795150==
Content-Type: text/html
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.html"

PGh0bWw+CiAgPGhlYWQ+CiAgICA8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIGNvbnRl
bnQ9InRleHQvaHRtbDsgY2hhcnNldD1VVEYtOCI+CiAgPC9oZWFkPgogIDxib2R5PgogICAgPGRp
diBjbGFzcz0ibW96LWNpdGUtcHJlZml4Ij5BbSAyMS4xMi4yMiB1bSAxNzoxMCBzY2hyaWViIE1h
cnRpbgogICAgICAoTGlzdHMpIHZpYSBGcmVlSVBBLXVzZXJzOjxicj4KICAgIDwvZGl2PgogICAg
PGJsb2NrcXVvdGUgdHlwZT0iY2l0ZSIKICAgICAgY2l0ZT0ibWlkOmU5MTdiNjEwLTQyNTktYTkw
My1mNGVlLWYyNmU2Y2JkZjk0M0BmYWhyZW5kb3JmLmRlIj4KICAgICAgPG1ldGEgaHR0cC1lcXVp
dj0iY29udGVudC10eXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9VVRGLTgiPgogICAg
ICA8cD5IYWxsbyBhbGw8L3A+CiAgICAgIDxwPkkgaGF2ZSBhIHN0cmFuZ2UgaXNzdWUgd2l0aCBv
bmUgb2YgbXkgaXBhIHNlcnZlcnMuIGFmdGVyIGFuCiAgICAgICAgdXBncmFkZSBmcm9tIGZlZG9y
YSAzNSB0byBmZWRvcmEgMzcgdGhlIGlwYS1zZXJ2ZXItdXBncmFkZQogICAgICAgIGZhaWxlZCBv
biB0aGUgcGtpLXRvbWNhdCBwYXJ0LiBUaGUgaXBhdXBncmFkZS5sb2cgc2F5czo8L3A+CiAgICAg
IDxwPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTptb25vc3BhY2UiPjxzcGFuCiAgICAgICAgICAg
IHN0eWxlPSJjb2xvcjojMDAwMDAwO2JhY2tncm91bmQtY29sb3I6I2ZmZmZmZjsiPjIwMjItMTIt
MjFUMTU6Mjc6NTJaCiAgICAgICAgICAgIElORk8gTWlncmE8L3NwYW4+PHNwYW4KICAgICAgICAg
ICAgc3R5bGU9ImNvbG9yOiMwMDAwMDA7YmFja2dyb3VuZC1jb2xvcjojZmZmZjU0OyI+dGluPC9z
cGFuPjxzcGFuCiAgICAgICAgICAgIHN0eWxlPSJjb2xvcjojMDAwMDAwO2JhY2tncm91bmQtY29s
b3I6I2ZmZmZmZjsiPmcgcHJvZmlsZQogICAgICAgICAgICAnY2FFQ0Z1bGxDTUNTaGFyZWRUb2tl
bkNlcnQnIDwvc3Bhbj48YnI+CiAgICAgICAgICAyMDIyLTEyLTIxVDE1OjI3OjUyWiBERUJVRyBy
ZXF1ZXN0IEdFVCA8YQogICAgICAgICAgICBjbGFzcz0ibW96LXR4dC1saW5rLWZyZWV0ZXh0Igog
ICAgICAgICAgICBocmVmPSJodHRwczovL2lwYTEuc2VydmVyLm9yZzo4NDQzL2NhL3Jlc3QvYWNj
b3VudC9sb2dpbiIKICAgICAgICAgICAgbW96LWRvLW5vdC1zZW5kPSJ0cnVlIj5odHRwczovL2lw
YTEuc2VydmVyLm9yZzo4NDQzL2NhL3Jlc3QvYWNjb3VudC9sb2dpbjwvYT4KICAgICAgICAgIDxi
cj4KICAgICAgICAgIDIwMjItMTItMjFUMTU6Mjc6NTJaIERFQlVHIHJlcXVlc3QgYm9keSAnJyA8
YnI+CiAgICAgICAgICAyMDIyLTEyLTIxVDE1OjI3OjUyWiBERUJVRyByZXNwb25zZSBzdGF0dXMg
NDA0IDxicj4KICAgICAgICAgIDIwMjItMTItMjFUMTU6Mjc6NTJaIERFQlVHIHJlc3BvbnNlIGhl
YWRlcnMgQ29udGVudC1UeXBlOgogICAgICAgICAgdGV4dC9odG1sO2NoYXJzZXQ9dXRmLTggPGJy
PgogICAgICAgICAgQ29udGVudC1MYW5ndWFnZTogZGUgwqA8YnI+CiAgICAgICAgICBDb250ZW50
LUxlbmd0aDogNzk1IDxicj4KICAgICAgICAgIERhdGU6IFdlZCwgMjEgRGVjIDIwMjIgMTU6Mjc6
NTIgR01UIDxicj4KICAgICAgICAgIDxicj4KICAgICAgICAgIDxicj4KICAgICAgICAgIDIwMjIt
MTItMjFUMTU6Mjc6NTJaIERFQlVHIHJlc3BvbnNlIGJvZHkgKGRlY29kZWQpOgogICAgICAgICAg
YicmbHQ7IWRvY3R5cGUgaHRtbCZndDsmbHQ7aHRtbAogICAgICAgICAgbGFuZz0iZGUiJmd0OyZs
dDtoZWFkJmd0OyZsdDt0aXRsZSZndDtIVFRQIFN0YXR1cyA0MDQKICAgICAgICAgIFx4ZTJceDgw
XHg5MyBuaWNodCBnZWZ1bmRlbiZsdDsvdGl0bGUmZ3Q7Jmx0O3N0eWxlPGJyPgogICAgICAgICAg
dHlwZT0idGV4dC9jc3MiJmd0O2JvZHkge2ZvbnQtZmFtaWx5OlRhaG9tYSxBcmlhbCxzYW5zLXNl
cmlmO30KICAgICAgICAgIGgxLCBoMiwgaDMsIGIge2NvbG9yOndoaXRlO2JhY2tncm91bmQtY29s
b3I6IzUyNUQ3Njt9IGgxCiAgICAgICAgICB7Zm9udC1zaXplOjIycHg7fSBoMiB7Zm9udC1zaXpl
OjE2cHg7PGJyPgogICAgICAgICAgfSBoMyB7Zm9udC1zaXplOjE0cHg7fSBwIHtmb250LXNpemU6
MTJweDt9IGEge2NvbG9yOmJsYWNrO30KICAgICAgICAgIC5saW5lCntoZWlnaHQ6MXB4O2JhY2tn
cm91bmQtY29sb3I6IzUyNUQ3Njtib3JkZXI6bm9uZTt9Jmx0Oy9zdHlsZSZndDsmbHQ7L2hlYWQm
Z3Q7Jmx0O2JvZHkmZ3Q7Jmx0O2gxJmd0O0hUVFAKICAgICAgICAgIFN0YXR1cyA0MDxicj4KICAg
ICAgICAgIDQgXHhlMlx4ODBceDkzIG5pY2h0IGdlZnVuZGVuJmx0Oy9oMSZndDsmbHQ7aHIgY2xh
c3M9ImxpbmUiCiAgICAgICAgICAvJmd0OyZsdDtwJmd0OyZsdDtiJmd0O1R5cGUmbHQ7L2ImZ3Q7
IFN0YXR1cwogICAgICAgICAgUmVwb3J0Jmx0Oy9wJmd0OyZsdDtwJmd0OyZsdDtiJmd0O01lc3Nh
Z2UmbHQ7L2ImZ3Q7IFRoZQogICAgICAgICAgcmVxdWVzdGVkIHJlc291cmNlIFsmYW1wOyM0Nztj
YSZhbXA7IzQ3O3Jlc3QmYW1wOyM0NzthY2NvdW50PGJyPgogICAgICAgICAgJmFtcDsjNDc7bG9n
aW5dIGlzIG5vdAogICAgICAgICAgYXZhaWxhYmxlJmx0Oy9wJmd0OyZsdDtwJmd0OyZsdDtiJmd0
O0Jlc2NocmVpYnVuZyZsdDsvYiZndDsKICAgICAgICAgIFRoZSBvcmlnaW4gc2VydmVyIGRpZCBu
b3QgZmluZCBhIGN1cnJlbnQgcmVwcmVzZW50YXRpb24gZm9yCiAgICAgICAgICB0aGUgdGFyZ2V0
IHJlc291cmNlIG9yIGlzIG5vdCB3aWxsaW5nIHRvPGJyPgogICAgICAgICAgZGlzY2xvc2UgdGhh
dCBvbmUgZXhpc3RzLiZsdDsvcCZndDsmbHQ7aHIgY2xhc3M9ImxpbmUiCiAgICAgICAgICAvJmd0
OyZsdDtoMyZndDtBcGFjaGUKICAgICAgICAgIFRvbWNhdC85LjAuNjgmbHQ7L2gzJmd0OyZsdDsv
Ym9keSZndDsmbHQ7L2h0bWwmZ3Q7JyA8YnI+CiAgICAgICAgICAyMDIyLTEyLTIxVDE1OjI3OjUy
WiBFUlJPUiBJUEEgc2VydmVyIHVwZ3JhZGUgZmFpbGVkOiBJbnNwZWN0CiAgICAgICAgICAvdmFy
L2xvZy9pcGF1cGdyYWRlLmxvZyBhbmQgcnVuIGNvbW1hbmQgaXBhLXNlcnZlci11cGdyYWRlCiAg
ICAgICAgICBtYW51YWxseS4gPGJyPgogICAgICAgICAgMjAyMi0xMi0yMVQxNToyNzo1MlogREVC
VUcgwqDCoEZpbGUKICAgICAgICAgICIvdXNyL2xpYi9weXRob24zLjExL3NpdGUtcGFja2FnZXMv
aXBhcHl0aG9uL2FkbWludG9vbC5weSIsCiAgICAgICAgICBsaW5lIDE4MCwgaW4gZXhlY3V0ZSA8
YnI+CiAgICAgICAgICDCoMKgwqByZXR1cm5fdmFsdWUgPSBzZWxmLnJ1bigpIDxicj4KICAgICAg
ICAgIMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoMKgwqDCoF5eXl5eXl5eXl4gPGJyPgog
ICAgICAgICAgwqBGaWxlCiIvdXNyL2xpYi9weXRob24zLjExL3NpdGUtcGFja2FnZXMvaXBhc2Vy
dmVyL2luc3RhbGwvaXBhX3NlcnZlcl91cGdyYWRlLnB5IiwKICAgICAgICAgIGxpbmUgNTQsIGlu
IHJ1biDCoMKgIHNlcnZlci51cGdyYWRlKCkgwqA8YnI+CiAgICAgICAgICDCoEZpbGUKICAgICAg
ICAgICIvdXNyL2xpYi9weXRob24zLjExL3NpdGUtcGFja2FnZXMvaXBhc2VydmVyL2luc3RhbGwv
c2VydmVyL3VwZ3JhZGUucHkiLAogICAgICAgICAgbGluZSAyMDYxLCBpbiB1cGdyYWRlIMKgwqAg
dXBncmFkZV9jb25maWd1cmF0aW9uKCkgPGJyPgogICAgICAgICAgwqBGaWxlCiAgICAgICAgICAi
L3Vzci9saWIvcHl0aG9uMy4xMS9zaXRlLXBhY2thZ2VzL2lwYXNlcnZlci9pbnN0YWxsL3NlcnZl
ci91cGdyYWRlLnB5IiwKICAgICAgICAgIGxpbmUgMTkxNCwgaW4gdXBncmFkZV9jb25maWd1cmF0
aW9uIMKgwqAKICAgICAgICAgIGNhX2VuYWJsZV9sZGFwX3Byb2ZpbGVfc3Vic3lzdGVtKGNhKSA8
YnI+CiAgICAgICAgICDCoEZpbGUKICAgICAgICAgICIvdXNyL2xpYi9weXRob24zLjExL3NpdGUt
cGFja2FnZXMvaXBhc2VydmVyL2luc3RhbGwvc2VydmVyL3VwZ3JhZGUucHkiLAogICAgICAgICAg
bGluZSA0NTgsIGluIGNhX2VuYWJsZV9sZGFwX3Byb2ZpbGVfc3Vic3lzdGVtIMKgwqAKICAgICAg
ICAgIGNhaW5zdGFuY2UubWlncmF0ZV9wcm9maWxlc190b19sZGFwKCkgPGJyPgogICAgICAgICAg
wqBGaWxlCiAgICAgICAgICAiL3Vzci9saWIvcHl0aG9uMy4xMS9zaXRlLXBhY2thZ2VzL2lwYXNl
cnZlci9pbnN0YWxsL2NhaW5zdGFuY2UucHkiLAogICAgICAgICAgbGluZSAyMTU1LCBpbiBtaWdy
YXRlX3Byb2ZpbGVzX3RvX2xkYXAgwqDCoAogICAgICAgICAgX2NyZWF0ZV9kb2d0YWdfcHJvZmls
ZShwcm9maWxlX2lkLCBwcm9maWxlX2RhdGEsCiAgICAgICAgICBvdmVyd3JpdGU9RmFsc2UpIDxi
cj4KICAgICAgICAgIMKgRmlsZQogICAgICAgICAgIi91c3IvbGliL3B5dGhvbjMuMTEvc2l0ZS1w
YWNrYWdlcy9pcGFzZXJ2ZXIvaW5zdGFsbC9jYWluc3RhbmNlLnB5IiwKICAgICAgICAgIGxpbmUg
MjIwOSwgaW4gX2NyZWF0ZV9kb2d0YWdfcHJvZmlsZSDCoMKgIHdpdGgKICAgICAgICAgIGFwaS5C
YWNrZW5kLnJhX2NlcnRwcm9maWxlIGFzIHByb2ZpbGVfYXBpOiA8YnI+CiAgICAgICAgICDCoEZp
bGUKICAgICAgICAgICIvdXNyL2xpYi9weXRob24zLjExL3NpdGUtcGFja2FnZXMvaXBhc2VydmVy
L3BsdWdpbnMvZG9ndGFnLnB5IiwKICAgICAgICAgIGxpbmUgMTIxMSwgaW4gX19lbnRlcl9fIMKg
wqAgcmFpc2UKICAgICAgICAgIGVycm9ycy5SZW1vdGVSZXRyaWV2ZUVycm9yKHJlYXNvbj1fKCdG
YWlsZWQgdG8gYXV0aGVudGljYXRlIHRvCiAgICAgICAgICBDQSBSRVNUIEFQSScpKSA8YnI+CiAg
ICAgICAgICA8YnI+CiAgICAgICAgICAyMDIyLTEyLTIxVDE1OjI3OjUyWiBERUJVRyBUaGUgaXBh
LXNlcnZlci11cGdyYWRlIGNvbW1hbmQKICAgICAgICAgIGZhaWxlZCwgZXhjZXB0aW9uOiBSZW1v
dGVSZXRyaWV2ZUVycm9yOiBGYWlsZWQgdG8gYXV0aGVudGljYXRlCiAgICAgICAgICB0byBDQSBS
RVNUIEFQSTxicj4KICAgICAgICAgIDxicj4KICAgICAgICAgIFRoZSBjYXRhbGluYSBsb2dmaWxl
IHNheXM6IDxicj4KICAgICAgICA8L3NwYW4+PC9wPgogICAgICA8cD48c3BhbiBzdHlsZT0iZm9u
dC1mYW1pbHk6bW9ub3NwYWNlIj48c3BhbgogICAgICAgICAgICBzdHlsZT0iY29sb3I6IzAwMDAw
MDtiYWNrZ3JvdW5kLWNvbG9yOiNmZmZmZmY7Ij4yMS1EZWMtMjAyMgogICAgICAgICAgICAxNjoy
NzoyNi45NDYgU0NIV0VSV0lFR0VORCBbbWFpbl0KICAgICAgICAgICAgb3JnLmFwYWNoZS5jYXRh
bGluYS5jb3JlLlN0YW5kYXJkQ29udGV4dC5zdGFydEludGVybmFsIE9uZQogICAgICAgICAgICBv
ciBtb3JlIGxpc3RlbmVycyBmYWlsZWQgdG8gc3RhcnQuIEZ1bGwgZGV0YWlscyB3aTwvc3Bhbj5s
bAogICAgICAgICAgYmUgZm91bmQgaW4gdGhlIGFwcHJvcHJpYXRlIGNvbnRhaW5lciBsb2cgZmls
ZSA8YnI+CiAgICAgICAgICAyMS1EZWMtMjAyMiAxNjoyNzoyNi45NDggU0NIV0VSV0lFR0VORCBb
bWFpbl0KICAgICAgICAgIG9yZy5hcGFjaGUuY2F0YWxpbmEuY29yZS5TdGFuZGFyZENvbnRleHQu
c3RhcnRJbnRlcm5hbCBDb250ZXh0CiAgICAgICAgICBbL2NhXSBzdGFydHVwIGZhaWxlZCBkdWUg
dG8gcHJldmlvdXMgZXJyb3JzPGJyPgogICAgICAgICAgPGJyPgogICAgICAgICAgdGhlIENBIGRl
YnVnIGxvZyBmaWxlIHNheXM6PC9zcGFuPjwvcD4KICAgICAgPHA+PHNwYW4gc3R5bGU9ImZvbnQt
ZmFtaWx5Om1vbm9zcGFjZSI+PHNwYW4KICAgICAgICAgICAgc3R5bGU9ImNvbG9yOiMwMDAwMDA7
YmFja2dyb3VuZC1jb2xvcjojZmZmZmZmOyI+MjAyMi0xMi0yMQogICAgICAgICAgICAxNjoyNzoy
NiBbbWFpbl0gRklORTogTGRhcEJvdW5kQ29ubmVjdGlvbjogQ29ubmVjPC9zcGFuPjxzcGFuCiAg
ICAgICAgICAgIHN0eWxlPSJjb2xvcjojMDAwMDAwO2JhY2tncm91bmQtY29sb3I6I2ZmZmY1NDsi
PnRpbjwvc3Bhbj48c3BhbgogICAgICAgICAgICBzdHlsZT0iY29sb3I6IzAwMDAwMDtiYWNrZ3Jv
dW5kLWNvbG9yOiNmZmZmZmY7Ij5nIHRvCiAgICAgICAgICAgIGlwYTEuc2VydmVyLm9yZzo2MzYg
d2l0aCBjbGllbnQgY2VydCBhdXRoIDwvc3Bhbj48YnI+CiAgICAgICAgICAyMDIyLTEyLTIxIDE2
OjI3OjI2IFttYWluXSBGSU5FOgogICAgICAgICAgbGRhcGNvbm4vUEtJU29ja2V0RmFjdG9yeS5t
YWtlU1NMU29ja2V0OiBiZWdpbnMgPGJyPgogICAgICAgICAgMjAyMi0xMi0yMSAxNjoyNzoyNiBb
bWFpbl0gRklORTogU2lnbmVkQXVkaXRMb2dnZXI6IGV2ZW50CiAgICAgICAgICBDTElFTlRfQUND
RVNTX1NFU1NJT05fRVNUQUJMSVNIIDxicj4KICAgICAgICAgIDIwMjItMTItMjEgMTY6Mjc6MjYg
W21haW5dIFNFVkVSRTogVW5hYmxlIHRvIGNyZWF0ZSBzb2NrZXQ6CiAgICAgICAgICBqYXZhLm5l
dC5Db25uZWN0RXhjZXB0aW9uOiBWZXJiaW5kdW5nc2F1ZmJhdSBhYmdlbGVobnQ8L3NwYW4+PC9w
PgogICAgICA8cD48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6bW9ub3NwYWNlIj53aXRoIG1hbnkg
amF2YSB0cmFjZWJhY2sKICAgICAgICAgIGVycm9ycyBmb2xsb3dpbmcuIGRpcmVjdG9yeSBzZXJ2
ZXIgaXMgcnVubmluZyBhdCB0aGlzIHRpbWUgYW5kCiAgICAgICAgICB0aGVyZSBpcyBubyBjb25u
ZWN0aW9uIHJlcG9ydGVkIGF0IHRoZSBnaXZlbiB0aW1lLgogICAgICAgICAgaXBhLWhlYWx0aGNl
Y2sgZG9lcyBub3QgZ2l2ZSBhbm55IGVycm9ycyBvciB3YXJuaW5ncy4KICAgICAgICAgIFJlLXN0
YXJ0aW5nIHRoZSBwa2ktdG9tY2F0IHNlcnZlciBtYW51YWxseSBhZnRlcndhcmRzIGlzdAogICAg
ICAgICAgd29ya2luZyBmaW5lIGFuZCBkb2VzIG5vdCBnaXZlIGFueSBlcnJvcnMuIHN0YXJ0aW5n
IGlwYSBpbgogICAgICAgICAgZm9yY2UgbW9kZSBnaXZlcyBubyBlcnJvcnMgYXMgd2VsbC4gV2hh
dCBjYW4gSSBkbz88L3NwYW4+PC9wPgogICAgICA8cD48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6
bW9ub3NwYWNlIj48YnI+CiAgICAgICAgPC9zcGFuPjwvcD4KICAgICAgPHA+PHNwYW4gc3R5bGU9
ImZvbnQtZmFtaWx5Om1vbm9zcGFjZSI+UmVnYXJkczwvc3Bhbj48L3A+CiAgICAgIDxwPjxzcGFu
IHN0eWxlPSJmb250LWZhbWlseTptb25vc3BhY2UiPk1hcnRpbjxicj4KICAgICAgICA8L3NwYW4+
PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5Om1vbm9zcGFjZSI+PC9zcGFuPjxzcGFuCiAgICAgICAg
ICBzdHlsZT0iZm9udC1mYW1pbHk6bW9ub3NwYWNlIj48L3NwYW4+PC9wPgogICAgPC9ibG9ja3F1
b3RlPgogICAgPHA+SGFsbG8sPC9wPgogICAgPHA+SSB0cmllZCB0aGUgdXBncmFkZSBvbmNlIGFn
YWluIGFuIGZvdW5kIGFub3RoZXIgZXJyb3IgSSBtaXNzZWQKICAgICAgYmVmb3JlLiBEdXJpbmcg
TERBUCB1cGRhdGVzIHRoZXJlIHdhcyBhbiBlcnJvciBzdGF0aW5nOjwvcD4KICAgIDxwPjxzcGFu
IHN0eWxlPSJmb250LWZhbWlseTptb25vc3BhY2UiPjxzcGFuCiAgICAgICAgICBzdHlsZT0iY29s
b3I6IzAwMDAwMDtiYWNrZ3JvdW5kLWNvbG9yOiNmZmZmZmY7Ij5FUlJPUjogQWRkCiAgICAgICAg
ICBmYWlsdXJlIFNlcnZlciBpcyB1bndpbGxpbmcgdG8gcGVyZm9ybTo8L3NwYW4+PC9zcGFuPjwv
cD4KICAgIDxwPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTptb25vc3BhY2UiPmR1cmluZyB1cGRh
dGluZyB0aGUgPC9zcGFuPjxzcGFuCiAgICAgICAgc3R5bGU9ImZvbnQtZmFtaWx5Om1vbm9zcGFj
ZSI+PHNwYW4KICAgICAgICAgIHN0eWxlPSJjb2xvcjojMDAwMDAwO2JhY2tncm91bmQtY29sb3I6
I2ZmZmZmZjsiPi91c3Ivc2hhcmUvaXBhL3VwZGF0ZXMvNTUtcGJhY21lbWJlcm9mLnVwZGF0ZQog
ICAgICAgICAgZmlsZXMuIElzIHRoaXMgYSBwcm9ibGVtPyBUaGlzIHVwZGF0ZSBmYWlsZWQgb24g
Ym90aCBvZiBteSBpcGEKICAgICAgICAgIHNlcnZlcnMgKG9uZSBpcyBvbmx5IG9uZSB3ZWVrIG9s
ZCwgc28gdGhlcmUgd2VyZSBubyByZWd1bGFyCiAgICAgICAgICB1cGdyYWRlcyBvZiBpcGEpLiBS
ZXJ1bm5pbmcgaXBhLWxkYXAtdXBkYXRlciBhbG9uZSB3aXRoIHRoZQogICAgICAgICAgdXBkYXRl
LWZpbGUgZ2l2ZXMgdGhlIHNhbWUgZXJyb3IuPGJyPgogICAgICAgIDwvc3Bhbj48L3NwYW4+PC9w
PgogICAgPHA+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5Om1vbm9zcGFjZSI+UmVnYXJkczxicj4K
ICAgICAgICBNYXJ0aW48YnI+CiAgICAgIDwvc3Bhbj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6
bW9ub3NwYWNlIj48L3NwYW4+PC9wPgogIDwvYm9keT4KPC9odG1sPgo=

--===============0866567915076795150==--

From abokovoy at redhat.com Fri Dec 23 11:51:37 2022
Content-Type: multipart/mixed; boundary="===============6224202916388773064=="
MIME-Version: 1.0
From: Alexander Bokovoy <abokovoy at redhat.com>
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: ipa upgrade failed
Date: Fri, 23 Dec 2022 13:51:20 +0200
Message-ID: <Y6WWOJMq/MelJAll@redhat.com>
In-Reply-To: e917b610-4259-a903-f4ee-f26e6cbdf943@fahrendorf.de

--===============6224202916388773064==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

On ke, 21 joulu 2022, Martin (Lists) via FreeIPA-users wrote:
>Hallo all
>
>I have a strange issue with one of my ipa servers. after an upgrade =

>from fedora 35 to fedora 37 the ipa-server-upgrade failed on the =

>pki-tomcat part. The ipaupgrade.log says:

Did you do this upgrade as a jump right from 35 to 37? I am not sure
this is a right way to do it. We test individual upgrades 35-36-37 and
they work fine.

Anyway, your problem, based on the second email you sent, is that
memberof plugin in 389-ds misbehaves. We've seen few issues like that
recently reported so please open a bug against 389-ds-base in Fedora and
attach access/errors logs from the 389-ds instance.



>
>2022-12-21T15:27:52Z INFO Migrating profile 'caECFullCMCSharedTokenCert'
>2022-12-21T15:27:52Z DEBUG request GET =

>https://ipa1.server.org:8443/ca/rest/account/login
>2022-12-21T15:27:52Z DEBUG request body ''
>2022-12-21T15:27:52Z DEBUG response status 404
>2022-12-21T15:27:52Z DEBUG response headers Content-Type: =

>text/html;charset=3Dutf-8
>Content-Language: de
>Content-Length: 795
>Date: Wed, 21 Dec 2022 15:27:52 GMT
>
>
>2022-12-21T15:27:52Z DEBUG response body (decoded): b'<!doctype =

>html><html lang=3D"de"><head><title>HTTP Status 404 \xe2\x80\x93 nicht =

>gefunden</title><style
>type=3D"text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, =

>h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 =

>{font-size:16px;
>} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:=
1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP =

>Status 40
>4 \xe2\x80\x93 nicht gefunden</h1><hr class=3D"line" /><p><b>Type</b> =

>Status Report</p><p><b>Message</b> The requested resource =

>[&#47;ca&#47;rest&#47;account
>&#47;login] is not available</p><p><b>Beschreibung</b> The origin =

>server did not find a current representation for the target resource =

>or is not willing to
>disclose that one exists.</p><hr class=3D"line" /><h3>Apache =

>Tomcat/9.0.68</h3></body></html>'
>2022-12-21T15:27:52Z ERROR IPA server upgrade failed: Inspect =

>/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>2022-12-21T15:27:52Z DEBUG =C2=A0=C2=A0File =

>"/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, =

>in execute
>=C2=A0=C2=A0=C2=A0return_value =3D self.run()
>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0^^^^^^^^^^
>=C2=A0File "/usr/lib/python3.11/site-packages/ipaserver/install/ipa_server=
_upgrade.py", =

>line 54, in run =C2=A0=C2=A0 server.upgrade()
>=C2=A0File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upg=
rade.py", =

>line 2061, in upgrade =C2=A0=C2=A0 upgrade_configuration()
>=C2=A0File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upg=
rade.py", =

>line 1914, in upgrade_configuration =C2=A0=C2=A0 =

>ca_enable_ldap_profile_subsystem(ca)
>=C2=A0File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upg=
rade.py", =

>line 458, in ca_enable_ldap_profile_subsystem =C2=A0=C2=A0 =

>cainstance.migrate_profiles_to_ldap()
>=C2=A0File =

>"/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", =

>line 2155, in migrate_profiles_to_ldap =C2=A0=C2=A0 =

>_create_dogtag_profile(profile_id, profile_data, overwrite=3DFalse)
>=C2=A0File =

>"/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", =

>line 2209, in _create_dogtag_profile =C2=A0=C2=A0 with =

>api.Backend.ra_certprofile as profile_api:
>=C2=A0File "/usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py"=
, =

>line 1211, in __enter__ =C2=A0=C2=A0 raise =

>errors.RemoteRetrieveError(reason=3D_('Failed to authenticate to CA REST =

>API'))
>
>2022-12-21T15:27:52Z DEBUG The ipa-server-upgrade command failed, =

>exception: RemoteRetrieveError: Failed to authenticate to CA REST API
>
>The catalina logfile says:
>
>21-Dec-2022 16:27:26.946 SCHWERWIEGEND [main] =

>org.apache.catalina.core.StandardContext.startInternal One or more =

>listeners failed to start. Full details will be found in the =

>appropriate container log file
>21-Dec-2022 16:27:26.948 SCHWERWIEGEND [main] =

>org.apache.catalina.core.StandardContext.startInternal Context [/ca] =

>startup failed due to previous errors
>
>the CA debug log file says:
>
>2022-12-21 16:27:26 [main] FINE: LdapBoundConnection: Connecting to =

>ipa1.server.org:636 with client cert auth
>2022-12-21 16:27:26 [main] FINE: =

>ldapconn/PKISocketFactory.makeSSLSocket: begins
>2022-12-21 16:27:26 [main] FINE: SignedAuditLogger: event =

>CLIENT_ACCESS_SESSION_ESTABLISH
>2022-12-21 16:27:26 [main] SEVERE: Unable to create socket: =

>java.net.ConnectException: Verbindungsaufbau abgelehnt
>
>with many java traceback errors following. directory server is running =

>at this time and there is no connection reported at the given time. =

>ipa-healthceck does not give anny errors or warnings. Re-starting the =

>pki-tomcat server manually afterwards ist working fine and does not =

>give any errors. starting ipa in force mode gives no errors as well. =

>What can I do?
>
>
>Regards
>
>Martin




-- =

/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--===============6224202916388773064==--

From lists at fahrendorf.de Fri Dec 23 11:59:28 2022
Content-Type: multipart/mixed; boundary="===============1338632521674376830=="
MIME-Version: 1.0
From: Martin (Lists) <lists at fahrendorf.de>
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: ipa upgrade failed
Date: Fri, 23 Dec 2022 12:59:11 +0100
Message-ID: <3f8a5741-9a57-9e73-7ea0-efeaec005d27@fahrendorf.de>
In-Reply-To: Y6WWOJMq/MelJAll@redhat.com

--===============1338632521674376830==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Am 23.12.22 um 12:51 schrieb Alexander Bokovoy via FreeIPA-users:
> On ke, 21 joulu 2022, Martin (Lists) via FreeIPA-users wrote:
>> Hallo all
>>
>> I have a strange issue with one of my ipa servers. after an upgrade =

>> from fedora 35 to fedora 37 the ipa-server-upgrade failed on the =

>> pki-tomcat part. The ipaupgrade.log says:
>
> Did you do this upgrade as a jump right from 35 to 37? I am not sure
> this is a right way to do it. We test individual upgrades 35-36-37 and
> they work fine.

Yes, I did a direct upgrade from 35 to 37.

>
> Anyway, your problem, based on the second email you sent, is that
> memberof plugin in 389-ds misbehaves. We've seen few issues like that
> recently reported so please open a bug against 389-ds-base in Fedora and
> attach access/errors logs from the 389-ds instance.

I will open a bug. Thanks.

Regards
Martin


--===============1338632521674376830==--

From abokovoy at redhat.com Fri Dec 23 19:30:36 2022
Content-Type: multipart/mixed; boundary="===============8086444011455042676=="
MIME-Version: 1.0
From: Alexander Bokovoy <abokovoy at redhat.com>
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: ipa upgrade failed
Date: Fri, 23 Dec 2022 21:30:20 +0200
Message-ID: <Y6YBzAv9p2F+negq@redhat.com>
In-Reply-To: 3f8a5741-9a57-9e73-7ea0-efeaec005d27@fahrendorf.de

--===============8086444011455042676==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

On pe, 23 joulu 2022, Martin (Lists) via FreeIPA-users wrote:
>Am 23.12.22 um 12:51 schrieb Alexander Bokovoy via FreeIPA-users:
>>On ke, 21 joulu 2022, Martin (Lists) via FreeIPA-users wrote:
>>>Hallo all
>>>
>>>I have a strange issue with one of my ipa servers. after an =

>>>upgrade from fedora 35 to fedora 37 the ipa-server-upgrade failed =

>>>on the pki-tomcat part. The ipaupgrade.log says:
>>
>>Did you do this upgrade as a jump right from 35 to 37? I am not sure
>>this is a right way to do it. We test individual upgrades 35-36-37 and
>>they work fine.
>
>Yes, I did a direct upgrade from 35 to 37.
>
>>
>>Anyway, your problem, based on the second email you sent, is that
>>memberof plugin in 389-ds misbehaves. We've seen few issues like that
>>recently reported so please open a bug against 389-ds-base in Fedora and
>>attach access/errors logs from the 389-ds instance.
>
>I will open a bug. Thanks.

 From 389-ds developers:

-------
The problem (55-pbacmemberof.update) is that F37 was a rebase (in Nov)
that contained an incomplete fix for #5413 [1]. The  #5413 was fixed in
two PR [2] and [3].  F37 contains [2] but not [3] that was fixed in Dec.

For F37 we need to a respin

[1] https://github.com/389ds/389-ds-base/issues/5413
[2] https://github.com/389ds/389-ds-base/commit/9db7a5adfaed49336ccee3bac43=
849c97c5c863b
[3] https://github.com/389ds/389-ds-base/commit/6aa7a6d5bf8b1d774087e8a5d0e=
147f4c636a7ad
-------

Please open a Fedora bug so that it is updated.

-- =

/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--===============8086444011455042676==--