Things are getting worse.
First, the version I reported before was incorrect (taken from a client).
Here's the server one.
$ ipa --version
VERSION: 4.2.4, API_VERSION: 2.156
I did a dnf update (Fedora 23). The IPA upgrade failed.
I tried running it again, manually, after a reboot:
$ ipa-server-upgrade
session memcached servers not running
Upgrading IPA:
[1/8]: saving configuration
[2/8]: disabling listeners
[3/8]: enabling DS global lock
[4/8]: starting directory server
[5/8]: updating schema
[6/8]: upgrading server
Add failure attribute "cn" not allowed
[7/8]: stopping directory server
[8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command ''/bin/systemctl' 'start' 'httpd.service'' returned non-zero exit status 1
The ipaupgrade log only says that starting httpd failed.
HTTPD log says:
[Wed Jun 07 14:32:26.822478 2017] [core:notice] [pid 3182] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Wed Jun 07 14:32:26.823122 2017] [suexec:notice] [pid 3182] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jun 07 14:32:26.823467 2017] [:warn] [pid 3182] NSSSessionCacheTimeout is deprecated. Ignoring.
[Wed Jun 07 14:32:26.913923 2017] [:error] [pid 3182] SSL Library Error: -8181 Certificate has expired
[Wed Jun 07 14:32:26.913942 2017] [:error] [pid 3182] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
Any suggestion?
On Wed, 7 Jun 2017 at 13:17 Roberto Cornacchia <roberto.cornacchia(a)gmail.com> wrote:
Not being able to log in to the admin console, I checked the httpd log and found the following errors:
[Wed Jun 07 12:50:59.352022 2017] [:error] [pid 10240] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Wed Jun 07 12:50:59.353372 2017] [:error] [pid 10237] SSL Library Error: -8181 Certificate has expired
[Wed Jun 07 12:50:59.353395 2017] [:error] [pid 10237] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Wed Jun 07 12:50:59.986025 2017] [core:error] [pid 11522] AH00546: no record of generation 47 of exiting child 10203
I also get an error during enrollment of a new client (which seems to retrieve a valid certificate anyway):
Password for admin(a)HQ.SPINQUE.COM:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=HQ.SPINQUE.COM
Issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM
Valid From: Mon Mar 16 18:44:35 2015 UTC
Valid Until: Fri Mar 16 18:44:35 2035 UTC
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: TCP connection reset by peer
Services are up:
$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Certificate monitoring seems ok:
$ getcert list -d /etc/httpd/alias -n ipaCert
Number of certificates and requests being tracked: 8.
Request ID '20160501114633':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM
subject: CN=IPA RA,O=HQ.SPINQUE.COM
expires: 2019-01-26 19:41:51 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Version:
$ ipa --version
VERSION: 4.4.3, API_VERSION: 2.215
Could you please point me at what else to check?
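The httpd log blames 'Server-Cert', but the getcert check above only inspects 'ipaCert'. A small added helper (not from the thread or from FreeIPA itself) that parses the full `getcert list` output and flags every tracked certificate that is expired, close to expiry, or stuck; the sample output below is constructed, with the ipaCert entry mirroring the thread and a Server-Cert entry assumed to be expired:

```python
import re
from datetime import datetime, timezone

# Constructed sample of `getcert list` output. The ipaCert block mirrors the
# thread; the Server-Cert block is an assumed example of an expired, stuck request.
GETCERT_SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20160501114633':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    expires: 2019-01-26 19:41:51 UTC
    track: yes
    auto-renew: yes
Request ID '20150316184500':
    status: CA_UNREACHABLE
    stuck: yes
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2017-05-30 10:00:00 UTC
    track: yes
    auto-renew: yes
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    entries = []
    for block in re.split(r"(?m)^Request ID ", text)[1:]:
        fields = {"request_id": block.split("'")[1]}
        for line in block.splitlines()[1:]:
            key, _, value = line.strip().partition(": ")
            if key:
                fields[key] = value
        m = re.search(r"nickname='([^']+)'", fields.get("certificate", ""))
        fields["nickname"] = m.group(1) if m else fields["request_id"]
        entries.append(fields)
    return entries

def expiry_report(text, now, warn_days=30):
    """Return {nickname: (state, days_left)}; state is expired/expiring/ok, '+stuck' if certmonger gave up."""
    report = {}
    for e in parse_getcert(text):
        exp = datetime.strptime(e["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
        days = (exp - now).days
        state = "expired" if days < 0 else ("expiring" if days <= warn_days else "ok")
        if e.get("stuck") == "yes":
            state += "+stuck"  # renewal did not happen on its own; needs manual attention
        report[e["nickname"]] = (state, days)
    return report

if __name__ == "__main__":
    now = datetime(2017, 6, 7, 14, 32, tzinfo=timezone.utc)  # time of the httpd errors
    for nick, (state, days) in expiry_report(GETCERT_SAMPLE, now).items():
        print(f"{nick}: {state} ({days} days)")
```

On a live server, feed it `getcert list` with no `-n` filter so every nickname in /etc/httpd/alias and the other NSS databases is covered, not just the RA agent certificate.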