You are right, there are several certificates stuck in dc2:

getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:59:28 -03
expires: 2023-12-13 22:59:28 -03
principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
profile: KDCs_PKINIT_Certs
pre-save command: 
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20221130160320':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer: 
subject: 
issued: unknown
expires: unknown
profile: caSignedLogCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130160321':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer: 
subject: 
issued: unknown
expires: unknown
profile: caOCSPCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130160322':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer: 
subject: 
issued: unknown
expires: unknown
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130160323':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer: 
subject: 
issued: unknown
expires: unknown
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130160324':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-01 22:56:02 -03
expires: 2023-11-21 22:56:02 -03
dns: dc2.tnu.com.uy
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caServerCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130160325':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=IPA RA,O=TNU.COM.UY
issued: 2021-11-09 15:12:27 -03
expires: 2023-10-30 15:12:27 -03
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20221130160326':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:10 -03
expires: 2023-12-13 22:53:10 -03
dns: dc2.tnu.com.uy
principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command: 
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
track: yes
auto-renew: yes
Request ID '20221130160327':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:26 -03
expires: 2023-12-13 22:53:26 -03
dns: dc2.tnu.com.uy
principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command: 
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes


Can I ask how I provide the required information to unstick the certs?
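As an added example (not code from this thread, from certmonger or from FreeIPA), here is a small Python audit that parses `getcert list` output and reports requests that are stuck, expired or about to expire. It runs over a constructed sample abridged from the dc2 output above; the 30-day warning window and the NSS-database pin heuristic (a stuck NSSDB entry whose key pair storage line shows neither `pin set` nor `pinfile=`, unlike the Server-Cert entry that is not stuck) are this example's own assumptions about what to flag, not a statement of the fix.

```python
"""Audit `getcert list` output for stuck or expiring certmonger requests.

Added example for this thread, not code from the thread, certmonger or
FreeIPA. Usage: `getcert list | python3 getcert_audit.py`; with no stdin it
runs over SAMPLE, a constructed abridgement of the dc2 output posted above.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample, abridged from the dc2 `getcert list` output in the thread:
# one stuck NSSDB entry, one healthy NSSDB entry with a pin, one FILE entry.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20221130160320':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    subject: 
    expires: unknown
Request ID '20221130160324':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    expires: 2023-11-21 22:56:02 -03
Request ID '20221130160325':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    subject: CN=IPA RA,O=TNU.COM.UY
    expires: 2023-10-30 15:12:27 -03
"""

REQUEST_RE = re.compile(r"Request ID '([^']+)':")


def parse_getcert(text):
    """Split `getcert list` output into one dict per Request ID block.
    Each 'key: value' line is split at its first colon only, so the
    time-of-day colons in 'expires: 2023-11-21 22:56:02 -03' survive."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = REQUEST_RE.match(line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_stamp(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS [+-]HH[MM]' stamp; 'unknown' or
    an empty field (what the stuck requests show) gives None. The offset is
    handled by hand because strptime's %z rejects a bare '-03'."""
    if value in ("", "unknown"):
        return None
    stamp, _, offset = value.rpartition(" ")
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    sign = -1 if offset.startswith("-") else 1
    digits = offset.lstrip("+-")
    delta = timedelta(hours=int(digits[:2]), minutes=int(digits[2:4] or 0))
    return naive.replace(tzinfo=timezone(sign * delta))


def audit(text, now_iso, warn_days=30):
    """Return (request_id, severity, detail) tuples in getcert order.
    Severities: 'stuck', 'expired', 'expiring' (within warn_days). The NSSDB
    pin check is a heuristic taken from the thread's output: the stuck NSSDB
    entries show neither 'pin set' nor 'pinfile=', the healthy one does."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for req in parse_getcert(text):
        storage = req.get("key pair storage", "")
        if req.get("stuck") == "yes":
            detail = "stuck in %s" % req.get("status", "?")
            if storage.startswith("type=NSSDB") and not (
                "pin set" in storage or "pinfile=" in storage
            ):
                detail += "; NSSDB entry tracked without a pin/pinfile"
            findings.append((req["id"], "stuck", detail))
        expires = parse_stamp(req.get("expires", ""))
        if expires is None:
            continue
        remaining = expires - now
        if remaining <= timedelta(0):
            findings.append((req["id"], "expired", "expired on " + expires.isoformat()))
        elif remaining <= timedelta(days=warn_days):
            findings.append((req["id"], "expiring", "expires in %d days" % remaining.days))
    return findings


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for request_id, severity, detail in audit(text, datetime.now(timezone.utc).isoformat()):
        print(request_id, severity, detail)
```

Piping the real `getcert list` into it on each replica gives one line per problem, which is quicker to compare across dc1 and dc2 than reading the full listing; the stuck entries are the ones to look at first, since certmonger cannot even read their expiry.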



On 30 Nov 2022, at 19:55, Rob Crittenden <rcritten@redhat.com> wrote:

Juan Pablo Lorier wrote:
The only expired cert was the HTTP in the dc1 server, dc2 had all the
certs valid:

This does not show all of the tracked certificates. Use plain getcert
which will show for all CA helpers.

rob


Dc1:

 ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191218181440':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
expires: 2023-11-21 15:14:49 -03
principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command: 
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20191219011104':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
expires: 2023-11-21 15:13:39 -03
dns: dc1.tnu.com.uy
principal name: ldap/dc1.tnu.com.uy@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: 
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
track: yes
auto-renew: yes
Request ID '20211217030046':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc1.tnu.com.uy-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
expires: 2023-12-18 00:01:22 -03
dns: dc1.tnu.com.uy
principal name: HTTP/dc1.tnu.com.uy@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: 
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes

Dc2:

 ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:59:28 -03
expires: 2023-12-13 22:59:28 -03
principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
profile: KDCs_PKINIT_Certs
pre-save command: 
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20221130160326':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:10 -03
expires: 2023-12-13 22:53:10 -03
dns: dc2.tnu.com.uy
principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command: 
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
track: yes
auto-renew: yes
Request ID '20221130160327':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:26 -03
expires: 2023-12-13 22:53:26 -03
dns: dc2.tnu.com.uy
principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command: 
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes

On 30 Nov 2022, at 18:50, Rob Crittenden <rcritten@redhat.com> wrote:

Juan Pablo Lorier wrote:
Ok, with the skip-version-check flag it starts correctly, but if I try
to restart the service without the flag, it fails at the same point. The
error is related to the upgrade process then. I'm upgrading from 4.7 to
4.9 as I didn't find any restriction in the documentation.
Is it possible that there's an issue with that upgrade path?

It is likely related to your expired certificates. Did you look to see
if others besides the HTTP cert expired?

rob

Thanks

On 30 Nov 2022, at 16:21, Rob Crittenden <rcritten@redhat.com> wrote:

Juan Pablo Lorier wrote:
Hi,

Rob, the problem with ipactl --ignore-service-failures is that it always
tries to upgrade from 4.7 to 4.9 first and it fails for that reason.

$ man 8 ipactl

--skip-version-check  Skip version check

rob


I was able to move forward and get pki-tomcat running but I still can't
finish the upgrade process.
Here are some more logs to see if you can see a lead to help me.
Regards

/var/log/ipaupgrade.log

2022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1273, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 982, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error
2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-30T16:07:54Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1908, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1207, in __enter__
    method='GET'
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in https_request
    method=method, headers=headers)
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))

2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information


dirsrv/slapd-TNU-COM-UY/errors

[30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
[30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
[30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
[30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
[30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

localhost_access_log.2022-11-30.txt

127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669


On 23 Nov 2022, at 18:42, Rob Crittenden <rcritten@redhat.com> wrote:

Run "ipactl --ignore-service-failures" and it should bring up all the
services it can.

rob

Juan Pablo Lorier wrote:
Hi again,

I used the ldapi from /etc/ipa/default.conf and I was able to get a
different reply:

 ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)

But if I try to renew the ticket, it fails:

 kinit admin
kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials

The running DC is in 4.7 and it should reply to the kinit requests


I added the debug option to see if I can get further information.

 ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

See the upgrade log for more details and/or run
/usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl

Regards


On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:

Juan Pablo Lorier wrote:
Hi Rob,

Thanks for the reply. As I didn't know any other way but to go back in time, I just did it and now the server is running 100%.

This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter of a def update but it seems that is not such a happy path.
I updated the second server but it's not able to finalize the update process. DNS is failing to start:

# systemctl status ipa-dnskeysyncd.service

● ipa-dnskeysyncd.service - IPA key daemon
   Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
 Main PID: 250496 (ipa-dnskeysyncd)
    Tasks: 1 (limit: 23652)
   Memory: 68.4M
   CGroup: /system.slice/ipa-dnskeysyncd.service
           └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd

Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO     Commencing sync process
Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO     Initial LDAP dump is done, sychronizing with ODS and BIND
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1

[root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service


-- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing all plugin modules in ipaserver.plugins...
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.aci
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.automember
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.automount
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.baseldap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    ipaserver.plugins.baseldap is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.baseuser
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.batch
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.ca
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.caacl
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.cert
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.certmap
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.certprofile
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.config
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.delegation
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.dns
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.dnsserver
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.dogtag
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.domainlevel
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.group
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.hbac
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    ipaserver.plugins.hbac is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.hbacrule
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.hbacsvc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.hbacsvcgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.hbactest
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.host
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.hostgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.idrange
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.idviews
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.internal
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.join
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.krbtpolicy
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.ldap2
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.location
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.migration
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.misc
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.netgroup
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.otp
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    ipaserver.plugins.otp is not a valid plugin module
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.otpconfig
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.otptoken
Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.passwd

There should be quite a bit more after that.


#less /var/log/dirsrv/slapd-*/access

[22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
[22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
[22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
[22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
[22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
[22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
[22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
[22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
[22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
[22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
[22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
[22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435
[22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601
[22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108


I see that after the update, the files were changed:


[root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
/etc/dirsrv/slapd-TNU-COM-UY:
total 4208
-rw-r-----. 1 dirsrv dirsrv   1804 Jan 21  2022 Server-Cert-Key.pem
-rw-r-----. 1 dirsrv dirsrv   1829 Jan 21  2022 Server-Cert.pem
-rw-r-----. 1 dirsrv dirsrv   1464 Jan 21  2022 TNU.COM.UY20IPA20CA.pem
-rw-r-----. 1 dirsrv root    36864 Dec 12  2021 cert9.db
-rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv   1729 Jan  9  2020 certmap.conf
-rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
-rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
-rw-r--r--. 1 dirsrv root   208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494
-rw-------. 1 dirsrv root   202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae
-rw-------. 1 dirsrv root   208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116
-rw-------. 1 dirsrv root   208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957
-rw-------. 1 dirsrv root   195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b
-rw-------. 1 dirsrv root   203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c
-rw-------. 1 dirsrv root   156705 Jan  9  2020 dse.ldif.ipa.6b71b47d73ca452a
-rw-------. 1 dirsrv root   202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822
-rw-------. 1 dirsrv root   208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec
-rw-------. 1 dirsrv root   208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de
-rw-------. 1 dirsrv root   202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3
-rw-------. 1 dirsrv root   202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd
-rw-------. 1 dirsrv root   202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf
-rw-------. 1 dirsrv root   208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072
-rw-------. 1 dirsrv root   202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c
-rw-------. 1 dirsrv root   202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8
-rw-r--r--. 1 dirsrv root   208167 Nov 22 11:26 dse.ldif.modified.out
-rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv  36009 Jan  9  2020 dse_original.ldif
-rw-r-----. 1 dirsrv root    36864 Dec 12  2021 key4.db
-rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 key4.db.orig
-r--------. 1 dirsrv dirsrv     67 Jan  9  2020 pin.txt
-rw-r-----. 1 dirsrv dirsrv    561 Nov 22 11:26 pkcs11.txt
-rw-rw----. 1 dirsrv dirsrv    556 Jan  9  2020 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt
-r--------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv   4096 Nov 22 11:26 schema
drwxr-x---. 2 dirsrv root       25 Nov 21 18:59 schema.bak
-rw-r--r--. 1 dirsrv root    15142 Nov 21 18:59 slapd-collations.conf


I can’t connect to the LDAP service:

# ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

You have to escape the socket path:
ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket

# less /var/log/ipaupgrade.log

Server built:   Jun 29 2021 22:00:15 UTC
Server number:  9.0.30.0
OS Name:        Linux
OS Version:     4.18.0-348.7.1.el8_5.x86_64
Architecture:   amd64
JVM Version:    1.8.0_322-b06
JVM Vendor:     Red Hat, Inc.

2022-11-22T14:26:56Z DEBUG stderr=
2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-22T14:26:56Z DEBUG Process finished, return code=1
2022-11-22T14:26:56Z DEBUG stdout=
2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.

2022-11-22T14:26:56Z DEBUG Starting external process
2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
2022-11-22T14:26:57Z DEBUG Process finished, return code=1
2022-11-22T14:26:57Z DEBUG stdout=
2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.

2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
    ca.start('pki-tomcat')
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
    skip_output=not capture_output)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log

2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

The CA failed to start. This is often due to expired certificates that
get exposed when an upgrade is done. Check that out.

#ipactl status

Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
2 service(s) are not running


Thanks

On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten@redhat.com> wrote:

Juan Pablo Lorier via FreeIPA-users wrote:
Hi,

I have a production server that was not maintained and I see that the
HTTP certificate has expired long ago. I tried to renew it but I'm not
being able to get it right.

The initial status was:

Request ID '20191219011208':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'

Then following this thread
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GLFHCL2DW4LD2GQTTAZRYSXUGQQXD67Q/

I got it to this state:

Request ID '20191219011208':
status: MONITORING
ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'

The post indicates that I have to put an old date in the server to get
it renewed, but as the server is in production, it means that all
clients will fail to log in to the server. Even more, what time should I
return to, before the certificate expiration or right after?
Thanks in advance

I'd guess that this affects a lot more than just the web server cert.
getcert list will tell you.

That outcome will affect the suggested remediation.

As for going back in time, you'd need a server outage to do this and it
only would be backwards in time for a short time. Just long enough so
the services could start with non-expired certificates to get them
renewed. But there are other ways to do this that don't require fiddling
with time.

rob
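As an added example (not part of this thread, and not FreeIPA's or certmonger's own tooling), a small Python script that does the two checks Rob's replies ask for: it parses `getcert list` output into one record per Request ID and flags requests that are stuck, carry a ca-error, or whose certificate has expired or expires soon, and it builds the percent-encoded ldapi:// URL that ldapsearch needs for a UNIX socket. The sample `getcert list` text, the hostnames and the fixed clock in it are constructed; `triage_live` assumes a host where the `getcert` command is on PATH.

```python
"""Triage helper for `getcert list` output plus a correctly escaped ldapi URL.

Added example for this thread, not FreeIPA's or certmonger's own code. It reads
the plain-text `getcert list` format (field names as certmonger prints them).
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Constructed sample in the shape certmonger prints; hosts and dates are made up.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20200110015908':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
\texpires: 2023-12-13 22:59:28 -03
Request ID '20221130160320':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
\texpires: unknown
Request ID '20191219011208':
\tstatus: MONITORING
\tca-error: Server at https://dc1.example.test/ipa/xml failed request, will retry: -504
\tstuck: no
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\texpires: 2022-01-01 10:00:00 -03
"""

# Fixed "now" so the sample triage is reproducible (an assumption, not a real clock).
SAMPLE_NOW = datetime(2022, 11, 22, 15, 0, 0, tzinfo=timezone.utc)

# getcert prints the zone as a bare offset ("-03") when it has no name, which
# strptime's %z rejects, so the offset is parsed by hand.
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-])(\d{2}):?(\d{2})?$")


def parse_getcert_time(text):
    """Return an aware datetime, or None for 'unknown' / unrecognised text."""
    m = _TS_RE.match(text.strip())
    if not m:
        return None
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    sign = 1 if m.group(2) == "+" else -1
    offset = timedelta(hours=int(m.group(3)), minutes=int(m.group(4) or 0))
    return naive.replace(tzinfo=timezone(sign * offset))


def parse_getcert_list(output):
    """Split `getcert list` output into one dict of fields per Request ID."""
    requests = []
    current = None
    for line in output.splitlines():
        m = re.match(r"^Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")  # split on the first colon only
        current[key.strip()] = value.strip()
    return requests


def triage(requests, now, warn_within=timedelta(days=30)):
    """Return (request_id, reason) for every request that needs attention."""
    findings = []
    for r in requests:
        reasons = []
        if r.get("stuck") == "yes":
            reasons.append("stuck in " + r.get("status", "?"))
        if "ca-error" in r:
            reasons.append("ca-error: " + r["ca-error"])
        expires_text = r.get("expires", "unknown")
        expires = parse_getcert_time(expires_text)
        if expires is None:
            reasons.append("expiry unknown (" + expires_text + ")")
        elif expires <= now:
            reasons.append("expired " + expires.isoformat())
        elif expires - now <= warn_within:
            reasons.append("expires soon " + expires.isoformat())
        if reasons:
            findings.append((r["request_id"], "; ".join(reasons)))
    return findings


def triage_sample():
    """Triage the constructed sample against the fixed SAMPLE_NOW."""
    return triage(parse_getcert_list(SAMPLE_GETCERT_OUTPUT), SAMPLE_NOW)


def triage_live():
    """Triage the real tracking list on a host where `getcert` is installed (assumed)."""
    out = subprocess.run(["getcert", "list"], capture_output=True, text=True, check=True).stdout
    return triage(parse_getcert_list(out), datetime.now(timezone.utc))


def ldapi_url(socket_path):
    """ldapi:// carries the socket path in the host slot, so every '/' must be
    percent-encoded or the client treats the first segment as a hostname."""
    return "ldapi://" + quote(socket_path, safe="")


if __name__ == "__main__":
    for request_id, reason in triage_sample():
        print(request_id, reason)
    print(ldapi_url("/var/run/slapd-EXAMPLE-TEST.socket"))
```

On the sample, the KDC certificate is silent, the audit-signing request is reported as stuck with an unknown expiry, and the httpd request is reported for both its ca-error and its past expiry date; the same logic run through `triage_live` gives the "getcert list will tell you" overview in one pass. The ldapi helper encodes every slash, so the URL it prints is the form Rob's reply shows (upper- and lower-case hex are equivalent).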