On Thu, 07 Jan 2021, Uzor Ide via FreeIPA-users wrote:
Can you check the ipaupgrade.log.
I found out when I upgraded ipa-server on CentOS 8 last week that
ipaupgrade script has wrong path information for the file
"/usr/share/pki/acme/database/ldap/database.conf".
The upgrade script has path as
"/usr/share/pki/acme/database/ds/database.conf" while what actually exists
is "/usr/share/pki/acme/database/ldap/database.conf"
I just created a symbolic link pointing to the correct path and the update
completed.

I think you are mixing up CentOS 8 Stream and CentOS 8 here. The issue
above is on CentOS 8 Stream as ACME support is only available in FreeIPA
4.9.0. This is a known problem with pki-core module in CentOS 8 Stream
being older (yet) and will be handled by CentOS packagers now that they
are back from vacation/holidays.
CentOS 8 does not have this issue but it will be crucial to know
pki-core components versions and also Java versions.

_Uz
On Thu, Jan 7, 2021 at 7:01 AM Rob Crittenden via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> Vinícius Ferrão via FreeIPA-users wrote:
> > Hello, I’ve a single IPA machine that provides authentication for
> > itself. It does not even have any client or host.
> >
> > After dnf -y update and reboot, IPA fails to load and it’s in a broken
> > state.
> >
> > [root@headnode ~]# systemctl status ipa
> > ● ipa.service - Identity, Policy, Audit
> > Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor
> > preset: disabled)
> > Active: failed (Result: exit-code) since Wed 2021-01-06 16:14:48 -03;
> > 45min ago
> > Process: 1278 ExecStart=/usr/sbin/ipactl start (code=exited,
> > status=1/FAILURE)
> > Main PID: 1278 (code=exited, status=1/FAILURE)
> >
> > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CRL tree
> > already moved
> > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: IPA server
> > upgrade failed: Inspect /var/log/ipaupgrade.log and run command i>
> > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Unexpected
> > error - see /var/log/ipaupgrade.log for details:
> > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]:
> > CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
> > 'start', '>
> > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: The
> > ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more >
> > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: See the
> > upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade>
> > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Aborting
> > ipactl
> > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service:
> > Main process exited, code=exited, status=1/FAILURE
> > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service:
> > Failed with result 'exit-code'.
> > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: Failed to
> > start Identity, Policy, Audit.
> >
> > It asks to look at /var/log/ipaupgrade.log, but this log is just
> > overwhelming. You must know what you should be looking for to actually
> > find something.
> >
> > The relevant thing that I’ve found by myself is:
> > 2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed,
> > exception: CalledProcessError: CalledProcessError(Command
> > ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned
> > non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed
> > because a timeout was exceeded.\nSee "systemctl status
> > pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
> >
> > Is that Java regression again that happened a month or two ago?
> >
>
> Hard to say. You upgraded from what to what? Was java included in the
> updated packages?
>
> Does /bin/systemctl start pki-tomcatd@pki-tomcat.service work outside
> the upgrader?
>
> rob
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
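
An added example, not part of the thread and not FreeIPA code: a small triage helper that pulls the abort record out of an ipaupgrade.log and names the service to inspect next. The function name `triage` and the sample log are constructed here; the matched wording follows the one log line quoted above, and the rest of the log layout is an assumption.

```python
import re

# Wording and layout follow the single ipaupgrade.log line quoted in the thread;
# everything else about the log format is an assumption.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) DEBUG The ipa-server-upgrade command failed, "
    r"exception: (?P<exc>\w+): (?P<detail>.*)$"
)
CMD_RE = re.compile(
    r"Command \[(?P<argv>[^\]]*)\] returned non-zero exit status (?P<rc>\d+)"
)


def triage(log_text):
    """Return one dict per aborted upgrade found in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # the bulk of the log is routine DEBUG output
        item = {"ts": m["ts"], "exception": m["exc"],
                "argv": [], "rc": None, "unit": None}
        cmd = CMD_RE.search(m["detail"])
        if cmd:
            item["argv"] = re.findall(r"'([^']*)'", cmd["argv"])
            item["rc"] = int(cmd["rc"])
            # A failed "systemctl start <unit>" names the service to inspect next.
            if item["argv"][:1] == ["/bin/systemctl"] and len(item["argv"]) == 3:
                item["unit"] = item["argv"][2]
        findings.append(item)
    return findings


# Constructed sample: two filler lines plus the failure line from the thread
# (line wrapping and mail-client link residue removed).
SAMPLE_LOG = (
    "2021-01-06T19:04:50Z DEBUG Starting external process\n"
    "2021-01-06T19:04:50Z DEBUG args=['/bin/systemctl', 'start', "
    "'pki-tomcatd@pki-tomcat.service']\n"
    "2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed, "
    "exception: CalledProcessError: CalledProcessError(Command "
    "['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] "
    "returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service "
    "failed because a timeout was exceeded.')\n"
)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["exception"], "rc=%s" % f["rc"], "unit=%s" % f["unit"])
        if f["unit"]:
            print("next: systemctl status %s; journalctl -u %s" % (f["unit"], f["unit"]))
```

To use it on a real host, pass the contents of /var/log/ipaupgrade.log to `triage()` instead of the sample string.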