7:45 p.m.
Johannes Falke via FreeIPA-users wrote:
Ok, thanks for being my rubber duck. I solved it while preparing an
anonymized ipaupgrade.log for you.
I noticed that the failure I was looking at was actually a secondary failure after a
first failed upgrade. The primary error was a result of a missing caECAdminCert.cfg
(https://bugzilla.redhat.com/show_bug.cgi?id=1836806) which was apparently never patched
for Fedora 29/30. Since I never saw the error message from the first failed automatic
ipa-server-upgrade during/after Fedora release upgrade), I reran ipa-server-upgrade which
then gave me a different error (the one I was trying to debug above).
At some point when previously trying to fix the installation after the failed upgrade, I
did see the caECAdminCert.cfg message, but I had tried adding the file and re-running
ipa-server-upgrade and it did not fix it. It turns out that a failed ipa-server-upgrade is
not rolled back and irreparably damages the existing configuration - maybe this should be
explicitly noted?
After noticing what was happening today, I rolled back to my pre-upgrade Fedora 29
snapshot, copied /usr/share/pki/ca/profiles/ca/caECAdminCert.cfg to
/var/lib/pki/pki-tomcat/ca/profiles/ca/ and then ran the Fedora 29 -> 30 upgrade -
something I now recall I had planned to do when I first saw that error but forgot (since I
was busy excluding a real PKI/certificate error).
That's great, I'm glad you got it fixed. Thanks for following up with
the solution.
rob