You are right, there are several certificates stuck in dc2:
getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:59:28 -03
expires: 2023-12-13 22:59:28 -03
principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20221130160320':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
issued: unknown
expires: unknown
profile: caSignedLogCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130160321':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
issued: unknown
expires: unknown
profile: caOCSPCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130160322':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
issued: unknown
expires: unknown
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130160323':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
issued: unknown
expires: unknown
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130160324':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-01 22:56:02 -03
expires: 2023-11-21 22:56:02 -03
dns: dc2.tnu.com.uy
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caServerCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130160325':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=IPA RA,O=TNU.COM.UY
issued: 2021-11-09 15:12:27 -03
expires: 2023-10-30 15:12:27 -03
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20221130160326':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:10 -03
expires: 2023-12-13 22:53:10 -03
dns: dc2.tnu.com.uy
principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
track: yes
auto-renew: yes
Request ID '20221130160327':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:26 -03
expires: 2023-12-13 22:53:26 -03
dns: dc2.tnu.com.uy
principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Can I ask you how I provide the required information to unstick the certs?
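The fields that actually decide whether a request needs attention (status, stuck, expires) are buried in a long `getcert list` dump, and the four stuck NSS-database entries report issued/expires as "unknown" because certmonger has not been able to read them yet. The following is an added example, not code from this thread nor from FreeIPA or certmonger: a POSIX shell function that reads `getcert list` output (plain `getcert`, as Rob notes, so that requests from every CA helper are included) and prints only the requests that are stuck, have an unknown expiry, or expire within a given number of days. The three-record sample is constructed from the record layout shown above and abbreviated; the reference date and 30-day window are arbitrary choices for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread, not part of FreeIPA or certmonger):
# triage `getcert list` output so stuck and soon-expiring requests stand out.
# On a server:  getcert list | getcert_triage "$(date +%F)" 30
# Output, one line per request needing attention:
#   <request id> stuck:<STATUS>  |  <request id> expiry-unknown  |  <request id> expires-in:<N>d

getcert_triage() {
    # $1 = reference date (YYYY-MM-DD), $2 = warning window in days
    awk -v today="$1" -v window="$2" '
    # Julian day number in plain awk, so neither GNU date nor gawk mktime is needed
    function jdn(y, m, d,   a, yy, mm) {
        a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
        return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
    }
    function daynum(s,   p) { split(s, p, "-"); return jdn(p[1] + 0, p[2] + 0, p[3] + 0) }
    # Judge the record collected so far and print it if it needs attention
    function emit(   left) {
        if (id == "") return
        if (stuck == "yes") print id, "stuck:" status
        else if (expires == "" || expires == "unknown") print id, "expiry-unknown"
        else {
            left = daynum(expires) - daynum(today)
            if (left <= window) print id, "expires-in:" left "d"
        }
    }
    /^Request ID/ { emit(); id = $3; gsub(/[^0-9]/, "", id); status = stuck = expires = "" }
    /^[ \t]*status:/  { status = $2 }
    /^[ \t]*stuck:/   { stuck = $2 }
    /^[ \t]*expires:/ { expires = $2 }   # $2 is the YYYY-MM-DD part, or "unknown"
    END { emit() }
    '
}

# Constructed sample in the layout shown in the thread (three abbreviated records)
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20200110015908':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    expires: 2023-12-13 22:59:28 -03
    track: yes
Request ID '20221130160320':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    issued: unknown
    expires: unknown
    track: yes
Request ID '20221130160325':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    expires: 2023-10-30 15:12:27 -03
    track: yes
EOF
}

# Demonstration: reference date 2023-10-15, 30-day window
sample_getcert_output | getcert_triage 2023-10-15 30
```

Run against the sample this reports the stuck audit-signing request and the RA agent certificate (15 days left), and stays silent about the KDC certificate until the window is widened to cover its 59 remaining days. Unknown expiry is deliberately treated as a finding rather than as "fine", since it is exactly what a request that certmonger cannot read looks like.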
On 30 Nov 2022, at 19:55, Rob Crittenden <rcritten@redhat.com> wrote:
Juan Pablo Lorier wrote:
> The only expired cert was the HTTP in the dc1 server, dc2 had all the
> certs valid:
This does not show all of the tracked certificates. Use plain getcert
which will show for all CA helpers.
rob
>
> *Dc1:*
>
> ipa-getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20191218181440':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
> expires: 2023-11-21 15:14:49 -03
> principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-pkinit-KPKdc
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> track: yes
> auto-renew: yes
> Request ID '20191219011104':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
> expires: 2023-11-21 15:13:39 -03
> dns: dc1.tnu.com.uy
> principal name: ldap/dc1.tnu.com.uy@TNU.COM.UY
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
> track: yes
> auto-renew: yes
> Request ID '20211217030046':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc1.tnu.com.uy-443-RSA'
> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
> expires: 2023-12-18 00:01:22 -03
> dns: dc1.tnu.com.uy
> principal name: HTTP/dc1.tnu.com.uy@TNU.COM.UY
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
>
> *Dc2*:
>
> ipa-getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20200110015908':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
> issued: 2021-12-12 22:59:28 -03
> expires: 2023-12-13 22:59:28 -03
> principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-pkinit-KPKdc
> profile: KDCs_PKINIT_Certs
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> track: yes
> auto-renew: yes
> Request ID '20221130160326':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
> issued: 2021-12-12 22:53:10 -03
> expires: 2023-12-13 22:53:10 -03
> dns: dc2.tnu.com.uy
> principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> profile: caIPAserviceCert
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
> track: yes
> auto-renew: yes
> Request ID '20221130160327':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
> issued: 2021-12-12 22:53:26 -03
> expires: 2023-12-13 22:53:26 -03
> dns: dc2.tnu.com.uy
> principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> profile: caIPAserviceCert
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
>
>> On 30 Nov 2022, at 18:50, Rob Crittenden <rcritten@redhat.com> wrote:
>>
>> Juan Pablo Lorier wrote:
>>> Ok, with the skip-version-check flag it starts correctly, but if I try
>>> to restart the service without the flag, it fails at the same point. The
>>> error is related to the upgrade process then. I’m upgrading from 4.7 to
>>> 4.9 as I didn’t find any restriction in the documentation.
>>> Is it possible that there’s an issue with that upgrade path?
>>
>> It is likely related to your expired certificates. Did you look to see
>> if others besides the HTTP cert expired?
>>
>> rob
>>
>>> Thanks
>>>
>>>> On 30 Nov 2022, at 16:21, Rob Crittenden <rcritten@redhat.com> wrote:
>>>>
>>>> Juan Pablo Lorier wrote:
>>>>> Hi,
>>>>>
>>>>> Rob, the problem with ipactl --ignore-service-failures is that it
>>>>> always tries to upgrade from 4.7 to 4.9 first and it fails for that reason.
>>>>
>>>> $ man 8 ipactl
>>>>
>>>> --skip-version-check Skip version check
>>>>
>>>> rob
>>>>
>>>>>
>>>>> I was able to move forward and get pki-tomcat running but I still
>>>>> can’t finish the upgrade process.
>>>>> Here are some more logs to see if you can see a lead to help me.
>>>>> Regards
>>>>>
>>>>> */var/log/ipaupgrade.log*
>>>>>
>>>>> 2022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
>>>>> 2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
>>>>> 2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
>>>>> 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
>>>>> 2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
>>>>> 2022-11-30T16:07:49Z DEBUG request body ''
>>>>> 2022-11-30T16:07:54Z DEBUG httplib request failed:
>>>>> Traceback (most recent call last):
>>>>>   File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
>>>>>     conn.request(method, path, body=request_body, headers=headers)
>>>>>   File "/usr/lib64/python3.6/http/client.py", line 1273, in request
>>>>>     self._send_request(method, url, body, headers, encode_chunked)
>>>>>   File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
>>>>>     self.endheaders(body, encode_chunked=encode_chunked)
>>>>>   File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
>>>>>     self._send_output(message_body, encode_chunked=encode_chunked)
>>>>>   File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
>>>>>     self.send(msg)
>>>>>   File "/usr/lib64/python3.6/http/client.py", line 982, in send
>>>>>     self.connect()
>>>>>   File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
>>>>>     server_hostname=server_hostname)
>>>>>   File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
>>>>>     _context=self, _session=session)
>>>>>   File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
>>>>>     self.do_handshake()
>>>>>   File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
>>>>>     self._sslobj.do_handshake()
>>>>>   File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
>>>>>     self._sslobj.do_handshake()
>>>>> OSError: [Errno 0] Error
>>>>> 2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>> 2022-11-30T16:07:54Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
>>>>>     return_value = self.run()
>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
>>>>>     server.upgrade()
>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
>>>>>     upgrade_configuration()
>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1908, in upgrade_configuration
>>>>>     ca_enable_ldap_profile_subsystem(ca)
>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
>>>>>     cainstance.migrate_profiles_to_ldap()
>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
>>>>>     _create_dogtag_profile(profile_id, profile_data, overwrite=False)
>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
>>>>>     with api.Backend.ra_certprofile as profile_api:
>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1207, in __enter__
>>>>>     method='GET'
>>>>>   File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in https_request
>>>>>     method=method, headers=headers)
>>>>>   File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in _httplib_request
>>>>>     raise NetworkError(uri=uri, error=str(e))
>>>>>
>>>>> 2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
>>>>> 2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
>>>>> NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
>>>>> 2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>>>
>>>>>
>>>>> *dirsrv/slapd-TNU-COM-UY/errors*
>>>>>
>>>>> [30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
>>>>> [30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
>>>>> [30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
>>>>> [30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
>>>>> [30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>>>>> [30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>>> [30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
>>>>> [30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
>>>>> [30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
>>>>> [30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com.uy@TNU.COM.UY] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>>
>>>>> *localhost_access_log.2022-11-30.txt*
>>>>>
>>>>> 127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
>>>>> XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
>>>>> XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669
>>>>>
>>>>>
>>>>>> On 23 Nov 2022, at 18:42, Rob Crittenden <rcritten@redhat.com> wrote:
>>>>>>
>>>>>> Run "ipactl --ignore-service-failures" and it should bring up all the
>>>>>> services it can.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>> Juan Pablo Lorier wrote:
>>>>>>> Hi again,
>>>>>>>
>>>>>>> I used the ldapi from /etc/ipa/default.conf and I was able to get a
>>>>>>> different reply:
>>>>>>>
>>>>>>> ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket
>>>>>>>
>>>>>>> SASL/GSSAPI authentication started
>>>>>>> ldap_sasl_interactive_bind_s: Local error (-2)
>>>>>>> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
>>>>>>>
>>>>>>> But if I try to renew the ticket, it fails:
>>>>>>>
>>>>>>> kinit admin
>>>>>>> kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
>>>>>>>
>>>>>>> The running DC is in 4.7 and it should reply to the kinit requests
>>>>>>>
>>>>>>> I added the debug option to see if I can get further information.
>>>>>>>
>>>>>>> ipactl restart
>>>>>>> IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
>>>>>>> Automatically running upgrade, for details see /var/log/ipaupgrade.log
>>>>>>> Be patient, this may take a few minutes.
>>>>>>> Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
>>>>>>> Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
>>>>>>> Update complete
>>>>>>> Upgrading the configuration of the IPA services
>>>>>>> [Verifying that root certificate is published]
>>>>>>> [Migrate CRL publish directory]
>>>>>>> CRL tree already moved
>>>>>>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>>>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>>>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
>>>>>>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>>>>>
>>>>>>> See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
>>>>>>> Stopping ipa-dnskeysyncd Service
>>>>>>> Stopping ipa-otpd Service
>>>>>>> Stopping pki-tomcatd Service
>>>>>>> Stopping ipa-custodia Service
>>>>>>> Stopping httpd Service
>>>>>>> Stopping named Service
>>>>>>> Stopping kadmin Service
>>>>>>> Stopping krb5kdc Service
>>>>>>> Stopping Directory Service
>>>>>>> Aborting ipactl
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>>
>>>>>>>> On 23 Nov 2022, at 11:50, Rob Crittenden <rcritten@redhat.com> wrote:
>>>>>>>>
>>>>>>>> Juan Pablo Lorier wrote:
>>>>>>>>> Hi Rob,
>>>>>>>>>
>>>>>>>>> Thanks for the reply. As I didn’t know any other way but to go back in
>>>>>>>>> time, I just did it and now the server is running 100%.
>>>>>>>>>
>>>>>>>>> This was all part of an update from 4.7 to 4.9. According to the
>>>>>>>>> documentation, it was just a matter of a def update, but it seems
>>>>>>>>> that is not such a happy path.
>>>>>>>>> I updated the second server but it’s not able to finalize the update
>>>>>>>>> process. DNS is failing to start:
>>>>>>>>>
>>>>>>>>> # systemctl status ipa-dnskeysyncd.service
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ● ipa-dnskeysyncd.service - IPA key daemon
>>>>>>>>>    Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
>>>>>>>>>    Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
>>>>>>>>>  Main PID: 250496 (ipa-dnskeysyncd)
>>>>>>>>>     Tasks: 1 (limit: 23652)
>>>>>>>>>    Memory: 68.4M
>>>>>>>>>    CGroup: /system.slice/ipa-dnskeysyncd.service
>>>>>>>>>            └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd
>>>>>>>>>
>>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
>>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
>>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
>>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
>>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
>>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
>>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
>>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>>>>>>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
>>>>>>>>>
>>>>>>>>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
>>>>>>>>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.hbacsvcgroup
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.hbactest
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.host
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.hostgroup
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.idrange
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.idviews
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.internal
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.join
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.krbtpolicy
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.ldap2
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.location
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.migration
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.misc
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.netgroup
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.otp
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG ipaserver.plugins.otp is not a valid plugin
module
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.otpconfig
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.otptoken
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy
ipa-dnskeysyncd[55662]:
>>>>>>>>> ipalib.plugable:
>>>>>>>>> DEBUG importing plugin module
ipaserver.plugins.passwd
>>>>>>>>
>>>>>>>> There should be quite a bit more after that.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> #less /var/log/dirsrv/slapd-*/access
>>>>>>>>>
>>>>>>>>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68
RESULT err=0
>>>>>>>>> tag=101
>>>>>>>>> nentries=1 wtime=0.000108886 optime=0.000198759
etime=0.000306290
>>>>>>>>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69
SRCH
>>>>>>>>>
base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0
>>>>>>>>> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
>>>>>>>>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69
RESULT err=0
>>>>>>>>> tag=101
>>>>>>>>> nentries=1 wtime=0.000086049 optime=0.000059372
etime=0.000144403
>>>>>>>>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1
BIND dn=""
>>>>>>>>> method=sasl version=3 mech=GSSAPI
>>>>>>>>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1
RESULT err=14
>>>>>>>>> tag=97
>>>>>>>>> nentries=0 wtime=0.000071973 optime=0.002531582
>>>>>>>>> etime=0.002602416, SASL
>>>>>>>>> bind in progress
>>>>>>>>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2
BIND dn=""
>>>>>>>>> method=sasl version=3 mech=GSSAPI
>>>>>>>>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2
RESULT err=14
>>>>>>>>> tag=97
>>>>>>>>> nentries=0 wtime=0.000058962 optime=0.001451477
>>>>>>>>> etime=0.001509337, SASL
>>>>>>>>> bind in progress
>>>>>>>>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3
BIND dn=""
>>>>>>>>> method=sasl version=3 mech=GSSAPI
>>>>>>>>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3
RESULT err=0
>>>>>>>>> tag=97
>>>>>>>>> nentries=0 wtime=0.000114469 optime=0.000719743
etime=0.000833026
>>>>>>>>> dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
>>>>>>>>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4
SRCH
>>>>>>>>> base="cn=accounts,dc=tnu,dc=com,dc=uy"
scope=2
>>>>>>>>>
filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))"
>>>>>>>>> attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
>>>>>>>>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4
RESULT err=0
>>>>>>>>> tag=101
>>>>>>>>> nentries=1 wtime=0.000107524 optime=0.000653663
etime=0.000758994
>>>>>>>>> notes=P details="Paged Search" pr_idx=0
pr_cookie=-1
>>>>>>>>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5
SRCH
>>>>>>>>>
base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
>>>>>>>>> scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
>>>>>>>>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5
RESULT err=0
>>>>>>>>> tag=101
>>>>>>>>> nentries=1 wtime=0.000092854 optime=0.002558537
etime=0.002649094
>>>>>>>>> notes=P details="Paged Search" pr_idx=0
pr_cookie=-1
>>>>>>>>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6
SRCH
>>>>>>>>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2
>>>>>>>>>
filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))"
>>>>>>>>> attrs="objectClass ipaUniqueID cn member entryusn"
>>>>>>>>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6
RESULT err=0
>>>>>>>>> tag=101
>>>>>>>>> nentries=0 wtime=0.000115180 optime=0.000258196
etime=0.000371481
>>>>>>>>> notes=P details="Paged Search" pr_idx=0
pr_cookie=-1
>>>>>>>>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7
SRCH
>>>>>>>>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2
>>>>>>>>> filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))"
>>>>>>>>> attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
>>>>>>>>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7
RESULT err=0
>>>>>>>>> tag=101
>>>>>>>>> nentries=0 wtime=0.000112679 optime=0.000418158
etime=0.000529132
>>>>>>>>> notes=P details="Paged Search" pr_idx=0
pr_cookie=-1
>>>>>>>>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805
EXT
>>>>>>>>> oid="2.16.840.1.113730.3.5.12"
name="replication-multimaster-extop"
>>>>>>>>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799
EXT
>>>>>>>>> oid="2.16.840.1.113730.3.5.12"
name="replication-multimaster-extop"
>>>>>>>>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805
RESULT err=0
>>>>>>>>> tag=120 nentries=0 wtime=0.000194721
optime=0.000766071
>>>>>>>>> etime=0.000956734
>>>>>>>>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799
RESULT err=0
>>>>>>>>> tag=120 nentries=0 wtime=0.000326560
optime=0.001178137
>>>>>>>>> etime=0.001489204
>>>>>>>>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806
EXT
>>>>>>>>> oid="2.16.840.1.113730.3.5.5"
name="replication-multimaster-extop"
>>>>>>>>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806
RESULT err=0
>>>>>>>>> tag=120 nentries=0 wtime=0.000133089
optime=0.002969180
>>>>>>>>> etime=0.003098843
>>>>>>>>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800
EXT
>>>>>>>>> oid="2.16.840.1.113730.3.5.5"
name="replication-multimaster-extop"
>>>>>>>>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800
RESULT err=0
>>>>>>>>> tag=120 nentries=0 wtime=0.000131720
optime=0.002769639
>>>>>>>>> etime=0.002897696
>>>>>>>>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807
EXT
>>>>>>>>> oid="2.16.840.1.113730.3.5.12"
name="replication-multimaster-extop"
>>>>>>>>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801
EXT
>>>>>>>>> oid="2.16.840.1.113730.3.5.12"
name="replication-multimaster-extop"
>>>>>>>>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801
RESULT err=0
>>>>>>>>> tag=120 nentries=0 wtime=0.000245657
optime=0.001129708
>>>>>>>>> etime=0.001372435
>>>>>>>>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807
RESULT err=0
>>>>>>>>> tag=120 nentries=0 wtime=0.000293789
optime=0.001457836
>>>>>>>>> etime=0.001748601
>>>>>>>>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808
EXT
>>>>>>>>> oid="2.16.840.1.113730.3.5.5"
name="replication-multimaster-extop"
>>>>>>>>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808
RESULT err=0
>>>>>>>>> tag=120 nentries=0 wtime=0.010809128
optime=0.004600843
>>>>>>>>> etime=0.015402108
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I see that after the update, the files were changed:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [root@dc2 sysconfig]# ll
/etc/dirsrv/slapd-TNU-COM-UY*
>>>>>>>>> /etc/dirsrv/slapd-TNU-COM-UY:
>>>>>>>>> total 4208
>>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022
Server-Cert-Key.pem
>>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022
Server-Cert.pem
>>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022
>>>>>>>>> TNU.COM.UY20IPA20CA.pem
>>>>>>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021
cert9.db
>>>>>>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020
cert9.db.orig
>>>>>>>>> -r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020
certmap.conf
>>>>>>>>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27
dse.ldif
>>>>>>>>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26
dse.ldif.bak
>>>>>>>>> -rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55
>>>>>>>>> dse.ldif.ipa.1cf1fe204fd69494
>>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:01
>>>>>>>>> dse.ldif.ipa.1dd1d38cbd8d26ae
>>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:26
>>>>>>>>> dse.ldif.ipa.21662457cb42c116
>>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:47
>>>>>>>>> dse.ldif.ipa.256a5d66e550a957
>>>>>>>>> -rw-------. 1 dirsrv root 195350 Nov 21 13:35
>>>>>>>>> dse.ldif.ipa.274744b10eed3d9b
>>>>>>>>> -rw-------. 1 dirsrv root 203050 Nov 21 19:09
>>>>>>>>> dse.ldif.ipa.385fb48f5462219c
>>>>>>>>> -rw-------. 1 dirsrv root 156705 Jan 9 2020
>>>>>>>>> dse.ldif.ipa.6b71b47d73ca452a
>>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:38
>>>>>>>>> dse.ldif.ipa.767aba4a82811822
>>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 21 21:07
>>>>>>>>> dse.ldif.ipa.814a4de587fc22ec
>>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:49
>>>>>>>>> dse.ldif.ipa.889036fc0907e7de
>>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:47
>>>>>>>>> dse.ldif.ipa.8fd2b7413b99dfa3
>>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:42
>>>>>>>>> dse.ldif.ipa.958ca3a96922f2fd
>>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:48
>>>>>>>>> dse.ldif.ipa.bacd6d1d200348bf
>>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:24
>>>>>>>>> dse.ldif.ipa.bfadc14f0e609072
>>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:23
>>>>>>>>> dse.ldif.ipa.f1e864261a119b6c
>>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 15:42
>>>>>>>>> dse.ldif.ipa.fa918bf07c17e2e8
>>>>>>>>> -rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26
>>>>>>>>> dse.ldif.modified.out
>>>>>>>>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26
dse.ldif.startOK
>>>>>>>>> -r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020
dse_original.ldif
>>>>>>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021
key4.db
>>>>>>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020
key4.db.orig
>>>>>>>>> -r--------. 1 dirsrv dirsrv 67 Jan 9 2020
pin.txt
>>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26
pkcs11.txt
>>>>>>>>> -rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020
pkcs11.txt.orig
>>>>>>>>> -rw-------. 1 dirsrv dirsrv 41 Jan 9 2020
pwdfile.txt
>>>>>>>>> -r--------. 1 dirsrv dirsrv 41 Jan 9 2020
pwdfile.txt.orig
>>>>>>>>> drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26
schema
>>>>>>>>> drwxr-x---. 2 dirsrv root 25 Nov 21 18:59
schema.bak
>>>>>>>>> -rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59
>>>>>>>>> slapd-collations.conf
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I can’t connect to the LDAP service:
>>>>>>>>>
>>>>>>>>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
>>>>>>>>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>>>>>>>>
>>>>>>>> You have to escape the socket path:
>>>>>>>> ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket
>>>>>>>>
>>>>>>>>> # less /var/log/ipaupgrade.log
>>>>>>>>>
>>>>>>>>> Server built: Jun 29 2021 22:00:15 UTC
>>>>>>>>> Server number: 9.0.30.0
>>>>>>>>> OS Name: Linux
>>>>>>>>> OS Version: 4.18.0-348.7.1.el8_5.x86_64
>>>>>>>>> Architecture: amd64
>>>>>>>>> JVM Version: 1.8.0_322-b06
>>>>>>>>> JVM Vendor: Red Hat, Inc.
>>>>>>>>>
>>>>>>>>> 2022-11-22T14:26:56Z DEBUG stderr=
>>>>>>>>> 2022-11-22T14:26:56Z DEBUG Starting external process
>>>>>>>>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
>>>>>>>>> 2022-11-22T14:26:56Z DEBUG Process finished, return
code=1
>>>>>>>>> 2022-11-22T14:26:56Z DEBUG stdout=
>>>>>>>>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
>>>>>>>>>
>>>>>>>>> 2022-11-22T14:26:56Z DEBUG Starting external process
>>>>>>>>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service']
>>>>>>>>> 2022-11-22T14:26:57Z DEBUG Process finished, return
code=1
>>>>>>>>> 2022-11-22T14:26:57Z DEBUG stdout=
>>>>>>>>> 2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.
>>>>>>>>> See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
>>>>>>>>>
>>>>>>>>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>>>>>> 2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
>>>>>>>>>     return_value = self.run()
>>>>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
>>>>>>>>>     server.upgrade()
>>>>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
>>>>>>>>>     upgrade_configuration()
>>>>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration
>>>>>>>>>     ca.start('pki-tomcat')
>>>>>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start
>>>>>>>>>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>>>>>>>>>   File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start
>>>>>>>>>     skip_output=not capture_output)
>>>>>>>>>   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
>>>>>>>>>     p.returncode, arg_string, output_log, error_log
>>>>>>>>>
>>>>>>>>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
>>>>>>>>> 2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
>>>>>>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
>>>>>>>>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>>>>>>> (END)
>>>>>>>>
>>>>>>>> The CA failed to start. This is often due to expired
>>>>>>>> certificates that
>>>>>>>> get exposed when an upgrade is done. Check that out.
>>>>>>>>
>>>>>>>>> #ipactl status
>>>>>>>>>
>>>>>>>>> Directory Service: RUNNING
>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>> named Service: STOPPED
>>>>>>>>> httpd Service: RUNNING
>>>>>>>>> ipa-custodia Service: RUNNING
>>>>>>>>> pki-tomcatd Service: STOPPED
>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>>> 2 service(s) are not running
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>>> On 22 Nov 2022, at 11:43, Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Juan Pablo Lorier via FreeIPA-users wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I have a production server that was not maintained and I see
>>>>>>>>>>> that the HTTP certificate has expired long ago. I tried to
>>>>>>>>>>> renew it but I'm not able to get it right.
>>>>>>>>>>>
>>>>>>>>>>> The initial status was:
>>>>>>>>>>>
>>>>>>>>>>> Request ID '20191219011208':
>>>>>>>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>>>>>>>>> stuck: yes
>>>>>>>>>>> key pair storage:
>>>>>>>>>>>
type=FILE,location='/var/lib/ipa/private/httpd.key'
>>>>>>>>>>> certificate:
type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>>>>>>>>
>>>>>>>>>>> Then following this thread
>>>>>>>>>>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>>>>>>>>>>
>>>>>>>>>>> I got it to this state:
>>>>>>>>>>>
>>>>>>>>>>> Request ID '20191219011208':
>>>>>>>>>>> status: MONITORING
>>>>>>>>>>> ca-error: Server at
https://dc1.tnu.com.uy/ipa/xml failed
>>>>>>>>>>> request,
>>>>>>>>>>> will retry: -504 (HTTP POST to URL
'https://XXXX/ipa/xml' failed.
>>>>>>>>>>> libcurl failed even to execute the HTTP
transaction, explaining:
>>>>>>>>>>> SSL certificate problem: certificate has
expired).
>>>>>>>>>>> stuck: no
>>>>>>>>>>> key pair storage:
>>>>>>>>>>>
type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
>>>>>>>>>>> certificate:
type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>>>>>>>>
>>>>>>>>>>> The post indicates that I have to put an old date in the
>>>>>>>>>>> server to get it renewed, but as the server is in production,
>>>>>>>>>>> it means that all clients will fail to log in to the server.
>>>>>>>>>>> Moreover, what time should I return to, before the certificate
>>>>>>>>>>> expiration or right after?
>>>>>>>>>>> Thanks in advance
>>>>>>>>>>
>>>>>>>>>> I'd guess that this affects a lot more than just the web server
>>>>>>>>>> cert. getcert list will tell you.
>>>>>>>>>>
>>>>>>>>>> That outcome will affect the suggested remediation.
>>>>>>>>>>
>>>>>>>>>> As for going back in time, you'd need a server outage to do this
>>>>>>>>>> and it only would be backwards in time for a short time. Just long
>>>>>>>>>> enough so the services could start with non-expired certificates
>>>>>>>>>> to get them renewed. But there are other ways to do this that
>>>>>>>>>> don't require fiddling with time.
>>>>>>>>>>
>>>>>>>>>> rob