Hi, I have a production server that was not maintained and I see that the HTTP certificate has expired long ago. I tried to renew it but I'm not being agle to get it right. The initial status was: Request ID '20191219011208': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key' certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' Then following this thread https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... I got it to this state: Request ID '20191219011208': status: MONITORING ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired). stuck: no key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA' certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' The post indicates that I have to put an old date in the server to get it renewed, but as the server is in production, it means that all clients will fail to log to the server. Evenmore, what time should I return to, before the certificate expiration or right after? Thanks in advanc

Hi Rob, Thanks for the reply. As I didn’t know other way but to go back in time, I just did it and now the server is running 100%. This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter to def update but it seems that is not such a happy path.> I updated the second server but it’s not able to finalize the update process. DNS is failing to start: # systemctl status ipa-dnskeysyncd.service  *●*ipa-dnskeysyncd.service - IPA key daemon    Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)    Active: *active (running)*since Tue 2022-11-22 11:27:16 -03; 1h 14min ago  Main PID: 250496 (ipa-dnskeysyncd)     Tasks: 1 (limit: 23652)    Memory: 68.4M    CGroup: /system.slice/ipa-dnskeysyncd.service            └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1 Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2 Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO     Commencing sync process Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO     Initial LDAP dump is done, sychronizing with ODS and BIND Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: *Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO* Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: *Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL* Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: *Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false* Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1 Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1 Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:  GSSAPI client step 1 [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service  -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. -- Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon. Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing all plugin modules in ipaserver.plugins... Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.aci Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.automember Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.automount Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.baseldap Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    ipaserver.plugins.baseldap is not a valid plugin module Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.baseuser Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.batch Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.ca <http://ipaserver.plugins.ca> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.caacl Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.cert Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.certmap Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.certprofile Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.config Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.delegation Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.dns Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.dnsserver Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.dogtag Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.domainlevel Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.group Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.hbac Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    ipaserver.plugins.hbac is not a valid plugin module Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.hbacrule Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.hbacsvc Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.hbacsvcgroup Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.hbactest Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.host Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.hostgroup Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.idrange Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.idviews Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.internal Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.join Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.krbtpolicy Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.ldap2 Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.location Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.migration Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.misc Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.netgroup Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.otp Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    ipaserver.plugins.otp is not a valid plugin module Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.otpconfig Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.otptoken Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG    importing plugin module ipaserver.plugins.passwd

#less /var/log/dirsrv/slapd-*/access [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290 [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewab leAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge" [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403 [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc= com,dc=uy" [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostN ame memberOf ipaSshPubKey ipaUniqueID" [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaU niqueID" [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn memb er entryusn" [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostC ategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgro ups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberU ser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup e xternalUser entryusn" [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734 [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204 [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843 [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696 [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435 [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601 [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108 I see that after the update, the files were changed: [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY* /etc/dirsrv/slapd-TNU-COM-UY: total 4208 -rw-r-----. 1 dirsrv dirsrv   1804 Jan 21  2022 Server-Cert-Key.pem -rw-r-----. 1 dirsrv dirsrv   1829 Jan 21  2022 Server-Cert.pem -rw-r-----. 1 dirsrv dirsrv   1464 Jan 21  2022 TNU.COM.UY20IPA20CA.pem -rw-r-----. 1 dirsrv root    36864 Dec 12  2021 cert9.db -rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 cert9.db.orig -r--r-----. 1 dirsrv dirsrv   1729 Jan  9  2020 certmap.conf -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak -rw-r--r--. 1 dirsrv root   208440 Nov 22 10:55 dse.ldif.ipa.1cf1fe204fd69494 -rw-------. 1 dirsrv root   202234 Nov 21 14:01 dse.ldif.ipa.1dd1d38cbd8d26ae -rw-------. 1 dirsrv root   208355 Nov 22 11:26 dse.ldif.ipa.21662457cb42c116 -rw-------. 1 dirsrv root   208355 Nov 22 10:47 dse.ldif.ipa.256a5d66e550a957 -rw-------. 1 dirsrv root   195350 Nov 21 13:35 dse.ldif.ipa.274744b10eed3d9b -rw-------. 1 dirsrv root   203050 Nov 21 19:09 dse.ldif.ipa.385fb48f5462219c -rw-------. 1 dirsrv root   156705 Jan  9  2020 dse.ldif.ipa.6b71b47d73ca452a -rw-------. 1 dirsrv root   202234 Nov 21 13:38 dse.ldif.ipa.767aba4a82811822 -rw-------. 1 dirsrv root   208355 Nov 21 21:07 dse.ldif.ipa.814a4de587fc22ec -rw-------. 1 dirsrv root   208355 Nov 22 10:49 dse.ldif.ipa.889036fc0907e7de -rw-------. 1 dirsrv root   202234 Nov 21 13:47 dse.ldif.ipa.8fd2b7413b99dfa3 -rw-------. 1 dirsrv root   202234 Nov 21 13:42 dse.ldif.ipa.958ca3a96922f2fd -rw-------. 1 dirsrv root   202234 Nov 21 14:48 dse.ldif.ipa.bacd6d1d200348bf -rw-------. 1 dirsrv root   208355 Nov 22 11:24 dse.ldif.ipa.bfadc14f0e609072 -rw-------. 1 dirsrv root   202234 Nov 21 14:23 dse.ldif.ipa.f1e864261a119b6c -rw-------. 1 dirsrv root   202234 Nov 21 15:42 dse.ldif.ipa.fa918bf07c17e2e8 -rw-r--r--. 1 dirsrv root   208167 Nov 22 11:26 dse.ldif.modified.out -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK -r--r-----. 1 dirsrv dirsrv  36009 Jan  9  2020 dse_original.ldif -rw-r-----. 1 dirsrv root    36864 Dec 12  2021 key4.db -rw-rw----. 1 dirsrv dirsrv  28672 Jan  9  2020 key4.db.orig -r--------. 1 dirsrv dirsrv     67 Jan  9  2020 pin.txt -rw-r-----. 1 dirsrv dirsrv    561 Nov 22 11:26 pkcs11.txt -rw-rw----. 1 dirsrv dirsrv    556 Jan  9  2020 pkcs11.txt.orig -rw-------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt -r--------. 1 dirsrv dirsrv     41 Jan  9  2020 pwdfile.txt.orig drwxrwx---. 2 dirsrv dirsrv   4096 Nov 22 11:26 schema drwxr-x---. 2 dirsrv root       25 Nov 21 18:59 schema.bak -rw-r--r--. 1 dirsrv root    15142 Nov 21 18:59 slapd-collations.conf I can’t connect to the LDAP service: # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

# less /var/log/ipaupgrade.log Server built:   Jun 29 2021 22:00:15 UTC Server number:  9.0.30.0 OS Name:        Linux OS Version:     4.18.0-348.7.1.el8_5.x86_64 Architecture:   amd64 JVM Version:    1.8.0_322-b06 JVM Vendor:     Red Hat, Inc. 2022-11-22T14:26:56Z DEBUG stderr= 2022-11-22T14:26:56Z DEBUG Starting external process 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra'] 2022-11-22T14:26:56Z DEBUG Process finished, return code=1 2022-11-22T14:26:56Z DEBUG stdout= 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat. 2022-11-22T14:26:56Z DEBUG Starting external process 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', &#39;pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>'] 2022-11-22T14:26:57Z DEBUG Process finished, return code=1 2022-11-22T14:26:57Z DEBUG stdout= 2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> failed because the control process exited with error code. See "systemctl status pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>" and "journalctl -xe" for details. 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 2022-11-22T14:26:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute     return_value = self.run()   File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run     server.upgrade()   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade     upgrade_configuration()   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1783, in upgrade_configuration     ca.start('pki-tomcat')   File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start     self.service.start(instance_name, capture_output=capture_output, wait=wait)   File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 306, in start     skip_output=not capture_output)   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run     p.returncode, arg_string, output_log, error_log 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', &#39;pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>" and "journalctl -xe" for details.\n') 2022-11-22T14:26:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', &#39;pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit status 1: 'Job for pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>" and "journalctl -xe" for details.\n') 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information (END)

#ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: STOPPED httpd Service: RUNNING ipa-custodia Service: RUNNING pki-tomcatd Service: STOPPED ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING 2 service(s) are not running Thanks > El 22 nov. 2022, a las 11:43, Rob Crittenden <rcritten(a)redhat.com > <mailto:rcritten@redhat.com>> escribió: > > Juan Pablo Lorier via FreeIPA-users wrote: >> Hi, >> >> I have a production server that was not maintained and I see that the >> HTTP certificate has expired long ago. I tried to renew it but I'm >> not being agle to get it right. >> >> The initial status was: >> >> Request ID '20191219011208': >> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >> stuck: yes >> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key' >> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >> >> Then following this thread >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >> >> I got it to this state: >> >> Request ID '20191219011208': >> status: MONITORING >> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, >> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. >>  libcurl failed even to execute the HTTP transaction, explaining: >>  SSL certificate problem: certificate has expired). >> stuck: no >> key pair storage: >> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA' >> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >> >> The post indicates that I have to put an old date in the server to >> get it renewed, but as the server is in production, it means that all >> clients will fail to log to the server. Evenmore, what time should I >> return to, before the certificate expiration or right after? >> Thanks in advanc > > I'd guess that this affects a lot more than just the web server cert. > getcert list will tell you. > > Depending on that outcome affect the suggested remediation. > > As for going back in time, you'd need a server outage to do this and it > only would be backwards in time for a short time. Just long enough so > the services could start with non-expired certificates to get them > renewed. But there are other ways to do this that don't require fiddling > with time. > > rob >

El 23 nov. 2022, a las 11:50, Rob Crittenden <rcritten(a)redhat.com&gt; escribió: Juan Pablo Lorier wrote: > Hi Rob, > > Thanks for the reply. As I didn’t know other way but to go back in time, > I just did it and now the server is running 100%. > > This was all part of an update from 4.7 to 4.9. According to the > documentation, it was just a matter to def update but it seems that is > not such a happy path.> > I updated the second server but it’s not able to finalize the update > process. DNS is failing to start: > > # systemctl status ipa-dnskeysyncd.service > > > *●*ipa-dnskeysyncd.service - IPA key daemon > Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; > disabled; vendor preset: disabled) > Active: *active (running)*since Tue 2022-11-22 11:27:16 -03; 1h 14min ago > Main PID: 250496 (ipa-dnskeysyncd) > Tasks: 1 (limit: 23652) > Memory: 68.4M > CGroup: /system.slice/ipa-dnskeysyncd.service > └─250496 /usr/libexec/platform-python -I > /usr/libexec/ipa/ipa-dnskeysyncd > > Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1 > Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2 > Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: > INFO Commencing sync process > Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: > ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, > sychronizing with ODS and BIND > Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: > *Configuration.cpp(96): Missing log.level in configuration. Using > default value: INFO* > Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: > *Configuration.cpp(96): Missing slots.mechanisms in configuration. Using > default value: ALL* > Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: > *Configuration.cpp(124): Missing slots.removable in configuration. Using > default value: false* > Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1 > Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1 > Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: > > > > GSSAPI client step 1 > [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service > > > -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 > 12:40:17 -03. -- > Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon. > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing all plugin modules in ipaserver.plugins... > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.aci > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.automember > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.automount > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.baseldap > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG ipaserver.plugins.baseldap is not a valid plugin module > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.baseuser > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.batch > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.ca > <http://ipaserver.plugins.ca <http://ipaserver.plugins.ca/>> > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.caacl > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.cert > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.certmap > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.certprofile > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.config > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.delegation > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.dns > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.dnsserver > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.dogtag > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.domainlevel > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.group > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.hbac > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG ipaserver.plugins.hbac is not a valid plugin module > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.hbacrule > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.hbacsvc > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.hbactest > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.host > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.hostgroup > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.idrange > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.idviews > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.internal > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.join > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.krbtpolicy > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.ldap2 > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.location > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.migration > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.misc > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.netgroup > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.otp > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG ipaserver.plugins.otp is not a valid plugin module > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.otpconfig > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.otptoken > Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: > DEBUG importing plugin module ipaserver.plugins.passwd There should be quite a bit more after that. > > #less /var/log/dirsrv/slapd-*/access > > [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 > nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290 > [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH > base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 > filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife > krbMaxRenewab > leAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge" > [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 > nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403 > [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" > method=sasl version=3 mech=GSSAPI > [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 > nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL > bind in progress > [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" > method=sasl version=3 mech=GSSAPI > [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 > nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL > bind in progress > [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" > method=sasl version=3 mech=GSSAPI > [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 > nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 > dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc= > com,dc=uy" > [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH > base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 > filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" > attrs="objectClass cn fqdn serverHostN > ame memberOf ipaSshPubKey ipaUniqueID" > [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 > nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 > notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 > [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH > base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" > scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaU > niqueID" > [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 > nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 > notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 > [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH > base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 > filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" > attrs="objectClass ipaUniqueID cn memb > er entryusn" > [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 > nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 > notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 > [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH > base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 > filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostC > ategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgro > ups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" > attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs > ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberU > ser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory > userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory > ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup e > xternalUser entryusn" > [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 > nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 > notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 > [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT > oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" > [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT > oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" > [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 > tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734 > [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 > tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204 > [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT > oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" > [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 > tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843 > [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT > oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" > [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 > tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696 > [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT > oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" > [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT > oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" > [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 > tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435 > [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 > tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601 > [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT > oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" > [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 > tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108 > > > I see that after the update, the files were changed: > > > [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY* > /etc/dirsrv/slapd-TNU-COM-UY: > total 4208 > -rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem > -rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem > -rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 TNU.COM.UY20IPA20CA.pem > -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db > -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig > -r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf > -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif > -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak > -rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 > dse.ldif.ipa.1cf1fe204fd69494 > -rw-------. 1 dirsrv root 202234 Nov 21 14:01 > dse.ldif.ipa.1dd1d38cbd8d26ae > -rw-------. 1 dirsrv root 208355 Nov 22 11:26 > dse.ldif.ipa.21662457cb42c116 > -rw-------. 1 dirsrv root 208355 Nov 22 10:47 > dse.ldif.ipa.256a5d66e550a957 > -rw-------. 1 dirsrv root 195350 Nov 21 13:35 > dse.ldif.ipa.274744b10eed3d9b > -rw-------. 1 dirsrv root 203050 Nov 21 19:09 > dse.ldif.ipa.385fb48f5462219c > -rw-------. 1 dirsrv root 156705 Jan 9 2020 > dse.ldif.ipa.6b71b47d73ca452a > -rw-------. 1 dirsrv root 202234 Nov 21 13:38 > dse.ldif.ipa.767aba4a82811822 > -rw-------. 1 dirsrv root 208355 Nov 21 21:07 > dse.ldif.ipa.814a4de587fc22ec > -rw-------. 1 dirsrv root 208355 Nov 22 10:49 > dse.ldif.ipa.889036fc0907e7de > -rw-------. 1 dirsrv root 202234 Nov 21 13:47 > dse.ldif.ipa.8fd2b7413b99dfa3 > -rw-------. 1 dirsrv root 202234 Nov 21 13:42 > dse.ldif.ipa.958ca3a96922f2fd > -rw-------. 1 dirsrv root 202234 Nov 21 14:48 > dse.ldif.ipa.bacd6d1d200348bf > -rw-------. 1 dirsrv root 208355 Nov 22 11:24 > dse.ldif.ipa.bfadc14f0e609072 > -rw-------. 1 dirsrv root 202234 Nov 21 14:23 > dse.ldif.ipa.f1e864261a119b6c > -rw-------. 1 dirsrv root 202234 Nov 21 15:42 > dse.ldif.ipa.fa918bf07c17e2e8 > -rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out > -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK > -r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif > -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db > -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig > -r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt > -rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt > -rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig > -rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt > -r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig > drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema > drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak > -rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf > > > I can’t connect to the LDAP service: > > # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) You have to escape the socket path: ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket <ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket> > # less /var/log/ipaupgrade.log > > Server built: Jun 29 2021 22:00:15 UTC > Server number: 9.0.30.0 > OS Name: Linux > OS Version: 4.18.0-348.7.1.el8_5.x86_64 > Architecture: amd64 > JVM Version: 1.8.0_322-b06 > JVM Vendor: Red Hat, Inc. > > 2022-11-22T14:26:56Z DEBUG stderr= > 2022-11-22T14:26:56Z DEBUG Starting external process > 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra'] > 2022-11-22T14:26:56Z DEBUG Process finished, return code=1 > 2022-11-22T14:26:56Z DEBUG stdout= > 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in > instance pki-tomcat. > > 2022-11-22T14:26:56Z DEBUG Starting external process > 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', > &#39;pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>'] > 2022-11-22T14:26:57Z DEBUG Process finished, return code=1 > 2022-11-22T14:26:57Z DEBUG stdout= > 2022-11-22T14:26:57Z DEBUG stderr=Job for pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> > <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> failed because the control > process exited with error code. > See "systemctl status pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> > <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>" and "journalctl -xe" for details. > > 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect > /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. > 2022-11-22T14:26:57Z DEBUG File > "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in > execute > return_value = self.run() > File > "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", > line 54, in run > server.upgrade() > File > "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", > line 2055, in upgrade > upgrade_configuration() > File > "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", > line 1783, in upgrade_configuration > ca.start('pki-tomcat') > File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", > line 524, in start > self.service.start(instance_name, capture_output=capture_output, > wait=wait) > File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", > line 306, in start > skip_output=not capture_output) > File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line > 600, in run > p.returncode, arg_string, output_log, error_log > > 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, > exception: CalledProcessError: CalledProcessError(Command > ['/bin/systemctl', 'start', &#39;pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> > <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>'] returned non-zero exit status > 1: 'Job for pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> > <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> failed because the control > process exited with error code.\nSee "systemctl status > pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>" > and "journalctl -xe" for details.\n') > 2022-11-22T14:26:57Z ERROR Unexpected error - see > /var/log/ipaupgrade.log for details: > CalledProcessError: CalledProcessError(Command ['/bin/systemctl', > 'start', &#39;pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> > <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>'] returned non-zero exit status > 1: 'Job for pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> > <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> failed because the control > process exited with error code.\nSee "systemctl status > pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>" > and "journalctl -xe" for details.\n') > 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See > /var/log/ipaupgrade.log for more information > (END) The CA failed to start. This is often due to expired certificates that get exposed when an upgrade is done. Check that out. > #ipactl status > > Directory Service: RUNNING > krb5kdc Service: RUNNING > kadmin Service: RUNNING > named Service: STOPPED > httpd Service: RUNNING > ipa-custodia Service: RUNNING > pki-tomcatd Service: STOPPED > ipa-otpd Service: RUNNING > ipa-dnskeysyncd Service: RUNNING > 2 service(s) are not running > > > Thanks > >> El 22 nov. 2022, a las 11:43, Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com> >> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>> escribió: >> >> Juan Pablo Lorier via FreeIPA-users wrote: >>> Hi, >>> >>> I have a production server that was not maintained and I see that the >>> HTTP certificate has expired long ago. I tried to renew it but I'm >>> not being agle to get it right. >>> >>> The initial status was: >>> >>> Request ID '20191219011208': >>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >>> stuck: yes >>> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key' >>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>> >>> Then following this thread >>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >>> >>> I got it to this state: >>> >>> Request ID '20191219011208': >>> status: MONITORING >>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, >>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. >>> libcurl failed even to execute the HTTP transaction, explaining: >>> SSL certificate problem: certificate has expired). >>> stuck: no >>> key pair storage: >>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA' >>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>> >>> The post indicates that I have to put an old date in the server to >>> get it renewed, but as the server is in production, it means that all >>> clients will fail to log to the server. Evenmore, what time should I >>> return to, before the certificate expiration or right after? >>> Thanks in advanc >> >> I'd guess that this affects a lot more than just the web server cert. >> getcert list will tell you. >> >> Depending on that outcome affect the suggested remediation. >> >> As for going back in time, you'd need a server outage to do this and it >> only would be backwards in time for a short time. Just long enough so >> the services could start with non-expired certificates to get them >> renewed. But there are other ways to do this that don't require fiddling >> with time. >> >> rob

El 23 nov. 2022, a las 18:42, Rob Crittenden <rcritten(a)redhat.com&gt; escribió: Run "ipactl --ignore-service-failures" and it should bring up all the services it can. rob Juan Pablo Lorier wrote: > Hi again, > > I used the ldapi from /etc/ipa/default.conf and I was able to get a > different reply: > > ldapsearch -Y GSSAPI -H > ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket <ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket> > <ldapi:///var/run/slapd%5C-TNU%5C-COM%5C-UY.socket <ldapi:///var/run/slapd%5C-TNU%5C-COM%5C-UY.socket>> > > SASL/GSSAPI authentication started > ldap_sasl_interactive_bind_s: Local error (-2) > additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (Ticket expired) > > But if I try to renew the ticket, it fails: > > kinit admin > kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting > initial credentials > > The running DC is in 4.7 and it should reply to the kinit requests > > > I added the debug option to see if I can ge further information. > > ipactl restart > IPA version error: data needs to be upgraded (expected version > '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version > '4.7.1-11.module_el8.0.0+79+bbd20d7b') > Automatically running upgrade, for details see /var/log/ipaupgrade.log > Be patient, this may take a few minutes. > Automatic upgrade failed: Error caught updating > nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and > attributes are managed by topology plugin.No direct modifications allowed. > Error caught updating nsDS5ReplicatedAttributeListTotal: Server is > unwilling to perform: Entry and attributes are managed by topology > plugin.No direct modifications allowed. > Update complete > Upgrading the configuration of the IPA services > [Verifying that root certificate is published] > [Migrate CRL publish directory] > CRL tree already moved > IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run > command ipa-server-upgrade manually. > Unexpected error - see /var/log/ipaupgrade.log for details: > CalledProcessError: CalledProcessError(Command ['/bin/systemctl', > 'start', &#39;pki-tomcatd(a)pki-tomcat.service > <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>'] returned non-zero exit status > 1: 'Job for pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> > <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> failed because the control > process exited with error code.\nSee "systemctl status > pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>" > and "journalctl -xe" for details.\n') > The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for > more information > > See the upgrade log for more details and/or run > /usr/sbin/ipa-server-upgrade again > Stopping ipa-dnskeysyncd Service > Stopping ipa-otpd Service > Stopping pki-tomcatd Service > Stopping ipa-custodia Service > Stopping httpd Service > Stopping named Service > Stopping kadmin Service > Stopping krb5kdc Service > Stopping Directory Service > Aborting ipactl > > Regards > > >> El 23 nov. 2022, a las 11:50, Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com> >> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>> escribió: >> >> Juan Pablo Lorier wrote: >>> Hi Rob, >>> >>> Thanks for the reply. As I didn’t know other way but to go back in time, >>> I just did it and now the server is running 100%. >>> >>> This was all part of an update from 4.7 to 4.9. According to the >>> documentation, it was just a matter to def update but it seems that is >>> not such a happy path.> >>> I updated the second server but it’s not able to finalize the update >>> process. DNS is failing to start: >>> >>> # systemctl status ipa-dnskeysyncd.service >>> >>> >>> *●*ipa-dnskeysyncd.service - IPA key daemon >>> Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; >>> disabled; vendor preset: disabled) >>> Active: *active (running)*since Tue 2022-11-22 11:27:16 -03; 1h >>> 14min ago >>> Main PID: 250496 (ipa-dnskeysyncd) >>> Tasks: 1 (limit: 23652) >>> Memory: 68.4M >>> CGroup: /system.slice/ipa-dnskeysyncd.service >>> └─250496 /usr/libexec/platform-python -I >>> /usr/libexec/ipa/ipa-dnskeysyncd >>> >>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client >>> step 1 >>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client >>> step 2 >>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: >>> INFO Commencing sync process >>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: >>> ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, >>> sychronizing with ODS and BIND >>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>> *Configuration.cpp(96): Missing log.level in configuration. Using >>> default value: INFO* >>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>> *Configuration.cpp(96): Missing slots.mechanisms in configuration. Using >>> default value: ALL* >>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>> *Configuration.cpp(124): Missing slots.removable in configuration. Using >>> default value: false* >>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client >>> step 1 >>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client >>> step 1 >>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>> >>> >>> >>> GSSAPI client step 1 >>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service >>> >>> >>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 >>> 12:40:17 -03. -- >>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon. >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing all plugin modules in ipaserver.plugins... >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.aci >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.automember >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.automount >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.baseldap >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG ipaserver.plugins.baseldap is not a valid plugin module >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.baseuser >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.batch >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.ca <http://ipaserver.plugins.ca/> >>> <http://ipaserver.plugins.ca <http://ipaserver.plugins.ca/>> >>> <http://ipaserver.plugins.ca <http://ipaserver.plugins.ca/> <http://ipaserver.plugins.ca/ <http://ipaserver.plugins.ca/>>> >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.caacl >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.cert >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.certmap >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.certprofile >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.config >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.delegation >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.dns >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.dnsserver >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.dogtag >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.domainlevel >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.group >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.hbac >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG ipaserver.plugins.hbac is not a valid plugin module >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.hbacrule >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.hbacsvc >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.hbactest >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.host >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.hostgroup >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.idrange >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.idviews >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.internal >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.join >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.krbtpolicy >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.ldap2 >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.location >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.migration >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.misc >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.netgroup >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.otp >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG ipaserver.plugins.otp is not a valid plugin module >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.otpconfig >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.otptoken >>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>> DEBUG importing plugin module ipaserver.plugins.passwd >> >> There should be quite a bit more after that. >> >>> >>> #less /var/log/dirsrv/slapd-*/access >>> >>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 >>> nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290 >>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH >>> base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 >>> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife >>> krbMaxRenewab >>> leAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge" >>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 >>> nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403 >>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" >>> method=sasl version=3 mech=GSSAPI >>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 >>> nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL >>> bind in progress >>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" >>> method=sasl version=3 mech=GSSAPI >>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 >>> nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL >>> bind in progress >>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" >>> method=sasl version=3 mech=GSSAPI >>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 >>> nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 >>> dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc= >>> com,dc=uy" >>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH >>> base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 >>> filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" >>> attrs="objectClass cn fqdn serverHostN >>> ame memberOf ipaSshPubKey ipaUniqueID" >>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 >>> nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 >>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH >>> base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" >>> scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaU >>> niqueID" >>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 >>> nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 >>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH >>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 >>> filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" >>> attrs="objectClass ipaUniqueID cn memb >>> er entryusn" >>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 >>> nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 >>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH >>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 >>> filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostC >>> ategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgro >>> ups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" >>> attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs >>> ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberU >>> ser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory >>> userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory >>> ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup e >>> xternalUser entryusn" >>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 >>> nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 >>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT >>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT >>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 >>> tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734 >>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 >>> tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204 >>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT >>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 >>> tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843 >>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT >>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 >>> tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696 >>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT >>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT >>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 >>> tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 etime=0.001372435 >>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 >>> tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 etime=0.001748601 >>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT >>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 >>> tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 etime=0.015402108 >>> >>> >>> I see that after the update, the files were changed: >>> >>> >>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY* >>> /etc/dirsrv/slapd-TNU-COM-UY: >>> total 4208 >>> -rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem >>> -rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem >>> -rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 TNU.COM.UY20IPA20CA.pem >>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db >>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig >>> -r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf >>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif >>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak >>> -rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 >>> dse.ldif.ipa.1cf1fe204fd69494 >>> -rw-------. 1 dirsrv root 202234 Nov 21 14:01 >>> dse.ldif.ipa.1dd1d38cbd8d26ae >>> -rw-------. 1 dirsrv root 208355 Nov 22 11:26 >>> dse.ldif.ipa.21662457cb42c116 >>> -rw-------. 1 dirsrv root 208355 Nov 22 10:47 >>> dse.ldif.ipa.256a5d66e550a957 >>> -rw-------. 1 dirsrv root 195350 Nov 21 13:35 >>> dse.ldif.ipa.274744b10eed3d9b >>> -rw-------. 1 dirsrv root 203050 Nov 21 19:09 >>> dse.ldif.ipa.385fb48f5462219c >>> -rw-------. 1 dirsrv root 156705 Jan 9 2020 >>> dse.ldif.ipa.6b71b47d73ca452a >>> -rw-------. 1 dirsrv root 202234 Nov 21 13:38 >>> dse.ldif.ipa.767aba4a82811822 >>> -rw-------. 1 dirsrv root 208355 Nov 21 21:07 >>> dse.ldif.ipa.814a4de587fc22ec >>> -rw-------. 1 dirsrv root 208355 Nov 22 10:49 >>> dse.ldif.ipa.889036fc0907e7de >>> -rw-------. 1 dirsrv root 202234 Nov 21 13:47 >>> dse.ldif.ipa.8fd2b7413b99dfa3 >>> -rw-------. 1 dirsrv root 202234 Nov 21 13:42 >>> dse.ldif.ipa.958ca3a96922f2fd >>> -rw-------. 1 dirsrv root 202234 Nov 21 14:48 >>> dse.ldif.ipa.bacd6d1d200348bf >>> -rw-------. 1 dirsrv root 208355 Nov 22 11:24 >>> dse.ldif.ipa.bfadc14f0e609072 >>> -rw-------. 1 dirsrv root 202234 Nov 21 14:23 >>> dse.ldif.ipa.f1e864261a119b6c >>> -rw-------. 1 dirsrv root 202234 Nov 21 15:42 >>> dse.ldif.ipa.fa918bf07c17e2e8 >>> -rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out >>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK >>> -r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif >>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db >>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig >>> -r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt >>> -rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt >>> -rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig >>> -rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt >>> -r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig >>> drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema >>> drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak >>> -rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf >>> >>> >>> I can’t connect to the LDAP service: >>> >>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket <ldapi://var/run/slapd-TNU-COM-UY.socket> >>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) >> >> You have to escape the socket path: >> ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket <ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket> >> >>> # less /var/log/ipaupgrade.log >>> >>> Server built: Jun 29 2021 22:00:15 UTC >>> Server number: 9.0.30.0 >>> OS Name: Linux >>> OS Version: 4.18.0-348.7.1.el8_5.x86_64 >>> Architecture: amd64 >>> JVM Version: 1.8.0_322-b06 >>> JVM Vendor: Red Hat, Inc. >>> >>> 2022-11-22T14:26:56Z DEBUG stderr= >>> 2022-11-22T14:26:56Z DEBUG Starting external process >>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra'] >>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1 >>> 2022-11-22T14:26:56Z DEBUG stdout= >>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in >>> instance pki-tomcat. >>> >>> 2022-11-22T14:26:56Z DEBUG Starting external process >>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', >>> &#39;pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>'] >>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1 >>> 2022-11-22T14:26:57Z DEBUG stdout= >>> 2022-11-22T14:26:57Z DEBUG stderr=Job >>> for pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> failed because the control >>> process exited with error code. >>> See "systemctl status pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>" and "journalctl -xe" for >>> details. >>> >>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect >>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. >>> 2022-11-22T14:26:57Z DEBUG File >>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in >>> execute >>> return_value = self.run() >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", >>> line 54, in run >>> server.upgrade() >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>> line 2055, in upgrade >>> upgrade_configuration() >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>> line 1783, in upgrade_configuration >>> ca.start('pki-tomcat') >>> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", >>> line 524, in start >>> self.service.start(instance_name, capture_output=capture_output, >>> wait=wait) >>> File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", >>> line 306, in start >>> skip_output=not capture_output) >>> File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line >>> 600, in run >>> p.returncode, arg_string, output_log, error_log >>> >>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, >>> exception: CalledProcessError: CalledProcessError(Command >>> ['/bin/systemctl', 'start', &#39;pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>'] returned non-zero exit status >>> 1: 'Job for pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> failed because the control >>> process exited with error code.\nSee "systemctl status >>> pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>" >>> and "journalctl -xe" for details.\n') >>> 2022-11-22T14:26:57Z ERROR Unexpected error - see >>> /var/log/ipaupgrade.log for details: >>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', >>> 'start', &#39;pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>'] returned non-zero exit status >>> 1: 'Job for pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> failed because the control >>> process exited with error code.\nSee "systemctl status >>> pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>" >>> and "journalctl -xe" for details.\n') >>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See >>> /var/log/ipaupgrade.log for more information >>> (END) >> >> The CA failed to start. This is often due to expired certificates that >> get exposed when an upgrade is done. Check that out. >> >>> #ipactl status >>> >>> Directory Service: RUNNING >>> krb5kdc Service: RUNNING >>> kadmin Service: RUNNING >>> named Service: STOPPED >>> httpd Service: RUNNING >>> ipa-custodia Service: RUNNING >>> pki-tomcatd Service: STOPPED >>> ipa-otpd Service: RUNNING >>> ipa-dnskeysyncd Service: RUNNING >>> 2 service(s) are not running >>> >>> >>> Thanks >>> >>>> El 22 nov. 2022, a las 11:43, Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com> >>>> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>> >>>> <mailto:rcritten@redhat.com>> escribió: >>>> >>>> Juan Pablo Lorier via FreeIPA-users wrote: >>>>> Hi, >>>>> >>>>> I have a production server that was not maintained and I see that the >>>>> HTTP certificate has expired long ago. I tried to renew it but I'm >>>>> not being agle to get it right. >>>>> >>>>> The initial status was: >>>>> >>>>> Request ID '20191219011208': >>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >>>>> stuck: yes >>>>> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key' >>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>> >>>>> Then following this thread >>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >>>>> >>>>> I got it to this state: >>>>> >>>>> Request ID '20191219011208': >>>>> status: MONITORING >>>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, >>>>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. >>>>> libcurl failed even to execute the HTTP transaction, explaining: >>>>> SSL certificate problem: certificate has expired). >>>>> stuck: no >>>>> key pair storage: >>>>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA' >>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>> >>>>> The post indicates that I have to put an old date in the server to >>>>> get it renewed, but as the server is in production, it means that all >>>>> clients will fail to log to the server. Evenmore, what time should I >>>>> return to, before the certificate expiration or right after? >>>>> Thanks in advanc >>>> >>>> I'd guess that this affects a lot more than just the web server cert. >>>> getcert list will tell you. >>>> >>>> Depending on that outcome affect the suggested remediation. >>>> >>>> As for going back in time, you'd need a server outage to do this and it >>>> only would be backwards in time for a short time. Just long enough so >>>> the services could start with non-expired certificates to get them >>>> renewed. But there are other ways to do this that don't require fiddling >>>> with time. >>>> >>>> rob

El 30 nov. 2022, a las 16:21, Rob Crittenden <rcritten(a)redhat.com&gt; escribió: Juan Pablo Lorier wrote: > Hi, > > Rob, the problem with ipactl --ignore-service-failures is that it always > try to upgrade from 4.7 to 4.9 first and it fails for that reason. $ man 8 ipactl --skip-version-check Skip version check rob > > I were able to move forward and get poi-tomcat running but I still can’t > finish the upgrade process. > Here are some more logs to see if you can see a lead to help me. > Regards > > */var/log/ipaupgrade.log* > > 022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and > enabled; skipping > 2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP > and enabled; skipping > 2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and > enabled; skipping > 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert' > 2022-11-30T16:07:49Z DEBUG request GET > https://dc2.tnu.com.uy:8443/ca/rest/account/login > 2022-11-30T16:07:49Z DEBUG request body '' > 2022-11-30T16:07:54Z DEBUG httplib request failed: > Traceback (most recent call last): > File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, > in _httplib_request > conn.request(method, path, body=request_body, headers=headers) > File "/usr/lib64/python3.6/http/client.py", line 1273, in request > self._send_request(method, url, body, headers, encode_chunked) > File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request > self.endheaders(body, encode_chunked=encode_chunked) > File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders > self._send_output(message_body, encode_chunked=encode_chunked) > File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output > self.send(msg) > File "/usr/lib64/python3.6/http/client.py", line 982, in send > self.connect() > File "/usr/lib64/python3.6/http/client.py", line 1441, in connect > server_hostname=server_hostname) > File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket > _context=self, _session=session) > File "/usr/lib64/python3.6/ssl.py", line 776, in __init__ > self.do_handshake() > File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake > self._sslobj.do_handshake() > File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake > self._sslobj.do_handshake() > OSError: [Errno 0] Error > 2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect > /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. > 2022-11-30T16:07:54Z DEBUG File > "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in > execute > return_value = self.run() > File > "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", > line 54, in run > server.upgrade() > File > "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", > line 2055, in upgrade > upgrade_configuration() > File > "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", > line 1908, in upgrade_configuration > ca_enable_ldap_profile_subsystem(ca) > File > "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", > line 458, in ca_enable_ldap_profile_subsystem > cainstance.migrate_profiles_to_ldap() > File > "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line > 2111, in migrate_profiles_to_ldap > _create_dogtag_profile(profile_id, profile_data, overwrite=False) > File > "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line > 2165, in _create_dogtag_profile > with api.Backend.ra_certprofile as profile_api: > File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", > line 1207, in __enter__ > method='GET' > File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, > in https_request > method=method, headers=headers) > File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, > in _httplib_request > raise NetworkError(uri=uri, error=str(e)) > > 2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, > exception: NetworkError: cannot connect to > 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error > 2022-11-30T16:07:54Z ERROR Unexpected error - see > /var/log/ipaupgrade.log for details: > NetworkError: cannot connect to > 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error > 2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See > /var/log/ipaupgrade.log for more information > > > *dirsrv/slapd-TNU-COM-UY/errors* > > [30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse > - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist > [30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse > - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist > [30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse > - The ACL target cn=automember rebuild membership,cn=tasks,cn=config > does not exist > [30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - > Because krbPwdPolicyReference is a new registered virtual attribute , > nsslapd-ignore-virtual-attrs was set to 'off' > [30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>>] > in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any > KDC for requested realm) > [30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - > schema-compat-plugin tree scan will start in about 5 seconds! > [30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd > started. Listening on All Interfaces port 389 for LDAP requests > [30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening > on All Interfaces port 636 for LDAPS requests > [30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening > on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests > [30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>>] > in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any > KDC for requested realm) > [30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - > Finished plugin initialization. > [30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>>] > in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any > KDC for requested realm) > [30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>>] > in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any > KDC for requested realm) > [30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>>] > in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any > KDC for requested realm) > [30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>>] > in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any > KDC for requested realm) > [30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>>] > in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any > KDC for requested realm) > [30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>>] > in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any > KDC for requested realm) > [30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>>] > in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any > KDC for requested realm) > [30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>>] > in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any > KDC for requested realm) > [30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could > not get initial credentials for principal > [ldap/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>>] > in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any > KDC for requested realm) > > *localhost_access_log.2022-11-30.txt* > > 127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 - > XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus > HTTP/1.1" 200 193 > XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login > HTTP/1.1" 401 669 > > >> El 23 nov. 2022, a las 18:42, Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com> >> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>> escribió: >> >> Run "ipactl --ignore-service-failures" and it should bring up all the >> services it can. >> >> rob >> >> Juan Pablo Lorier wrote: >>> Hi again, >>> >>> I used the ldapi from /etc/ipa/default.conf and I was able to get a >>> different reply: >>> >>> ldapsearch -Y GSSAPI -H >>> ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket <ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket> >>> <ldapi:///var/run/slapd%5C-TNU%5C-COM%5C-UY.socket <ldapi:///var/run/slapd%5C-TNU%5C-COM%5C-UY.socket>> >>> >>> SASL/GSSAPI authentication started >>> ldap_sasl_interactive_bind_s: Local error (-2) >>> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. Minor code may provide more information (Ticket expired) >>> >>> But if I try to renew the ticket, it fails: >>> >>> kinit admin >>> kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting >>> initial credentials >>> >>> The running DC is in 4.7 and it should reply to the kinit requests >>> >>> >>> I added the debug option to see if I can ge further information. >>> >>> ipactl restart >>> IPA version error: data needs to be upgraded (expected version >>> '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version >>> '4.7.1-11.module_el8.0.0+79+bbd20d7b') >>> Automatically running upgrade, for details see /var/log/ipaupgrade.log >>> Be patient, this may take a few minutes. >>> Automatic upgrade failed: Error caught updating >>> nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and >>> attributes are managed by topology plugin.No direct modifications >>> allowed. >>> Error caught updating nsDS5ReplicatedAttributeListTotal: Server is >>> unwilling to perform: Entry and attributes are managed by topology >>> plugin.No direct modifications allowed. >>> Update complete >>> Upgrading the configuration of the IPA services >>> [Verifying that root certificate is published] >>> [Migrate CRL publish directory] >>> CRL tree already moved >>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run >>> command ipa-server-upgrade manually. >>> Unexpected error - see /var/log/ipaupgrade.log for details: >>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', >>> 'start', &#39;pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>'] returned non-zero exit status >>> 1: 'Job for pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> failed because the control >>> process exited with error code.\nSee "systemctl status >>> pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>" >>> and "journalctl -xe" for details.\n') >>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for >>> more information >>> >>> See the upgrade log for more details and/or run >>> /usr/sbin/ipa-server-upgrade again >>> Stopping ipa-dnskeysyncd Service >>> Stopping ipa-otpd Service >>> Stopping pki-tomcatd Service >>> Stopping ipa-custodia Service >>> Stopping httpd Service >>> Stopping named Service >>> Stopping kadmin Service >>> Stopping krb5kdc Service >>> Stopping Directory Service >>> Aborting ipactl >>> >>> Regards >>> >>> >>>> El 23 nov. 2022, a las 11:50, Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com> >>>> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>> >>>> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>> escribió: >>>> >>>> Juan Pablo Lorier wrote: >>>>> Hi Rob, >>>>> >>>>> Thanks for the reply. As I didn’t know other way but to go back in >>>>> time, >>>>> I just did it and now the server is running 100%. >>>>> >>>>> This was all part of an update from 4.7 to 4.9. According to the >>>>> documentation, it was just a matter to def update but it seems that is >>>>> not such a happy path.> >>>>> I updated the second server but it’s not able to finalize the update >>>>> process. DNS is failing to start: >>>>> >>>>> # systemctl status ipa-dnskeysyncd.service >>>>> >>>>> >>>>> *●*ipa-dnskeysyncd.service - IPA key daemon >>>>> Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; >>>>> disabled; vendor preset: disabled) >>>>> Active: *active (running)*since Tue 2022-11-22 11:27:16 -03; 1h >>>>> 14min ago >>>>> Main PID: 250496 (ipa-dnskeysyncd) >>>>> Tasks: 1 (limit: 23652) >>>>> Memory: 68.4M >>>>> CGroup: /system.slice/ipa-dnskeysyncd.service >>>>> └─250496 /usr/libexec/platform-python -I >>>>> /usr/libexec/ipa/ipa-dnskeysyncd >>>>> >>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client >>>>> step 1 >>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client >>>>> step 2 >>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: >>>>> ipa-dnskeysyncd: >>>>> INFO Commencing sync process >>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: >>>>> ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, >>>>> sychronizing with ODS and BIND >>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>>>> *Configuration.cpp(96): Missing log.level in configuration. Using >>>>> default value: INFO* >>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>>>> *Configuration.cpp(96): Missing slots.mechanisms in configuration. >>>>> Using >>>>> default value: ALL* >>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>>>> *Configuration.cpp(124): Missing slots.removable in configuration. >>>>> Using >>>>> default value: false* >>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client >>>>> step 1 >>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client >>>>> step 1 >>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>>>> >>>>> >>>>> >>>>> GSSAPI client step 1 >>>>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service >>>>> >>>>> >>>>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 >>>>> 12:40:17 -03. -- >>>>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon. >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing all plugin modules in ipaserver.plugins... >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.aci >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.automember >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.automount >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.baseldap >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG ipaserver.plugins.baseldap is not a valid plugin module >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.baseuser >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.batch >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.ca <http://ipaserver.plugins.ca/> >>>>> <http://ipaserver.plugins.ca/ <http://ipaserver.plugins.ca/>> >>>>> <http://ipaserver.plugins.ca <http://ipaserver.plugins.ca/> <http://ipaserver.plugins.ca/ <http://ipaserver.plugins.ca/>>> >>>>> <http://ipaserver.plugins.ca <http://ipaserver.plugins.ca/> >>>>> <http://ipaserver.plugins.ca/ <http://ipaserver.plugins.ca/>> <http://ipaserver.plugins.ca/ <http://ipaserver.plugins.ca/>>> >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.caacl >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.cert >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.certmap >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.certprofile >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.config >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.delegation >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.dns >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.dnsserver >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.dogtag >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.domainlevel >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.group >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.hbac >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG ipaserver.plugins.hbac is not a valid plugin module >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.hbacrule >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.hbacsvc >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.hbactest >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.host >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.hostgroup >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.idrange >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.idviews >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.internal >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.join >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.krbtpolicy >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.ldap2 >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.location >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.migration >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.misc >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.netgroup >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.otp >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG ipaserver.plugins.otp is not a valid plugin module >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.otpconfig >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.otptoken >>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: >>>>> DEBUG importing plugin module ipaserver.plugins.passwd >>>> >>>> There should be quite a bit more after that. >>>> >>>>> >>>>> #less /var/log/dirsrv/slapd-*/access >>>>> >>>>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 >>>>> tag=101 >>>>> nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290 >>>>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH >>>>> base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 >>>>> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife >>>>> krbMaxRenewab >>>>> leAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge" >>>>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 >>>>> tag=101 >>>>> nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403 >>>>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" >>>>> method=sasl version=3 mech=GSSAPI >>>>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 >>>>> tag=97 >>>>> nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL >>>>> bind in progress >>>>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" >>>>> method=sasl version=3 mech=GSSAPI >>>>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 >>>>> tag=97 >>>>> nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL >>>>> bind in progress >>>>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" >>>>> method=sasl version=3 mech=GSSAPI >>>>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 >>>>> nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 >>>>> dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc= >>>>> com,dc=uy" >>>>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH >>>>> base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 >>>>> filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" >>>>> attrs="objectClass cn fqdn serverHostN >>>>> ame memberOf ipaSshPubKey ipaUniqueID" >>>>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 >>>>> tag=101 >>>>> nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 >>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>>>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH >>>>> base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" >>>>> scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaU >>>>> niqueID" >>>>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 >>>>> tag=101 >>>>> nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 >>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>>>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH >>>>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 >>>>> filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" >>>>> attrs="objectClass ipaUniqueID cn memb >>>>> er entryusn" >>>>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 >>>>> tag=101 >>>>> nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 >>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>>>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH >>>>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 >>>>> filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostC >>>>> ategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgro >>>>> ups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" >>>>> attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt >>>>> ipaSudoRunAs >>>>> ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberU >>>>> ser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory >>>>> userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory >>>>> ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup e >>>>> xternalUser entryusn" >>>>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 >>>>> tag=101 >>>>> nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 >>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>>>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT >>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT >>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 >>>>> tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 >>>>> etime=0.000956734 >>>>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 >>>>> tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 >>>>> etime=0.001489204 >>>>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT >>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>>>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 >>>>> tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 >>>>> etime=0.003098843 >>>>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT >>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>>>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 >>>>> tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 >>>>> etime=0.002897696 >>>>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT >>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT >>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 >>>>> tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 >>>>> etime=0.001372435 >>>>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 >>>>> tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 >>>>> etime=0.001748601 >>>>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT >>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>>>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 >>>>> tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 >>>>> etime=0.015402108 >>>>> >>>>> >>>>> I see that after the update, the files were changed: >>>>> >>>>> >>>>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY* >>>>> /etc/dirsrv/slapd-TNU-COM-UY: >>>>> total 4208 >>>>> -rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem >>>>> -rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem >>>>> -rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 TNU.COM.UY20IPA20CA.pem >>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db >>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig >>>>> -r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf >>>>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif >>>>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak >>>>> -rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 >>>>> dse.ldif.ipa.1cf1fe204fd69494 >>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:01 >>>>> dse.ldif.ipa.1dd1d38cbd8d26ae >>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:26 >>>>> dse.ldif.ipa.21662457cb42c116 >>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:47 >>>>> dse.ldif.ipa.256a5d66e550a957 >>>>> -rw-------. 1 dirsrv root 195350 Nov 21 13:35 >>>>> dse.ldif.ipa.274744b10eed3d9b >>>>> -rw-------. 1 dirsrv root 203050 Nov 21 19:09 >>>>> dse.ldif.ipa.385fb48f5462219c >>>>> -rw-------. 1 dirsrv root 156705 Jan 9 2020 >>>>> dse.ldif.ipa.6b71b47d73ca452a >>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:38 >>>>> dse.ldif.ipa.767aba4a82811822 >>>>> -rw-------. 1 dirsrv root 208355 Nov 21 21:07 >>>>> dse.ldif.ipa.814a4de587fc22ec >>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:49 >>>>> dse.ldif.ipa.889036fc0907e7de >>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:47 >>>>> dse.ldif.ipa.8fd2b7413b99dfa3 >>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:42 >>>>> dse.ldif.ipa.958ca3a96922f2fd >>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:48 >>>>> dse.ldif.ipa.bacd6d1d200348bf >>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:24 >>>>> dse.ldif.ipa.bfadc14f0e609072 >>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:23 >>>>> dse.ldif.ipa.f1e864261a119b6c >>>>> -rw-------. 1 dirsrv root 202234 Nov 21 15:42 >>>>> dse.ldif.ipa.fa918bf07c17e2e8 >>>>> -rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out >>>>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK >>>>> -r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif >>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db >>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig >>>>> -r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt >>>>> -rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt >>>>> -rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig >>>>> -rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt >>>>> -r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig >>>>> drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema >>>>> drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak >>>>> -rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf >>>>> >>>>> >>>>> I can’t connect to the LDAP service: >>>>> >>>>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket <ldapi://var/run/slapd-TNU-COM-UY.socket> >>>>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) >>>> >>>> You have to escape the socket path: >>>> ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket <ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket> >>>> >>>>> # less /var/log/ipaupgrade.log >>>>> >>>>> Server built: Jun 29 2021 22:00:15 UTC >>>>> Server number: 9.0.30.0 >>>>> OS Name: Linux >>>>> OS Version: 4.18.0-348.7.1.el8_5.x86_64 >>>>> Architecture: amd64 >>>>> JVM Version: 1.8.0_322-b06 >>>>> JVM Vendor: Red Hat, Inc. >>>>> >>>>> 2022-11-22T14:26:56Z DEBUG stderr= >>>>> 2022-11-22T14:26:56Z DEBUG Starting external process >>>>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', 'kra'] >>>>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1 >>>>> 2022-11-22T14:26:56Z DEBUG stdout= >>>>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in >>>>> instance pki-tomcat. >>>>> >>>>> 2022-11-22T14:26:56Z DEBUG Starting external process >>>>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', >>>>> &#39;pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>'] >>>>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1 >>>>> 2022-11-22T14:26:57Z DEBUG stdout= >>>>> 2022-11-22T14:26:57Z DEBUG stderr=Job >>>>> for pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> failed because the control >>>>> process exited with error code. >>>>> See "systemctl status pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>" and "journalctl -xe" for >>>>> details. >>>>> >>>>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect >>>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. >>>>> 2022-11-22T14:26:57Z DEBUG File >>>>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in >>>>> execute >>>>> return_value = self.run() >>>>> File >>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", >>>>> line 54, in run >>>>> server.upgrade() >>>>> File >>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>>>> line 2055, in upgrade >>>>> upgrade_configuration() >>>>> File >>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>>>> line 1783, in upgrade_configuration >>>>> ca.start('pki-tomcat') >>>>> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", >>>>> line 524, in start >>>>> self.service.start(instance_name, capture_output=capture_output, >>>>> wait=wait) >>>>> File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", >>>>> line 306, in start >>>>> skip_output=not capture_output) >>>>> File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line >>>>> 600, in run >>>>> p.returncode, arg_string, output_log, error_log >>>>> >>>>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, >>>>> exception: CalledProcessError: CalledProcessError(Command >>>>> ['/bin/systemctl', 'start', &#39;pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>'] returned non-zero exit status >>>>> 1: 'Job for pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> failed because the control >>>>> process exited with error code.\nSee "systemctl status >>>>> pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>" >>>>> and "journalctl -xe" for details.\n') >>>>> 2022-11-22T14:26:57Z ERROR Unexpected error - see >>>>> /var/log/ipaupgrade.log for details: >>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', >>>>> 'start', &#39;pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>>'] returned non-zero exit status >>>>> 1: 'Job for pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> failed because the control >>>>> process exited with error code.\nSee "systemctl status >>>>> pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>> >>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service>" >>>>> and "journalctl -xe" for details.\n') >>>>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See >>>>> /var/log/ipaupgrade.log for more information >>>>> (END) >>>> >>>> The CA failed to start. This is often due to expired certificates that >>>> get exposed when an upgrade is done. Check that out. >>>> >>>>> #ipactl status >>>>> >>>>> Directory Service: RUNNING >>>>> krb5kdc Service: RUNNING >>>>> kadmin Service: RUNNING >>>>> named Service: STOPPED >>>>> httpd Service: RUNNING >>>>> ipa-custodia Service: RUNNING >>>>> pki-tomcatd Service: STOPPED >>>>> ipa-otpd Service: RUNNING >>>>> ipa-dnskeysyncd Service: RUNNING >>>>> 2 service(s) are not running >>>>> >>>>> >>>>> Thanks >>>>> >>>>>> El 22 nov. 2022, a las 11:43, Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com> >>>>>> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>> >>>>>> <mailto:rcritten@redhat.com> >>>>>> <mailto:rcritten@redhat.com>> escribió: >>>>>> >>>>>> Juan Pablo Lorier via FreeIPA-users wrote: >>>>>>> Hi, >>>>>>> >>>>>>> I have a production server that was not maintained and I see that the >>>>>>> HTTP certificate has expired long ago. I tried to renew it but I'm >>>>>>> not being agle to get it right. >>>>>>> >>>>>>> The initial status was: >>>>>>> >>>>>>> Request ID '20191219011208': >>>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >>>>>>> stuck: yes >>>>>>> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key' >>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>>>> >>>>>>> Then following this thread >>>>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >>>>>>> >>>>>>> I got it to this state: >>>>>>> >>>>>>> Request ID '20191219011208': >>>>>>> status: MONITORING >>>>>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, >>>>>>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. >>>>>>> libcurl failed even to execute the HTTP transaction, explaining: >>>>>>> SSL certificate problem: certificate has expired). >>>>>>> stuck: no >>>>>>> key pair storage: >>>>>>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA' >>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>>>> >>>>>>> The post indicates that I have to put an old date in the server to >>>>>>> get it renewed, but as the server is in production, it means that all >>>>>>> clients will fail to log to the server. Evenmore, what time should I >>>>>>> return to, before the certificate expiration or right after? >>>>>>> Thanks in advanc >>>>>> >>>>>> I'd guess that this affects a lot more than just the web server cert. >>>>>> getcert list will tell you. >>>>>> >>>>>> Depending on that outcome affect the suggested remediation. >>>>>> >>>>>> As for going back in time, you'd need a server outage to do this >>>>>> and it >>>>>> only would be backwards in time for a short time. Just long enough so >>>>>> the services could start with non-expired certificates to get them >>>>>> renewed. But there are other ways to do this that don't require >>>>>> fiddling >>>>>> with time. >>>>>> >>>>>> rob

El 30 nov. 2022, a las 18:50, Rob Crittenden <rcritten(a)redhat.com&gt; escribió: Juan Pablo Lorier wrote: > Ok, with the skip-version-check flag it starts correctly, but if I try > to restart the service without the flag, it fails in the same point. The > error is related to the upgrade process then. I’m upgrading from 4.7 to > 4.9 as I didn’t find any restriction in the documentation. > Is it possible that there’s an issue with that upgrade path? If is likely related to your expired certificates. Did you look to see if others besides the HTTP cert expired? rob > Thanks > >> El 30 nov. 2022, a las 16:21, Rob Crittenden <rcritten(a)redhat.com >> <mailto:rcritten@redhat.com>> escribió: >> >> Juan Pablo Lorier wrote: >>> Hi, >>> >>> Rob, the problem with ipactl --ignore-service-failures is that it always >>> try to upgrade from 4.7 to 4.9 first and it fails for that reason. >> >> $ man 8 ipactl >> >> --skip-version-check Skip version check >> >> rob >> >>> >>> I were able to move forward and get poi-tomcat running but I still can’t >>> finish the upgrade process. >>> Here are some more logs to see if you can see a lead to help me. >>> Regards >>> >>> */var/log/ipaupgrade.log* >>> >>> 022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and >>> enabled; skipping >>> 2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP >>> and enabled; skipping >>> 2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and >>> enabled; skipping >>> 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert' >>> 2022-11-30T16:07:49Z DEBUG request GET >>> https://dc2.tnu.com.uy:8443/ca/rest/account/login >>> 2022-11-30T16:07:49Z DEBUG request body '' >>> 2022-11-30T16:07:54Z DEBUG httplib request failed: >>> Traceback (most recent call last): >>> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, >>> in _httplib_request >>> conn.request(method, path, body=request_body, headers=headers) >>> File "/usr/lib64/python3.6/http/client.py", line 1273, in request >>> self._send_request(method, url, body, headers, encode_chunked) >>> File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request >>> self.endheaders(body, encode_chunked=encode_chunked) >>> File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders >>> self._send_output(message_body, encode_chunked=encode_chunked) >>> File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output >>> self.send(msg) >>> File "/usr/lib64/python3.6/http/client.py", line 982, in send >>> self.connect() >>> File "/usr/lib64/python3.6/http/client.py", line 1441, in connect >>> server_hostname=server_hostname) >>> File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket >>> _context=self, _session=session) >>> File "/usr/lib64/python3.6/ssl.py", line 776, in __init__ >>> self.do_handshake() >>> File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake >>> self._sslobj.do_handshake() >>> File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake >>> self._sslobj.do_handshake() >>> OSError: [Errno 0] Error >>> 2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect >>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. >>> 2022-11-30T16:07:54Z DEBUG File >>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in >>> execute >>> return_value = self.run() >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", >>> line 54, in run >>> server.upgrade() >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>> line 2055, in upgrade >>> upgrade_configuration() >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>> line 1908, in upgrade_configuration >>> ca_enable_ldap_profile_subsystem(ca) >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>> line 458, in ca_enable_ldap_profile_subsystem >>> cainstance.migrate_profiles_to_ldap() >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line >>> 2111, in migrate_profiles_to_ldap >>> _create_dogtag_profile(profile_id, profile_data, overwrite=False) >>> File >>> "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line >>> 2165, in _create_dogtag_profile >>> with api.Backend.ra_certprofile as profile_api: >>> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", >>> line 1207, in __enter__ >>> method='GET' >>> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, >>> in https_request >>> method=method, headers=headers) >>> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, >>> in _httplib_request >>> raise NetworkError(uri=uri, error=str(e)) >>> >>> 2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, >>> exception: NetworkError: cannot connect to >>> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error >>> 2022-11-30T16:07:54Z ERROR Unexpected error - see >>> /var/log/ipaupgrade.log for details: >>> NetworkError: cannot connect to >>> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error >>> 2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See >>> /var/log/ipaupgrade.log for more information >>> >>> >>> *dirsrv/slapd-TNU-COM-UY/errors* >>> >>> [30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse >>> - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist >>> [30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse >>> - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist >>> [30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse >>> - The ACL target cn=automember rebuild membership,cn=tasks,cn=config >>> does not exist >>> [30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - >>> Because krbPwdPolicyReference is a new registered virtual attribute , >>> nsslapd-ignore-virtual-attrs was set to 'off' >>> [30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could >>> not get initial credentials for principal >>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>> KDC for requested realm) >>> [30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - >>> schema-compat-plugin tree scan will start in about 5 seconds! >>> [30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd >>> started. Listening on All Interfaces port 389 for LDAP requests >>> [30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening >>> on All Interfaces port 636 for LDAPS requests >>> [30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening >>> on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests >>> [30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could >>> not get initial credentials for principal >>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>> KDC for requested realm) >>> [30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - >>> Finished plugin initialization. >>> [30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could >>> not get initial credentials for principal >>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>> KDC for requested realm) >>> [30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could >>> not get initial credentials for principal >>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>> KDC for requested realm) >>> [30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could >>> not get initial credentials for principal >>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>> KDC for requested realm) >>> [30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could >>> not get initial credentials for principal >>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>> KDC for requested realm) >>> [30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could >>> not get initial credentials for principal >>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>> KDC for requested realm) >>> [30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could >>> not get initial credentials for principal >>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>> KDC for requested realm) >>> [30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could >>> not get initial credentials for principal >>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>> KDC for requested realm) >>> [30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could >>> not get initial credentials for principal >>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>> KDC for requested realm) >>> [30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could >>> not get initial credentials for principal >>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>> KDC for requested realm) >>> >>> *localhost_access_log.2022-11-30.txt* >>> >>> 127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 - >>> XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus >>> HTTP/1.1" 200 193 >>> XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login >>> HTTP/1.1" 401 669 >>> >>> >>>> El 23 nov. 2022, a las 18:42, Rob Crittenden <rcritten(a)redhat.com >>>> <mailto:rcritten@redhat.com> >>>> <mailto:rcritten@redhat.com>> escribió: >>>> >>>> Run "ipactl --ignore-service-failures" and it should bring up all the >>>> services it can. >>>> >>>> rob >>>> >>>> Juan Pablo Lorier wrote: >>>>> Hi again, >>>>> >>>>> I used the ldapi from /etc/ipa/default.conf and I was able to get a >>>>> different reply: >>>>> >>>>> ldapsearch -Y GSSAPI -H >>>>> ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket >>>>> <ldapi:///var/run/slapd%5C-TNU%5C-COM%5C-UY.socket> >>>>> >>>>> SASL/GSSAPI authentication started >>>>> ldap_sasl_interactive_bind_s: Local error (-2) >>>>> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified >>>>> GSS failure. Minor code may provide more information (Ticket expired) >>>>> >>>>> But if I try to renew the ticket, it fails: >>>>> >>>>> kinit admin >>>>> kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting >>>>> initial credentials >>>>> >>>>> The running DC is in 4.7 and it should reply to the kinit requests >>>>> >>>>> >>>>> I added the debug option to see if I can ge further information. >>>>> >>>>> ipactl restart >>>>> IPA version error: data needs to be upgraded (expected version >>>>> '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version >>>>> '4.7.1-11.module_el8.0.0+79+bbd20d7b') >>>>> Automatically running upgrade, for details see /var/log/ipaupgrade.log >>>>> Be patient, this may take a few minutes. >>>>> Automatic upgrade failed: Error caught updating >>>>> nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and >>>>> attributes are managed by topology plugin.No direct modifications >>>>> allowed. >>>>> Error caught updating nsDS5ReplicatedAttributeListTotal: Server is >>>>> unwilling to perform: Entry and attributes are managed by topology >>>>> plugin.No direct modifications allowed. >>>>> Update complete >>>>> Upgrading the configuration of the IPA services >>>>> [Verifying that root certificate is published] >>>>> [Migrate CRL publish directory] >>>>> CRL tree already moved >>>>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run >>>>> command ipa-server-upgrade manually. >>>>> Unexpected error - see /var/log/ipaupgrade.log for details: >>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', >>>>> 'start', &#39;pki-tomcatd(a)pki-tomcat.service >>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>> <mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit status >>>>> 1: 'Job for pki-tomcatd(a)pki-tomcat.service >>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control >>>>> process exited with error code.\nSee "systemctl status >>>>> pki-tomcatd(a)pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service> >>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service>" >>>>> and "journalctl -xe" for details.\n') >>>>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for >>>>> more information >>>>> >>>>> See the upgrade log for more details and/or run >>>>> /usr/sbin/ipa-server-upgrade again >>>>> Stopping ipa-dnskeysyncd Service >>>>> Stopping ipa-otpd Service >>>>> Stopping pki-tomcatd Service >>>>> Stopping ipa-custodia Service >>>>> Stopping httpd Service >>>>> Stopping named Service >>>>> Stopping kadmin Service >>>>> Stopping krb5kdc Service >>>>> Stopping Directory Service >>>>> Aborting ipactl >>>>> >>>>> Regards >>>>> >>>>> >>>>>> El 23 nov. 2022, a las 11:50, Rob Crittenden <rcritten(a)redhat.com >>>>>> <mailto:rcritten@redhat.com> >>>>>> <mailto:rcritten@redhat.com> >>>>>> <mailto:rcritten@redhat.com>> escribió: >>>>>> >>>>>> Juan Pablo Lorier wrote: >>>>>>> Hi Rob, >>>>>>> >>>>>>> Thanks for the reply. As I didn’t know other way but to go back in >>>>>>> time, >>>>>>> I just did it and now the server is running 100%. >>>>>>> >>>>>>> This was all part of an update from 4.7 to 4.9. According to the >>>>>>> documentation, it was just a matter to def update but it seems >>>>>>> that is >>>>>>> not such a happy path.> >>>>>>> I updated the second server but it’s not able to finalize the update >>>>>>> process. DNS is failing to start: >>>>>>> >>>>>>> # systemctl status ipa-dnskeysyncd.service >>>>>>> >>>>>>> >>>>>>> *●*ipa-dnskeysyncd.service - IPA key daemon >>>>>>> Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; >>>>>>> disabled; vendor preset: disabled) >>>>>>> Active: *active (running)*since Tue 2022-11-22 11:27:16 -03; 1h >>>>>>> 14min ago >>>>>>> Main PID: 250496 (ipa-dnskeysyncd) >>>>>>> Tasks: 1 (limit: 23652) >>>>>>> Memory: 68.4M >>>>>>> CGroup: /system.slice/ipa-dnskeysyncd.service >>>>>>> └─250496 /usr/libexec/platform-python -I >>>>>>> /usr/libexec/ipa/ipa-dnskeysyncd >>>>>>> >>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client >>>>>>> step 1 >>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client >>>>>>> step 2 >>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: >>>>>>> ipa-dnskeysyncd: >>>>>>> INFO Commencing sync process >>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: >>>>>>> ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, >>>>>>> sychronizing with ODS and BIND >>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>>>>>> *Configuration.cpp(96): Missing log.level in configuration. Using >>>>>>> default value: INFO* >>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>>>>>> *Configuration.cpp(96): Missing slots.mechanisms in configuration. >>>>>>> Using >>>>>>> default value: ALL* >>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>>>>>> *Configuration.cpp(124): Missing slots.removable in configuration. >>>>>>> Using >>>>>>> default value: false* >>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client >>>>>>> step 1 >>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client >>>>>>> step 1 >>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>>>>>> >>>>>>> >>>>>>> >>>>>>> GSSAPI client step 1 >>>>>>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service >>>>>>> >>>>>>> >>>>>>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 >>>>>>> 12:40:17 -03. -- >>>>>>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon. >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing all plugin modules in ipaserver.plugins... >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.aci >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.automember >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.automount >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.baseldap >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG ipaserver.plugins.baseldap is not a valid plugin module >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.baseuser >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.batch >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.ca >>>>>>> <http://ipaserver.plugins.ca/> >>>>>>> <http://ipaserver.plugins.ca/> >>>>>>> <http://ipaserver.plugins.ca >>>>>>> <http://ipaserver.plugins.ca/> <http://ipaserver.plugins.ca/>> >>>>>>> <http://ipaserver.plugins.ca <http://ipaserver.plugins.ca/> >>>>>>> <http://ipaserver.plugins.ca/> <http://ipaserver.plugins.ca/>> >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.caacl >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.cert >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.certmap >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.certprofile >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.config >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.delegation >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.dns >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.dnsserver >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.dogtag >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.domainlevel >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.group >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.hbac >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG ipaserver.plugins.hbac is not a valid plugin module >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.hbacrule >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.hbacsvc >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.hbactest >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.host >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.hostgroup >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.idrange >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.idviews >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.internal >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.join >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.krbtpolicy >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.ldap2 >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.location >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.migration >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.misc >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.netgroup >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.otp >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG ipaserver.plugins.otp is not a valid plugin module >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.otpconfig >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.otptoken >>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>> ipalib.plugable: >>>>>>> DEBUG importing plugin module ipaserver.plugins.passwd >>>>>> >>>>>> There should be quite a bit more after that. >>>>>> >>>>>>> >>>>>>> #less /var/log/dirsrv/slapd-*/access >>>>>>> >>>>>>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 >>>>>>> tag=101 >>>>>>> nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290 >>>>>>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH >>>>>>> base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 >>>>>>> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife >>>>>>> krbMaxRenewab >>>>>>> leAge krbTicketFlags krbAuthIndMaxTicketLife >>>>>>> krbAuthIndMaxRenewableAge" >>>>>>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 >>>>>>> tag=101 >>>>>>> nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403 >>>>>>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" >>>>>>> method=sasl version=3 mech=GSSAPI >>>>>>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 >>>>>>> tag=97 >>>>>>> nentries=0 wtime=0.000071973 optime=0.002531582 >>>>>>> etime=0.002602416, SASL >>>>>>> bind in progress >>>>>>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" >>>>>>> method=sasl version=3 mech=GSSAPI >>>>>>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 >>>>>>> tag=97 >>>>>>> nentries=0 wtime=0.000058962 optime=0.001451477 >>>>>>> etime=0.001509337, SASL >>>>>>> bind in progress >>>>>>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" >>>>>>> method=sasl version=3 mech=GSSAPI >>>>>>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 >>>>>>> tag=97 >>>>>>> nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 >>>>>>> dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc= >>>>>>> com,dc=uy" >>>>>>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH >>>>>>> base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 >>>>>>> filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" >>>>>>> attrs="objectClass cn fqdn serverHostN >>>>>>> ame memberOf ipaSshPubKey ipaUniqueID" >>>>>>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 >>>>>>> tag=101 >>>>>>> nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 >>>>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>>>>>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH >>>>>>> base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" >>>>>>> scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaU >>>>>>> niqueID" >>>>>>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 >>>>>>> tag=101 >>>>>>> nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 >>>>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>>>>>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH >>>>>>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 >>>>>>> filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" >>>>>>> attrs="objectClass ipaUniqueID cn memb >>>>>>> er entryusn" >>>>>>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 >>>>>>> tag=101 >>>>>>> nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 >>>>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>>>>>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH >>>>>>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 >>>>>>> filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostC >>>>>>> ategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgro >>>>>>> ups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" >>>>>>> attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt >>>>>>> ipaSudoRunAs >>>>>>> ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberU >>>>>>> ser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory >>>>>>> userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory >>>>>>> ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup e >>>>>>> xternalUser entryusn" >>>>>>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 >>>>>>> tag=101 >>>>>>> nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 >>>>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>>>>>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT >>>>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>>>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT >>>>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>>>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 >>>>>>> tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 >>>>>>> etime=0.000956734 >>>>>>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 >>>>>>> tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 >>>>>>> etime=0.001489204 >>>>>>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT >>>>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>>>>>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 >>>>>>> tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 >>>>>>> etime=0.003098843 >>>>>>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT >>>>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>>>>>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 >>>>>>> tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 >>>>>>> etime=0.002897696 >>>>>>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT >>>>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>>>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT >>>>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>>>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 >>>>>>> tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 >>>>>>> etime=0.001372435 >>>>>>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 >>>>>>> tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 >>>>>>> etime=0.001748601 >>>>>>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT >>>>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>>>>>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 >>>>>>> tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 >>>>>>> etime=0.015402108 >>>>>>> >>>>>>> >>>>>>> I see that after the update, the files were changed: >>>>>>> >>>>>>> >>>>>>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY* >>>>>>> /etc/dirsrv/slapd-TNU-COM-UY: >>>>>>> total 4208 >>>>>>> -rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem >>>>>>> -rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem >>>>>>> -rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 >>>>>>> TNU.COM.UY20IPA20CA.pem >>>>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db >>>>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig >>>>>>> -r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf >>>>>>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif >>>>>>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak >>>>>>> -rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 >>>>>>> dse.ldif.ipa.1cf1fe204fd69494 >>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:01 >>>>>>> dse.ldif.ipa.1dd1d38cbd8d26ae >>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:26 >>>>>>> dse.ldif.ipa.21662457cb42c116 >>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:47 >>>>>>> dse.ldif.ipa.256a5d66e550a957 >>>>>>> -rw-------. 1 dirsrv root 195350 Nov 21 13:35 >>>>>>> dse.ldif.ipa.274744b10eed3d9b >>>>>>> -rw-------. 1 dirsrv root 203050 Nov 21 19:09 >>>>>>> dse.ldif.ipa.385fb48f5462219c >>>>>>> -rw-------. 1 dirsrv root 156705 Jan 9 2020 >>>>>>> dse.ldif.ipa.6b71b47d73ca452a >>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:38 >>>>>>> dse.ldif.ipa.767aba4a82811822 >>>>>>> -rw-------. 1 dirsrv root 208355 Nov 21 21:07 >>>>>>> dse.ldif.ipa.814a4de587fc22ec >>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:49 >>>>>>> dse.ldif.ipa.889036fc0907e7de >>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:47 >>>>>>> dse.ldif.ipa.8fd2b7413b99dfa3 >>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:42 >>>>>>> dse.ldif.ipa.958ca3a96922f2fd >>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:48 >>>>>>> dse.ldif.ipa.bacd6d1d200348bf >>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:24 >>>>>>> dse.ldif.ipa.bfadc14f0e609072 >>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:23 >>>>>>> dse.ldif.ipa.f1e864261a119b6c >>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 15:42 >>>>>>> dse.ldif.ipa.fa918bf07c17e2e8 >>>>>>> -rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out >>>>>>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK >>>>>>> -r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif >>>>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db >>>>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig >>>>>>> -r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt >>>>>>> -rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt >>>>>>> -rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig >>>>>>> -rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt >>>>>>> -r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig >>>>>>> drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema >>>>>>> drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak >>>>>>> -rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf >>>>>>> >>>>>>> >>>>>>> I can’t connect to the LDAP service: >>>>>>> >>>>>>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket >>>>>>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) >>>>>> >>>>>> You have to escape the socket path: >>>>>> ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket >>>>>> >>>>>>> # less /var/log/ipaupgrade.log >>>>>>> >>>>>>> Server built: Jun 29 2021 22:00:15 UTC >>>>>>> Server number: 9.0.30.0 >>>>>>> OS Name: Linux >>>>>>> OS Version: 4.18.0-348.7.1.el8_5.x86_64 >>>>>>> Architecture: amd64 >>>>>>> JVM Version: 1.8.0_322-b06 >>>>>>> JVM Vendor: Red Hat, Inc. >>>>>>> >>>>>>> 2022-11-22T14:26:56Z DEBUG stderr= >>>>>>> 2022-11-22T14:26:56Z DEBUG Starting external process >>>>>>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', >>>>>>> 'kra'] >>>>>>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1 >>>>>>> 2022-11-22T14:26:56Z DEBUG stdout= >>>>>>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in >>>>>>> instance pki-tomcat. >>>>>>> >>>>>>> 2022-11-22T14:26:56Z DEBUG Starting external process >>>>>>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', >>>>>>> &#39;pki-tomcatd(a)pki-tomcat.service >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service>'] >>>>>>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1 >>>>>>> 2022-11-22T14:26:57Z DEBUG stdout= >>>>>>> 2022-11-22T14:26:57Z DEBUG stderr=Job >>>>>>> for pki-tomcatd(a)pki-tomcat.service >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control >>>>>>> process exited with error code. >>>>>>> See "systemctl status pki-tomcatd(a)pki-tomcat.service >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>" and "journalctl -xe" for >>>>>>> details. >>>>>>> >>>>>>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect >>>>>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. >>>>>>> 2022-11-22T14:26:57Z DEBUG File >>>>>>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line >>>>>>> 180, in >>>>>>> execute >>>>>>> return_value = self.run() >>>>>>> File >>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", >>>>>>> line 54, in run >>>>>>> server.upgrade() >>>>>>> File >>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>>>>>> line 2055, in upgrade >>>>>>> upgrade_configuration() >>>>>>> File >>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>>>>>> line 1783, in upgrade_configuration >>>>>>> ca.start('pki-tomcat') >>>>>>> File >>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", >>>>>>> line 524, in start >>>>>>> self.service.start(instance_name, capture_output=capture_output, >>>>>>> wait=wait) >>>>>>> File >>>>>>> "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", >>>>>>> line 306, in start >>>>>>> skip_output=not capture_output) >>>>>>> File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line >>>>>>> 600, in run >>>>>>> p.returncode, arg_string, output_log, error_log >>>>>>> >>>>>>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, >>>>>>> exception: CalledProcessError: CalledProcessError(Command >>>>>>> ['/bin/systemctl', 'start', &#39;pki-tomcatd(a)pki-tomcat.service >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit >>>>>>> status >>>>>>> 1: 'Job for pki-tomcatd(a)pki-tomcat.service >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control >>>>>>> process exited with error code.\nSee "systemctl status >>>>>>> pki-tomcatd(a)pki-tomcat.service >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service>" >>>>>>> and "journalctl -xe" for details.\n') >>>>>>> 2022-11-22T14:26:57Z ERROR Unexpected error - see >>>>>>> /var/log/ipaupgrade.log for details: >>>>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', >>>>>>> 'start', &#39;pki-tomcatd(a)pki-tomcat.service >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit >>>>>>> status >>>>>>> 1: 'Job for pki-tomcatd(a)pki-tomcat.service >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control >>>>>>> process exited with error code.\nSee "systemctl status >>>>>>> pki-tomcatd(a)pki-tomcat.service >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service>" >>>>>>> and "journalctl -xe" for details.\n') >>>>>>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See >>>>>>> /var/log/ipaupgrade.log for more information >>>>>>> (END) >>>>>> >>>>>> The CA failed to start. This is often due to expired certificates that >>>>>> get exposed when an upgrade is done. Check that out. >>>>>> >>>>>>> #ipactl status >>>>>>> >>>>>>> Directory Service: RUNNING >>>>>>> krb5kdc Service: RUNNING >>>>>>> kadmin Service: RUNNING >>>>>>> named Service: STOPPED >>>>>>> httpd Service: RUNNING >>>>>>> ipa-custodia Service: RUNNING >>>>>>> pki-tomcatd Service: STOPPED >>>>>>> ipa-otpd Service: RUNNING >>>>>>> ipa-dnskeysyncd Service: RUNNING >>>>>>> 2 service(s) are not running >>>>>>> >>>>>>> >>>>>>> Thanks >>>>>>> >>>>>>>> El 22 nov. 2022, a las 11:43, Rob Crittenden >>>>>>>> <rcritten(a)redhat.com <mailto:rcritten@redhat.com> >>>>>>>> <mailto:rcritten@redhat.com> >>>>>>>> <mailto:rcritten@redhat.com> >>>>>>>> <mailto:rcritten@redhat.com>> escribió: >>>>>>>> >>>>>>>> Juan Pablo Lorier via FreeIPA-users wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> I have a production server that was not maintained and I see >>>>>>>>> that the >>>>>>>>> HTTP certificate has expired long ago. I tried to renew it but I'm >>>>>>>>> not being agle to get it right. >>>>>>>>> >>>>>>>>> The initial status was: >>>>>>>>> >>>>>>>>> Request ID '20191219011208': >>>>>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >>>>>>>>> stuck: yes >>>>>>>>> key pair storage: >>>>>>>>> type=FILE,location='/var/lib/ipa/private/httpd.key' >>>>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>>>>>> >>>>>>>>> Then following this thread >>>>>>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >>>>>>>>> >>>>>>>>> I got it to this state: >>>>>>>>> >>>>>>>>> Request ID '20191219011208': >>>>>>>>> status: MONITORING >>>>>>>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, >>>>>>>>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. >>>>>>>>> libcurl failed even to execute the HTTP transaction, explaining: >>>>>>>>> SSL certificate problem: certificate has expired). >>>>>>>>> stuck: no >>>>>>>>> key pair storage: >>>>>>>>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA' >>>>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>>>>>> >>>>>>>>> The post indicates that I have to put an old date in the server to >>>>>>>>> get it renewed, but as the server is in production, it means >>>>>>>>> that all >>>>>>>>> clients will fail to log to the server. Evenmore, what time >>>>>>>>> should I >>>>>>>>> return to, before the certificate expiration or right after? >>>>>>>>> Thanks in advanc >>>>>>>> >>>>>>>> I'd guess that this affects a lot more than just the web server >>>>>>>> cert. >>>>>>>> getcert list will tell you. >>>>>>>> >>>>>>>> Depending on that outcome affect the suggested remediation. >>>>>>>> >>>>>>>> As for going back in time, you'd need a server outage to do this >>>>>>>> and it >>>>>>>> only would be backwards in time for a short time. Just long >>>>>>>> enough so >>>>>>>> the services could start with non-expired certificates to get them >>>>>>>> renewed. But there are other ways to do this that don't require >>>>>>>> fiddling >>>>>>>> with time. >>>>>>>> >>>>>>>> rob >

El 30 nov. 2022, a las 19:55, Rob Crittenden <rcritten(a)redhat.com&gt; escribió: Juan Pablo Lorier wrote: > The only expired cert was the HTTP in the dc1 server, dc2 had all the > certs valid: This does not show all of the tracked certificates. Use plain getcert which will show for for all CA helpers. rob > > *Dc1:* > > ipa-getcert list > Number of certificates and requests being tracked: 9. > Request ID '20191218181440': > status: MONITORING > stuck: no > key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' > certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' > CA: IPA > issuer: CN=Certificate Authority,O=TNU.COM.UY > subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY > expires: 2023-11-21 15:14:49 -03 > principal name: krbtgt/TNU.COM.UY(a)TNU.COM.UY > <mailto:krbtgt/TNU.COM.UY@TNU.COM.UY <mailto:krbtgt/TNU.COM.UY@TNU.COM.UY>> > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-pkinit-KPKdc > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert > track: yes > auto-renew: yes > Request ID '20191219011104': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=TNU.COM.UY > subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY > expires: 2023-11-21 15:13:39 -03 > dns: dc1.tnu.com.uy > principal name: ldap/dc1.tnu.com.uy(a)TNU.COM.UY > <mailto:ldap/dc1.tnu.com.uy@TNU.COM.UY <mailto:ldap/dc1.tnu.com.uy@TNU.COM.UY>> > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY > track: yes > auto-renew: yes > Request ID '20211217030046': > status: MONITORING > stuck: no > key pair storage: > type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc1.tnu.com.uy-443-RSA' > certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' > CA: IPA > issuer: CN=Certificate Authority,O=TNU.COM.UY > subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY > expires: 2023-12-18 00:01:22 -03 > dns: dc1.tnu.com.uy > principal name: HTTP/dc1.tnu.com.uy(a)TNU.COM.UY > <mailto:HTTP/dc1.tnu.com.uy@TNU.COM.UY <mailto:HTTP/dc1.tnu.com.uy@TNU.COM.UY>> > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes > > *Dc2*: > > ipa-getcert list > Number of certificates and requests being tracked: 9. > Request ID '20200110015908': > status: MONITORING > stuck: no > key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' > certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' > CA: IPA > issuer: CN=Certificate Authority,O=TNU.COM.UY > subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY > issued: 2021-12-12 22:59:28 -03 > expires: 2023-12-13 22:59:28 -03 > principal name: krbtgt/TNU.COM.UY(a)TNU.COM.UY > <mailto:krbtgt/TNU.COM.UY@TNU.COM.UY <mailto:krbtgt/TNU.COM.UY@TNU.COM.UY>> > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-pkinit-KPKdc > profile: KDCs_PKINIT_Certs > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert > track: yes > auto-renew: yes > Request ID '20221130160326': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=TNU.COM.UY > subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY > issued: 2021-12-12 22:53:10 -03 > expires: 2023-12-13 22:53:10 -03 > dns: dc2.tnu.com.uy > principal name: ldap/dc2.tnu.com.uy(a)TNU.COM.UY > <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>> > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > profile: caIPAserviceCert > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY > track: yes > auto-renew: yes > Request ID '20221130160327': > status: MONITORING > stuck: no > key pair storage: > type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA' > certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' > CA: IPA > issuer: CN=Certificate Authority,O=TNU.COM.UY > subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY > issued: 2021-12-12 22:53:26 -03 > expires: 2023-12-13 22:53:26 -03 > dns: dc2.tnu.com.uy > principal name: HTTP/dc2.tnu.com.uy(a)TNU.COM.UY > <mailto:HTTP/dc2.tnu.com.uy@TNU.COM.UY <mailto:HTTP/dc2.tnu.com.uy@TNU.COM.UY>> > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > profile: caIPAserviceCert > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes > >> El 30 nov. 2022, a las 18:50, Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com> >> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>> escribió: >> >> Juan Pablo Lorier wrote: >>> Ok, with the skip-version-check flag it starts correctly, but if I try >>> to restart the service without the flag, it fails in the same point. The >>> error is related to the upgrade process then. I’m upgrading from 4.7 to >>> 4.9 as I didn’t find any restriction in the documentation. >>> Is it possible that there’s an issue with that upgrade path? >> >> If is likely related to your expired certificates. Did you look to see >> if others besides the HTTP cert expired? >> >> rob >> >>> Thanks >>> >>>> El 30 nov. 2022, a las 16:21, Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com> >>>> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>> >>>> <mailto:rcritten@redhat.com>> escribió: >>>> >>>> Juan Pablo Lorier wrote: >>>>> Hi, >>>>> >>>>> Rob, the problem with ipactl --ignore-service-failures is that it >>>>> always >>>>> try to upgrade from 4.7 to 4.9 first and it fails for that reason. >>>> >>>> $ man 8 ipactl >>>> >>>> --skip-version-check Skip version check >>>> >>>> rob >>>> >>>>> >>>>> I were able to move forward and get poi-tomcat running but I still >>>>> can’t >>>>> finish the upgrade process. >>>>> Here are some more logs to see if you can see a lead to help me. >>>>> Regards >>>>> >>>>> */var/log/ipaupgrade.log* >>>>> >>>>> 022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and >>>>> enabled; skipping >>>>> 2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in >>>>> LDAP >>>>> and enabled; skipping >>>>> 2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and >>>>> enabled; skipping >>>>> 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert' >>>>> 2022-11-30T16:07:49Z DEBUG request GET >>>>> https://dc2.tnu.com.uy:8443/ca/rest/account/login >>>>> 2022-11-30T16:07:49Z DEBUG request body '' >>>>> 2022-11-30T16:07:54Z DEBUG httplib request failed: >>>>> Traceback (most recent call last): >>>>> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line >>>>> 271, >>>>> in _httplib_request >>>>> conn.request(method, path, body=request_body, headers=headers) >>>>> File "/usr/lib64/python3.6/http/client.py", line 1273, in request >>>>> self._send_request(method, url, body, headers, encode_chunked) >>>>> File "/usr/lib64/python3.6/http/client.py", line 1319, in >>>>> _send_request >>>>> self.endheaders(body, encode_chunked=encode_chunked) >>>>> File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders >>>>> self._send_output(message_body, encode_chunked=encode_chunked) >>>>> File "/usr/lib64/python3.6/http/client.py", line 1044, in >>>>> _send_output >>>>> self.send(msg) >>>>> File "/usr/lib64/python3.6/http/client.py", line 982, in send >>>>> self.connect() >>>>> File "/usr/lib64/python3.6/http/client.py", line 1441, in connect >>>>> server_hostname=server_hostname) >>>>> File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket >>>>> _context=self, _session=session) >>>>> File "/usr/lib64/python3.6/ssl.py", line 776, in __init__ >>>>> self.do_handshake() >>>>> File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake >>>>> self._sslobj.do_handshake() >>>>> File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake >>>>> self._sslobj.do_handshake() >>>>> OSError: [Errno 0] Error >>>>> 2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect >>>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. >>>>> 2022-11-30T16:07:54Z DEBUG File >>>>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in >>>>> execute >>>>> return_value = self.run() >>>>> File >>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", >>>>> line 54, in run >>>>> server.upgrade() >>>>> File >>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>>>> line 2055, in upgrade >>>>> upgrade_configuration() >>>>> File >>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>>>> line 1908, in upgrade_configuration >>>>> ca_enable_ldap_profile_subsystem(ca) >>>>> File >>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>>>> line 458, in ca_enable_ldap_profile_subsystem >>>>> cainstance.migrate_profiles_to_ldap() >>>>> File >>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", >>>>> line >>>>> 2111, in migrate_profiles_to_ldap >>>>> _create_dogtag_profile(profile_id, profile_data, overwrite=False) >>>>> File >>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", >>>>> line >>>>> 2165, in _create_dogtag_profile >>>>> with api.Backend.ra_certprofile as profile_api: >>>>> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", >>>>> line 1207, in __enter__ >>>>> method='GET' >>>>> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line >>>>> 218, >>>>> in https_request >>>>> method=method, headers=headers) >>>>> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line >>>>> 280, >>>>> in _httplib_request >>>>> raise NetworkError(uri=uri, error=str(e)) >>>>> >>>>> 2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, >>>>> exception: NetworkError: cannot connect to >>>>> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error >>>>> 2022-11-30T16:07:54Z ERROR Unexpected error - see >>>>> /var/log/ipaupgrade.log for details: >>>>> NetworkError: cannot connect to >>>>> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error >>>>> 2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See >>>>> /var/log/ipaupgrade.log for more information >>>>> >>>>> >>>>> *dirsrv/slapd-TNU-COM-UY/errors* >>>>> >>>>> [30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse >>>>> - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist >>>>> [30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse >>>>> - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist >>>>> [30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse >>>>> - The ACL target cn=automember rebuild membership,cn=tasks,cn=config >>>>> does not exist >>>>> [30/Nov/2022:13:07:31.157746196 -0300] - INFO - >>>>> slapi_vattrspi_regattr - >>>>> Because krbPwdPolicyReference is a new registered virtual attribute , >>>>> nsslapd-ignore-virtual-attrs was set to 'off' >>>>> [30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could >>>>> not get initial credentials for principal >>>>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>>>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>>>> KDC for requested realm) >>>>> [30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - >>>>> schema-compat-plugin tree scan will start in about 5 seconds! >>>>> [30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd >>>>> started. Listening on All Interfaces port 389 for LDAP requests >>>>> [30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - >>>>> Listening >>>>> on All Interfaces port 636 for LDAPS requests >>>>> [30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - >>>>> Listening >>>>> on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests >>>>> [30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could >>>>> not get initial credentials for principal >>>>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>>>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>>>> KDC for requested realm) >>>>> [30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - >>>>> Finished plugin initialization. >>>>> [30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could >>>>> not get initial credentials for principal >>>>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>>>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>>>> KDC for requested realm) >>>>> [30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could >>>>> not get initial credentials for principal >>>>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>>>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>>>> KDC for requested realm) >>>>> [30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could >>>>> not get initial credentials for principal >>>>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>>>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>>>> KDC for requested realm) >>>>> [30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could >>>>> not get initial credentials for principal >>>>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>>>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>>>> KDC for requested realm) >>>>> [30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could >>>>> not get initial credentials for principal >>>>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>>>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>>>> KDC for requested realm) >>>>> [30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could >>>>> not get initial credentials for principal >>>>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>>>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>>>> KDC for requested realm) >>>>> [30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could >>>>> not get initial credentials for principal >>>>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>>>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>>>> KDC for requested realm) >>>>> [30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could >>>>> not get initial credentials for principal >>>>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>>>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>>>> KDC for requested realm) >>>>> [30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could >>>>> not get initial credentials for principal >>>>> [ldap/dc2.tnu.com.uy(a)TNU.COM.UY >>>>> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY>] >>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any >>>>> KDC for requested realm) >>>>> >>>>> *localhost_access_log.2022-11-30.txt* >>>>> >>>>> 127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 - >>>>> XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus >>>>> HTTP/1.1" 200 193 >>>>> XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login >>>>> HTTP/1.1" 401 669 >>>>> >>>>> >>>>>> El 23 nov. 2022, a las 18:42, Rob Crittenden <rcritten(a)redhat.com >>>>>> <mailto:rcritten@redhat.com> >>>>>> <mailto:rcritten@redhat.com>> escribió: >>>>>> >>>>>> Run "ipactl --ignore-service-failures" and it should bring up all the >>>>>> services it can. >>>>>> >>>>>> rob >>>>>> >>>>>> Juan Pablo Lorier wrote: >>>>>>> Hi again, >>>>>>> >>>>>>> I used the ldapi from /etc/ipa/default.conf and I was able to get a >>>>>>> different reply: >>>>>>> >>>>>>> ldapsearch -Y GSSAPI -H >>>>>>> ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket >>>>>>> <ldapi:///var/run/slapd%5C-TNU%5C-COM%5C-UY.socket> >>>>>>> >>>>>>> SASL/GSSAPI authentication started >>>>>>> ldap_sasl_interactive_bind_s: Local error (-2) >>>>>>> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified >>>>>>> GSS failure. Minor code may provide more information (Ticket >>>>>>> expired) >>>>>>> >>>>>>> But if I try to renew the ticket, it fails: >>>>>>> >>>>>>> kinit admin >>>>>>> kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting >>>>>>> initial credentials >>>>>>> >>>>>>> The running DC is in 4.7 and it should reply to the kinit requests >>>>>>> >>>>>>> >>>>>>> I added the debug option to see if I can ge further information. >>>>>>> >>>>>>> ipactl restart >>>>>>> IPA version error: data needs to be upgraded (expected version >>>>>>> '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version >>>>>>> '4.7.1-11.module_el8.0.0+79+bbd20d7b') >>>>>>> Automatically running upgrade, for details see >>>>>>> /var/log/ipaupgrade.log >>>>>>> Be patient, this may take a few minutes. >>>>>>> Automatic upgrade failed: Error caught updating >>>>>>> nsDS5ReplicatedAttributeList: Server is unwilling to perform: >>>>>>> Entry and >>>>>>> attributes are managed by topology plugin.No direct modifications >>>>>>> allowed. >>>>>>> Error caught updating nsDS5ReplicatedAttributeListTotal: Server is >>>>>>> unwilling to perform: Entry and attributes are managed by topology >>>>>>> plugin.No direct modifications allowed. >>>>>>> Update complete >>>>>>> Upgrading the configuration of the IPA services >>>>>>> [Verifying that root certificate is published] >>>>>>> [Migrate CRL publish directory] >>>>>>> CRL tree already moved >>>>>>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run >>>>>>> command ipa-server-upgrade manually. >>>>>>> Unexpected error - see /var/log/ipaupgrade.log for details: >>>>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', >>>>>>> 'start', &#39;pki-tomcatd(a)pki-tomcat.service >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit >>>>>>> status >>>>>>> 1: 'Job for pki-tomcatd(a)pki-tomcat.service >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control >>>>>>> process exited with error code.\nSee "systemctl status >>>>>>> pki-tomcatd(a)pki-tomcat.service >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service>" >>>>>>> and "journalctl -xe" for details.\n') >>>>>>> The ipa-server-upgrade command failed. See >>>>>>> /var/log/ipaupgrade.log for >>>>>>> more information >>>>>>> >>>>>>> See the upgrade log for more details and/or run >>>>>>> /usr/sbin/ipa-server-upgrade again >>>>>>> Stopping ipa-dnskeysyncd Service >>>>>>> Stopping ipa-otpd Service >>>>>>> Stopping pki-tomcatd Service >>>>>>> Stopping ipa-custodia Service >>>>>>> Stopping httpd Service >>>>>>> Stopping named Service >>>>>>> Stopping kadmin Service >>>>>>> Stopping krb5kdc Service >>>>>>> Stopping Directory Service >>>>>>> Aborting ipactl >>>>>>> >>>>>>> Regards >>>>>>> >>>>>>> >>>>>>>> El 23 nov. 2022, a las 11:50, Rob Crittenden <rcritten(a)redhat.com >>>>>>>> <mailto:rcritten@redhat.com> >>>>>>>> <mailto:rcritten@redhat.com> >>>>>>>> <mailto:rcritten@redhat.com>> escribió: >>>>>>>> >>>>>>>> Juan Pablo Lorier wrote: >>>>>>>>> Hi Rob, >>>>>>>>> >>>>>>>>> Thanks for the reply. As I didn’t know other way but to go back in >>>>>>>>> time, >>>>>>>>> I just did it and now the server is running 100%. >>>>>>>>> >>>>>>>>> This was all part of an update from 4.7 to 4.9. According to the >>>>>>>>> documentation, it was just a matter to def update but it seems >>>>>>>>> that is >>>>>>>>> not such a happy path.> >>>>>>>>> I updated the second server but it’s not able to finalize the >>>>>>>>> update >>>>>>>>> process. DNS is failing to start: >>>>>>>>> >>>>>>>>> # systemctl status ipa-dnskeysyncd.service >>>>>>>>> >>>>>>>>> >>>>>>>>> *●*ipa-dnskeysyncd.service - IPA key daemon >>>>>>>>> Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; >>>>>>>>> disabled; vendor preset: disabled) >>>>>>>>> Active: *active (running)*since Tue 2022-11-22 11:27:16 -03; 1h >>>>>>>>> 14min ago >>>>>>>>> Main PID: 250496 (ipa-dnskeysyncd) >>>>>>>>> Tasks: 1 (limit: 23652) >>>>>>>>> Memory: 68.4M >>>>>>>>> CGroup: /system.slice/ipa-dnskeysyncd.service >>>>>>>>> └─250496 /usr/libexec/platform-python -I >>>>>>>>> /usr/libexec/ipa/ipa-dnskeysyncd >>>>>>>>> >>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI >>>>>>>>> client >>>>>>>>> step 1 >>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI >>>>>>>>> client >>>>>>>>> step 2 >>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: >>>>>>>>> ipa-dnskeysyncd: >>>>>>>>> INFO Commencing sync process >>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: >>>>>>>>> ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, >>>>>>>>> sychronizing with ODS and BIND >>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>>>>>>>> *Configuration.cpp(96): Missing log.level in configuration. Using >>>>>>>>> default value: INFO* >>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>>>>>>>> *Configuration.cpp(96): Missing slots.mechanisms in configuration. >>>>>>>>> Using >>>>>>>>> default value: ALL* >>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>>>>>>>> *Configuration.cpp(124): Missing slots.removable in configuration. >>>>>>>>> Using >>>>>>>>> default value: false* >>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI >>>>>>>>> client >>>>>>>>> step 1 >>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI >>>>>>>>> client >>>>>>>>> step 1 >>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> GSSAPI client step 1 >>>>>>>>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service >>>>>>>>> >>>>>>>>> >>>>>>>>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 >>>>>>>>> 12:40:17 -03. -- >>>>>>>>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon. >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing all plugin modules in ipaserver.plugins... >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.aci >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.automember >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.automount >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.baseldap >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG ipaserver.plugins.baseldap is not a valid plugin module >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.baseuser >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.batch >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.ca >>>>>>>>> <http://ipaserver.plugins.ca/> >>>>>>>>> <http://ipaserver.plugins.ca/> >>>>>>>>> <http://ipaserver.plugins.ca >>>>>>>>> <http://ipaserver.plugins.ca/> <http://ipaserver.plugins.ca/>> >>>>>>>>> <http://ipaserver.plugins.ca <http://ipaserver.plugins.ca/> >>>>>>>>> <http://ipaserver.plugins.ca/> <http://ipaserver.plugins.ca/>> >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.caacl >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.cert >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.certmap >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.certprofile >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.config >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.delegation >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.dns >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.dnsserver >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.dogtag >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.domainlevel >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.group >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.hbac >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG ipaserver.plugins.hbac is not a valid plugin module >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.hbacrule >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.hbacsvc >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.hbactest >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.host >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.hostgroup >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.idrange >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.idviews >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.internal >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.join >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.krbtpolicy >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.ldap2 >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.location >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.migration >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.misc >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.netgroup >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.otp >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG ipaserver.plugins.otp is not a valid plugin module >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.otpconfig >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.otptoken >>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: >>>>>>>>> ipalib.plugable: >>>>>>>>> DEBUG importing plugin module ipaserver.plugins.passwd >>>>>>>> >>>>>>>> There should be quite a bit more after that. >>>>>>>> >>>>>>>>> >>>>>>>>> #less /var/log/dirsrv/slapd-*/access >>>>>>>>> >>>>>>>>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 >>>>>>>>> tag=101 >>>>>>>>> nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290 >>>>>>>>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH >>>>>>>>> base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 >>>>>>>>> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife >>>>>>>>> krbMaxRenewab >>>>>>>>> leAge krbTicketFlags krbAuthIndMaxTicketLife >>>>>>>>> krbAuthIndMaxRenewableAge" >>>>>>>>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 >>>>>>>>> tag=101 >>>>>>>>> nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403 >>>>>>>>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" >>>>>>>>> method=sasl version=3 mech=GSSAPI >>>>>>>>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 >>>>>>>>> tag=97 >>>>>>>>> nentries=0 wtime=0.000071973 optime=0.002531582 >>>>>>>>> etime=0.002602416, SASL >>>>>>>>> bind in progress >>>>>>>>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" >>>>>>>>> method=sasl version=3 mech=GSSAPI >>>>>>>>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 >>>>>>>>> tag=97 >>>>>>>>> nentries=0 wtime=0.000058962 optime=0.001451477 >>>>>>>>> etime=0.001509337, SASL >>>>>>>>> bind in progress >>>>>>>>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" >>>>>>>>> method=sasl version=3 mech=GSSAPI >>>>>>>>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 >>>>>>>>> tag=97 >>>>>>>>> nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 >>>>>>>>> dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc= >>>>>>>>> com,dc=uy" >>>>>>>>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH >>>>>>>>> base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 >>>>>>>>> filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" >>>>>>>>> attrs="objectClass cn fqdn serverHostN >>>>>>>>> ame memberOf ipaSshPubKey ipaUniqueID" >>>>>>>>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 >>>>>>>>> tag=101 >>>>>>>>> nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 >>>>>>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>>>>>>>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH >>>>>>>>> base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" >>>>>>>>> scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf >>>>>>>>> ipaU >>>>>>>>> niqueID" >>>>>>>>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 >>>>>>>>> tag=101 >>>>>>>>> nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 >>>>>>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>>>>>>>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH >>>>>>>>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 >>>>>>>>> filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" >>>>>>>>> attrs="objectClass ipaUniqueID cn memb >>>>>>>>> er entryusn" >>>>>>>>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 >>>>>>>>> tag=101 >>>>>>>>> nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 >>>>>>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>>>>>>>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH >>>>>>>>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 >>>>>>>>> filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostC >>>>>>>>> ategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgro >>>>>>>>> ups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" >>>>>>>>> attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt >>>>>>>>> ipaSudoRunAs >>>>>>>>> ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberU >>>>>>>>> ser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory >>>>>>>>> userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory >>>>>>>>> ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup e >>>>>>>>> xternalUser entryusn" >>>>>>>>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 >>>>>>>>> tag=101 >>>>>>>>> nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 >>>>>>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1 >>>>>>>>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT >>>>>>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>>>>>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT >>>>>>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>>>>>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 >>>>>>>>> tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 >>>>>>>>> etime=0.000956734 >>>>>>>>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 >>>>>>>>> tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 >>>>>>>>> etime=0.001489204 >>>>>>>>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT >>>>>>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>>>>>>>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 >>>>>>>>> tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 >>>>>>>>> etime=0.003098843 >>>>>>>>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT >>>>>>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>>>>>>>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 >>>>>>>>> tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 >>>>>>>>> etime=0.002897696 >>>>>>>>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT >>>>>>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>>>>>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT >>>>>>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" >>>>>>>>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 >>>>>>>>> tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 >>>>>>>>> etime=0.001372435 >>>>>>>>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 >>>>>>>>> tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 >>>>>>>>> etime=0.001748601 >>>>>>>>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT >>>>>>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>>>>>>>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 >>>>>>>>> tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 >>>>>>>>> etime=0.015402108 >>>>>>>>> >>>>>>>>> >>>>>>>>> I see that after the update, the files were changed: >>>>>>>>> >>>>>>>>> >>>>>>>>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY* >>>>>>>>> /etc/dirsrv/slapd-TNU-COM-UY: >>>>>>>>> total 4208 >>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem >>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem >>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 >>>>>>>>> TNU.COM.UY20IPA20CA.pem >>>>>>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db >>>>>>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig >>>>>>>>> -r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf >>>>>>>>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif >>>>>>>>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak >>>>>>>>> -rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 >>>>>>>>> dse.ldif.ipa.1cf1fe204fd69494 >>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:01 >>>>>>>>> dse.ldif.ipa.1dd1d38cbd8d26ae >>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:26 >>>>>>>>> dse.ldif.ipa.21662457cb42c116 >>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:47 >>>>>>>>> dse.ldif.ipa.256a5d66e550a957 >>>>>>>>> -rw-------. 1 dirsrv root 195350 Nov 21 13:35 >>>>>>>>> dse.ldif.ipa.274744b10eed3d9b >>>>>>>>> -rw-------. 1 dirsrv root 203050 Nov 21 19:09 >>>>>>>>> dse.ldif.ipa.385fb48f5462219c >>>>>>>>> -rw-------. 1 dirsrv root 156705 Jan 9 2020 >>>>>>>>> dse.ldif.ipa.6b71b47d73ca452a >>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:38 >>>>>>>>> dse.ldif.ipa.767aba4a82811822 >>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 21 21:07 >>>>>>>>> dse.ldif.ipa.814a4de587fc22ec >>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:49 >>>>>>>>> dse.ldif.ipa.889036fc0907e7de >>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:47 >>>>>>>>> dse.ldif.ipa.8fd2b7413b99dfa3 >>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:42 >>>>>>>>> dse.ldif.ipa.958ca3a96922f2fd >>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:48 >>>>>>>>> dse.ldif.ipa.bacd6d1d200348bf >>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:24 >>>>>>>>> dse.ldif.ipa.bfadc14f0e609072 >>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:23 >>>>>>>>> dse.ldif.ipa.f1e864261a119b6c >>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 15:42 >>>>>>>>> dse.ldif.ipa.fa918bf07c17e2e8 >>>>>>>>> -rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 >>>>>>>>> dse.ldif.modified.out >>>>>>>>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK >>>>>>>>> -r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif >>>>>>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db >>>>>>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig >>>>>>>>> -r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt >>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt >>>>>>>>> -rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig >>>>>>>>> -rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt >>>>>>>>> -r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig >>>>>>>>> drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema >>>>>>>>> drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak >>>>>>>>> -rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 >>>>>>>>> slapd-collations.conf >>>>>>>>> >>>>>>>>> >>>>>>>>> I can’t connect to the LDAP service: >>>>>>>>> >>>>>>>>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket >>>>>>>>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) >>>>>>>> >>>>>>>> You have to escape the socket path: >>>>>>>> ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket >>>>>>>> >>>>>>>>> # less /var/log/ipaupgrade.log >>>>>>>>> >>>>>>>>> Server built: Jun 29 2021 22:00:15 UTC >>>>>>>>> Server number: 9.0.30.0 >>>>>>>>> OS Name: Linux >>>>>>>>> OS Version: 4.18.0-348.7.1.el8_5.x86_64 >>>>>>>>> Architecture: amd64 >>>>>>>>> JVM Version: 1.8.0_322-b06 >>>>>>>>> JVM Vendor: Red Hat, Inc. >>>>>>>>> >>>>>>>>> 2022-11-22T14:26:56Z DEBUG stderr= >>>>>>>>> 2022-11-22T14:26:56Z DEBUG Starting external process >>>>>>>>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', >>>>>>>>> 'kra'] >>>>>>>>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1 >>>>>>>>> 2022-11-22T14:26:56Z DEBUG stdout= >>>>>>>>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in >>>>>>>>> instance pki-tomcat. >>>>>>>>> >>>>>>>>> 2022-11-22T14:26:56Z DEBUG Starting external process >>>>>>>>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', >>>>>>>>> &#39;pki-tomcatd(a)pki-tomcat.service >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service>'] >>>>>>>>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1 >>>>>>>>> 2022-11-22T14:26:57Z DEBUG stdout= >>>>>>>>> 2022-11-22T14:26:57Z DEBUG stderr=Job >>>>>>>>> for pki-tomcatd(a)pki-tomcat.service >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control >>>>>>>>> process exited with error code. >>>>>>>>> See "systemctl status pki-tomcatd(a)pki-tomcat.service >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>" and "journalctl -xe" for >>>>>>>>> details. >>>>>>>>> >>>>>>>>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect >>>>>>>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade >>>>>>>>> manually. >>>>>>>>> 2022-11-22T14:26:57Z DEBUG File >>>>>>>>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line >>>>>>>>> 180, in >>>>>>>>> execute >>>>>>>>> return_value = self.run() >>>>>>>>> File >>>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", >>>>>>>>> line 54, in run >>>>>>>>> server.upgrade() >>>>>>>>> File >>>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>>>>>>>> line 2055, in upgrade >>>>>>>>> upgrade_configuration() >>>>>>>>> File >>>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>>>>>>>> line 1783, in upgrade_configuration >>>>>>>>> ca.start('pki-tomcat') >>>>>>>>> File >>>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", >>>>>>>>> line 524, in start >>>>>>>>> self.service.start(instance_name, >>>>>>>>> capture_output=capture_output, >>>>>>>>> wait=wait) >>>>>>>>> File >>>>>>>>> "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", >>>>>>>>> line 306, in start >>>>>>>>> skip_output=not capture_output) >>>>>>>>> File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", >>>>>>>>> line >>>>>>>>> 600, in run >>>>>>>>> p.returncode, arg_string, output_log, error_log >>>>>>>>> >>>>>>>>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, >>>>>>>>> exception: CalledProcessError: CalledProcessError(Command >>>>>>>>> ['/bin/systemctl', 'start', &#39;pki-tomcatd(a)pki-tomcat.service >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit >>>>>>>>> status >>>>>>>>> 1: 'Job for pki-tomcatd(a)pki-tomcat.service >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control >>>>>>>>> process exited with error code.\nSee "systemctl status >>>>>>>>> pki-tomcatd(a)pki-tomcat.service >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service>" >>>>>>>>> and "journalctl -xe" for details.\n') >>>>>>>>> 2022-11-22T14:26:57Z ERROR Unexpected error - see >>>>>>>>> /var/log/ipaupgrade.log for details: >>>>>>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', >>>>>>>>> 'start', &#39;pki-tomcatd(a)pki-tomcat.service >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit >>>>>>>>> status >>>>>>>>> 1: 'Job for pki-tomcatd(a)pki-tomcat.service >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control >>>>>>>>> process exited with error code.\nSee "systemctl status >>>>>>>>> pki-tomcatd(a)pki-tomcat.service >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> <mailto:pki-tomcatd@pki-tomcat.service>" >>>>>>>>> and "journalctl -xe" for details.\n') >>>>>>>>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command >>>>>>>>> failed. See >>>>>>>>> /var/log/ipaupgrade.log for more information >>>>>>>>> (END) >>>>>>>> >>>>>>>> The CA failed to start. This is often due to expired >>>>>>>> certificates that >>>>>>>> get exposed when an upgrade is done. Check that out. >>>>>>>> >>>>>>>>> #ipactl status >>>>>>>>> >>>>>>>>> Directory Service: RUNNING >>>>>>>>> krb5kdc Service: RUNNING >>>>>>>>> kadmin Service: RUNNING >>>>>>>>> named Service: STOPPED >>>>>>>>> httpd Service: RUNNING >>>>>>>>> ipa-custodia Service: RUNNING >>>>>>>>> pki-tomcatd Service: STOPPED >>>>>>>>> ipa-otpd Service: RUNNING >>>>>>>>> ipa-dnskeysyncd Service: RUNNING >>>>>>>>> 2 service(s) are not running >>>>>>>>> >>>>>>>>> >>>>>>>>> Thanks >>>>>>>>> >>>>>>>>>> El 22 nov. 2022, a las 11:43, Rob Crittenden >>>>>>>>>> <rcritten(a)redhat.com <mailto:rcritten@redhat.com> >>>>>>>>>> <mailto:rcritten@redhat.com> >>>>>>>>>> <mailto:rcritten@redhat.com> >>>>>>>>>> <mailto:rcritten@redhat.com>> escribió: >>>>>>>>>> >>>>>>>>>> Juan Pablo Lorier via FreeIPA-users wrote: >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> I have a production server that was not maintained and I see >>>>>>>>>>> that the >>>>>>>>>>> HTTP certificate has expired long ago. I tried to renew it >>>>>>>>>>> but I'm >>>>>>>>>>> not being agle to get it right. >>>>>>>>>>> >>>>>>>>>>> The initial status was: >>>>>>>>>>> >>>>>>>>>>> Request ID '20191219011208': >>>>>>>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >>>>>>>>>>> stuck: yes >>>>>>>>>>> key pair storage: >>>>>>>>>>> type=FILE,location='/var/lib/ipa/private/httpd.key' >>>>>>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>>>>>>>> >>>>>>>>>>> Then following this thread >>>>>>>>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >>>>>>>>>>> >>>>>>>>>>> I got it to this state: >>>>>>>>>>> >>>>>>>>>>> Request ID '20191219011208': >>>>>>>>>>> status: MONITORING >>>>>>>>>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed >>>>>>>>>>> request, >>>>>>>>>>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. >>>>>>>>>>> libcurl failed even to execute the HTTP transaction, explaining: >>>>>>>>>>> SSL certificate problem: certificate has expired). >>>>>>>>>>> stuck: no >>>>>>>>>>> key pair storage: >>>>>>>>>>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA' >>>>>>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>>>>>>>> >>>>>>>>>>> The post indicates that I have to put an old date in the >>>>>>>>>>> server to >>>>>>>>>>> get it renewed, but as the server is in production, it means >>>>>>>>>>> that all >>>>>>>>>>> clients will fail to log to the server. Evenmore, what time >>>>>>>>>>> should I >>>>>>>>>>> return to, before the certificate expiration or right after? >>>>>>>>>>> Thanks in advanc >>>>>>>>>> >>>>>>>>>> I'd guess that this affects a lot more than just the web server >>>>>>>>>> cert. >>>>>>>>>> getcert list will tell you. >>>>>>>>>> >>>>>>>>>> Depending on that outcome affect the suggested remediation. >>>>>>>>>> >>>>>>>>>> As for going back in time, you'd need a server outage to do this >>>>>>>>>> and it >>>>>>>>>> only would be backwards in time for a short time. Just long >>>>>>>>>> enough so >>>>>>>>>> the services could start with non-expired certificates to get them >>>>>>>>>> renewed. But there are other ways to do this that don't require >>>>>>>>>> fiddling >>>>>>>>>> with time. >>>>>>>>>> >>>>>>>>>> rob

El 1 dic. 2022, a las 01:30, Jochen Kellner <jochen(a)jochen.org&gt; escribió: Hello Juan, Juan Pablo Lorier via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org&gt; writes: > You are right, there are several certificates stuck in dc2: > > getcert list ... > Request ID '20221130160320': > status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN My google-fu point to that comment in an issue: https://github.com/freeipa/freeipa-healthcheck/issues/123#issuecomment-65... That has the commands to fix the issue. Another possibility should be to stop-tracking the certificates and run ipa-server-upgrade which should restore the trackings. Right? Jochen -- This space is intentionally left blank.

Ok, I fixed the certs following other ticket but using the pin file pointed in the link you sent me. Result: ipa-getcert start-tracking -i 20221201163932 -p /etc/pki/pki-tomcat/alias/pwdfile.txt

But it seems that the spa-server-upgrade brakes them again: named user config '/etc/named/ipa-ext.conf' already exists named user config '/etc/named/ipa-options-ext.conf' already exists named user config '/etc/named/ipa-logging-ext.conf' already exists [Upgrading CA schema] CA schema update complete [Update certmonger certificate renewal configuration] Missing or incorrect tracking request for certificates:   /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca   /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca   /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca   /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca Certmonger certificate renewal configuration updated [Enable PKIX certificate path discovery and validation] PKIX already enabled [Authorizing RA Agent to modify profiles] [Authorizing RA Agent to manage lightweight CAs] [Ensuring Lightweight CAs container exists in Dogtag database] [Adding default OCSP URI configuration] [Disabling cert publishing] pki-tomcat configuration changed, restart pki-tomcat [Ensuring CA is using LDAPProfileSubsystem] [Migrating certificate profiles to LDAP] Migrating profile 'acmeServerCert' IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information Request ID '20221201164512': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca' CA: dogtag-ipa-ca-renew-agent issuer:  subject:  issued: unknown expires: unknown profile: caSignedLogCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20221201164513': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca' CA: dogtag-ipa-ca-renew-agent issuer:  subject:  issued: unknown expires: unknown profile: caOCSPCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20221201164514': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca' CA: dogtag-ipa-ca-renew-agent issuer:  subject:  issued: unknown expires: unknown profile: caSubsystemCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20221201164515': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca' CA: dogtag-ipa-ca-renew-agent issuer:  subject:  issued: unknown expires: unknown profile: caCACert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes > El 1 dic. 2022, a las 12:47, Juan Pablo Lorier <jplorier(a)gmail.com > <mailto:jplorier@gmail.com>> escribió: > > Thanks Jochen, > > I tried following the post but the getcert command is complaining > about the syntax and I can’t find why. According to man page, the > parameters are right. > > I also tried to remove the certs and run spa-server-upgrade but it > generates new certs and fails at the same point (new certs are also > pending pin information) > It looks like I will need a way to unstuck those certs for the upgrade > to continue. > All suggestions are Wellcome :-) > Regards > >> El 1 dic. 2022, a las 01:30, Jochen Kellner <jochen(a)jochen.org >> <mailto:jochen@jochen.org>> escribió: >> >> >> Hello Juan, >> >> Juan Pablo Lorier via FreeIPA-users >> <freeipa-users(a)lists.fedorahosted.org >> <mailto:freeipa-users@lists.fedorahosted.org>> writes: >> >>> You are right, there are several certificates stuck in dc2: >>> >>> getcert list >> ... >>> Request ID '20221130160320': >>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >> >> My google-fu point to that comment in an issue: >> https://github.com/freeipa/freeipa-healthcheck/issues/123#issuecomment-65... >> That has the commands to fix the issue. >> >> Another possibility should be to stop-tracking the certificates and run >> ipa-server-upgrade which should restore the trackings. Right? >> >> Jochen >> >> -- >> This space is intentionally left blank. >

Hi Rob, I do manually add the pin and they get in MONITORING state, but the IPA server is not consistent because the upgrade never completes. If I try to run the upgrade, the process renews the certs and they go back to stuck state. Look at the upgrade output I sent and then you can see that those certs get into stuck because of the missing pin:

>> [Update certmonger certificate renewal configuration] >> Missing or incorrect tracking request for certificates: >>   /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca >>   /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca >>   /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca >>   /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca >> Certmonger certificate renewal configuration updated > El 1 dic. 2022, a las 13:52, Rob Crittenden <rcritten(a)redhat.com > <mailto:rcritten@redhat.com>> escribió: > > Juan Pablo Lorier wrote: >> Ok, I fixed the certs following other ticket but using the pin file >> pointed in the link you sent me. >> Result: >> >> ipa-getcert start-tracking -i 20221201163932 -p >> /etc/pki/pki-tomcat/alias/pwdfile.txt > > I don't know what request 20221201163932 is but you need to add the pin > file to all of the CA-related trackers. > > rob > >> >> But it seems that the spa-server-upgrade brakes them again: >> >> named user config '/etc/named/ipa-ext.conf' already exists >> named user config '/etc/named/ipa-options-ext.conf' already exists >> named user config '/etc/named/ipa-logging-ext.conf' already exists >> [Upgrading CA schema] >> CA schema update complete >> [Update certmonger certificate renewal configuration] >> Missing or incorrect tracking request for certificates: >>   /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca >>   /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca >>   /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca >>   /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca >> Certmonger certificate renewal configuration updated >> [Enable PKIX certificate path discovery and validation] >> PKIX already enabled >> [Authorizing RA Agent to modify profiles] >> [Authorizing RA Agent to manage lightweight CAs] >> [Ensuring Lightweight CAs container exists in Dogtag database] >> [Adding default OCSP URI configuration] >> [Disabling cert publishing] >> pki-tomcat configuration changed, restart pki-tomcat >> [Ensuring CA is using LDAPProfileSubsystem] >> [Migrating certificate profiles to LDAP] >> Migrating profile 'acmeServerCert' >> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run >> command ipa-server-upgrade manually. >> Unexpected error - see /var/log/ipaupgrade.log for details: >> NetworkError: cannot connect to >> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error >> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for >> more information >> >> >> >> >> >> Request ID '20221201164512': >> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >> stuck: yes >> key pair storage: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert >> cert-pki-ca' >> certificate: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert >> cert-pki-ca' >> CA: dogtag-ipa-ca-renew-agent >> issuer:  >> subject:  >> issued: unknown >> expires: unknown >> profile: caSignedLogCert >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert >> "auditSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20221201164513': >> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >> stuck: yes >> key pair storage: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert >> cert-pki-ca' >> certificate: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert >> cert-pki-ca' >> CA: dogtag-ipa-ca-renew-agent >> issuer:  >> subject:  >> issued: unknown >> expires: unknown >> profile: caOCSPCert >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert >> "ocspSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20221201164514': >> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >> stuck: yes >> key pair storage: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert >> cert-pki-ca' >> certificate: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert >> cert-pki-ca' >> CA: dogtag-ipa-ca-renew-agent >> issuer:  >> subject:  >> issued: unknown >> expires: unknown >> profile: caSubsystemCert >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert >> "subsystemCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20221201164515': >> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >> stuck: yes >> key pair storage: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert >> cert-pki-ca' >> certificate: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert >> cert-pki-ca' >> CA: dogtag-ipa-ca-renew-agent >> issuer:  >> subject:  >> issued: unknown >> expires: unknown >> profile: caCACert >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert >> "caSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> >>> El 1 dic. 2022, a las 12:47, Juan Pablo Lorier <jplorier(a)gmail.com >>> <mailto:jplorier@gmail.com> >>> <mailto:jplorier@gmail.com>> escribió: >>> >>> Thanks Jochen, >>> >>> I tried following the post but the getcert command is complaining >>> about the syntax and I can’t find why. According to man page, the >>> parameters are right. >>> >>> I also tried to remove the certs and run spa-server-upgrade but it >>> generates new certs and fails at the same point (new certs are also >>> pending pin information) >>> It looks like I will need a way to unstuck those certs for the upgrade >>> to continue. >>> All suggestions are Wellcome :-) >>> Regards >>> >>>> El 1 dic. 2022, a las 01:30, Jochen Kellner <jochen(a)jochen.org >>>> <mailto:jochen@jochen.org> >>>> <mailto:jochen@jochen.org>> escribió: >>>> >>>> >>>> Hello Juan, >>>> >>>> Juan Pablo Lorier via FreeIPA-users >>>> <freeipa-users(a)lists.fedorahosted.org >>>> <mailto:freeipa-users@lists.fedorahosted.org> >>>> <mailto:freeipa-users@lists.fedorahosted.org>> writes: >>>> >>>>> You are right, there are several certificates stuck in dc2: >>>>> >>>>> getcert list >>>> ... >>>>> Request ID '20221130160320': >>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >>>> >>>> My google-fu point to that comment in an issue: >>>> https://github.com/freeipa/freeipa-healthcheck/issues/123#issuecomment-65... >>>> That has the commands to fix the issue. >>>> >>>> Another possibility should be to stop-tracking the certificates and run >>>> ipa-server-upgrade which should restore the trackings. Right? >>>> >>>> Jochen >>>> >>>> --  >>>> This space is intentionally left blank.

Hi Rob, All dates are good once I add the pin manually. The only problem is the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run the updater. I don’t know what is not right with the certs. Maybe you can point me in a direction to look at the logs. Let me share the getcert list once I manually fixed the pin:

>>>> 2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and >>>> enabled; skipping >>>> 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert' >>>> 2022-11-30T16:07:49Z DEBUG request GET >>>> https://dc2.tnu.com.uy:8443/ca/rest/account/login >>>> 2022-11-30T16:07:49Z DEBUG request body '' >>>> 2022-11-30T16:07:54Z DEBUG httplib request failed: >>>> Traceback (most recent call last): >>>>   File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line

Hi Jochen and thanks for your reply. My knowledge in CA is not much so I will try to follow as much as I can. The only error I don’t know if is ok to be there is the kra error mentioned in the logs. What I did was comparing the files in the request directory before and after the upgrade with the 4 certs in stuck state and the files were the same. I then removed the files in the directory and run the upgrade again which created new files and the new 4 certs again in stuck state. At last, I fixed the certs and run again the upgrade. Here are the fixed certs, dir content, etc for the last try:

 getcert list Number of certificates and requests being tracked: 9. Request ID '20200110015908': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: IPA issuer: CN=Certificate Authority,O=TNU.COM.UY subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY issued: 2021-12-12 22:59:28 -03 expires: 2023-12-13 22:59:28 -03 principal name: krbtgt/TNU.COM.UY(a)TNU.COM.UY <mailto:krbtgt/TNU.COM.UY@TNU.COM.UY> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-pkinit-KPKdc profile: KDCs_PKINIT_Certs pre-save command:  post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes Request ID '20221202140756': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=TNU.COM.UY subject: CN=CA Audit,O=TNU.COM.UY issued: 2021-11-09 15:11:14 -03 expires: 2023-10-30 15:11:14 -03 key usage: digitalSignature,nonRepudiation profile: caSignedLogCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20221202140757': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=TNU.COM.UY subject: CN=OCSP Subsystem,O=TNU.COM.UY issued: 2021-11-09 15:12:03 -03 expires: 2023-10-30 15:12:03 -03 eku: id-kp-OCSPSigning profile: caOCSPCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20221202140758': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=TNU.COM.UY subject: CN=CA Subsystem,O=TNU.COM.UY issued: 2021-11-09 15:11:13 -03 expires: 2023-10-30 15:11:13 -03 key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-clientAuth profile: caSubsystemCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20221202140759': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=TNU.COM.UY subject: CN=Certificate Authority,O=TNU.COM.UY issued: 2022-08-26 14:25:16 -03 expires: 2042-08-26 14:25:16 -03 key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign profile: caCACert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20221202140800': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=TNU.COM.UY subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY issued: 2021-12-01 22:56:02 -03 expires: 2023-11-21 22:56:02 -03 dns: dc2.tnu.com.uy key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth profile: caServerCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20221202140801': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=TNU.COM.UY subject: CN=IPA RA,O=TNU.COM.UY issued: 2021-11-09 15:12:27 -03 expires: 2023-10-30 15:12:27 -03 key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth profile: caSubsystemCert pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20221202140802': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=TNU.COM.UY subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY issued: 2021-12-12 22:53:10 -03 expires: 2023-12-13 22:53:10 -03 dns: dc2.tnu.com.uy principal name: ldap/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth profile: caIPAserviceCert pre-save command:  post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY track: yes auto-renew: yes Request ID '20221202140803': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA' certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' CA: IPA issuer: CN=Certificate Authority,O=TNU.COM.UY subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY issued: 2021-12-12 22:53:26 -03 expires: 2023-12-13 22:53:26 -03 dns: dc2.tnu.com.uy principal name: HTTP/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:HTTP/dc2.tnu.com.uy@TNU.COM.UY> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth profile: caIPAserviceCert pre-save command:  post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes # ll /var/lib/certmonger/requests total 64 -rw------- 1 root root 4598 Dec  2 11:27 20221202140756 -rw------- 1 root root 4785 Dec  2 11:27 20221202140757 -rw------- 1 root root 4798 Dec  2 11:27 20221202140758 -rw------- 1 root root 4851 Dec  2 11:27 20221202140759 -rw------- 1 root root 4983 Dec  2 11:08 20221202140800 -rw------- 1 root root 4610 Dec  2 11:08 20221202140801 -rw------- 1 root root 5373 Dec  2 11:08 20221202140802 -rw------- 1 root root 5272 Dec  2 11:08 20221202140803 # cat req_temp/requests/20221202140756 id=20221202140756 key_type=RSA key_gen_type=RSA key_size=2048 key_gen_size=2048 key_next_type=UNSPECIFIED key_next_gen_type=RSA key_next_size=0 key_next_gen_size=2048 key_preserve=0 key_storage_type=NSSDB key_storage_location=/etc/pki/pki-tomcat/alias key_token=NSS Certificate DB key_nickname=auditSigningCert cert-pki-ca key_pin_file=/etc/pki/pki-tomcat/alias/pwdfile.txt key_perms=0 key_pubkey=3082010A0282010100ED7F292C336E1F03C6BBE7A5EC8AE21FCE742A8561FD7EC8F81C5645C1ACD110EAF0B0346D4E85ECB14EDA5E7C6EFB061A7321B3C06A48307C81CEB1D9519217A51A528246248B342E0E5EEB1D6115EED86B1836EE2F2D93926D9CC4550CA92868276E2AE46A5416F3E53A717AC376DB6FBD3EAEDBF9F3CA50C208472976F4D4A8761D948C8C85A23155EE06BA4A1C60BE2816D24D399D4C161CB29D625A8F674D54E7BF0A72D6D281F0DE5C09F4FCB98CA1F0958DD782CF7802779F052F2A9D9CB6A18FDA113A9D2782BB6431CFCE4F95DF0E378E3C24DC8E227F459F7AE9046C0577F073B1D9267CAD5540681EB58E4A3E78C67CDB9D7D1A7696284A9F92190203010001 key_pubkey_info=30820122300D06092A864886F70D01010105000382010F003082010A0282010100ED7F292C336E1F03C6BBE7A5EC8AE21FCE742A8561FD7EC8F81C5645C1ACD110EAF0B0346D4E85ECB14EDA5E7C6EFB061A7321B3C06A48307C81CEB1D9519217A51A528246248B342E0E5EEB1D6115EED86B1836EE2F2D93926D9CC4550CA92868276E2AE46A5416F3E53A717AC376DB6FBD3EAEDBF9F3CA50C208472976F4D4A8761D948C8C85A23155EE06BA4A1C60BE2816D24D399D4C161CB29D625A8F674D54E7BF0A72D6D281F0DE5C09F4FCB98CA1F0958DD782CF7802779F052F2A9D9CB6A18FDA113A9D2782BB6431CFCE4F95DF0E378E3C24DC8E227F459F7AE9046C0577F073B1D9267CAD5540681EB58E4A3E78C67CDB9D7D1A7696284A9F92190203010001 key_requested_count=0 key_issued_count=0 cert_storage_type=NSSDB cert_storage_location=/etc/pki/pki-tomcat/alias cert_token=NSS Certificate DB cert_nickname=auditSigningCert cert-pki-ca cert_perms=0 cert_issuer_der=303531133011060355040A0C0A544E552E434F4D2E5559311E301C06035504030C15436572746966696361746520417574686F72697479 cert_issuer=CN=Certificate Authority,O=TNU.COM.UY cert_serial=14 cert_subject_der=302831133011060355040A0C0A544E552E434F4D2E55593111300F06035504030C084341204175646974 cert_subject=CN=CA Audit,O=TNU.COM.UY cert_spki=30820122300D06092A864886F70D01010105000382010F003082010A0282010100ED7F292C336E1F03C6BBE7A5EC8AE21FCE742A8561FD7EC8F81C5645C1ACD110EAF0B0346D4E85ECB14EDA5E7C6EFB061A7321B3C06A48307C81CEB1D9519217A51A528246248B342E0E5EEB1D6115EED86B1836EE2F2D93926D9CC4550CA92868276E2AE46A5416F3E53A717AC376DB6FBD3EAEDBF9F3CA50C208472976F4D4A8761D948C8C85A23155EE06BA4A1C60BE2816D24D399D4C161CB29D625A8F674D54E7BF0A72D6D281F0DE5C09F4FCB98CA1F0958DD782CF7802779F052F2A9D9CB6A18FDA113A9D2782BB6431CFCE4F95DF0E378E3C24DC8E227F459F7AE9046C0577F073B1D9267CAD5540681EB58E4A3E78C67CDB9D7D1A7696284A9F92190203010001 cert_not_before=20211109181114 cert_not_after=20231030181114 cert_ku=11 cert_is_ca=0 cert_ca_path_length=-1 cert_no_ocsp_check=0 last_need_notify_check=19700101000000 last_need_enroll_check=19700101000000 template_subject_der=302831133011060355040A0C0A544E552E434F4D2E55593111300F06035504030C084341204175646974 template_subject=CN=CA Audit,O=TNU.COM.UY template_ku=11 template_is_ca=0 template_ca_path_length=-1 template_profile=caSignedLogCert template_no_ocsp_check=0 state=MONITORING autorenew=1 monitor=1 ca_name=IPA submitted=19700101000000 cert=-----BEGIN CERTIFICATE-----  MIIDKjCCAhKgAwIBAgIBFDANBgkqhkiG9w0BAQsFAD # ipa-server-upgrade  Upgrading IPA:. Estimated time: 1 minute 30 seconds   [1/11]: stopping directory server   [2/11]: saving configuration   [3/11]: disabling listeners   [4/11]: enabling DS global lock   [5/11]: disabling Schema Compat   [6/11]: starting directory server   [7/11]: updating schema   [8/11]: upgrading server Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed. Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.   [9/11]: stopping directory server   [10/11]: restoring configuration   [11/11]: starting directory server Done. Update complete Upgrading IPA services Upgrading the configuration of the IPA services Disabled p11-kit-proxy [Verifying that root certificate is published] [Migrate CRL publish directory] CRL tree already moved [Verifying that KDC configuration is using ipa-kdb backend] [Fix DS schema file syntax] Syntax already fixed [Removing RA cert from DS NSS database] RA cert already removed [Enable sidgen and extdom plugins by default] [Updating HTTPD service IPA configuration] [Updating HTTPD service IPA WSGI configuration] Nothing to do for configure_httpd_wsgi_conf [Migrating from mod_nss to mod_ssl] Already migrated to mod_ssl [Moving HTTPD service keytab to gssproxy] [Removing self-signed CA] [Removing Dogtag 9 CA] [Checking for deprecated KDC configuration files] [Checking for deprecated backups of Samba configuration files] dnssec-validation yes [Add missing CA DNS records] IPA CA DNS records already processed named user config '/etc/named/ipa-ext.conf' already exists named user config '/etc/named/ipa-options-ext.conf' already exists named user config '/etc/named/ipa-logging-ext.conf' already exists [Upgrading CA schema] CA schema update complete [Update certmonger certificate renewal configuration] Missing or incorrect tracking request for certificates:   /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca   /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca   /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca   /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca Certmonger certificate renewal configuration updated [Enable PKIX certificate path discovery and validation] PKIX already enabled [Authorizing RA Agent to modify profiles] [Authorizing RA Agent to manage lightweight CAs] [Ensuring Lightweight CAs container exists in Dogtag database] [Adding default OCSP URI configuration] [Disabling cert publishing] pki-tomcat configuration changed, restart pki-tomcat [Ensuring CA is using LDAPProfileSubsystem] [Migrating certificate profiles to LDAP] Migrating profile 'acmeServerCert' IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information # getcert list Number of certificates and requests being tracked: 9. Request ID '20200110015908': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: IPA issuer: CN=Certificate Authority,O=TNU.COM.UY subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY issued: 2021-12-12 22:59:28 -03 expires: 2023-12-13 22:59:28 -03 principal name: krbtgt/TNU.COM.UY(a)TNU.COM.UY <mailto:krbtgt/TNU.COM.UY@TNU.COM.UY> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-pkinit-KPKdc profile: KDCs_PKINIT_Certs pre-save command:  post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes Request ID '20221202175657': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca' CA: dogtag-ipa-ca-renew-agent issuer:  subject:  issued: unknown expires: unknown profile: caSignedLogCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20221202175658': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca' CA: dogtag-ipa-ca-renew-agent issuer:  subject:  issued: unknown expires: unknown profile: caOCSPCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20221202175659': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca' CA: dogtag-ipa-ca-renew-agent issuer:  subject:  issued: unknown expires: unknown profile: caSubsystemCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20221202175700': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca' CA: dogtag-ipa-ca-renew-agent issuer:  subject:  issued: unknown expires: unknown profile: caCACert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20221202175701': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=TNU.COM.UY subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY issued: 2021-12-01 22:56:02 -03 expires: 2023-11-21 22:56:02 -03 dns: dc2.tnu.com.uy key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth profile: caServerCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20221202175702': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=TNU.COM.UY subject: CN=IPA RA,O=TNU.COM.UY issued: 2021-11-09 15:12:27 -03 expires: 2023-10-30 15:12:27 -03 key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth profile: caSubsystemCert pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20221202175703': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=TNU.COM.UY subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY issued: 2021-12-12 22:53:10 -03 expires: 2023-12-13 22:53:10 -03 dns: dc2.tnu.com.uy principal name: ldap/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:ldap/dc2.tnu.com.uy@TNU.COM.UY> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth profile: caIPAserviceCert pre-save command:  post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY track: yes auto-renew: yes Request ID '20221202175704': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA' certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' CA: IPA issuer: CN=Certificate Authority,O=TNU.COM.UY subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY issued: 2021-12-12 22:53:26 -03 expires: 2023-12-13 22:53:26 -03 dns: dc2.tnu.com.uy principal name: HTTP/dc2.tnu.com.uy(a)TNU.COM.UY <mailto:HTTP/dc2.tnu.com.uy@TNU.COM.UY> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth profile: caIPAserviceCert pre-save command:  post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes # ll /var/lib/certmonger/requests total 48 -rw------- 1 root root 1029 Dec  2 14:56 20221202175658 -rw------- 1 root root 1021 Dec  2 14:57 20221202175658-1 -rw------- 1 root root 1020 Dec  2 14:57 20221202175659 -rw------- 1 root root 1013 Dec  2 14:57 20221202175700 -rw------- 1 root root 4983 Dec  2 14:57 20221202175701 -rw------- 1 root root 4610 Dec  2 14:57 20221202175702 -rw------- 1 root root 5373 Dec  2 14:57 20221202175703 -rw------- 1 root root 5272 Dec  2 14:57 20221202175704  cat /var/lib/certmonger/requests/20221202175658 id=20221202175657 key_type=UNSPECIFIED key_gen_type=RSA key_size=0 key_gen_size=2048 key_next_type=UNSPECIFIED key_next_gen_type=RSA key_next_size=0 key_next_gen_size=2048 key_preserve=0 key_storage_type=NSSDB key_storage_location=/etc/pki/pki-tomcat/alias key_nickname=auditSigningCert cert-pki-ca key_perms=0 key_requested_count=0 key_issued_count=0 cert_storage_type=NSSDB cert_storage_location=/etc/pki/pki-tomcat/alias cert_nickname=auditSigningCert cert-pki-ca cert_perms=0 cert_is_ca=0 cert_ca_path_length=0 cert_no_ocsp_check=0 last_need_notify_check=19700101000000 last_need_enroll_check=19700101000000 template_is_ca=0 template_ca_path_length=0 template_profile=caSignedLogCert template_no_ocsp_check=0 state=NEWLY_ADDED_NEED_KEYINFO_READ_PIN autorenew=1 monitor=1 ca_name=dogtag-ipa-ca-renew-agent submitted=19700101000000 pre_certsave_command=/usr/libexec/ipa/certmonger/stop_pkicad pre_certsave_uid=0 post_certsave_command=/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" post_certsave_uid=0 UPGRADELOG: 2022-11-30T16:03:16Z DEBUG stderr= 2022-11-30T16:03:16Z DEBUG Start of certmonger.service complete 2022-11-30T16:03:16Z DEBUG Starting external process 2022-11-30T16:03:16Z DEBUG args=['pki-server', 'subsystem-show', 'kra'] 2022-11-30T16:03:17Z DEBUG Process finished, return code=1 2022-11-30T16:03:17Z DEBUG stdout= 2022-11-30T16:03:17Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat. 2022-11-30T16:03:17Z INFO [Update certmonger certificate renewal configuration] 2022-11-30T16:03:17Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2022-11-30T16:03:17Z DEBUG Starting external process 2022-11-30T16:03:17Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TNU-COM-UY/', '-L', '-n', 'Server-Cert', '-a', '-f', '/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'] 2022-11-30T16:03:17Z DEBUG Process finished, return code=0 2022-11-30T16:03:17Z DEBUG stdout=-----BEGIN CERTIFICATE----- Xxxx -----END CERTIFICATE----- 2022-11-30T16:03:17Z DEBUG stderr= 2022-11-30T16:03:17Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2022-11-30T16:03:17Z DEBUG Starting external process 2022-11-30T16:03:17Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt'] 2022-11-30T16:03:17Z DEBUG Process finished, return code=0 2022-11-30T16:03:17Z DEBUG stdout= Certificate Nickname                                         Trust Attributes                                                              SSL,S/MIME,JAR/XPI subsystemCert cert-pki-ca                                    u,u,u auditSigningCert cert-pki-ca                                 u,u,Pu ocspSigningCert cert-pki-ca                                  u,u,u Server-Cert cert-pki-ca                                      u,u,u caSigningCert cert-pki-ca                                    CTu,Cu,Cu TNU.COM.UY IPA CA                                            CTu,Cu,Cu TNU.COM.UY IPA CA                                            CTu,Cu,Cu 2022-11-30T16:03:17Z DEBUG stderr= 2022-11-30T16:03:19Z INFO Missing or incorrect tracking request for certificates: 2022-11-30T16:03:19Z INFO   /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca 2022-11-30T16:03:19Z INFO   /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca 2022-11-30T16:03:19Z INFO   /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca 2022-11-30T16:03:19Z INFO   /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca 2022-11-30T16:03:19Z INFO   /etc/pki/pki-tomcat/alias:Server-Cert cert-pki-ca 2022-11-30T16:03:19Z INFO   /var/lib/ipa/ra-agent.pem 2022-11-30T16:03:19Z INFO   /var/lib/ipa/certs/httpd.crt 2022-11-30T16:03:19Z DEBUG Configuring certmonger to stop tracking system certificates for CA 2022-11-30T16:03:19Z DEBUG Starting external process 2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'is-active', 'dbus.service'] 2022-11-30T16:03:19Z DEBUG Process finished, return code=0 2022-11-30T16:03:19Z DEBUG stdout=active 2022-11-30T16:03:19Z DEBUG stderr= 2022-11-30T16:03:19Z DEBUG Starting external process 2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'start', 'certmonger.service'] 2022-11-30T16:03:19Z DEBUG Process finished, return code=0 2022-11-30T16:03:19Z DEBUG stdout= 2022-11-30T16:03:19Z DEBUG stderr= 2022-11-30T16:03:19Z DEBUG Starting external process 2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'is-active', 'certmonger.service'] 2022-11-30T16:03:19Z DEBUG Process finished, return code=0 2022-11-30T16:03:19Z DEBUG stdout=active 2022-11-30T16:03:19Z DEBUG stderr= 2022-11-30T16:03:19Z DEBUG Start of certmonger.service complete 2022-11-30T16:03:20Z DEBUG Starting external process 2022-11-30T16:03:20Z DEBUG args=['pki-server', 'subsystem-show', 'kra'] 2022-11-30T16:03:20Z DEBUG Process finished, return code=1 2022-11-30T16:03:20Z DEBUG stdout= 2022-11-30T16:03:20Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat. > El 1 dic. 2022, a las 20:14, Jochen Kellner <jochen(a)jochen.org > <mailto:jochen@jochen.org>> escribió: > > Juan Pablo Lorier via FreeIPA-users > <freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> writes: > >> Hi Rob, >> >> All dates are good once I add the pin manually. The only problem is >> the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run >> the updater. I don’t know what is not right with the certs. Maybe you >> can point me in a direction to look at the logs. Let me share the >> getcert list once I manually fixed the pin: > > Can you perhaps compare the requests for one certificate before and > after the upgrade? The requests are stored in > /var/lib/certmonger/requests. Let's focus on one certificate first, > for example: > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca' > > I'd try something like that: > - save /var/lib/certmonger/requests somewhere > - try the upgrade once again > - save /var/lib/certmonger/requests again, somwhere else > - compare and see what the differences really are > > Depending on the differences - and needs some creative thinking: > - reset the system to the state before the upgrade > - stop certmonger > - replace /var/lib/certmonger/requests with the second copy (from after >  the upgrade) > - We need to get certmonger and ipa-server-upgrade be happy with these >  requests, so the request don't get changed during the next upgrade. > > I've had a look at the logs of the last ipaupgrade.log. For each > certificcate I see: > 2022-09-02T20:02:24Z INFO [Update certmonger certificate renewal > configuration] > ... > 2022-09-02T20:02:24Z INFO Certmonger certificate renewal configuration > already up-to-date > > I guess the second line for you says something like "...config > updated". We need to see, if the lines between have some clues for us. > > In a post upthread you posted the console output: > Missing or incorrect tracking request for certificates: >  /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca >  /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca >  /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca >  /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca > Certmonger certificate renewal configuration updated > > Also upthread you posted: >>>>>> 2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in >>>>>> LDAP and >>>>>> enabled; skipping >>>>>> 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert' >>>>>> 2022-11-30T16:07:49Z DEBUG request GET >>>>>> https://dc2.tnu.com.uy:8443/ca/rest/account/login >>>>>> 2022-11-30T16:07:49Z DEBUG request body '' >>>>>> 2022-11-30T16:07:54Z DEBUG httplib request failed: >>>>>> Traceback (most recent call last): >>>>>>   File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line > > In my upgrade log this is after updating/checing the certmonger > requests. So my guess is there's something strange with your > configuration in /var/lib/certmonger/requests. > > So, can you provide more of your ipaupgrade.log where the certmonger > requests are checked/updated and one request before/after? > > Jochen > > -- > This space is intentionally left blank.