On Wed, 21 Dec 2022, Martin (Lists) via FreeIPA-users wrote:
Hello all,
I have a strange issue with one of my ipa servers. After an upgrade
from Fedora 35 to Fedora 37 the ipa-server-upgrade failed on the
pki-tomcat part. The ipaupgrade.log says:
Did you do this upgrade as a jump right from 35 to 37? I am not sure
this is the right way to do it. We test individual upgrades 35-36-37 and
they work fine.
Anyway, your problem, based on the second email you sent, is that the
memberof plugin in 389-ds misbehaves. We've seen a few issues like that
reported recently, so please open a bug against 389-ds-base in Fedora and
attach access/errors logs from the 389-ds instance.
2022-12-21T15:27:52Z INFO Migrating profile 'caECFullCMCSharedTokenCert'
2022-12-21T15:27:52Z DEBUG request GET https://ipa1.server.org:8443/ca/rest/account/login
2022-12-21T15:27:52Z DEBUG request body ''
2022-12-21T15:27:52Z DEBUG response status 404
2022-12-21T15:27:52Z DEBUG response headers Content-Type: text/html;charset=utf-8
Content-Language: de
Content-Length: 795
Date: Wed, 21 Dec 2022 15:27:52 GMT
2022-12-21T15:27:52Z DEBUG response body (decoded): b'<!doctype html><html lang="de"><head><title>HTTP Status 404 \xe2\x80\x93 nicht gefunden</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 \xe2\x80\x93 nicht gefunden</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [/ca/rest/account/login] is not available</p><p><b>Beschreibung</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.68</h3></body></html>'
2022-12-21T15:27:52Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-12-21T15:27:52Z DEBUG   File "/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
                   ^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 2061, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 1914, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", line 2155, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", line 2209, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py", line 1211, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
2022-12-21T15:27:52Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
The catalina logfile says:
21-Dec-2022 16:27:26.946 SCHWERWIEGEND [main] org.apache.catalina.core.StandardContext.startInternal One or more listeners failed to start. Full details will be found in the appropriate container log file
21-Dec-2022 16:27:26.948 SCHWERWIEGEND [main] org.apache.catalina.core.StandardContext.startInternal Context [/ca] startup failed due to previous errors
The CA debug log file says:
2022-12-21 16:27:26 [main] FINE: LdapBoundConnection: Connecting to ipa1.server.org:636 with client cert auth
2022-12-21 16:27:26 [main] FINE: ldapconn/PKISocketFactory.makeSSLSocket: begins
2022-12-21 16:27:26 [main] FINE: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH
2022-12-21 16:27:26 [main] SEVERE: Unable to create socket: java.net.ConnectException: Verbindungsaufbau abgelehnt
with many Java traceback errors following. The directory server is running
at this time and there is no connection reported at the given time.
ipa-healthcheck does not give any errors or warnings. Restarting the
pki-tomcat server manually afterwards is working fine and does not
give any errors. Starting ipa in force mode gives no errors as well.
What can I do?
Regards
Martin
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland