10:10 a.m.
Hallo all
I have a strange issue with one of my ipa servers. after an upgrade from
fedora 35 to fedora 37 the ipa-server-upgrade failed on the pki-tomcat
part. The ipaupgrade.log says:
2022-12-21T15:27:52Z INFO Migrating profile 'caECFullCMCSharedTokenCert'
2022-12-21T15:27:52Z DEBUG request GET
https://ipa1.server.org:8443/ca/rest/account/login
2022-12-21T15:27:52Z DEBUG request body ''
2022-12-21T15:27:52Z DEBUG response status 404
2022-12-21T15:27:52Z DEBUG response headers Content-Type:
text/html;charset=utf-8
Content-Language: de
Content-Length: 795
Date: Wed, 21 Dec 2022 15:27:52 GMT
2022-12-21T15:27:52Z DEBUG response body (decoded): b'<!doctype
html><html lang="de"><head><title>HTTP Status 404
\xe2\x80\x93 nicht
gefunden</title><style
type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3,
b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;
} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 40
4 \xe2\x80\x93 nicht gefunden</h1><hr class="line"
/><p><b>Type</b>
Status Report</p><p><b>Message</b> The requested resource
[/ca/rest/account
/login] is not available</p><p><b>Beschreibung</b> The
origin server
did not find a current representation for the target resource or is not
willing to
disclose that one exists.</p><hr class="line" /><h3>Apache
Tomcat/9.0.68</h3></body></html>'
2022-12-21T15:27:52Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-12-21T15:27:52Z DEBUG File
"/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, in
execute
return_value = self.run()
^^^^^^^^^^
File
"/usr/lib/python3.11/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 54, in run server.upgrade()
File
"/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py",
line 2061, in upgrade upgrade_configuration()
File
"/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py",
line 1914, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca)
File
"/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py",
line 458, in ca_enable_ldap_profile_subsystem
cainstance.migrate_profiles_to_ldap()
File
"/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py",
line 2155, in migrate_profiles_to_ldap
_create_dogtag_profile(profile_id, profile_data, overwrite=False)
File
"/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py",
line 2209, in _create_dogtag_profile with api.Backend.ra_certprofile
as profile_api:
File "/usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py",
line 1211, in __enter__ raise
errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST
API'))
2022-12-21T15:27:52Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Failed to authenticate to CA REST API
The catalina logfile says:
21-Dec-2022 16:27:26.946 SCHWERWIEGEND [main]
org.apache.catalina.core.StandardContext.startInternal One or more
listeners failed to start. Full details will be found in the appropriate
container log file
21-Dec-2022 16:27:26.948 SCHWERWIEGEND [main]
org.apache.catalina.core.StandardContext.startInternal Context [/ca]
startup failed due to previous errors
the CA debug log file says:
2022-12-21 16:27:26 [main] FINE: LdapBoundConnection: Connecting to
ipa1.server.org:636 with client cert auth
2022-12-21 16:27:26 [main] FINE:
ldapconn/PKISocketFactory.makeSSLSocket: begins
2022-12-21 16:27:26 [main] FINE: SignedAuditLogger: event
CLIENT_ACCESS_SESSION_ESTABLISH
2022-12-21 16:27:26 [main] SEVERE: Unable to create socket:
java.net.ConnectException: Verbindungsaufbau abgelehnt
with many java traceback errors following. directory server is running
at this time and there is no connection reported at the given time.
ipa-healthceck does not give anny errors or warnings. Re-starting the
pki-tomcat server manually afterwards ist working fine and does not give
any errors. starting ipa in force mode gives no errors as well. What can
I do?
Regards
Martin
3:49 a.m.
Am 21.12.22 um 17:10 schrieb Martin (Lists) via FreeIPA-users:
Hallo all
I have a strange issue with one of my ipa servers. after an upgrade
from fedora 35 to fedora 37 the ipa-server-upgrade failed on the
pki-tomcat part. The ipaupgrade.log says:
2022-12-21T15:27:52Z INFO Migrating profile 'caECFullCMCSharedTokenCert'
2022-12-21T15:27:52Z DEBUG request GET
https://ipa1.server.org:8443/ca/rest/account/login
2022-12-21T15:27:52Z DEBUG request body ''
2022-12-21T15:27:52Z DEBUG response status 404
2022-12-21T15:27:52Z DEBUG response headers Content-Type:
text/html;charset=utf-8
Content-Language: de
Content-Length: 795
Date: Wed, 21 Dec 2022 15:27:52 GMT
2022-12-21T15:27:52Z DEBUG response body (decoded): b'<!doctype
html><html lang="de"><head><title>HTTP Status 404
\xe2\x80\x93 nicht
gefunden</title><style
type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2,
h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;
} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 40
4 \xe2\x80\x93 nicht gefunden</h1><hr class="line"
/><p><b>Type</b>
Status Report</p><p><b>Message</b> The requested resource
[/ca/rest/account
/login] is not available</p><p><b>Beschreibung</b> The
origin
server did not find a current representation for the target resource
or is not willing to
disclose that one exists.</p><hr class="line" /><h3>Apache
Tomcat/9.0.68</h3></body></html>'
2022-12-21T15:27:52Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-12-21T15:27:52Z DEBUG File
"/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180,
in execute
return_value = self.run()
^^^^^^^^^^
File
"/usr/lib/python3.11/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 54, in run server.upgrade()
File
"/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py",
line 2061, in upgrade upgrade_configuration()
File
"/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py",
line 1914, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca)
File
"/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py",
line 458, in ca_enable_ldap_profile_subsystem
cainstance.migrate_profiles_to_ldap()
File
"/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py",
line 2155, in migrate_profiles_to_ldap
_create_dogtag_profile(profile_id, profile_data, overwrite=False)
File
"/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py",
line 2209, in _create_dogtag_profile with
api.Backend.ra_certprofile as profile_api:
File "/usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py",
line 1211, in __enter__ raise
errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST
API'))
2022-12-21T15:27:52Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Failed to authenticate to CA REST API
The catalina logfile says:
21-Dec-2022 16:27:26.946 SCHWERWIEGEND [main]
org.apache.catalina.core.StandardContext.startInternal One or more
listeners failed to start. Full details will be found in the
appropriate container log file
21-Dec-2022 16:27:26.948 SCHWERWIEGEND [main]
org.apache.catalina.core.StandardContext.startInternal Context [/ca]
startup failed due to previous errors
the CA debug log file says:
2022-12-21 16:27:26 [main] FINE: LdapBoundConnection: Connecting to
ipa1.server.org:636 with client cert auth
2022-12-21 16:27:26 [main] FINE:
ldapconn/PKISocketFactory.makeSSLSocket: begins
2022-12-21 16:27:26 [main] FINE: SignedAuditLogger: event
CLIENT_ACCESS_SESSION_ESTABLISH
2022-12-21 16:27:26 [main] SEVERE: Unable to create socket:
java.net.ConnectException: Verbindungsaufbau abgelehnt
with many java traceback errors following. directory server is running
at this time and there is no connection reported at the given time.
ipa-healthceck does not give anny errors or warnings. Re-starting the
pki-tomcat server manually afterwards ist working fine and does not
give any errors. starting ipa in force mode gives no errors as well.
What can I do?
Regards
Martin
Hallo,
I tried the upgrade once again an found another error I missed before.
During LDAP updates there was an error stating:
ERROR: Add failure Server is unwilling to perform:
during updating the /usr/share/ipa/updates/55-pbacmemberof.update files.
Is this a problem? This update failed on both of my ipa servers (one is
only one week old, so there were no regular upgrades of ipa). Rerunning
ipa-ldap-updater alone with the update-file gives the same error.
Regards
Martin
5:51 a.m.
On ke, 21 joulu 2022, Martin (Lists) via FreeIPA-users wrote:
Hallo all
I have a strange issue with one of my ipa servers. after an upgrade
from fedora 35 to fedora 37 the ipa-server-upgrade failed on the
pki-tomcat part. The ipaupgrade.log says:
Did you do this upgrade as a jump right from 35 to 37? I am not sure
this is a right way to do it. We test individual upgrades 35-36-37 and
they work fine.
Anyway, your problem, based on the second email you sent, is that
memberof plugin in 389-ds misbehaves. We've seen few issues like that
recently reported so please open a bug against 389-ds-base in Fedora and
attach access/errors logs from the 389-ds instance.
2022-12-21T15:27:52Z INFO Migrating profile 'caECFullCMCSharedTokenCert'
2022-12-21T15:27:52Z DEBUG request GET
https://ipa1.server.org:8443/ca/rest/account/login
2022-12-21T15:27:52Z DEBUG request body ''
2022-12-21T15:27:52Z DEBUG response status 404
2022-12-21T15:27:52Z DEBUG response headers Content-Type:
text/html;charset=utf-8
Content-Language: de
Content-Length: 795
Date: Wed, 21 Dec 2022 15:27:52 GMT
2022-12-21T15:27:52Z DEBUG response body (decoded): b'<!doctype
html><html lang="de"><head><title>HTTP Status 404
\xe2\x80\x93 nicht
gefunden</title><style
type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2,
h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;
} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 40
4 \xe2\x80\x93 nicht gefunden</h1><hr class="line"
/><p><b>Type</b>
Status Report</p><p><b>Message</b> The requested resource
[/ca/rest/account
/login] is not available</p><p><b>Beschreibung</b> The
origin
server did not find a current representation for the target resource
or is not willing to
disclose that one exists.</p><hr class="line" /><h3>Apache
Tomcat/9.0.68</h3></body></html>'
2022-12-21T15:27:52Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2022-12-21T15:27:52Z DEBUG File
"/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180,
in execute
return_value = self.run()
^^^^^^^^^^
File
"/usr/lib/python3.11/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 54, in run server.upgrade()
File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py",
line 2061, in upgrade upgrade_configuration()
File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py",
line 1914, in upgrade_configuration
ca_enable_ldap_profile_subsystem(ca)
File "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py",
line 458, in ca_enable_ldap_profile_subsystem
cainstance.migrate_profiles_to_ldap()
File
"/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py",
line 2155, in migrate_profiles_to_ldap
_create_dogtag_profile(profile_id, profile_data, overwrite=False)
File
"/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py",
line 2209, in _create_dogtag_profile with
api.Backend.ra_certprofile as profile_api:
File "/usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py",
line 1211, in __enter__ raise
errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST
API'))
2022-12-21T15:27:52Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Failed to authenticate to CA REST API
The catalina logfile says:
21-Dec-2022 16:27:26.946 SCHWERWIEGEND [main]
org.apache.catalina.core.StandardContext.startInternal One or more
listeners failed to start. Full details will be found in the
appropriate container log file
21-Dec-2022 16:27:26.948 SCHWERWIEGEND [main]
org.apache.catalina.core.StandardContext.startInternal Context [/ca]
startup failed due to previous errors
the CA debug log file says:
2022-12-21 16:27:26 [main] FINE: LdapBoundConnection: Connecting to
ipa1.server.org:636 with client cert auth
2022-12-21 16:27:26 [main] FINE:
ldapconn/PKISocketFactory.makeSSLSocket: begins
2022-12-21 16:27:26 [main] FINE: SignedAuditLogger: event
CLIENT_ACCESS_SESSION_ESTABLISH
2022-12-21 16:27:26 [main] SEVERE: Unable to create socket:
java.net.ConnectException: Verbindungsaufbau abgelehnt
with many java traceback errors following. directory server is running
at this time and there is no connection reported at the given time.
ipa-healthceck does not give anny errors or warnings. Re-starting the
pki-tomcat server manually afterwards ist working fine and does not
give any errors. starting ipa in force mode gives no errors as well.
What can I do?
Regards
Martin
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
5:59 a.m.
Am 23.12.22 um 12:51 schrieb Alexander Bokovoy via FreeIPA-users:
On ke, 21 joulu 2022, Martin (Lists) via FreeIPA-users wrote:
> Hallo all
>
> I have a strange issue with one of my ipa servers. after an upgrade
> from fedora 35 to fedora 37 the ipa-server-upgrade failed on the
> pki-tomcat part. The ipaupgrade.log says:
Did you do this upgrade as a jump right from 35 to 37? I am not sure
this is a right way to do it. We test individual upgrades 35-36-37 and
they work fine.
Yes, I did a direct upgrade from 35 to 37.
Anyway, your problem, based on the second email you sent, is that
memberof plugin in 389-ds misbehaves. We've seen few issues like that
recently reported so please open a bug against 389-ds-base in Fedora and
attach access/errors logs from the 389-ds instance.
I will open a bug. Thanks.
Regards
Martin
1:30 p.m.
On pe, 23 joulu 2022, Martin (Lists) via FreeIPA-users wrote:
Am 23.12.22 um 12:51 schrieb Alexander Bokovoy via FreeIPA-users:
>On ke, 21 joulu 2022, Martin (Lists) via FreeIPA-users wrote:
>>Hallo all
>>
>>I have a strange issue with one of my ipa servers. after an
>>upgrade from fedora 35 to fedora 37 the ipa-server-upgrade failed
>>on the pki-tomcat part. The ipaupgrade.log says:
>
>Did you do this upgrade as a jump right from 35 to 37? I am not sure
>this is a right way to do it. We test individual upgrades 35-36-37 and
>they work fine.
Yes, I did a direct upgrade from 35 to 37.
>
>Anyway, your problem, based on the second email you sent, is that
>memberof plugin in 389-ds misbehaves. We've seen few issues like that
>recently reported so please open a bug against 389-ds-base in Fedora and
>attach access/errors logs from the 389-ds instance.
I will open a bug. Thanks.
From 389-ds developers:
-------
The problem (55-pbacmemberof.update) is that F37 was a rebase (in Nov)
that contained an incomplete fix for #5413 [1]. The #5413 was fixed in
two PR [2] and [3]. F37 contains [2] but not [3] that was fixed in Dec.
For F37 we need to a respin
[1] https://github.com/389ds/389-ds-base/issues/5413
[2] https://github.com/389ds/389-ds-base/commit/9db7a5adfaed49336ccee3bac4384...
[3] https://github.com/389ds/389-ds-base/commit/6aa7a6d5bf8b1d774087e8a5d0e14...
-------
Please open a Fedora bug so that it is updated.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
487
days inactive
489
days old
freeipa-users@lists.fedorahosted.org
4 comments
2 participants
participants (2)
-
Alexander Bokovoy -
Martin (Lists)