Hi,
I've been stuck for about a week, since I updated to the latest ipa-server. It seems to be the same problem as Ian had ("FreeIPA centos8 update Failed to authenticate to CA REST API"). He seems to have resolved this using a replicate, which I don't have.
Any ideas on how I get this to work?
ipa-server-4.8.7-13.module_el8.3.0+606+1e8766d7.x86_64
centos-linux-release-8.3-1.2011.el8.noarch

...
IPA version error: data needs to be upgraded (expected version '4.8.7-13.module_el8.3.0+606+1e8766d7', current version '4.8.7-12.module_el8.3.0+511+8a502f20')
....
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
...
2021-01-22T08:47:46Z DEBUG request GET https://ipa2.win.lan:8443/ca/rest/account/login
2021-01-22T08:47:46Z DEBUG request body ''
2021-01-22T08:47:47Z DEBUG response status 500
2021-01-22T08:47:47Z DEBUG response headers Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 2234
Date: Fri, 22 Jan 2021 08:47:47 GMT
Connection: close
2021-01-22T08:47:47Z DEBUG response body (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 500 \xe2\x80\x93 Internal Server Error</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 \xe2\x80\x93 Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> CA subsystem unavailable. Check CA debug log.</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>javax.ws.rs.ServiceUnavailableException: CA subsystem unavailable. Check CA debug log.\n\tcom.netscape.cms.tomcat.ProxyRealm.validateRealm(ProxyRealm.java:81)\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:149)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)\n\tcom.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\n\torg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)\n\torg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\n\torg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)\n\torg.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class="line" /><h3>Apache Tomcat/9.0.30</h3></body></html>'
2021-01-22T08:47:47Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2021-01-22T08:47:47Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1805, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1670, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 414, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 1954, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 1960, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1315, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
2021-01-22T08:47:47Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
-- john
On Fri, 22 Jan 2021 at 09:54, John Obaterspok john.obaterspok@gmail.com wrote:
Hi,
I've been stuck for about a week, since I updated to the latest ipa-server. It seems to be the same problem as Ian had ("FreeIPA centos8 update Failed to authenticate to CA REST API"). He seems to have resolved this using a replicate, which I don't have.
[... snip ...]
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
...
...
CA subsystem unavailable. Check CA debug log.\n\tcom.netscape.cms.tomcat.ProxyRealm.validateRealm(ProxyRealm.java:81)\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:149)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)...
Strangely enough, it's working just fine now after the server was restarted after a dnf-automatic update and scheduled reboot. The only thing I did prior to this was to replace the old ipa server name in sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg + /etc/pki/pki-tomcat/ca/CS.cfg
The old server name was from when I did a Fedora xx to CentOS 8 migration using a replica. I believe I followed the https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm... guide
-- john
John Obaterspok via FreeIPA-users wrote:
Strangely enough, it's working just fine now after the server was restarted after a dnf-automatic update and scheduled reboot. The only thing I did prior to this was to replace the old ipa server name in sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg + /etc/pki/pki-tomcat/ca/CS.cfg
The old server name was from when I did a Fedora xx to CentOS 8 migration using a replica. I believe I followed the https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm... guide
Do you remember what values you changed?
rob
On Tue, 2 Feb 2021 at 22:02, Rob Crittenden rcritten@redhat.com wrote:
Do you remember what values you changed?
Take this with a grain of salt as I have no idea what keys I changed. But, I had the following in my vim jumplist :)
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg pki_clone_uri=
/etc/pki/pki-tomcat/ca/CS.cfg master.ca.agent.host=
Searching for the old replicate also reveals several hits in CS.cfg.bak for master.ca.agent.host like:
pki/pki-tomcat/ca/archives/CS.cfg.bak.20201208065404:929:master.ca.agent.host=...
The current ipa server was installed from replica on 2019-12-07, so the above entry should be pretty recent.
-- john
freeipa-users@lists.fedorahosted.org
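
A read-only check for what the poster describes above, Dogtag settings that still name a previous server, written as an added example; it is not part of the original messages or of FreeIPA's own tooling. It inspects only the two keys named in the thread (`pki_clone_uri` and `master.ca.agent.host`); the function names, sample file contents and host names are constructed.

```shell
#!/bin/sh
# Added example: list Dogtag settings that still name a host other than this server.
# Only the two keys mentioned in the thread are checked.
#
# On a server (paths as given in the thread):
#   stale_host_refs "$(hostname -f)" /etc/pki/pki-tomcat/ca/CS.cfg \
#       /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg

# stale_host_refs EXPECTED_FQDN FILE...
# Prints file:line:key=value for each watched key whose value names another host.
stale_host_refs() {
    expected=$1
    shift
    awk -v want="$expected" '
        # Commented-out settings do not match: the key must start the line.
        /^[ \t]*(master\.ca\.agent\.host|pki_clone_uri)[ \t]*=/ {
            key = $0; sub("[ \t]*=.*$", "", key); sub("^[ \t]+", "", key)
            val = $0; sub("^[^=]*=[ \t]*", "", val); sub("[ \t\r]+$", "", val)
            host = val
            sub("^[A-Za-z][A-Za-z0-9+.-]*://", "", host)  # strip a URI scheme
            sub("[:/].*$", "", host)                       # strip port and path
            # Host names compare case-insensitively; empty values are skipped.
            if (host != "" && tolower(host) != tolower(want))
                printf "%s:%d:%s=%s\n", FILENAME, FNR, key, val
        }' "$@"
}

# Runs the check over constructed sample files (placeholder host names).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '[CA]' 'pki_clone_uri=https://old-ipa.example.test:443' \
        '# pki_clone_uri=https://commented.example.test' > "$dir/deployment.cfg"
    printf '%s\n' 'unrelated.key=value' \
        'master.ca.agent.host=old-ipa.example.test' > "$dir/CS.cfg"
    printf '%s\n' 'master.ca.agent.host=IPA-NEW.example.test' > "$dir/CS.cfg.ok"
    (cd "$dir" && stale_host_refs ipa-new.example.test deployment.cfg CS.cfg CS.cfg.ok)
    rm -rf "$dir"
}

demo
```

No output for a file means neither key in it names a different host.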