Things are getting worse. First, the version I reported before was incorrect (taken from a client). Here's the server one.
$ ipa --version
VERSION: 4.2.4, API_VERSION: 2.156

I did a dnf update (Fedora 23). The IPA upgrade failed. I tried running it again, manually, after a reboot:

$ ipa-server-upgrade
session memcached servers not running
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [5/8]: updating schema
  [6/8]: upgrading server
Add failure attribute "cn" not allowed
  [7/8]: stopping directory server
  [8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command ''/bin/systemctl' 'start' 'httpd.service'' returned non-zero exit status 1

The ipaupgrade log only says that starting httpd failed. HTTPD log says:

[Wed Jun 07 14:32:26.822478 2017] [core:notice] [pid 3182] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Wed Jun 07 14:32:26.823122 2017] [suexec:notice] [pid 3182] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jun 07 14:32:26.823467 2017] [:warn] [pid 3182] NSSSessionCacheTimeout is deprecated. Ignoring.
[Wed Jun 07 14:32:26.913923 2017] [:error] [pid 3182] SSL Library Error: -8181 Certificate has expired
[Wed Jun 07 14:32:26.913942 2017] [:error] [pid 3182] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

Any suggestion?

On Wed, 7 Jun 2017 at 13:17 Roberto Cornacchia <roberto.cornacc...@gmail.com> wrote:

> Not being able to login to the admin console, I checked the httpd log and
> found the following errors:
>
> [Wed Jun 07 12:50:59.352022 2017] [:error] [pid 10240] Unable to verify
> certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so
> the server can start until the problem can be resolved.
> [Wed Jun 07 12:50:59.353372 2017] [:error] [pid 10237] SSL Library Error:
> -8181 Certificate has expired
> [Wed Jun 07 12:50:59.353395 2017] [:error] [pid 10237] Unable to verify
> certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so
> the server can start until the problem can be resolved.
> [Wed Jun 07 12:50:59.986025 2017] [core:error] [pid 11522] AH00546: no
> record of generation 47 of exiting child 10203
>
> I also get an error during enrollment of a new client (which seems to
> retrieve a valid certificate anyway):
>
> Password for ad...@hq.spinque.com:
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=HQ.SPINQUE.COM
>     Issuer:      CN=Certificate Authority,O=HQ.SPINQUE.COM
>     Valid From:  Mon Mar 16 18:44:35 2015 UTC
>     Valid Until: Fri Mar 16 18:44:35 2035 UTC
>
> Joining realm failed: libcurl failed to execute the HTTP POST transaction,
> explaining: TCP connection reset by peer
>
> Services are up:
>
> $ ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> Certificate monitoring seems ok:
>
> $ getcert list -d /etc/httpd/alias -n ipaCert
> Number of certificates and requests being tracked: 8.
> Request ID '20160501114633':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM
>     subject: CN=IPA RA,O=HQ.SPINQUE.COM
>     expires: 2019-01-26 19:41:51 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
>
> Version:
>
> $ ipa --version
> VERSION: 4.4.3, API_VERSION: 2.215
>
> Could you please point me at what else to check?
>
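A check worth running here, as an added example that is not part of the thread and not FreeIPA or certmonger code: NSS error -8181 is SEC_ERROR_EXPIRED_CERTIFICATE, and `getcert list -d /etc/httpd/alias -n ipaCert` only prints the request whose nickname is ipaCert, so the expired Server-Cert never appears in the posted output even though the header counts 8 tracked requests. The script below parses the `getcert list` output format shown above (run without `-n`, so every tracked request is listed) and flags any request that is expired, expiring within a threshold, stuck, or not in the MONITORING state. The sample output embedded in it is constructed (realm EXAMPLE.TEST, made-up dates) in that format; the fixed `SAMPLE_NOW` timestamp is an assumption chosen to match the httpd error time in the thread so the result is reproducible.

```python
"""Flag expired, expiring or unhealthy certmonger requests from `getcert list` output.

Added example for the thread above; not certmonger's or FreeIPA's own code.
Usage: getcert list -d /etc/httpd/alias | python3 check_getcert.py
With no piped input it runs against the constructed sample below.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the format `getcert list` prints; the realm, dates and
# the second request are made up. "Server-Cert" is deliberately expired.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20160501114633':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2019-01-26 19:41:51 UTC
    track: yes
    auto-renew: yes
Request ID '20160501114701':
    status: CA_UNREACHABLE
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2017-05-02 11:46:33 UTC
    track: yes
    auto-renew: yes
"""

# Assumed "current time" for the sample: the timestamp of the httpd error in the thread.
SAMPLE_NOW = datetime(2017, 6, 7, 14, 32, 26, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s+(.*)$")  # "key: value" lines
NICK_RE = re.compile(r"nickname='([^']*)'")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Return one dict of fields per 'Request ID' block; header lines are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line.strip())
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None:  # still in the "Number of certificates ..." header
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return entries


def nickname_of(entry):
    """NSS nickname from the 'certificate:' line, falling back to the request ID."""
    m = NICK_RE.search(entry.get("certificate", ""))
    return m.group(1) if m else entry["request_id"]


def check_certs(entries, now, warn_days=30):
    """Return (nickname, problem) pairs; a healthy, non-expiring entry yields none."""
    findings = []
    for entry in entries:
        nick = nickname_of(entry)
        status = entry.get("status", "UNKNOWN")
        if status != "MONITORING":
            findings.append((nick, f"certmonger status is {status}"))
        if entry.get("stuck", "no") != "no":
            findings.append((nick, "certmonger request is stuck"))
        expires = entry.get("expires")
        if not expires:
            findings.append((nick, "no expiry recorded"))
            continue
        exp = datetime.strptime(expires, EXPIRES_FMT).replace(tzinfo=timezone.utc)
        if exp <= now:
            findings.append((nick, f"EXPIRED {(now - exp).days} days ago"))
        elif exp - now <= timedelta(days=warn_days):
            findings.append((nick, f"expires in {(exp - now).days} days"))
    return findings


if __name__ == "__main__":
    if sys.stdin.isatty():
        text, now = SAMPLE_GETCERT_OUTPUT, SAMPLE_NOW
    else:
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    problems = check_certs(parse_getcert_list(text), now)
    for nick, problem in problems:
        print(f"{nick}: {problem}")
    sys.exit(1 if problems else 0)
```

Against the sample this reports Server-Cert three times (non-MONITORING status, stuck, expired 36 days ago) and nothing for ipaCert, which is the picture the thread's httpd log implies but the filtered `getcert list -n ipaCert` call could not show. `NSSEnforceValidCerts off` only stops mod_nss from refusing to start on its own expired certificate; it does not renew anything, so it is a bridge to get httpd (and with it the CA's renewal path) back, not a fix.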
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org