The only expired cert was the HTTP one on the dc1 server; dc2 had all its certs valid:

Dc1:

ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191218181440':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TNU.COM.UY
	subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
	expires: 2023-11-21 15:14:49 -03
	principal name: krbtgt/tnu.com...@tnu.com.uy
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
Request ID '20191219011104':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TNU.COM.UY
	subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
	expires: 2023-11-21 15:13:39 -03
	dns: dc1.tnu.com.uy
	principal name: ldap/dc1.tnu.com...@tnu.com.uy
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
	track: yes
	auto-renew: yes
Request ID '20211217030046':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc1.tnu.com.uy-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TNU.COM.UY
	subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
	expires: 2023-12-18 00:01:22 -03
	dns: dc1.tnu.com.uy
	principal name: HTTP/dc1.tnu.com...@tnu.com.uy
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes

Dc2:

ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TNU.COM.UY
	subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
	issued: 2021-12-12 22:59:28 -03
	expires: 2023-12-13 22:59:28 -03
	principal name: krbtgt/tnu.com...@tnu.com.uy
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	profile: KDCs_PKINIT_Certs
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
Request ID '20221130160326':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TNU.COM.UY
	subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
	issued: 2021-12-12 22:53:10 -03
	expires: 2023-12-13 22:53:10 -03
	dns: dc2.tnu.com.uy
	principal name: ldap/dc2.tnu.com...@tnu.com.uy
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	profile: caIPAserviceCert
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
	track: yes
	auto-renew: yes
Request ID '20221130160327':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=TNU.COM.UY
	subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
	issued: 2021-12-12 22:53:26 -03
	expires: 2023-12-13 22:53:26 -03
	dns: dc2.tnu.com.uy
	principal name: HTTP/dc2.tnu.com...@tnu.com.uy
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	profile: caIPAserviceCert
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes

> On 30 Nov 2022, at 18:50, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Juan Pablo Lorier wrote:
>> Ok, with the skip-version-check flag it starts correctly, but if I try
>> to restart the service without the flag, it fails at the same point. The
>> error is related to the upgrade process then. I'm upgrading from 4.7 to
>> 4.9 as I didn't find any restriction in the documentation.
>> Is it possible that there's an issue with that upgrade path?
>
> It is likely related to your expired certificates. Did you look to see
> if others besides the HTTP cert expired?
>
> rob
>
>> Thanks
>>
>>> On 30 Nov 2022, at 16:21, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>
>>> Juan Pablo Lorier wrote:
>>>> Hi,
>>>>
>>>> Rob, the problem with ipactl --ignore-service-failures is that it always
>>>> tries to upgrade from 4.7 to 4.9 first and it fails for that reason.
>>>
>>> $ man 8 ipactl
>>>
>>> --skip-version-check    Skip version check
>>>
>>> rob
>>>
>>>> I was able to move forward and get pki-tomcat running but I still can't
>>>> finish the upgrade process.
>>>> Here are some more logs to see if you can see a lead to help me.
>>>> Regards
>>>>
>>>> */var/log/ipaupgrade.log*
>>>>
>>>> 2022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
>>>> 2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
>>>> 2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
>>>> 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
>>>> 2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
>>>> 2022-11-30T16:07:49Z DEBUG request body ''
>>>> 2022-11-30T16:07:54Z DEBUG httplib request failed:
>>>> Traceback (most recent call last):
>>>>   File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
>>>>     conn.request(method, path, body=request_body, headers=headers)
>>>>   File "/usr/lib64/python3.6/http/client.py", line 1273, in request
>>>>     self._send_request(method, url, body, headers, encode_chunked)
>>>>   File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
>>>>     self.endheaders(body, encode_chunked=encode_chunked)
>>>>   File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
>>>>     self._send_output(message_body, encode_chunked=encode_chunked)
>>>>   File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
>>>>     self.send(msg)
>>>>   File "/usr/lib64/python3.6/http/client.py", line 982, in send
>>>>     self.connect()
>>>>   File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
>>>>     server_hostname=server_hostname)
>>>>   File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
>>>>     _context=self, _session=session)
>>>>   File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
>>>>     self.do_handshake()
>>>>   File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
>>>>     self._sslobj.do_handshake()
>>>>   File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
>>>>     self._sslobj.do_handshake()
>>>> OSError: [Errno 0] Error
>>>> 2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>> 2022-11-30T16:07:54Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
>>>>     return_value = self.run()
>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
>>>>     server.upgrade()
>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
>>>>     upgrade_configuration()
>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1908, in upgrade_configuration
>>>>     ca_enable_ldap_profile_subsystem(ca)
>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
>>>>     cainstance.migrate_profiles_to_ldap()
>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
>>>>     _create_dogtag_profile(profile_id, profile_data, overwrite=False)
>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
>>>>     with api.Backend.ra_certprofile as profile_api:
>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1207, in __enter__
>>>>     method='GET'
>>>>   File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in https_request
>>>>     method=method, headers=headers)
>>>>   File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in _httplib_request
>>>>     raise NetworkError(uri=uri, error=str(e))
>>>>
>>>> 2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
>>>> 2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
>>>> NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
>>>> 2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>>
>>>> *dirsrv/slapd-TNU-COM-UY/errors*
>>>>
>>>> [30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
>>>> [30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
>>>> [30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
>>>> [30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
>>>> [30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com...@tnu.com.uy] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>> [30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>>>> [30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>> [30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
>>>> [30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
>>>> [30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com...@tnu.com.uy] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>> [30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
>>>> [30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com...@tnu.com.uy] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>> [30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com...@tnu.com.uy] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>> [30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com...@tnu.com.uy] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>> [30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com...@tnu.com.uy] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>> [30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com...@tnu.com.uy] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>> [30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com...@tnu.com.uy] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>> [30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com...@tnu.com.uy] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>> [30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com...@tnu.com.uy] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>> [30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/dc2.tnu.com...@tnu.com.uy] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>
>>>> *localhost_access_log.2022-11-30.txt*
>>>>
>>>> 127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
>>>> XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
>>>> XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669
>>>>
>>>>> On 23 Nov 2022, at 18:42, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>
>>>>> Run "ipactl --ignore-service-failures" and it should bring up all the
>>>>> services it can.
>>>>>
>>>>> rob
>>>>>
>>>>> Juan Pablo Lorier wrote:
>>>>>> Hi again,
>>>>>>
>>>>>> I used the ldapi from /etc/ipa/default.conf and I was able to get a
>>>>>> different reply:
>>>>>>
>>>>>> ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket
>>>>>>
>>>>>> SASL/GSSAPI authentication started
>>>>>> ldap_sasl_interactive_bind_s: Local error (-2)
>>>>>> 	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
>>>>>>
>>>>>> But if I try to renew the ticket, it fails:
>>>>>>
>>>>>> kinit admin
>>>>>> kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
>>>>>>
>>>>>> The running DC is on 4.7 and it should reply to the kinit requests.
>>>>>>
>>>>>> I added the debug option to see if I can get further information.
>>>>>>
>>>>>> ipactl restart
>>>>>> IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
>>>>>> Automatically running upgrade, for details see /var/log/ipaupgrade.log
>>>>>> Be patient, this may take a few minutes.
>>>>>> Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
>>>>>> Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
>>>>>> Update complete
>>>>>> Upgrading the configuration of the IPA services
>>>>>> [Verifying that root certificate is published]
>>>>>> [Migrate CRL publish directory]
>>>>>> CRL tree already moved
>>>>>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code.\nSee "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n')
>>>>>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>>>>
>>>>>> See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
>>>>>> Stopping ipa-dnskeysyncd Service
>>>>>> Stopping ipa-otpd Service
>>>>>> Stopping pki-tomcatd Service
>>>>>> Stopping ipa-custodia Service
>>>>>> Stopping httpd Service
>>>>>> Stopping named Service
>>>>>> Stopping kadmin Service
>>>>>> Stopping krb5kdc Service
>>>>>> Stopping Directory Service
>>>>>> Aborting ipactl
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>>> On 23 Nov 2022, at 11:50, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>>>
>>>>>>> Juan Pablo Lorier wrote:
>>>>>>>> Hi Rob,
>>>>>>>>
>>>>>>>> Thanks for the reply. As I didn't know any other way but to go back in
>>>>>>>> time, I just did it and now the server is running 100%.
>>>>>>>>
>>>>>>>> This was all part of an update from 4.7 to 4.9. According to the
>>>>>>>> documentation, it was just a matter to def update but it seems that is
>>>>>>>> not such a happy path.
>>>>>>>> I updated the second server but it's not able to finalize the update
>>>>>>>> process. DNS is failing to start:
>>>>>>>>
>>>>>>>> # systemctl status ipa-dnskeysyncd.service
>>>>>>>> ● ipa-dnskeysyncd.service - IPA key daemon
>>>>>>>>    Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
>>>>>>>>    Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
>>>>>>>>  Main PID: 250496 (ipa-dnskeysyncd)
>>>>>>>>     Tasks: 1 (limit: 23652)
>>>>>>>>    Memory: 68.4M
>>>>>>>>    CGroup: /system.slice/ipa-dnskeysyncd.service
>>>>>>>>            └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd
>>>>>>>>
>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>>>>>>
>>>>>>>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
>>>>>>>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
>>>>>>>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
>>>>>>>
>>>>>>> There should be quite a bit more after that.
>>>>>>>
>>>>>>>> #less /var/log/dirsrv/slapd-*/access
>>>>>>>>
>>>>>>>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
>>>>>>>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
>>>>>>>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
>>>>>>>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>>>>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
>>>>>>>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>>>>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
>>>>>>>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>>>>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
>>>>>>>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
>>>>>>>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>>>>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
>>>>>>>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>>>>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
>>>>>>>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>>>>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
>>>>>>>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>>>>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
>>>>>>>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
>>>>>>>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>>>>>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
>>>>>>>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>>>>>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
>>>>>>>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 tag=120 nentries=0
wtime=0.000245657 optime=0.001129708 >>>>>>>> etime=0.001372435 >>>>>>>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 >>>>>>>> tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 >>>>>>>> etime=0.001748601 >>>>>>>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT >>>>>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>>>>>>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 >>>>>>>> tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 >>>>>>>> etime=0.015402108 >>>>>>>> >>>>>>>> >>>>>>>> I see that after the update, the files were changed: >>>>>>>> >>>>>>>> >>>>>>>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY* >>>>>>>> /etc/dirsrv/slapd-TNU-COM-UY: >>>>>>>> total 4208 >>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem >>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem >>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 >>>>>>>> TNU.COM.UY20IPA20CA.pem >>>>>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db >>>>>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig >>>>>>>> -r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf >>>>>>>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif >>>>>>>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak >>>>>>>> -rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 >>>>>>>> dse.ldif.ipa.1cf1fe204fd69494 >>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:01 >>>>>>>> dse.ldif.ipa.1dd1d38cbd8d26ae >>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:26 >>>>>>>> dse.ldif.ipa.21662457cb42c116 >>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:47 >>>>>>>> dse.ldif.ipa.256a5d66e550a957 >>>>>>>> -rw-------. 1 dirsrv root 195350 Nov 21 13:35 >>>>>>>> dse.ldif.ipa.274744b10eed3d9b >>>>>>>> -rw-------. 1 dirsrv root 203050 Nov 21 19:09 >>>>>>>> dse.ldif.ipa.385fb48f5462219c >>>>>>>> -rw-------. 
1 dirsrv root 156705 Jan 9 2020 >>>>>>>> dse.ldif.ipa.6b71b47d73ca452a >>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:38 >>>>>>>> dse.ldif.ipa.767aba4a82811822 >>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 21 21:07 >>>>>>>> dse.ldif.ipa.814a4de587fc22ec >>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:49 >>>>>>>> dse.ldif.ipa.889036fc0907e7de >>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:47 >>>>>>>> dse.ldif.ipa.8fd2b7413b99dfa3 >>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:42 >>>>>>>> dse.ldif.ipa.958ca3a96922f2fd >>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:48 >>>>>>>> dse.ldif.ipa.bacd6d1d200348bf >>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:24 >>>>>>>> dse.ldif.ipa.bfadc14f0e609072 >>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:23 >>>>>>>> dse.ldif.ipa.f1e864261a119b6c >>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 15:42 >>>>>>>> dse.ldif.ipa.fa918bf07c17e2e8 >>>>>>>> -rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out >>>>>>>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK >>>>>>>> -r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif >>>>>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db >>>>>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig >>>>>>>> -r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt >>>>>>>> -rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt >>>>>>>> -rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig >>>>>>>> -rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt >>>>>>>> -r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig >>>>>>>> drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema >>>>>>>> drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak >>>>>>>> -rw-r--r--. 
1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf >>>>>>>> >>>>>>>> >>>>>>>> I can’t connect to the LDAP service: >>>>>>>> >>>>>>>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket >>>>>>>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) >>>>>>> >>>>>>> You have to escape the socket path: >>>>>>> ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket >>>>>>> >>>>>>>> # less /var/log/ipaupgrade.log >>>>>>>> >>>>>>>> Server built: Jun 29 2021 22:00:15 UTC >>>>>>>> Server number: 9.0.30.0 >>>>>>>> OS Name: Linux >>>>>>>> OS Version: 4.18.0-348.7.1.el8_5.x86_64 >>>>>>>> Architecture: amd64 >>>>>>>> JVM Version: 1.8.0_322-b06 >>>>>>>> JVM Vendor: Red Hat, Inc. >>>>>>>> >>>>>>>> 2022-11-22T14:26:56Z DEBUG stderr= >>>>>>>> 2022-11-22T14:26:56Z DEBUG Starting external process >>>>>>>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', >>>>>>>> 'kra'] >>>>>>>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1 >>>>>>>> 2022-11-22T14:26:56Z DEBUG stdout= >>>>>>>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in >>>>>>>> instance pki-tomcat. >>>>>>>> >>>>>>>> 2022-11-22T14:26:56Z DEBUG Starting external process >>>>>>>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', >>>>>>>> 'pki-tomcatd@pki-tomcat.service >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>'] >>>>>>>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1 >>>>>>>> 2022-11-22T14:26:57Z DEBUG stdout= >>>>>>>> 2022-11-22T14:26:57Z DEBUG stderr=Job >>>>>>>> for pki-tomcatd@pki-tomcat.service >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control >>>>>>>> process exited with error code. 
>>>>>>>> See "systemctl status pki-tomcatd@pki-tomcat.service >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>" and "journalctl -xe" for >>>>>>>> details. >>>>>>>> >>>>>>>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect >>>>>>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. >>>>>>>> 2022-11-22T14:26:57Z DEBUG File >>>>>>>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line >>>>>>>> 180, in >>>>>>>> execute >>>>>>>> return_value = self.run() >>>>>>>> File >>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", >>>>>>>> line 54, in run >>>>>>>> server.upgrade() >>>>>>>> File >>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>>>>>>> line 2055, in upgrade >>>>>>>> upgrade_configuration() >>>>>>>> File >>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>>>>>>> line 1783, in upgrade_configuration >>>>>>>> ca.start('pki-tomcat') >>>>>>>> File >>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", >>>>>>>> line 524, in start >>>>>>>> self.service.start(instance_name, capture_output=capture_output, >>>>>>>> wait=wait) >>>>>>>> File >>>>>>>> "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", >>>>>>>> line 306, in start >>>>>>>> skip_output=not capture_output) >>>>>>>> File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line >>>>>>>> 600, in run >>>>>>>> p.returncode, arg_string, output_log, error_log >>>>>>>> >>>>>>>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, >>>>>>>> exception: CalledProcessError: CalledProcessError(Command >>>>>>>> ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> 
<mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit >>>>>>>> status >>>>>>>> 1: 'Job for pki-tomcatd@pki-tomcat.service >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control >>>>>>>> process exited with error code.\nSee "systemctl status >>>>>>>> pki-tomcatd@pki-tomcat.service >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>" >>>>>>>> and "journalctl -xe" for details.\n') >>>>>>>> 2022-11-22T14:26:57Z ERROR Unexpected error - see >>>>>>>> /var/log/ipaupgrade.log for details: >>>>>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', >>>>>>>> 'start', 'pki-tomcatd@pki-tomcat.service >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit >>>>>>>> status >>>>>>>> 1: 'Job for pki-tomcatd@pki-tomcat.service >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control >>>>>>>> process exited with error code.\nSee "systemctl status >>>>>>>> pki-tomcatd@pki-tomcat.service >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> >>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>" >>>>>>>> and "journalctl -xe" for details.\n') >>>>>>>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. 
See >>>>>>>> /var/log/ipaupgrade.log for more information >>>>>>>> (END) >>>>>>> >>>>>>> The CA failed to start. This is often due to expired certificates that >>>>>>> get exposed when an upgrade is done. Check that out. >>>>>>> >>>>>>>> #ipactl status >>>>>>>> >>>>>>>> Directory Service: RUNNING >>>>>>>> krb5kdc Service: RUNNING >>>>>>>> kadmin Service: RUNNING >>>>>>>> named Service: STOPPED >>>>>>>> httpd Service: RUNNING >>>>>>>> ipa-custodia Service: RUNNING >>>>>>>> pki-tomcatd Service: STOPPED >>>>>>>> ipa-otpd Service: RUNNING >>>>>>>> ipa-dnskeysyncd Service: RUNNING >>>>>>>> 2 service(s) are not running >>>>>>>> >>>>>>>> >>>>>>>> Thanks >>>>>>>> >>>>>>>>> El 22 nov. 2022, a las 11:43, Rob Crittenden >>>>>>>>> <rcrit...@redhat.com <mailto:rcrit...@redhat.com> >>>>>>>>> <mailto:rcrit...@redhat.com> >>>>>>>>> <mailto:rcrit...@redhat.com> >>>>>>>>> <mailto:rcrit...@redhat.com>> escribió: >>>>>>>>> >>>>>>>>> Juan Pablo Lorier via FreeIPA-users wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> I have a production server that was not maintained and I see >>>>>>>>>> that the >>>>>>>>>> HTTP certificate has expired long ago. I tried to renew it but I'm >>>>>>>>>> not being agle to get it right. 
>>>>>>>>>> >>>>>>>>>> The initial status was: >>>>>>>>>> >>>>>>>>>> Request ID '20191219011208': >>>>>>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >>>>>>>>>> stuck: yes >>>>>>>>>> key pair storage: >>>>>>>>>> type=FILE,location='/var/lib/ipa/private/httpd.key' >>>>>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>>>>>>> >>>>>>>>>> Then following this thread >>>>>>>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GLFHCL2DW4LD2GQTTAZRYSXUGQQXD67Q/ >>>>>>>>>> >>>>>>>>>> I got it to this state: >>>>>>>>>> >>>>>>>>>> Request ID '20191219011208': >>>>>>>>>> status: MONITORING >>>>>>>>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, >>>>>>>>>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. >>>>>>>>>> libcurl failed even to execute the HTTP transaction, explaining: >>>>>>>>>> SSL certificate problem: certificate has expired). >>>>>>>>>> stuck: no >>>>>>>>>> key pair storage: >>>>>>>>>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA' >>>>>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>>>>>>> >>>>>>>>>> The post indicates that I have to put an old date in the server to >>>>>>>>>> get it renewed, but as the server is in production, it means >>>>>>>>>> that all >>>>>>>>>> clients will fail to log to the server. Evenmore, what time >>>>>>>>>> should I >>>>>>>>>> return to, before the certificate expiration or right after? >>>>>>>>>> Thanks in advanc >>>>>>>>> >>>>>>>>> I'd guess that this affects a lot more than just the web server >>>>>>>>> cert. >>>>>>>>> getcert list will tell you. >>>>>>>>> >>>>>>>>> Depending on that outcome affect the suggested remediation. >>>>>>>>> >>>>>>>>> As for going back in time, you'd need a server outage to do this >>>>>>>>> and it >>>>>>>>> only would be backwards in time for a short time. 
Just long >>>>>>>>> enough so >>>>>>>>> the services could start with non-expired certificates to get them >>>>>>>>> renewed. But there are other ways to do this that don't require >>>>>>>>> fiddling >>>>>>>>> with time. >>>>>>>>> >>>>>>>>> rob >> >
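Two practical points come up in the thread above: the ldapi socket path must be percent-encoded before ldapsearch can use it, and an upgrade will fail to start the CA when tracked certificates have already expired, so `getcert list` is the first thing to check. The script below is an added example that is not part of the thread and not FreeIPA's own code: it builds the escaped ldapi URI and parses `getcert list`-style output to report expired, expiring and certificate-less requests. The sample output, hostnames, realm, request IDs and dates in it are constructed, and the reference time is fixed so the run is reproducible.

```python
"""Added example (not FreeIPA code, not code posted in the thread): build a
correctly escaped ldapi:// URI, and flag expired / soon-to-expire certificates
in `getcert list` output, the check to run before an upgrade so the CA does
not fail to start afterwards. The sample output and its dates are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import quote


def ldapi_uri(socket_path: str) -> str:
    """ldapi:// URI for an absolute UNIX socket path.

    libldap parses what follows 'ldapi://' as a host, so every '/' in the
    path must be %2F-encoded or the client reports "Can't contact LDAP server".
    """
    if not socket_path.startswith("/"):
        raise ValueError("socket path must be absolute")
    return "ldapi://" + quote(socket_path, safe="")


# Constructed sample in the shape of `ipa-getcert list` output (values made up).
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 4.
Request ID '20191219011208':
    status: MONITORING
    ca-error: Server at https://dc1.example.test/ipa/xml failed request, will retry: -504 (SSL certificate problem: certificate has expired).
    expires: 2021-12-18 00:01:22 -03
    principal name: HTTP/dc1.example.test@EXAMPLE.TEST
Request ID '20191218181440':
    status: MONITORING
    expires: 2022-12-05 15:14:49 -03
    principal name: krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Request ID '20191219011104':
    status: MONITORING
    expires: 2023-11-21 15:13:39 UTC
    principal name: ldap/dc1.example.test@EXAMPLE.TEST
Request ID '20221122000001':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
"""
# Constructed reference time (the upgrade timestamp from the thread's log).
REFERENCE_NOW = datetime(2022, 11, 22, 14, 26, 57, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
# getcert prints local time followed by the zone name; zones without an
# abbreviation (Uruguay, in the thread) show up as a bare offset like "-03".
EXPIRES_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(UTC|GMT|Z|[+-]\d{2}(?::?\d{2})?)$")


def parse_expires(value: str) -> datetime:
    """Turn an 'expires:' value into a timezone-aware datetime."""
    m = EXPIRES_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised expires value: {value!r}")
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    zone = m.group(2)
    if zone in ("UTC", "GMT", "Z"):
        return naive.replace(tzinfo=timezone.utc)
    digits = zone[1:].replace(":", "")
    offset = timedelta(hours=int(digits[:2]), minutes=int(digits[2:] or "0"))
    return naive.replace(tzinfo=timezone(-offset if zone[0] == "-" else offset))


def parse_getcert(text: str) -> list:
    """One dict of 'key: value' attributes per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests


def classify(requests: list, now: datetime, warn_days: int = 30) -> list:
    """Label each request expired / expiring / ok / no-cert relative to `now`."""
    report = []
    for req in requests:
        entry = {"request_id": req["request_id"],
                 "principal": req.get("principal name", "?"),
                 "status": req.get("status", "?")}
        if "expires" not in req:  # never got a certificate (e.g. stuck NEWLY_ADDED_*)
            entry.update(state="no-cert", days_left=None)
        else:
            remaining = parse_expires(req["expires"]) - now
            entry["days_left"] = remaining.days
            entry["state"] = ("expired" if remaining <= timedelta(0)
                              else "expiring" if remaining <= timedelta(days=warn_days)
                              else "ok")
        report.append(entry)
    return report


def needs_attention(report: list) -> list:
    """Request IDs that will break services or the next ipa-server-upgrade."""
    return [e["request_id"] for e in report if e["state"] != "ok"]


def demo_report(warn_days: int = 30) -> list:
    """Run the check over the constructed sample at the constructed reference time."""
    return classify(parse_getcert(SAMPLE_GETCERT), REFERENCE_NOW, warn_days)


if __name__ == "__main__":
    print(ldapi_uri("/var/run/slapd-EXAMPLE-TEST.socket"))
    for e in demo_report():
        print(f"{e['state']:8} {e['request_id']} {e['principal']} days_left={e['days_left']}")
```

On a real server, feed `ipa-getcert list` output into `parse_getcert` and use the current time for `now`; only the slashes in the socket path need encoding, and any request that comes back as `expired`, `expiring` or `no-cert` is worth resolving before running `ipa-server-upgrade`, since the upgrade restarts services that will refuse to come up on an expired certificate.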
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue