The only expired cert was the HTTP in the dc1 server, dc2 had all the certs
valid:
Dc1:
ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191218181440':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
expires: 2023-11-21 15:14:49 -03
principal name: krbtgt/tnu.com...@tnu.com.uy
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20191219011104':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
expires: 2023-11-21 15:13:39 -03
dns: dc1.tnu.com.uy
principal name: ldap/dc1.tnu.com...@tnu.com.uy
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
track: yes
auto-renew: yes
Request ID '20211217030046':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc1.tnu.com.uy-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
expires: 2023-12-18 00:01:22 -03
dns: dc1.tnu.com.uy
principal name: HTTP/dc1.tnu.com...@tnu.com.uy
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Dc2:
ipa-getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:59:28 -03
expires: 2023-12-13 22:59:28 -03
principal name: krbtgt/tnu.com...@tnu.com.uy
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20221130160326':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:10 -03
expires: 2023-12-13 22:53:10 -03
dns: dc2.tnu.com.uy
principal name: ldap/dc2.tnu.com...@tnu.com.uy
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
track: yes
auto-renew: yes
Request ID '20221130160327':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:26 -03
expires: 2023-12-13 22:53:26 -03
dns: dc2.tnu.com.uy
principal name: HTTP/dc2.tnu.com...@tnu.com.uy
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
> El 30 nov. 2022, a las 18:50, Rob Crittenden <rcrit...@redhat.com> escribió:
>
> Juan Pablo Lorier wrote:
>> Ok, with the skip-version-check flag it starts correctly, but if I try
>> to restart the service without the flag, it fails in the same point. The
>> error is related to the upgrade process then. I’m upgrading from 4.7 to
>> 4.9 as I didn’t find any restriction in the documentation.
>> Is it possible that there’s an issue with that upgrade path?
>
> If is likely related to your expired certificates. Did you look to see
> if others besides the HTTP cert expired?
>
> rob
>
>> Thanks
>>
>>> El 30 nov. 2022, a las 16:21, Rob Crittenden <rcrit...@redhat.com
>>> <mailto:rcrit...@redhat.com>> escribió:
>>>
>>> Juan Pablo Lorier wrote:
>>>> Hi,
>>>>
>>>> Rob, the problem with ipactl --ignore-service-failures is that it always
>>>> try to upgrade from 4.7 to 4.9 first and it fails for that reason.
>>>
>>> $ man 8 ipactl
>>>
>>> --skip-version-check Skip version check
>>>
>>> rob
>>>
>>>>
>>>> I were able to move forward and get poi-tomcat running but I still can’t
>>>> finish the upgrade process.
>>>> Here are some more logs to see if you can see a lead to help me.
>>>> Regards
>>>>
>>>> */var/log/ipaupgrade.log*
>>>>
>>>> 022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and
>>>> enabled; skipping
>>>> 2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP
>>>> and enabled; skipping
>>>> 2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and
>>>> enabled; skipping
>>>> 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
>>>> 2022-11-30T16:07:49Z DEBUG request GET
>>>> https://dc2.tnu.com.uy:8443/ca/rest/account/login
>>>> 2022-11-30T16:07:49Z DEBUG request body ''
>>>> 2022-11-30T16:07:54Z DEBUG httplib request failed:
>>>> Traceback (most recent call last):
>>>> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271,
>>>> in _httplib_request
>>>> conn.request(method, path, body=request_body, headers=headers)
>>>> File "/usr/lib64/python3.6/http/client.py", line 1273, in request
>>>> self._send_request(method, url, body, headers, encode_chunked)
>>>> File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
>>>> self.endheaders(body, encode_chunked=encode_chunked)
>>>> File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
>>>> self._send_output(message_body, encode_chunked=encode_chunked)
>>>> File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
>>>> self.send(msg)
>>>> File "/usr/lib64/python3.6/http/client.py", line 982, in send
>>>> self.connect()
>>>> File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
>>>> server_hostname=server_hostname)
>>>> File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
>>>> _context=self, _session=session)
>>>> File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
>>>> self.do_handshake()
>>>> File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
>>>> self._sslobj.do_handshake()
>>>> File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
>>>> self._sslobj.do_handshake()
>>>> OSError: [Errno 0] Error
>>>> 2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect
>>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>> 2022-11-30T16:07:54Z DEBUG File
>>>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in
>>>> execute
>>>> return_value = self.run()
>>>> File
>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py",
>>>> line 54, in run
>>>> server.upgrade()
>>>> File
>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
>>>> line 2055, in upgrade
>>>> upgrade_configuration()
>>>> File
>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
>>>> line 1908, in upgrade_configuration
>>>> ca_enable_ldap_profile_subsystem(ca)
>>>> File
>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
>>>> line 458, in ca_enable_ldap_profile_subsystem
>>>> cainstance.migrate_profiles_to_ldap()
>>>> File
>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line
>>>> 2111, in migrate_profiles_to_ldap
>>>> _create_dogtag_profile(profile_id, profile_data, overwrite=False)
>>>> File
>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line
>>>> 2165, in _create_dogtag_profile
>>>> with api.Backend.ra_certprofile as profile_api:
>>>> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py",
>>>> line 1207, in __enter__
>>>> method='GET'
>>>> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218,
>>>> in https_request
>>>> method=method, headers=headers)
>>>> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280,
>>>> in _httplib_request
>>>> raise NetworkError(uri=uri, error=str(e))
>>>>
>>>> 2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed,
>>>> exception: NetworkError: cannot connect to
>>>> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
>>>> 2022-11-30T16:07:54Z ERROR Unexpected error - see
>>>> /var/log/ipaupgrade.log for details:
>>>> NetworkError: cannot connect to
>>>> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
>>>> 2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See
>>>> /var/log/ipaupgrade.log for more information
>>>>
>>>>
>>>> *dirsrv/slapd-TNU-COM-UY/errors*
>>>>
>>>> [30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse
>>>> - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
>>>> [30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse
>>>> - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
>>>> [30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse
>>>> - The ACL target cn=automember rebuild membership,cn=tasks,cn=config
>>>> does not exist
>>>> [30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr -
>>>> Because krbPwdPolicyReference is a new registered virtual attribute ,
>>>> nsslapd-ignore-virtual-attrs was set to 'off'
>>>> [30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could
>>>> not get initial credentials for principal
>>>> [ldap/dc2.tnu.com...@tnu.com.uy
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>]
>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
>>>> KDC for requested realm)
>>>> [30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin -
>>>> schema-compat-plugin tree scan will start in about 5 seconds!
>>>> [30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd
>>>> started. Listening on All Interfaces port 389 for LDAP requests
>>>> [30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening
>>>> on All Interfaces port 636 for LDAPS requests
>>>> [30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening
>>>> on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
>>>> [30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could
>>>> not get initial credentials for principal
>>>> [ldap/dc2.tnu.com...@tnu.com.uy
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>]
>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
>>>> KDC for requested realm)
>>>> [30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin -
>>>> Finished plugin initialization.
>>>> [30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could
>>>> not get initial credentials for principal
>>>> [ldap/dc2.tnu.com...@tnu.com.uy
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>]
>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
>>>> KDC for requested realm)
>>>> [30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could
>>>> not get initial credentials for principal
>>>> [ldap/dc2.tnu.com...@tnu.com.uy
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>]
>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
>>>> KDC for requested realm)
>>>> [30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could
>>>> not get initial credentials for principal
>>>> [ldap/dc2.tnu.com...@tnu.com.uy
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>]
>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
>>>> KDC for requested realm)
>>>> [30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could
>>>> not get initial credentials for principal
>>>> [ldap/dc2.tnu.com...@tnu.com.uy
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>]
>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
>>>> KDC for requested realm)
>>>> [30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could
>>>> not get initial credentials for principal
>>>> [ldap/dc2.tnu.com...@tnu.com.uy
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>]
>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
>>>> KDC for requested realm)
>>>> [30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could
>>>> not get initial credentials for principal
>>>> [ldap/dc2.tnu.com...@tnu.com.uy
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>]
>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
>>>> KDC for requested realm)
>>>> [30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could
>>>> not get initial credentials for principal
>>>> [ldap/dc2.tnu.com...@tnu.com.uy
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>]
>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
>>>> KDC for requested realm)
>>>> [30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could
>>>> not get initial credentials for principal
>>>> [ldap/dc2.tnu.com...@tnu.com.uy
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>]
>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
>>>> KDC for requested realm)
>>>> [30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could
>>>> not get initial credentials for principal
>>>> [ldap/dc2.tnu.com...@tnu.com.uy
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>
>>>> <mailto:ldap/dc2.tnu.com...@tnu.com.uy>]
>>>> in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
>>>> KDC for requested realm)
>>>>
>>>> *localhost_access_log.2022-11-30.txt*
>>>>
>>>> 127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
>>>> XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus
>>>> HTTP/1.1" 200 193
>>>> XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login
>>>> HTTP/1.1" 401 669
>>>>
>>>>
>>>>> El 23 nov. 2022, a las 18:42, Rob Crittenden <rcrit...@redhat.com
>>>>> <mailto:rcrit...@redhat.com>
>>>>> <mailto:rcrit...@redhat.com>> escribió:
>>>>>
>>>>> Run "ipactl --ignore-service-failures" and it should bring up all the
>>>>> services it can.
>>>>>
>>>>> rob
>>>>>
>>>>> Juan Pablo Lorier wrote:
>>>>>> Hi again,
>>>>>>
>>>>>> I used the ldapi from /etc/ipa/default.conf and I was able to get a
>>>>>> different reply:
>>>>>>
>>>>>> ldapsearch -Y GSSAPI -H
>>>>>> ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket
>>>>>> <ldapi:///var/run/slapd%5C-TNU%5C-COM%5C-UY.socket>
>>>>>>
>>>>>> SASL/GSSAPI authentication started
>>>>>> ldap_sasl_interactive_bind_s: Local error (-2)
>>>>>> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
>>>>>> GSS failure. Minor code may provide more information (Ticket expired)
>>>>>>
>>>>>> But if I try to renew the ticket, it fails:
>>>>>>
>>>>>> kinit admin
>>>>>> kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting
>>>>>> initial credentials
>>>>>>
>>>>>> The running DC is in 4.7 and it should reply to the kinit requests
>>>>>>
>>>>>>
>>>>>> I added the debug option to see if I can ge further information.
>>>>>>
>>>>>> ipactl restart
>>>>>> IPA version error: data needs to be upgraded (expected version
>>>>>> '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version
>>>>>> '4.7.1-11.module_el8.0.0+79+bbd20d7b')
>>>>>> Automatically running upgrade, for details see /var/log/ipaupgrade.log
>>>>>> Be patient, this may take a few minutes.
>>>>>> Automatic upgrade failed: Error caught updating
>>>>>> nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and
>>>>>> attributes are managed by topology plugin.No direct modifications
>>>>>> allowed.
>>>>>> Error caught updating nsDS5ReplicatedAttributeListTotal: Server is
>>>>>> unwilling to perform: Entry and attributes are managed by topology
>>>>>> plugin.No direct modifications allowed.
>>>>>> Update complete
>>>>>> Upgrading the configuration of the IPA services
>>>>>> [Verifying that root certificate is published]
>>>>>> [Migrate CRL publish directory]
>>>>>> CRL tree already moved
>>>>>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>>>>>> command ipa-server-upgrade manually.
>>>>>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
>>>>>> 'start', 'pki-tomcatd@pki-tomcat.service
>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit status
>>>>>> 1: 'Job for pki-tomcatd@pki-tomcat.service
>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control
>>>>>> process exited with error code.\nSee "systemctl status
>>>>>> pki-tomcatd@pki-tomcat.service <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>"
>>>>>> and "journalctl -xe" for details.\n')
>>>>>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>>>>>> more information
>>>>>>
>>>>>> See the upgrade log for more details and/or run
>>>>>> /usr/sbin/ipa-server-upgrade again
>>>>>> Stopping ipa-dnskeysyncd Service
>>>>>> Stopping ipa-otpd Service
>>>>>> Stopping pki-tomcatd Service
>>>>>> Stopping ipa-custodia Service
>>>>>> Stopping httpd Service
>>>>>> Stopping named Service
>>>>>> Stopping kadmin Service
>>>>>> Stopping krb5kdc Service
>>>>>> Stopping Directory Service
>>>>>> Aborting ipactl
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>>
>>>>>>> El 23 nov. 2022, a las 11:50, Rob Crittenden <rcrit...@redhat.com
>>>>>>> <mailto:rcrit...@redhat.com>
>>>>>>> <mailto:rcrit...@redhat.com>
>>>>>>> <mailto:rcrit...@redhat.com>> escribió:
>>>>>>>
>>>>>>> Juan Pablo Lorier wrote:
>>>>>>>> Hi Rob,
>>>>>>>>
>>>>>>>> Thanks for the reply. As I didn’t know other way but to go back in
>>>>>>>> time,
>>>>>>>> I just did it and now the server is running 100%.
>>>>>>>>
>>>>>>>> This was all part of an update from 4.7 to 4.9. According to the
>>>>>>>> documentation, it was just a matter to def update but it seems
>>>>>>>> that is
>>>>>>>> not such a happy path.>
>>>>>>>> I updated the second server but it’s not able to finalize the update
>>>>>>>> process. DNS is failing to start:
>>>>>>>>
>>>>>>>> # systemctl status ipa-dnskeysyncd.service
>>>>>>>>
>>>>>>>>
>>>>>>>> *●*ipa-dnskeysyncd.service - IPA key daemon
>>>>>>>> Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service;
>>>>>>>> disabled; vendor preset: disabled)
>>>>>>>> Active: *active (running)*since Tue 2022-11-22 11:27:16 -03; 1h
>>>>>>>> 14min ago
>>>>>>>> Main PID: 250496 (ipa-dnskeysyncd)
>>>>>>>> Tasks: 1 (limit: 23652)
>>>>>>>> Memory: 68.4M
>>>>>>>> CGroup: /system.slice/ipa-dnskeysyncd.service
>>>>>>>> └─250496 /usr/libexec/platform-python -I
>>>>>>>> /usr/libexec/ipa/ipa-dnskeysyncd
>>>>>>>>
>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client
>>>>>>>> step 1
>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client
>>>>>>>> step 2
>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]:
>>>>>>>> ipa-dnskeysyncd:
>>>>>>>> INFO Commencing sync process
>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]:
>>>>>>>> ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done,
>>>>>>>> sychronizing with ODS and BIND
>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
>>>>>>>> *Configuration.cpp(96): Missing log.level in configuration. Using
>>>>>>>> default value: INFO*
>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
>>>>>>>> *Configuration.cpp(96): Missing slots.mechanisms in configuration.
>>>>>>>> Using
>>>>>>>> default value: ALL*
>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
>>>>>>>> *Configuration.cpp(124): Missing slots.removable in configuration.
>>>>>>>> Using
>>>>>>>> default value: false*
>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client
>>>>>>>> step 1
>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client
>>>>>>>> step 1
>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> GSSAPI client step 1
>>>>>>>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
>>>>>>>>
>>>>>>>>
>>>>>>>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22
>>>>>>>> 12:40:17 -03. --
>>>>>>>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing all plugin modules in ipaserver.plugins...
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.aci
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.automember
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.automount
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.baseldap
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG ipaserver.plugins.baseldap is not a valid plugin module
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.baseuser
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.batch
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.ca
>>>>>>>> <http://ipaserver.plugins.ca/>
>>>>>>>> <http://ipaserver.plugins.ca/>
>>>>>>>> <http://ipaserver.plugins.ca
>>>>>>>> <http://ipaserver.plugins.ca/> <http://ipaserver.plugins.ca/>>
>>>>>>>> <http://ipaserver.plugins.ca <http://ipaserver.plugins.ca/>
>>>>>>>> <http://ipaserver.plugins.ca/> <http://ipaserver.plugins.ca/>>
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.caacl
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.cert
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.certmap
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.certprofile
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.config
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.delegation
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.dns
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.dnsserver
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.dogtag
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.domainlevel
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.group
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.hbac
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG ipaserver.plugins.hbac is not a valid plugin module
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.hbacrule
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.hbacsvc
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.hbactest
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.host
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.hostgroup
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.idrange
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.idviews
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.internal
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.join
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.krbtpolicy
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.ldap2
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.location
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.migration
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.misc
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.netgroup
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.otp
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG ipaserver.plugins.otp is not a valid plugin module
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.otpconfig
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.otptoken
>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]:
>>>>>>>> ipalib.plugable:
>>>>>>>> DEBUG importing plugin module ipaserver.plugins.passwd
>>>>>>>
>>>>>>> There should be quite a bit more after that.
>>>>>>>
>>>>>>>>
>>>>>>>> #less /var/log/dirsrv/slapd-*/access
>>>>>>>>
>>>>>>>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0
>>>>>>>> tag=101
>>>>>>>> nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
>>>>>>>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH
>>>>>>>> base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0
>>>>>>>> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
>>>>>>>> krbMaxRenewab
>>>>>>>> leAge krbTicketFlags krbAuthIndMaxTicketLife
>>>>>>>> krbAuthIndMaxRenewableAge"
>>>>>>>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0
>>>>>>>> tag=101
>>>>>>>> nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
>>>>>>>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn=""
>>>>>>>> method=sasl version=3 mech=GSSAPI
>>>>>>>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14
>>>>>>>> tag=97
>>>>>>>> nentries=0 wtime=0.000071973 optime=0.002531582
>>>>>>>> etime=0.002602416, SASL
>>>>>>>> bind in progress
>>>>>>>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn=""
>>>>>>>> method=sasl version=3 mech=GSSAPI
>>>>>>>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14
>>>>>>>> tag=97
>>>>>>>> nentries=0 wtime=0.000058962 optime=0.001451477
>>>>>>>> etime=0.001509337, SASL
>>>>>>>> bind in progress
>>>>>>>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn=""
>>>>>>>> method=sasl version=3 mech=GSSAPI
>>>>>>>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0
>>>>>>>> tag=97
>>>>>>>> nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026
>>>>>>>> dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=
>>>>>>>> com,dc=uy"
>>>>>>>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH
>>>>>>>> base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2
>>>>>>>> filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))"
>>>>>>>> attrs="objectClass cn fqdn serverHostN
>>>>>>>> ame memberOf ipaSshPubKey ipaUniqueID"
>>>>>>>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0
>>>>>>>> tag=101
>>>>>>>> nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994
>>>>>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>>>>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH
>>>>>>>> base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
>>>>>>>> scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaU
>>>>>>>> niqueID"
>>>>>>>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0
>>>>>>>> tag=101
>>>>>>>> nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094
>>>>>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>>>>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH
>>>>>>>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2
>>>>>>>> filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))"
>>>>>>>> attrs="objectClass ipaUniqueID cn memb
>>>>>>>> er entryusn"
>>>>>>>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0
>>>>>>>> tag=101
>>>>>>>> nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481
>>>>>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>>>>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH
>>>>>>>> base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2
>>>>>>>> filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostC
>>>>>>>> ategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgro
>>>>>>>> ups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))"
>>>>>>>> attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt
>>>>>>>> ipaSudoRunAs
>>>>>>>> ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberU
>>>>>>>> ser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory
>>>>>>>> userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory
>>>>>>>> ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup e
>>>>>>>> xternalUser entryusn"
>>>>>>>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0
>>>>>>>> tag=101
>>>>>>>> nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132
>>>>>>>> notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>>>>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT
>>>>>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT
>>>>>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0
>>>>>>>> tag=120 nentries=0 wtime=0.000194721 optime=0.000766071
>>>>>>>> etime=0.000956734
>>>>>>>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0
>>>>>>>> tag=120 nentries=0 wtime=0.000326560 optime=0.001178137
>>>>>>>> etime=0.001489204
>>>>>>>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT
>>>>>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>>>>>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0
>>>>>>>> tag=120 nentries=0 wtime=0.000133089 optime=0.002969180
>>>>>>>> etime=0.003098843
>>>>>>>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT
>>>>>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>>>>>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0
>>>>>>>> tag=120 nentries=0 wtime=0.000131720 optime=0.002769639
>>>>>>>> etime=0.002897696
>>>>>>>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT
>>>>>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT
>>>>>>>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0
>>>>>>>> tag=120 nentries=0 wtime=0.000245657 optime=0.001129708
>>>>>>>> etime=0.001372435
>>>>>>>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0
>>>>>>>> tag=120 nentries=0 wtime=0.000293789 optime=0.001457836
>>>>>>>> etime=0.001748601
>>>>>>>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT
>>>>>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>>>>>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0
>>>>>>>> tag=120 nentries=0 wtime=0.010809128 optime=0.004600843
>>>>>>>> etime=0.015402108
>>>>>>>>
>>>>>>>>
>>>>>>>> I see that after the update, the files were changed:
>>>>>>>>
>>>>>>>>
>>>>>>>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY*
>>>>>>>> /etc/dirsrv/slapd-TNU-COM-UY:
>>>>>>>> total 4208
>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem
>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem
>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022
>>>>>>>> TNU.COM.UY20IPA20CA.pem
>>>>>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db
>>>>>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig
>>>>>>>> -r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf
>>>>>>>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif
>>>>>>>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak
>>>>>>>> -rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55
>>>>>>>> dse.ldif.ipa.1cf1fe204fd69494
>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:01
>>>>>>>> dse.ldif.ipa.1dd1d38cbd8d26ae
>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:26
>>>>>>>> dse.ldif.ipa.21662457cb42c116
>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:47
>>>>>>>> dse.ldif.ipa.256a5d66e550a957
>>>>>>>> -rw-------. 1 dirsrv root 195350 Nov 21 13:35
>>>>>>>> dse.ldif.ipa.274744b10eed3d9b
>>>>>>>> -rw-------. 1 dirsrv root 203050 Nov 21 19:09
>>>>>>>> dse.ldif.ipa.385fb48f5462219c
>>>>>>>> -rw-------. 1 dirsrv root 156705 Jan 9 2020
>>>>>>>> dse.ldif.ipa.6b71b47d73ca452a
>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:38
>>>>>>>> dse.ldif.ipa.767aba4a82811822
>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 21 21:07
>>>>>>>> dse.ldif.ipa.814a4de587fc22ec
>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:49
>>>>>>>> dse.ldif.ipa.889036fc0907e7de
>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:47
>>>>>>>> dse.ldif.ipa.8fd2b7413b99dfa3
>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:42
>>>>>>>> dse.ldif.ipa.958ca3a96922f2fd
>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:48
>>>>>>>> dse.ldif.ipa.bacd6d1d200348bf
>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:24
>>>>>>>> dse.ldif.ipa.bfadc14f0e609072
>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:23
>>>>>>>> dse.ldif.ipa.f1e864261a119b6c
>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 15:42
>>>>>>>> dse.ldif.ipa.fa918bf07c17e2e8
>>>>>>>> -rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 dse.ldif.modified.out
>>>>>>>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK
>>>>>>>> -r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif
>>>>>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db
>>>>>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig
>>>>>>>> -r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt
>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt
>>>>>>>> -rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig
>>>>>>>> -rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt
>>>>>>>> -r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig
>>>>>>>> drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema
>>>>>>>> drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak
>>>>>>>> -rw-r--r--. 1 dirsrv root 15142 Nov 21 18:59 slapd-collations.conf
>>>>>>>>
>>>>>>>>
>>>>>>>> I can’t connect to the LDAP service:
>>>>>>>>
>>>>>>>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket
>>>>>>>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>>>>>>>
>>>>>>> You have to escape the socket path:
>>>>>>> ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket
>>>>>>>
>>>>>>>> # less /var/log/ipaupgrade.log
>>>>>>>>
>>>>>>>> Server built: Jun 29 2021 22:00:15 UTC
>>>>>>>> Server number: 9.0.30.0
>>>>>>>> OS Name: Linux
>>>>>>>> OS Version: 4.18.0-348.7.1.el8_5.x86_64
>>>>>>>> Architecture: amd64
>>>>>>>> JVM Version: 1.8.0_322-b06
>>>>>>>> JVM Vendor: Red Hat, Inc.
>>>>>>>>
>>>>>>>> 2022-11-22T14:26:56Z DEBUG stderr=
>>>>>>>> 2022-11-22T14:26:56Z DEBUG Starting external process
>>>>>>>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show',
>>>>>>>> 'kra']
>>>>>>>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1
>>>>>>>> 2022-11-22T14:26:56Z DEBUG stdout=
>>>>>>>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in
>>>>>>>> instance pki-tomcat.
>>>>>>>>
>>>>>>>> 2022-11-22T14:26:56Z DEBUG Starting external process
>>>>>>>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start',
>>>>>>>> 'pki-tomcatd@pki-tomcat.service
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>']
>>>>>>>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1
>>>>>>>> 2022-11-22T14:26:57Z DEBUG stdout=
>>>>>>>> 2022-11-22T14:26:57Z DEBUG stderr=Job
>>>>>>>> for pki-tomcatd@pki-tomcat.service
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control
>>>>>>>> process exited with error code.
>>>>>>>> See "systemctl status pki-tomcatd@pki-tomcat.service
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>" and "journalctl -xe" for
>>>>>>>> details.
>>>>>>>>
>>>>>>>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect
>>>>>>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>>>>> 2022-11-22T14:26:57Z DEBUG File
>>>>>>>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line
>>>>>>>> 180, in
>>>>>>>> execute
>>>>>>>> return_value = self.run()
>>>>>>>> File
>>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py",
>>>>>>>> line 54, in run
>>>>>>>> server.upgrade()
>>>>>>>> File
>>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
>>>>>>>> line 2055, in upgrade
>>>>>>>> upgrade_configuration()
>>>>>>>> File
>>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
>>>>>>>> line 1783, in upgrade_configuration
>>>>>>>> ca.start('pki-tomcat')
>>>>>>>> File
>>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/service.py",
>>>>>>>> line 524, in start
>>>>>>>> self.service.start(instance_name, capture_output=capture_output,
>>>>>>>> wait=wait)
>>>>>>>> File
>>>>>>>> "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py",
>>>>>>>> line 306, in start
>>>>>>>> skip_output=not capture_output)
>>>>>>>> File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line
>>>>>>>> 600, in run
>>>>>>>> p.returncode, arg_string, output_log, error_log
>>>>>>>>
>>>>>>>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed,
>>>>>>>> exception: CalledProcessError: CalledProcessError(Command
>>>>>>>> ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit
>>>>>>>> status
>>>>>>>> 1: 'Job for pki-tomcatd@pki-tomcat.service
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control
>>>>>>>> process exited with error code.\nSee "systemctl status
>>>>>>>> pki-tomcatd@pki-tomcat.service
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>"
>>>>>>>> and "journalctl -xe" for details.\n')
>>>>>>>> 2022-11-22T14:26:57Z ERROR Unexpected error - see
>>>>>>>> /var/log/ipaupgrade.log for details:
>>>>>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl',
>>>>>>>> 'start', 'pki-tomcatd@pki-tomcat.service
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>'] returned non-zero exit
>>>>>>>> status
>>>>>>>> 1: 'Job for pki-tomcatd@pki-tomcat.service
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service> failed because the control
>>>>>>>> process exited with error code.\nSee "systemctl status
>>>>>>>> pki-tomcatd@pki-tomcat.service
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>
>>>>>>>> <mailto:pki-tomcatd@pki-tomcat.service>"
>>>>>>>> and "journalctl -xe" for details.\n')
>>>>>>>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command failed. See
>>>>>>>> /var/log/ipaupgrade.log for more information
>>>>>>>> (END)
>>>>>>>
>>>>>>> The CA failed to start. This is often due to expired certificates that
>>>>>>> get exposed when an upgrade is done. Check that out.
>>>>>>>
>>>>>>>> #ipactl status
>>>>>>>>
>>>>>>>> Directory Service: RUNNING
>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>> kadmin Service: RUNNING
>>>>>>>> named Service: STOPPED
>>>>>>>> httpd Service: RUNNING
>>>>>>>> ipa-custodia Service: RUNNING
>>>>>>>> pki-tomcatd Service: STOPPED
>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>> 2 service(s) are not running
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>>> El 22 nov. 2022, a las 11:43, Rob Crittenden
>>>>>>>>> <rcrit...@redhat.com <mailto:rcrit...@redhat.com>
>>>>>>>>> <mailto:rcrit...@redhat.com>
>>>>>>>>> <mailto:rcrit...@redhat.com>
>>>>>>>>> <mailto:rcrit...@redhat.com>> escribió:
>>>>>>>>>
>>>>>>>>> Juan Pablo Lorier via FreeIPA-users wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I have a production server that was not maintained and I see
>>>>>>>>>> that the
>>>>>>>>>> HTTP certificate has expired long ago. I tried to renew it but I'm
>>>>>>>>>> not being agle to get it right.
>>>>>>>>>>
>>>>>>>>>> The initial status was:
>>>>>>>>>>
>>>>>>>>>> Request ID '20191219011208':
>>>>>>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>>>>>>>> stuck: yes
>>>>>>>>>> key pair storage:
>>>>>>>>>> type=FILE,location='/var/lib/ipa/private/httpd.key'
>>>>>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>>>>>>>
>>>>>>>>>> Then following this thread
>>>>>>>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GLFHCL2DW4LD2GQTTAZRYSXUGQQXD67Q/
>>>>>>>>>>
>>>>>>>>>> I got it to this state:
>>>>>>>>>>
>>>>>>>>>> Request ID '20191219011208':
>>>>>>>>>> status: MONITORING
>>>>>>>>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request,
>>>>>>>>>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed.
>>>>>>>>>> libcurl failed even to execute the HTTP transaction, explaining:
>>>>>>>>>> SSL certificate problem: certificate has expired).
>>>>>>>>>> stuck: no
>>>>>>>>>> key pair storage:
>>>>>>>>>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA'
>>>>>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>>>>>>>
>>>>>>>>>> The post indicates that I have to put an old date in the server to
>>>>>>>>>> get it renewed, but as the server is in production, it means
>>>>>>>>>> that all
>>>>>>>>>> clients will fail to log to the server. Evenmore, what time
>>>>>>>>>> should I
>>>>>>>>>> return to, before the certificate expiration or right after?
>>>>>>>>>> Thanks in advanc
>>>>>>>>>
>>>>>>>>> I'd guess that this affects a lot more than just the web server
>>>>>>>>> cert.
>>>>>>>>> getcert list will tell you.
>>>>>>>>>
>>>>>>>>> Depending on that outcome affect the suggested remediation.
>>>>>>>>>
>>>>>>>>> As for going back in time, you'd need a server outage to do this
>>>>>>>>> and it
>>>>>>>>> only would be backwards in time for a short time. Just long
>>>>>>>>> enough so
>>>>>>>>> the services could start with non-expired certificates to get them
>>>>>>>>> renewed. But there are other ways to do this that don't require
>>>>>>>>> fiddling
>>>>>>>>> with time.
>>>>>>>>>
>>>>>>>>> rob
>>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
