Juan Pablo Lorier wrote:
> The only expired cert was the HTTP in the dc1 server, dc2 had all the
> certs valid:

This does not show all of the tracked certificates. Use plain getcert
which will show for all CA helpers.

rob

> *Dc1:*
>
> ipa-getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20191218181440':
> 	status: MONITORING
> 	stuck: no
> 	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> 	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=TNU.COM.UY
> 	subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
> 	expires: 2023-11-21 15:14:49 -03
> 	principal name: krbtgt/[email protected]
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-pkinit-KPKdc
> 	pre-save command:
> 	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> 	track: yes
> 	auto-renew: yes
> Request ID '20191219011104':
> 	status: MONITORING
> 	stuck: no
> 	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
> 	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=TNU.COM.UY
> 	subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
> 	expires: 2023-11-21 15:13:39 -03
> 	dns: dc1.tnu.com.uy
> 	principal name: ldap/[email protected]
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command:
> 	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
> 	track: yes
> 	auto-renew: yes
> Request ID '20211217030046':
> 	status: MONITORING
> 	stuck: no
> 	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc1.tnu.com.uy-443-RSA'
> 	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=TNU.COM.UY
> 	subject: CN=dc1.tnu.com.uy,O=TNU.COM.UY
> 	expires: 2023-12-18 00:01:22 -03
> 	dns: dc1.tnu.com.uy
> 	principal name: HTTP/[email protected]
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command:
> 	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> 	track: yes
> 	auto-renew: yes
>
> *Dc2*:
>
> ipa-getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20200110015908':
> 	status: MONITORING
> 	stuck: no
> 	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> 	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=TNU.COM.UY
> 	subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
> 	issued: 2021-12-12 22:59:28 -03
> 	expires: 2023-12-13 22:59:28 -03
> 	principal name: krbtgt/[email protected]
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-pkinit-KPKdc
> 	profile: KDCs_PKINIT_Certs
> 	pre-save command:
> 	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> 	track: yes
> 	auto-renew: yes
> Request ID '20221130160326':
> 	status: MONITORING
> 	stuck: no
> 	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
> 	certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=TNU.COM.UY
> 	subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
> 	issued: 2021-12-12 22:53:10 -03
> 	expires: 2023-12-13 22:53:10 -03
> 	dns: dc2.tnu.com.uy
> 	principal name: ldap/[email protected]
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	profile: caIPAserviceCert
> 	pre-save command:
> 	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
> 	track: yes
> 	auto-renew: yes
> Request ID '20221130160327':
> 	status: MONITORING
> 	stuck: no
> 	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
> 	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=TNU.COM.UY
> 	subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
> 	issued: 2021-12-12 22:53:26 -03
> 	expires: 2023-12-13 22:53:26 -03
> 	dns: dc2.tnu.com.uy
> 	principal name: HTTP/[email protected]
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	profile: caIPAserviceCert
> 	pre-save command:
> 	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> 	track: yes
> 	auto-renew: yes
>
>> On 30 Nov 2022, at 18:50, Rob Crittenden <[email protected]> wrote:
>>
>> Juan Pablo Lorier wrote:
>>> Ok, with the skip-version-check flag it starts correctly, but if I try
>>> to restart the service without the flag, it fails at the same point. The
>>> error is related to the upgrade process then. I’m upgrading from 4.7 to
>>> 4.9 as I didn’t find any restriction in the documentation.
>>> Is it possible that there’s an issue with that upgrade path?
>>
>> It is likely related to your expired certificates. Did you look to see
>> if others besides the HTTP cert expired?
>>
>> rob
>>
>>> Thanks
>>>
>>>> On 30 Nov 2022, at 16:21, Rob Crittenden <[email protected]> wrote:
>>>>
>>>> Juan Pablo Lorier wrote:
>>>>> Hi,
>>>>>
>>>>> Rob, the problem with ipactl --ignore-service-failures is that it always
>>>>> tries to upgrade from 4.7 to 4.9 first and it fails for that reason.
>>>>
>>>> $ man 8 ipactl
>>>>
>>>> --skip-version-check Skip version check
>>>>
>>>> rob
>>>>
>>>>>
>>>>> I was able to move forward and get pki-tomcat running but I still can’t
>>>>> finish the upgrade process.
>>>>> Here are some more logs to see if you can see a lead to help me.
>>>>> Regards
>>>>>
>>>>> */var/log/ipaupgrade.log*
>>>>>
>>>>> 022-11-30T16:07:49Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
>>>>> 2022-11-30T16:07:49Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
>>>>> 2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
>>>>> 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
>>>>> 2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
>>>>> 2022-11-30T16:07:49Z DEBUG request body ''
>>>>> 2022-11-30T16:07:54Z DEBUG httplib request failed:
>>>>> Traceback (most recent call last):
>>>>>   File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
>>>>>     conn.request(method, path, body=request_body, headers=headers)
>>>>>   File "/usr/lib64/python3.6/http/client.py", line 1273, in request
>>>>>     self._send_request(method, url, body, headers, encode_chunked)
>>>>>   File "/usr/lib64/python3.6/http/client.py", line 1319, in _send_request
>>>>>     self.endheaders(body, encode_chunked=encode_chunked)
>>>>>   File "/usr/lib64/python3.6/http/client.py", line 1268, in endheaders
>>>>>     self._send_output(message_body, encode_chunked=encode_chunked)
>>>>>   File "/usr/lib64/python3.6/http/client.py", line 1044, in _send_output
>>>>>     self.send(msg)
>>>>>   File "/usr/lib64/python3.6/http/client.py", line 982, in send
>>>>>     self.connect()
>>>>>   File "/usr/lib64/python3.6/http/client.py", line 1441, in connect
>>>>>     server_hostname=server_hostname)
>>>>>   File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
>>>>>     _context=self, _session=session)
>>>>>   File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
>>>>>     self.do_handshake()
>>>>>   File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
>>>>>     self._sslobj.do_handshake()
>>>>>   File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
>>>>>     self._sslobj.do_handshake()
>>>>> OSError: [Errno 0] Error
>>>>> 2022-11-30T16:07:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>> 2022-11-30T16:07:54Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
>>>>>     return_value = self.run()
>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
>>>>>     server.upgrade()
>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2055, in upgrade
>>>>>     upgrade_configuration()
>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1908, in upgrade_configuration
>>>>>     ca_enable_ldap_profile_subsystem(ca)
>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
>>>>>     cainstance.migrate_profiles_to_ldap()
>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
>>>>>     _create_dogtag_profile(profile_id, profile_data, overwrite=False)
>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
>>>>>     with api.Backend.ra_certprofile as profile_api:
>>>>>   File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1207, in __enter__
>>>>>     method='GET'
>>>>>   File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 218, in https_request
>>>>>     method=method, headers=headers)
>>>>>   File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 280, in _httplib_request
>>>>>     raise NetworkError(uri=uri, error=str(e))
>>>>>
>>>>> 2022-11-30T16:07:54Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
>>>>> 2022-11-30T16:07:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
>>>>> NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
>>>>> 2022-11-30T16:07:54Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>>>
>>>>>
>>>>> *dirsrv/slapd-TNU-COM-UY/errors*
>>>>>
>>>>> [30/Nov/2022:13:07:31.005266795 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=tnu,dc=com,dc=uy does not exist
>>>>> [30/Nov/2022:13:07:31.013396086 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ad,cn=etc,dc=tnu,dc=com,dc=uy does not exist
>>>>> [30/Nov/2022:13:07:31.146541285 -0300] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
>>>>> [30/Nov/2022:13:07:31.157746196 -0300] - INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to 'off'
>>>>> [30/Nov/2022:13:07:31.220942729 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:07:31.228987499 -0300] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>>>>> [30/Nov/2022:13:07:31.239215782 -0300] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>>> [30/Nov/2022:13:07:31.243799999 -0300] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
>>>>> [30/Nov/2022:13:07:31.247843022 -0300] - INFO - slapd_daemon - Listening on /var/run/slapd-TNU-COM-UY.socket for LDAPI requests
>>>>> [30/Nov/2022:13:07:34.247399548 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:07:37.394441196 -0300] - ERR - schema-compat-plugin - Finished plugin initialization.
>>>>> [30/Nov/2022:13:07:40.289201853 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:07:52.558168008 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:08:15.688392872 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:09:03.721670435 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:10:39.764158267 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:13:51.830095186 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:18:51.938679815 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:23:52.045235332 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>> [30/Nov/2022:13:28:52.149932619 -0300] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>>>>
>>>>> *localhost_access_log.2022-11-30.txt*
>>>>>
>>>>> 127.0.0.1 - - [30/Nov/2022:13:07:54 -0300] "-" 400 -
>>>>> XXX - - [30/Nov/2022:13:10:51 -0300] "POST /ca/admin/ca/getStatus HTTP/1.1" 200 193
>>>>> XXX - - [30/Nov/2022:14:19:14 -0300] "GET /ca/rest/account/login HTTP/1.1" 401 669
>>>>>
>>>>>
>>>>>> On 23 Nov 2022, at 18:42, Rob Crittenden <[email protected]> wrote:
>>>>>>
>>>>>> Run "ipactl --ignore-service-failures" and it should bring up all the
>>>>>> services it can.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>> Juan Pablo Lorier wrote:
>>>>>>> Hi again,
>>>>>>>
>>>>>>> I used the ldapi from /etc/ipa/default.conf and I was able to get a
>>>>>>> different reply:
>>>>>>>
>>>>>>> ldapsearch -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd\-TNU\-COM\-UY.socket
>>>>>>>
>>>>>>> SASL/GSSAPI authentication started
>>>>>>> ldap_sasl_interactive_bind_s: Local error (-2)
>>>>>>> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
>>>>>>>
>>>>>>> But if I try to renew the ticket, it fails:
>>>>>>>
>>>>>>> kinit admin
>>>>>>> kinit: Cannot contact any KDC for realm 'TNU.COM.UY' while getting initial credentials
>>>>>>>
>>>>>>> The running DC is on 4.7 and it should reply to the kinit requests.
>>>>>>>
>>>>>>>
>>>>>>> I added the debug option to see if I can get further information.
>>>>>>>
>>>>>>> ipactl restart
>>>>>>> IPA version error: data needs to be upgraded (expected version '4.9.10-6.module_el8.7.0+1209+42bcbcde', current version '4.7.1-11.module_el8.0.0+79+bbd20d7b')
>>>>>>> Automatically running upgrade, for details see /var/log/ipaupgrade.log
>>>>>>> Be patient, this may take a few minutes.
>>>>>>> Automatic upgrade failed: Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
>>>>>>> Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
>>>>>>> Update complete
>>>>>>> Upgrading the configuration of the IPA services
>>>>>>> [Verifying that root certificate is published]
>>>>>>> [Migrate CRL publish directory]
>>>>>>> CRL tree already moved
>>>>>>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>>>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>>>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', '[email protected]'] returned non-zero exit status 1: 'Job for [email protected] failed because the control process exited with error code.\nSee "systemctl status [email protected]" and "journalctl -xe" for details.\n')
>>>>>>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>>>>>
>>>>>>> See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
>>>>>>> Stopping ipa-dnskeysyncd Service
>>>>>>> Stopping ipa-otpd Service
>>>>>>> Stopping pki-tomcatd Service
>>>>>>> Stopping ipa-custodia Service
>>>>>>> Stopping httpd Service
>>>>>>> Stopping named Service
>>>>>>> Stopping kadmin Service
>>>>>>> Stopping krb5kdc Service
>>>>>>> Stopping Directory Service
>>>>>>> Aborting ipactl
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>>
>>>>>>>> On 23 Nov 2022, at 11:50, Rob Crittenden <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Juan Pablo Lorier wrote:
>>>>>>>>> Hi Rob,
>>>>>>>>>
>>>>>>>>> Thanks for the reply. As I didn’t know any other way but to go back in
>>>>>>>>> time, I just did it and now the server is running 100%.
>>>>>>>>>
>>>>>>>>> This was all part of an update from 4.7 to 4.9. According to the
>>>>>>>>> documentation, it was just a matter of a dnf update but it seems
>>>>>>>>> that is not such a happy path.
>>>>>>>>> I updated the second server but it’s not able to finalize the
>>>>>>>>> update process. DNS is failing to start:
>>>>>>>>>
>>>>>>>>> # systemctl status ipa-dnskeysyncd.service
>>>>>>>>>
>>>>>>>>> ● ipa-dnskeysyncd.service - IPA key daemon
>>>>>>>>>    Loaded: loaded (/usr/lib/systemd/system/ipa-dnskeysyncd.service; disabled; vendor preset: disabled)
>>>>>>>>>    Active: active (running) since Tue 2022-11-22 11:27:16 -03; 1h 14min ago
>>>>>>>>>  Main PID: 250496 (ipa-dnskeysyncd)
>>>>>>>>>     Tasks: 1 (limit: 23652)
>>>>>>>>>    Memory: 68.4M
>>>>>>>>>    CGroup: /system.slice/ipa-dnskeysyncd.service
>>>>>>>>>            └─250496 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-dnskeysyncd
>>>>>>>>>
>>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 1
>>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy platform-python[250496]: GSSAPI client step 2
>>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipa-dnskeysyncd: INFO Commencing sync process
>>>>>>>>> Nov 22 11:27:19 dc2.tnu.com.uy ipa-dnskeysyncd[250496]: ipaserver.dnssec.keysyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND
>>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
>>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
>>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
>>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>>>>>>> Nov 22 11:27:21 dc2.tnu.com.uy platform-python[250503]: GSSAPI client step 1
>>>>>>>>>
>>>>>>>>> [root@dc2 sysconfig]# journalctl -u ipa-dnskeysyncd.service
>>>>>>>>>
>>>>>>>>> -- Logs begin at Mon 2022-11-21 13:40:16 -03, end at Tue 2022-11-22 12:40:17 -03. --
>>>>>>>>> Nov 21 13:50:21 dc2.tnu.com.uy systemd[1]: Started IPA key daemon.
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing all plugin modules in ipaserver.plugins...
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.aci
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automember
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.automount
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseldap
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.baseldap is not a valid plugin module
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.baseuser
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.batch
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ca
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.caacl
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.cert
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certmap
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.certprofile
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.config
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.delegation
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dns
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dnsserver
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.dogtag
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.domainlevel
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.group
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbac
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.hbac is not a valid plugin module
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacrule
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvc
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbacsvcgroup
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hbactest
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.host
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.hostgroup
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idrange
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.idviews
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.internal
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.join
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.krbtpolicy
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.ldap2
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.location
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.migration
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.misc
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.netgroup
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otp
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG ipaserver.plugins.otp is not a valid plugin module
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otpconfig
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.otptoken
>>>>>>>>> Nov 21 13:50:22 dc2.tnu.com.uy ipa-dnskeysyncd[55662]: ipalib.plugable: DEBUG importing plugin module ipaserver.plugins.passwd
>>>>>>>>
>>>>>>>> There should be quite a bit more after that.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> #less /var/log/dirsrv/slapd-*/access
>>>>>>>>>
>>>>>>>>> [22/Nov/2022:12:25:17.037709016 -0300] conn=4 op=68 RESULT err=0 tag=101 nentries=1 wtime=0.000108886 optime=0.000198759 etime=0.000306290
>>>>>>>>> [22/Nov/2022:12:25:17.037805882 -0300] conn=4 op=69 SRCH base="cn=TNU.COM.UY,cn=kerberos,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
>>>>>>>>> [22/Nov/2022:12:25:17.037864654 -0300] conn=4 op=69 RESULT err=0 tag=101 nentries=1 wtime=0.000086049 optime=0.000059372 etime=0.000144403
>>>>>>>>> [22/Nov/2022:12:25:17.038694566 -0300] conn=70 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>>>>>> [22/Nov/2022:12:25:17.041220534 -0300] conn=70 op=1 RESULT err=14 tag=97 nentries=0 wtime=0.000071973 optime=0.002531582 etime=0.002602416, SASL bind in progress
>>>>>>>>> [22/Nov/2022:12:25:17.041605307 -0300] conn=70 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>>>>>> [22/Nov/2022:12:25:17.043051708 -0300] conn=70 op=2 RESULT err=14 tag=97 nentries=0 wtime=0.000058962 optime=0.001451477 etime=0.001509337, SASL bind in progress
>>>>>>>>> [22/Nov/2022:12:25:17.043334177 -0300] conn=70 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
>>>>>>>>> [22/Nov/2022:12:25:17.044050149 -0300] conn=70 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000114469 optime=0.000719743 etime=0.000833026 dn="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy"
>>>>>>>>> [22/Nov/2022:12:25:17.044564033 -0300] conn=70 op=4 SRCH base="cn=accounts,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipaHost)(fqdn=dc2.tnu.com.uy))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
>>>>>>>>> [22/Nov/2022:12:25:17.045209553 -0300] conn=70 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000107524 optime=0.000653663 etime=0.000758994 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>>>>>> [22/Nov/2022:12:25:17.045911285 -0300] conn=70 op=5 SRCH base="fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
>>>>>>>>> [22/Nov/2022:12:25:17.048468717 -0300] conn=70 op=5 RESULT err=0 tag=101 nentries=1 wtime=0.000092854 optime=0.002558537 etime=0.002649094 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>>>>>> [22/Nov/2022:12:25:17.048994273 -0300] conn=70 op=6 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudocmdgrp)(entryusn>=6699034))" attrs="objectClass ipaUniqueID cn member entryusn"
>>>>>>>>> [22/Nov/2022:12:25:17.049250900 -0300] conn=70 op=6 RESULT err=0 tag=101 nentries=0 wtime=0.000115180 optime=0.000258196 etime=0.000371481 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>>>>>> [22/Nov/2022:12:25:17.049587874 -0300] conn=70 op=7 SRCH base="cn=sudo,dc=tnu,dc=com,dc=uy" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(&(!(memberHost=*))(cn=defaults))(hostCategory=ALL)(memberHost=fqdn=dc2.tnu.com.uy,cn=computers,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=ipaservers,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy)(memberHost=cn=servidores,cn=hostgroups,cn=accounts,dc=tnu,dc=com,dc=uy))(entryusn>=6699034))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
>>>>>>>>> [22/Nov/2022:12:25:17.050004910 -0300] conn=70 op=7 RESULT err=0 tag=101 nentries=0 wtime=0.000112679 optime=0.000418158 etime=0.000529132 notes=P details="Paged Search" pr_idx=0 pr_cookie=-1
>>>>>>>>> [22/Nov/2022:12:25:17.773779678 -0300] conn=8 op=2805 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>>>> [22/Nov/2022:12:25:17.773797832 -0300] conn=9 op=2799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>>>> [22/Nov/2022:12:25:17.774537011 -0300] conn=8 op=2805 RESULT err=0 tag=120 nentries=0 wtime=0.000194721 optime=0.000766071 etime=0.000956734
>>>>>>>>> [22/Nov/2022:12:25:17.774962087 -0300] conn=9 op=2799 RESULT err=0 tag=120 nentries=0 wtime=0.000326560 optime=0.001178137 etime=0.001489204
>>>>>>>>> [22/Nov/2022:12:25:17.784485979 -0300] conn=8 op=2806 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>>>>>>> [22/Nov/2022:12:25:17.787446789 -0300] conn=8 op=2806 RESULT err=0 tag=120 nentries=0 wtime=0.000133089 optime=0.002969180 etime=0.003098843
>>>>>>>>> [22/Nov/2022:12:25:17.791783674 -0300] conn=9 op=2800 EXT oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>>>>>>>>> [22/Nov/2022:12:25:17.794547349 -0300] conn=9 op=2800 RESULT err=0 tag=120 nentries=0 wtime=0.000131720 optime=0.002769639 etime=0.002897696
>>>>>>>>> [22/Nov/2022:12:25:20.800111547 -0300] conn=8 op=2807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>>>>>>>> [22/Nov/2022:12:25:20.800124147 -0300] conn=9 op=2801 EXT oid="2.16.840.1.113730.3.5.12"
name="replication-multimaster-extop" >>>>>>>>> [22/Nov/2022:12:25:20.801239126 -0300] conn=9 op=2801 RESULT err=0 >>>>>>>>> tag=120 nentries=0 wtime=0.000245657 optime=0.001129708 >>>>>>>>> etime=0.001372435 >>>>>>>>> [22/Nov/2022:12:25:20.801553738 -0300] conn=8 op=2807 RESULT err=0 >>>>>>>>> tag=120 nentries=0 wtime=0.000293789 optime=0.001457836 >>>>>>>>> etime=0.001748601 >>>>>>>>> [22/Nov/2022:12:25:20.812469634 -0300] conn=8 op=2808 EXT >>>>>>>>> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop" >>>>>>>>> [22/Nov/2022:12:25:20.817059357 -0300] conn=8 op=2808 RESULT err=0 >>>>>>>>> tag=120 nentries=0 wtime=0.010809128 optime=0.004600843 >>>>>>>>> etime=0.015402108 >>>>>>>>> >>>>>>>>> >>>>>>>>> I see that after the update, the files were changed: >>>>>>>>> >>>>>>>>> >>>>>>>>> [root@dc2 sysconfig]# ll /etc/dirsrv/slapd-TNU-COM-UY* >>>>>>>>> /etc/dirsrv/slapd-TNU-COM-UY: >>>>>>>>> total 4208 >>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1804 Jan 21 2022 Server-Cert-Key.pem >>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1829 Jan 21 2022 Server-Cert.pem >>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 1464 Jan 21 2022 >>>>>>>>> TNU.COM.UY20IPA20CA.pem >>>>>>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 cert9.db >>>>>>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 cert9.db.orig >>>>>>>>> -r--r-----. 1 dirsrv dirsrv 1729 Jan 9 2020 certmap.conf >>>>>>>>> -rw-------. 1 dirsrv dirsrv 208355 Nov 22 11:27 dse.ldif >>>>>>>>> -rw-------. 1 dirsrv dirsrv 205809 Nov 22 11:26 dse.ldif.bak >>>>>>>>> -rw-r--r--. 1 dirsrv root 208440 Nov 22 10:55 >>>>>>>>> dse.ldif.ipa.1cf1fe204fd69494 >>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:01 >>>>>>>>> dse.ldif.ipa.1dd1d38cbd8d26ae >>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:26 >>>>>>>>> dse.ldif.ipa.21662457cb42c116 >>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:47 >>>>>>>>> dse.ldif.ipa.256a5d66e550a957 >>>>>>>>> -rw-------. 1 dirsrv root 195350 Nov 21 13:35 >>>>>>>>> dse.ldif.ipa.274744b10eed3d9b >>>>>>>>> -rw-------. 
1 dirsrv root 203050 Nov 21 19:09 >>>>>>>>> dse.ldif.ipa.385fb48f5462219c >>>>>>>>> -rw-------. 1 dirsrv root 156705 Jan 9 2020 >>>>>>>>> dse.ldif.ipa.6b71b47d73ca452a >>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:38 >>>>>>>>> dse.ldif.ipa.767aba4a82811822 >>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 21 21:07 >>>>>>>>> dse.ldif.ipa.814a4de587fc22ec >>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 10:49 >>>>>>>>> dse.ldif.ipa.889036fc0907e7de >>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:47 >>>>>>>>> dse.ldif.ipa.8fd2b7413b99dfa3 >>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 13:42 >>>>>>>>> dse.ldif.ipa.958ca3a96922f2fd >>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:48 >>>>>>>>> dse.ldif.ipa.bacd6d1d200348bf >>>>>>>>> -rw-------. 1 dirsrv root 208355 Nov 22 11:24 >>>>>>>>> dse.ldif.ipa.bfadc14f0e609072 >>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 14:23 >>>>>>>>> dse.ldif.ipa.f1e864261a119b6c >>>>>>>>> -rw-------. 1 dirsrv root 202234 Nov 21 15:42 >>>>>>>>> dse.ldif.ipa.fa918bf07c17e2e8 >>>>>>>>> -rw-r--r--. 1 dirsrv root 208167 Nov 22 11:26 >>>>>>>>> dse.ldif.modified.out >>>>>>>>> -rw-r--r--. 1 dirsrv dirsrv 208167 Nov 22 11:26 dse.ldif.startOK >>>>>>>>> -r--r-----. 1 dirsrv dirsrv 36009 Jan 9 2020 dse_original.ldif >>>>>>>>> -rw-r-----. 1 dirsrv root 36864 Dec 12 2021 key4.db >>>>>>>>> -rw-rw----. 1 dirsrv dirsrv 28672 Jan 9 2020 key4.db.orig >>>>>>>>> -r--------. 1 dirsrv dirsrv 67 Jan 9 2020 pin.txt >>>>>>>>> -rw-r-----. 1 dirsrv dirsrv 561 Nov 22 11:26 pkcs11.txt >>>>>>>>> -rw-rw----. 1 dirsrv dirsrv 556 Jan 9 2020 pkcs11.txt.orig >>>>>>>>> -rw-------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt >>>>>>>>> -r--------. 1 dirsrv dirsrv 41 Jan 9 2020 pwdfile.txt.orig >>>>>>>>> drwxrwx---. 2 dirsrv dirsrv 4096 Nov 22 11:26 schema >>>>>>>>> drwxr-x---. 2 dirsrv root 25 Nov 21 18:59 schema.bak >>>>>>>>> -rw-r--r--. 
1 dirsrv root 15142 Nov 21 18:59 >>>>>>>>> slapd-collations.conf >>>>>>>>> >>>>>>>>> >>>>>>>>> I can’t connect to the LDAP service: >>>>>>>>> >>>>>>>>> # ldapsearch -Y GSSAPI -H ldapi://var/run/slapd-TNU-COM-UY.socket >>>>>>>>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) >>>>>>>> >>>>>>>> You have to escape the socket path: >>>>>>>> ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-TEST.socket >>>>>>>> >>>>>>>>> # less /var/log/ipaupgrade.log >>>>>>>>> >>>>>>>>> Server built: Jun 29 2021 22:00:15 UTC >>>>>>>>> Server number: 9.0.30.0 >>>>>>>>> OS Name: Linux >>>>>>>>> OS Version: 4.18.0-348.7.1.el8_5.x86_64 >>>>>>>>> Architecture: amd64 >>>>>>>>> JVM Version: 1.8.0_322-b06 >>>>>>>>> JVM Vendor: Red Hat, Inc. >>>>>>>>> >>>>>>>>> 2022-11-22T14:26:56Z DEBUG stderr= >>>>>>>>> 2022-11-22T14:26:56Z DEBUG Starting external process >>>>>>>>> 2022-11-22T14:26:56Z DEBUG args=['pki-server', 'subsystem-show', >>>>>>>>> 'kra'] >>>>>>>>> 2022-11-22T14:26:56Z DEBUG Process finished, return code=1 >>>>>>>>> 2022-11-22T14:26:56Z DEBUG stdout= >>>>>>>>> 2022-11-22T14:26:56Z DEBUG stderr=ERROR: ERROR: No kra subsystem in >>>>>>>>> instance pki-tomcat. >>>>>>>>> >>>>>>>>> 2022-11-22T14:26:56Z DEBUG Starting external process >>>>>>>>> 2022-11-22T14:26:56Z DEBUG args=['/bin/systemctl', 'start', >>>>>>>>> '[email protected] >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]>'] >>>>>>>>> 2022-11-22T14:26:57Z DEBUG Process finished, return code=1 >>>>>>>>> 2022-11-22T14:26:57Z DEBUG stdout= >>>>>>>>> 2022-11-22T14:26:57Z DEBUG stderr=Job >>>>>>>>> for [email protected] >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> failed because the control >>>>>>>>> process exited with error code. 
>>>>>>>>> See "systemctl status [email protected] >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]>" and "journalctl -xe" for >>>>>>>>> details. >>>>>>>>> >>>>>>>>> 2022-11-22T14:26:57Z ERROR IPA server upgrade failed: Inspect >>>>>>>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade >>>>>>>>> manually. >>>>>>>>> 2022-11-22T14:26:57Z DEBUG File >>>>>>>>> "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line >>>>>>>>> 180, in >>>>>>>>> execute >>>>>>>>> return_value = self.run() >>>>>>>>> File >>>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", >>>>>>>>> line 54, in run >>>>>>>>> server.upgrade() >>>>>>>>> File >>>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>>>>>>>> line 2055, in upgrade >>>>>>>>> upgrade_configuration() >>>>>>>>> File >>>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", >>>>>>>>> line 1783, in upgrade_configuration >>>>>>>>> ca.start('pki-tomcat') >>>>>>>>> File >>>>>>>>> "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", >>>>>>>>> line 524, in start >>>>>>>>> self.service.start(instance_name, >>>>>>>>> capture_output=capture_output, >>>>>>>>> wait=wait) >>>>>>>>> File >>>>>>>>> "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", >>>>>>>>> line 306, in start >>>>>>>>> skip_output=not capture_output) >>>>>>>>> File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", >>>>>>>>> line >>>>>>>>> 600, in run >>>>>>>>> p.returncode, arg_string, output_log, error_log >>>>>>>>> >>>>>>>>> 2022-11-22T14:26:57Z DEBUG The ipa-server-upgrade command failed, >>>>>>>>> exception: CalledProcessError: CalledProcessError(Command >>>>>>>>> ['/bin/systemctl', 'start', '[email protected] >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email 
protected]>'] returned non-zero exit >>>>>>>>> status >>>>>>>>> 1: 'Job for [email protected] >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> failed because the control >>>>>>>>> process exited with error code.\nSee "systemctl status >>>>>>>>> [email protected] >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]>" >>>>>>>>> and "journalctl -xe" for details.\n') >>>>>>>>> 2022-11-22T14:26:57Z ERROR Unexpected error - see >>>>>>>>> /var/log/ipaupgrade.log for details: >>>>>>>>> CalledProcessError: CalledProcessError(Command ['/bin/systemctl', >>>>>>>>> 'start', '[email protected] >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]>'] returned non-zero exit >>>>>>>>> status >>>>>>>>> 1: 'Job for [email protected] >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> failed because the control >>>>>>>>> process exited with error code.\nSee "systemctl status >>>>>>>>> [email protected] >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]> >>>>>>>>> <mailto:[email protected]>" >>>>>>>>> and "journalctl -xe" for details.\n') >>>>>>>>> 2022-11-22T14:26:57Z ERROR The ipa-server-upgrade command >>>>>>>>> failed. See >>>>>>>>> /var/log/ipaupgrade.log for more information >>>>>>>>> (END) >>>>>>>> >>>>>>>> The CA failed to start. This is often due to expired >>>>>>>> certificates that >>>>>>>> get exposed when an upgrade is done. Check that out. 
>>>>>>>> >>>>>>>>> #ipactl status >>>>>>>>> >>>>>>>>> Directory Service: RUNNING >>>>>>>>> krb5kdc Service: RUNNING >>>>>>>>> kadmin Service: RUNNING >>>>>>>>> named Service: STOPPED >>>>>>>>> httpd Service: RUNNING >>>>>>>>> ipa-custodia Service: RUNNING >>>>>>>>> pki-tomcatd Service: STOPPED >>>>>>>>> ipa-otpd Service: RUNNING >>>>>>>>> ipa-dnskeysyncd Service: RUNNING >>>>>>>>> 2 service(s) are not running >>>>>>>>> >>>>>>>>> >>>>>>>>> Thanks >>>>>>>>> >>>>>>>>>> El 22 nov. 2022, a las 11:43, Rob Crittenden >>>>>>>>>> <[email protected] <mailto:[email protected]> >>>>>>>>>> <mailto:[email protected]> >>>>>>>>>> <mailto:[email protected]> >>>>>>>>>> <mailto:[email protected]>> escribió: >>>>>>>>>> >>>>>>>>>> Juan Pablo Lorier via FreeIPA-users wrote: >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> I have a production server that was not maintained and I see >>>>>>>>>>> that the >>>>>>>>>>> HTTP certificate has expired long ago. I tried to renew it >>>>>>>>>>> but I'm >>>>>>>>>>> not being agle to get it right. >>>>>>>>>>> >>>>>>>>>>> The initial status was: >>>>>>>>>>> >>>>>>>>>>> Request ID '20191219011208': >>>>>>>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >>>>>>>>>>> stuck: yes >>>>>>>>>>> key pair storage: >>>>>>>>>>> type=FILE,location='/var/lib/ipa/private/httpd.key' >>>>>>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>>>>>>>> >>>>>>>>>>> Then following this thread >>>>>>>>>>> https://lists.fedorahosted.org/archives/list/[email protected]/message/GLFHCL2DW4LD2GQTTAZRYSXUGQQXD67Q/ >>>>>>>>>>> >>>>>>>>>>> I got it to this state: >>>>>>>>>>> >>>>>>>>>>> Request ID '20191219011208': >>>>>>>>>>> status: MONITORING >>>>>>>>>>> ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed >>>>>>>>>>> request, >>>>>>>>>>> will retry: -504 (HTTP POST to URL 'https://XXXX/ipa/xml' failed. >>>>>>>>>>> libcurl failed even to execute the HTTP transaction, explaining: >>>>>>>>>>> SSL certificate problem: certificate has expired). 
>>>>>>>>>>> stuck: no >>>>>>>>>>> key pair storage: >>>>>>>>>>> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/XXXXX-443-RSA' >>>>>>>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>>>>>>>> >>>>>>>>>>> The post indicates that I have to put an old date in the >>>>>>>>>>> server to >>>>>>>>>>> get it renewed, but as the server is in production, it means >>>>>>>>>>> that all >>>>>>>>>>> clients will fail to log to the server. Evenmore, what time >>>>>>>>>>> should I >>>>>>>>>>> return to, before the certificate expiration or right after? >>>>>>>>>>> Thanks in advanc >>>>>>>>>> >>>>>>>>>> I'd guess that this affects a lot more than just the web server >>>>>>>>>> cert. >>>>>>>>>> getcert list will tell you. >>>>>>>>>> >>>>>>>>>> Depending on that outcome affect the suggested remediation. >>>>>>>>>> >>>>>>>>>> As for going back in time, you'd need a server outage to do this >>>>>>>>>> and it >>>>>>>>>> only would be backwards in time for a short time. Just long >>>>>>>>>> enough so >>>>>>>>>> the services could start with non-expired certificates to get them >>>>>>>>>> renewed. But there are other ways to do this that don't require >>>>>>>>>> fiddling >>>>>>>>>> with time. >>>>>>>>>> >>>>>>>>>> rob >>> >> > _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
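Rob's advice throughout the thread is to inspect every tracked request, not just the web server's, since an expired cert on one helper is rarely the only one. Below is a small triage script for `getcert list` output, added here as an example and not FreeIPA or certmonger code: it parses each `Request ID` block and flags entries that are stuck, carry a `ca-error`, or are expired or expiring soon. The sample output, host names, request IDs and the `THREAD_DATE` reference time are constructed, and the 30-day warning window is an assumption of this script, not a certmonger default.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the 'getcert list' layout quoted in the thread;
# request IDs, hostnames and dates are made up, not real output.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20191218181440':
    status: MONITORING
    stuck: no
    expires: 2023-11-21 15:14:49 -03
Request ID '20191219011208':
    status: MONITORING
    ca-error: Server at https://dc1.example.test/ipa/xml failed request, will retry: -504 (SSL certificate problem: certificate has expired).
    stuck: no
    expires: 2022-10-23 12:00:00 -03
Request ID '20191219011300':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    expires: 2022-12-10 00:00:00 -03
"""
THREAD_DATE = datetime(2022, 11, 22, 12, 0, tzinfo=timezone(timedelta(hours=-3)))  # assumed "now": thread day, -03 zone
_EXPIRES_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-])(\d{2}):?(\d{2})?$")

def parse_expires(value):
    """Parse 'expires'; its offset may be hours only ('-03'), which %z rejects."""
    m = _EXPIRES_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised expires value: {value!r}")
    stamp, sign, hh, mm = m.groups()
    offset = timedelta(hours=int(hh), minutes=int(mm or 0))
    tz = timezone(-offset if sign == "-" else offset)
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)

def parse_getcert_list(text):
    """Map request ID -> {field: value} for every 'Request ID' block."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def triage(text, now=THREAD_DATE, warn_days=30):
    """Return (request_id, finding) pairs: stuck, CA error, expired or expiring."""
    findings = []
    for rid, f in parse_getcert_list(text).items():
        if f.get("stuck") == "yes":
            findings.append((rid, f"stuck in state {f.get('status')}"))
        if "ca-error" in f:
            findings.append((rid, "ca-error: " + f["ca-error"]))
        if "expires" in f:
            expires = parse_expires(f["expires"])
            if expires <= now:
                findings.append((rid, f"expired {(now - expires).days} days ago"))
            elif expires - now <= timedelta(days=warn_days):
                findings.append((rid, f"expires in {(expires - now).days} days"))
    return findings
```

On a real server, feed it `getcert list` output captured to a file and pass the current time as `now`.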
