Ok, thanks for being my rubber duck. I solved it while preparing an anonymized ipaupgrade.log for you.
I noticed that the failure I was looking at was actually a secondary failure after a first failed upgrade. The primary error was a result of a missing caECAdminCert.cfg (https://bugzilla.redhat.com/show_bug.cgi?id=1836806) which was apparently never patched for Fedora 29/30. Since I never saw the error message from the first failed automatic ipa-server-upgrade during/after Fedora release upgrade), I reran ipa-server-upgrade which then gave me a different error (the one I was trying to debug above). At some point when previously trying to fix the installation after the failed upgrade, I did see the caECAdminCert.cfg message, but I had tried adding the file and re-running ipa-server-upgrade and it did not fix it. It turns out that a failed ipa-server-upgrade is not rolled back and irreparably damages the existing configuration - maybe this should be explicitly noted? After noticing what was happening today, I rolled back to my pre-upgrade Fedora 29 snapshot, copied /usr/share/pki/ca/profiles/ca/caECAdminCert.cfg to /var/lib/pki/pki-tomcat/ca/profiles/ca/ and then ran the Fedora 29 -> 30 upgrade - something I now recall I had planned to do when I first saw that error but forgot (since I was busy excluding a real PKI/certificate error). Best wishes, Johannes _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue