Dear all, doing a yum update resulted in freeIPA failing during installation:
IPA version error: data needs to be upgraded (expected version '4.12.2-9.el9', current version '4.12.2-5.el9')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Update complete
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Enabling LWCA monitor]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'caECServerCertWithSCT'
No file for profile 'caECServerCertWithSCT'; skipping
Migrating profile 'caServerCertWithSCT'
No file for profile 'caServerCertWithSCT'; skipping
Migrating profile 'caServerKeygen_DirUserCert'
No file for profile 'caServerKeygen_DirUserCert'; skipping
Migrating profile 'caServerKeygen_UserCert'
No file for profile 'caServerKeygen_UserCert'; skipping
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again

Details:

2025-01-29T06:37:43Z DEBUG Profile 'caSignedLogCert' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caSigningUserCert' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caSimpleCMCUserCert' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caStorageCert' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caSubsystemCert' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caTPSCert' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caTempTokenDeviceKeyEnrollment' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caTempTokenUserEncryptionKeyEnrollment' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caTempTokenUserSigningKeyEnrollment' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caTokenDeviceKeyEnrollment' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caTokenMSLoginEnrollment' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caTokenUserAuthKeyRenewal' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caTokenUserDelegateAuthKeyEnrollment' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caTokenUserDelegateSigningKeyEnrollment' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caTokenUserEncryptionKeyEnrollment' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caTokenUserEncryptionKeyRenewal' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caTokenUserSigningKeyEnrollment' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caTokenUserSigningKeyRenewal' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caTransportCert' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caUUIDdeviceCert' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caUserCert' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caUserSMIMEcapCert' is already in LDAP and enabled; skipping
2025-01-29T06:37:43Z INFO [Ensuring presence of included profiles]
2025-01-29T06:37:43Z DEBUG Discovery: available servers for service 'CA' are freeipa1.network.intranet, freeipa3.network.intranet, freeipa2.network.intranet
2025-01-29T06:37:43Z DEBUG Discovery: using freeipa1.network.intranet for 'CA' service
2025-01-29T06:37:43Z DEBUG request GET https://freeipa1.network.intranet:443/ca/rest/account/login
2025-01-29T06:37:43Z DEBUG request body ''
2025-01-29T06:37:43Z DEBUG response status 404
2025-01-29T06:37:43Z DEBUG response headers Date: Wed, 29 Jan 2025 06:37:43 GMT
Server: Apache/2.4.62 (CentOS Stream) OpenSSL/3.2.2 mod_auth_gssapi/1.6.3 mod_wsgi/4.7.1 Python/3.9
Content-Type: text/html;charset=utf-8
Content-Language: en
Transfer-Encoding: chunked
2025-01-29T06:37:43Z DEBUG response body (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 404 \xe2\x80\x93 Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 \xe2\x80\x93 Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [/ca/rest/account/login] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.87</h3></body></html>'
2025-01-29T06:37:43Z DEBUG Overriding CA port: Failed to authenticate to CA REST API
2025-01-29T06:37:43Z DEBUG Profile 'KDCs_PKINIT_Certs' is already in LDAP; skipping
2025-01-29T06:37:43Z DEBUG Profile 'caIPAserviceCert' is already in LDAP; skipping
2025-01-29T06:37:43Z DEBUG Profile 'IECUserRoles' is already in LDAP; skipping
2025-01-29T06:37:43Z DEBUG Profile 'acmeIPAServerCert' is already in LDAP; skipping
2025-01-29T06:37:43Z INFO [Add default CA ACL]
2025-01-29T06:37:43Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2025-01-29T06:37:43Z INFO Default CA ACL already added
2025-01-29T06:37:43Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2025-01-29T06:37:43Z DEBUG Discovery: available servers for service 'CA' are freeipa1.network.intranet, freeipa2.network.intranet, freeipa3.network.intranet
2025-01-29T06:37:43Z DEBUG Discovery: using freeipa1.network.intranet for 'CA' service
2025-01-29T06:37:43Z DEBUG request GET https://freeipa1.network.intranet:8443/ca/rest/account/login
2025-01-29T06:37:43Z DEBUG request body ''
2025-01-29T06:37:43Z DEBUG response status 404
2025-01-29T06:37:43Z DEBUG response headers Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 784
Date: Wed, 29 Jan 2025 06:37:43 GMT
2025-01-29T06:37:43Z DEBUG response body (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 404 \xe2\x80\x93 Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 \xe2\x80\x93 Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [/ca/rest/account/login] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.87</h3></body></html>'
2025-01-29T06:37:43Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2025-01-29T06:37:43Z DEBUG   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 219, in execute
    return_value = self.run()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 2093, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 1954, in upgrade_configuration
    cainstance.repair_profile_caIPAserviceCert()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 2161, in repair_profile_caIPAserviceCert
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.9/site-packages/ipaserver/plugins/dogtag.py", line 610, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))

2025-01-29T06:37:43Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2025-01-29T06:37:43Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
2025-01-29T06:37:43Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

Before yum update I can confirm that I could reach https://freeipa1.network.intranet:443/ca/rest/account/login and other pages without issues, however, after running it this does not work anymore. tomcatd and other services seem to be running.

I tried the same update 2 weeks ago and it also failed, please advise, thanks!

--
FreeIPA-users mailing list -- [email protected]
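
Added example (not part of the original post, and not FreeIPA code): a small Python triage script that pairs each CA REST request in ipaupgrade.log with its response status and the server banner from the error page, showing which component answered on each port. The sample log is constructed from the entries quoted above with the HTML bodies shortened; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: entries from the log quoted above, HTML bodies shortened.
SAMPLE_LOG = """\
2025-01-29T06:37:43Z DEBUG request GET https://freeipa1.network.intranet:443/ca/rest/account/login
2025-01-29T06:37:43Z DEBUG request body ''
2025-01-29T06:37:43Z DEBUG response status 404
2025-01-29T06:37:43Z DEBUG response body (decoded): b'<!doctype html>...<h3>Apache Tomcat/9.0.87</h3></body></html>'
2025-01-29T06:37:43Z DEBUG Overriding CA port: Failed to authenticate to CA REST API
2025-01-29T06:37:43Z DEBUG request GET https://freeipa1.network.intranet:8443/ca/rest/account/login
2025-01-29T06:37:43Z DEBUG response status 404
2025-01-29T06:37:43Z DEBUG response body (decoded): b'<!doctype html>...<h3>Apache Tomcat/9.0.87</h3></body></html>'
"""

ENTRY = re.compile(r"^(\S+Z) (DEBUG|INFO|ERROR|WARNING) (.*)$")
REQUEST = re.compile(r"^request ([A-Z]+) (https?://\S+)$")  # skips "request body ''"
STATUS = re.compile(r"^response status (\d{3})$")
BANNER = re.compile(r"<h3>([^<]+)</h3>")  # server name on the error page

def ca_rest_exchanges(log_text):
    """Pair each logged HTTP request with its status and error-page banner."""
    exchanges, current = [], None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # continuation lines (headers, tracebacks) carry no timestamp
        msg = m.group(3)
        if (req := REQUEST.match(msg)):
            url = urlsplit(req.group(2))
            current = {"time": m.group(1), "method": req.group(1),
                       "host": url.hostname, "port": url.port, "path": url.path,
                       "status": None, "answered_by": None}
            exchanges.append(current)
        elif current and (st := STATUS.match(msg)):
            current["status"] = int(st.group(1))
        elif current and msg.startswith("response body") and (b := BANNER.search(msg)):
            current["answered_by"] = b.group(1)
    return exchanges

def summarize(exchanges):
    """One line per exchange: method, port, path, status, responding server."""
    return [f"{e['method']} :{e['port']}{e['path']} -> {e['status']} "
            f"(answered by {e['answered_by']})" for e in exchanges]

if __name__ == "__main__":
    for line in summarize(ca_rest_exchanges(SAMPLE_LOG)):
        print(line)
```

On a real server, pass the contents of /var/log/ipaupgrade.log to `ca_rest_exchanges` instead of `SAMPLE_LOG`.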
