Nico Maas via FreeIPA-users wrote:
> Dear all,
> doing a yum update resulted in freeIPA failing during installation:
>
>
>
> IPA version error: data needs to be upgraded (expected version
> '4.12.2-9.el9', current version '4.12.2-5.el9')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> Automatic upgrade failed: Update complete
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating HTTPD service IPA WSGI configuration]
> Nothing to do for configure_httpd_wsgi_conf
> [Migrating from mod_nss to mod_ssl]
> Already migrated to mod_ssl
> [Moving HTTPD service keytab to gssproxy]
> [Removing self-signed CA]
> [Removing Dogtag 9 CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> dnssec-validation yes
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> named user config '/etc/named/ipa-ext.conf' already exists
> named user config '/etc/named/ipa-options-ext.conf' already exists
> named user config '/etc/named/ipa-logging-ext.conf' already exists
> [Upgrading CA schema]
> CA schema update complete
> [Update certmonger certificate renewal configuration]
> Certmonger certificate renewal configuration already up-to-date
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Enabling LWCA monitor]
> [Adding default OCSP URI configuration]
> [Disabling cert publishing]
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> Migrating profile 'caECServerCertWithSCT'
> No file for profile 'caECServerCertWithSCT'; skipping
> Migrating profile 'caServerCertWithSCT'
> No file for profile 'caServerCertWithSCT'; skipping
> Migrating profile 'caServerKeygen_DirUserCert'
> No file for profile 'caServerKeygen_DirUserCert'; skipping
> Migrating profile 'caServerKeygen_UserCert'
> No file for profile 'caServerKeygen_UserCert'; skipping
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> Default CA ACL already added
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
> ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> RemoteRetrieveError: Failed to authenticate to CA REST API
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
> information
>
> See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade
> again
>
>
>
> Details:
> 2025-01-29T06:37:43Z DEBUG Profile 'caSignedLogCert' is already in LDAP and
> enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caSigningUserCert' is already in LDAP and
> enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caSimpleCMCUserCert' is already in LDAP
> and enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caStorageCert' is already in LDAP and
> enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caSubsystemCert' is already in LDAP and
> enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caTPSCert' is already in LDAP and
> enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caTempTokenDeviceKeyEnrollment' is
> already in LDAP and enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caTempTokenUserEncryptionKeyEnrollment'
> is already in LDAP and enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caTempTokenUserSigningKeyEnrollment' is
> already in LDAP and enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caTokenDeviceKeyEnrollment' is already in
> LDAP and enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caTokenMSLoginEnrollment' is already in
> LDAP and enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caTokenUserAuthKeyRenewal' is already in
> LDAP and enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caTokenUserDelegateAuthKeyEnrollment' is
> already in LDAP and enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caTokenUserDelegateSigningKeyEnrollment'
> is already in LDAP and enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caTokenUserEncryptionKeyEnrollment' is
> already in LDAP and enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caTokenUserEncryptionKeyRenewal' is
> already in LDAP and enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caTokenUserSigningKeyEnrollment' is
> already in LDAP and enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caTokenUserSigningKeyRenewal' is already
> in LDAP and enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caTransportCert' is already in LDAP and
> enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caUUIDdeviceCert' is already in LDAP and
> enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caUserCert' is already in LDAP and
> enabled; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caUserSMIMEcapCert' is already in LDAP
> and enabled; skipping
> 2025-01-29T06:37:43Z INFO [Ensuring presence of included profiles]
> 2025-01-29T06:37:43Z DEBUG Discovery: available servers for service 'CA' are
> freeipa1.network.intranet, freeipa3.network.intranet,
> freeipa2.network.intranet
> 2025-01-29T06:37:43Z DEBUG Discovery: using freeipa1.network.intranet for
> 'CA' service
> 2025-01-29T06:37:43Z DEBUG request GET
> https://freeipa1.network.intranet:443/ca/rest/account/login
> 2025-01-29T06:37:43Z DEBUG request body ''
> 2025-01-29T06:37:43Z DEBUG response status 404
> 2025-01-29T06:37:43Z DEBUG response headers Date: Wed, 29 Jan 2025 06:37:43
> GMT
> Server: Apache/2.4.62 (CentOS Stream) OpenSSL/3.2.2 mod_auth_gssapi/1.6.3
> mod_wsgi/4.7.1 Python/3.9
> Content-Type: text/html;charset=utf-8
> Content-Language: en
> Transfer-Encoding: chunked
>
>
> 2025-01-29T06:37:43Z DEBUG response body (decoded): b'<!doctype html><html
> lang="en"><head><title>HTTP Status 404 \xe2\x80\x93 Not Found</title><style
> type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;}
> .line
> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
> Status 404 \xe2\x80\x93 Not Found</h1><hr class="line" /><p><b>Type</b>
> Status Report</p><p><b>Message</b> The requested resource
> [/ca/rest/account/login] is not
> available</p><p><b>Description</b> The origin server did not find a current
> representation for the target resource or is not willing to disclose that one
> exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.87</h3></body></html>'
> 2025-01-29T06:37:43Z DEBUG Overriding CA port: Failed to authenticate to CA
> REST API
> 2025-01-29T06:37:43Z DEBUG Profile 'KDCs_PKINIT_Certs' is already in LDAP;
> skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'caIPAserviceCert' is already in LDAP;
> skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'IECUserRoles' is already in LDAP; skipping
> 2025-01-29T06:37:43Z DEBUG Profile 'acmeIPAServerCert' is already in LDAP;
> skipping
> 2025-01-29T06:37:43Z INFO [Add default CA ACL]
> 2025-01-29T06:37:43Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2025-01-29T06:37:43Z INFO Default CA ACL already added
> 2025-01-29T06:37:43Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2025-01-29T06:37:43Z DEBUG Discovery: available servers for service 'CA' are
> freeipa1.network.intranet, freeipa2.network.intranet,
> freeipa3.network.intranet
> 2025-01-29T06:37:43Z DEBUG Discovery: using freeipa1.network.intranet for
> 'CA' service
> 2025-01-29T06:37:43Z DEBUG request GET
> https://freeipa1.network.intranet:8443/ca/rest/account/login
> 2025-01-29T06:37:43Z DEBUG request body ''
> 2025-01-29T06:37:43Z DEBUG response status 404
> 2025-01-29T06:37:43Z DEBUG response headers Content-Type:
> text/html;charset=utf-8
> Content-Language: en
> Content-Length: 784
> Date: Wed, 29 Jan 2025 06:37:43 GMT
>
>
> 2025-01-29T06:37:43Z DEBUG response body (decoded): b'<!doctype html><html
> lang="en"><head><title>HTTP Status 404 \xe2\x80\x93 Not Found</title><style
> type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2
> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;}
> .line
> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
> Status 404 \xe2\x80\x93 Not Found</h1><hr class="line" /><p><b>Type</b>
> Status Report</p><p><b>Message</b> The requested resource
> [/ca/rest/account/login] is not
> available</p><p><b>Description</b> The origin server did not find a current
> representation for the target resource or is not willing to disclose that one
> exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.87</h3></body></html>'
> 2025-01-29T06:37:43Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2025-01-29T06:37:43Z DEBUG File
> "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 219, in
> execute
> return_value = self.run()
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 54, in run
> server.upgrade()
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line
> 2093, in upgrade
> upgrade_configuration()
> File
> "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line
> 1954, in upgrade_configuration
> cainstance.repair_profile_caIPAserviceCert()
> File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py",
> line 2161, in repair_profile_caIPAserviceCert
> with api.Backend.ra_certprofile as profile_api:
> File "/usr/lib/python3.9/site-packages/ipaserver/plugins/dogtag.py", line
> 610, in __enter__
> raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA
> REST API'))
>
> 2025-01-29T06:37:43Z DEBUG The ipa-server-upgrade command failed, exception:
> RemoteRetrieveError: Failed to authenticate to CA REST API
> 2025-01-29T06:37:43Z ERROR Unexpected error - see /var/log/ipaupgrade.log for
> details:
> RemoteRetrieveError: Failed to authenticate to CA REST API
> 2025-01-29T06:37:43Z ERROR The ipa-server-upgrade command failed. See
> /var/log/ipaupgrade.log for more information
>
>
>
>
>
> Before yum update I can confirm that I could reach
> https://freeipa1.network.intranet:443/ca/rest/account/login and other pages
> without issues, however, after running it this does not work anymore. tomcatd
> and other services seems to be running. I tried the same update 2 weeks ago
> and it also failed, please advise, thanks!

How did you confirm this prior to the upgrade?

Are your certificates still valid? getcert list | grep expires

Perhaps try installing and running ipa-healthcheck to look for issues.

rob
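
The expiry check suggested in the reply, extended to also report each tracking request's certmonger status (an added example, not part of the original thread). The helper names `check_getcert` and `sample_getcert_output` are hypothetical, the sample output is constructed, and expiry timestamps are assumed to be printed in UTC.

```sh
#!/bin/sh
# Added example: classify certmonger tracking requests from `getcert list` text.
# check_getcert and sample_getcert_output are hypothetical helper names.
# Assumes "expires:" values end in " UTC", so they sort as plain strings.

check_getcert() {
    # $1: reference time "YYYY-MM-DD HH:MM:SS" (UTC); defaults to now.
    now="${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}"
    awk -v now="$now" '
        function report(    verdict) {
            if (id == "") return
            if (expires == "")                 verdict = "NO_EXPIRY"
            else if (length(expires) != 19)    verdict = "UNPARSED"
            else if ((expires "") <= (now "")) verdict = "EXPIRED"
            else if (status != "MONITORING")   verdict = "NOT_MONITORING"
            else                               verdict = "OK"
            printf "%s %s status=%s expires=%s subject=%s\n",
                   verdict, id, status, expires, subject
        }
        /^Request ID/ { report(); split($0, q, "\047"); id = q[2]
                        status = ""; expires = ""; subject = "" }
        /^[ \t]*status:/  { sub(/^[ \t]*status:[ \t]*/, "");  status = $0 }
        /^[ \t]*subject:/ { sub(/^[ \t]*subject:[ \t]*/, ""); subject = $0 }
        /^[ \t]*expires:/ { sub(/^[ \t]*expires:[ \t]*/, "")
                            sub(/ UTC$/, ""); expires = $0 }
        END { report() }
    '
}

# Constructed sample in the layout `getcert list` prints (values are made up).
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20230101000001':
        status: MONITORING
        subject: CN=freeipa1.example.test,O=EXAMPLE.TEST
        expires: 2026-12-01 10:00:00 UTC
Request ID '20230101000002':
        status: CA_UNREACHABLE
        subject: CN=IPA RA,O=EXAMPLE.TEST
        expires: 2025-01-10 09:30:00 UTC
Request ID '20230101000003':
        status: CA_UNREACHABLE
        subject: CN=CA Subsystem,O=EXAMPLE.TEST
        expires: 2026-03-15 08:00:00 UTC
EOF
}

# On a server: getcert list | check_getcert
sample_getcert_output | check_getcert "2025-01-29 06:40:00"
```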
