Hi,

in a previous message you mentioned that the directory manager password is
lost. You can follow this article to reset the DM password:
https://access.redhat.com/solutions/203473

Named crashes could be related to multiple issues:
- inconsistent versions between bind and bind-dyndb-ldap. Which versions do
you have?
- an insufficient number of threads
- an issue when reloading the zones
If you can gather a coredump and install the debug packages it could help
identify if you're hitting a known issue.

You mentioned that ipa1 needs to be started with --force. Can you tell
which service is failing and provide the logs? There should also be more
information in /var/log/ipaupgrade.log.

In order to check the CA state, a useful command is 'ipa cert-show 1' as it
communicates with the CA to gather the certificate details. If this command
is failing (likely with "Failed to Authenticate to CA rest API") you need
to understand where the config is broken.
Start by checking which system is the CA renewal master:
ipa config-show

The CA renewal master will be your priority.

flo

On Wed, Feb 19, 2025 at 10:25 AM Boris via FreeIPA-users <
[email protected]> wrote:

> I think the CA is working, but I don't know for sure and how to verify it.
> At least there are no expired certs on both ipa hosts
>
> [root@ipa1 ~]# getcert list | grep expires
> expires: 2025-11-29 13:19:40 CET
> expires: 2025-04-15 16:27:34 CEST
> expires: 2025-04-15 16:26:44 CEST
> expires: 2025-04-15 16:27:14 CEST
> expires: 2037-08-19 16:11:12 CEST
> expires: 2025-04-15 16:27:54 CEST
> expires: 2025-04-15 16:27:04 CEST
> expires: 2040-02-12 12:46:50 CET
> expires: 2025-05-29 16:12:51 CEST
> expires: 2026-01-26 13:48:23 CET
>
> [root@ipa2 ~]# getcert list | grep expires
> expires: 2027-02-16 10:42:29 CET
> expires: 2027-02-16 10:42:51 CET
> expires: 2025-04-15 16:27:04 CEST
> expires: 2027-02-16 10:43:26 CET
>
> The healthcheck showed some "group is not correct" and "files are too
> permissive" which I resolved.
> Now I have these two checks which do not tell me anything
>       "msg": "certmonger tracking request {key} found and is not expected
> on an IPA master."
>       "msg": "No KDC workers defined in {sysconfig}"
>
> On Tue, Feb 18, 2025 at 15:22, Rob Crittenden via
> FreeIPA-users <[email protected]> wrote:
>
>> Boris wrote:
>> > Hi Rob,
>> >
>> > I have two hosts: ipa1 and ipa2
>> >
>> > ipa1:
>> > Fedora 37
>> > freeipa-server-4.10.1-1.fc37.x86_64
>> > Managed suffixes: domain, ca
>> > running with ipactl start --force because the update is not working (The
>> > ipa-server-upgrade command failed, exception: RemoteRetrieveError:
>> > Failed to authenticate to CA REST API).
>> > I tried to upgrade, but the upgrade did not go through.
>>
>> Your existing CA is having issues. I'd start by checking that your CA
>> certificates are still valid: getcert list | grep expires
>>
>> You might also try installing the freeipa-healthcheck package and
>> running ipa-healthcheck. Expect a lot of errors since it won't be able
>> to connect to the CA but it will also check the validity dates, etc.
>>
>> > ipa2:
>> > Fedora 35
>> > freeipa-server-4.9.11-1.fc35.x86_64
>> > Managed suffixes: domain
>> >
>> > So my thought process was: if it can not authenticate against the CA
>> > REST API, I need to add the CA capability to ipa2
>>
>> You need to authenticate to the CA to create a clone of it. You can't
>> install another CA until you get your existing one working.
>>
>> rob
>>
>>
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
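The `getcert list | grep expires` check used in this thread drops the request ID, subject and certmonger status of each entry. The following added example (not code from the thread or from the FreeIPA project) keeps them together and flags entries that are expired, close to expiry, or not in MONITORING state. Assumptions: the per-request field layout of `getcert list` (Request ID, status, subject, expires), a constructed sample input, and a 90-day warning window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout `getcert list` prints (not output from the thread).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20230101000001':
\tstatus: MONITORING
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2025-04-15 16:27:34 CEST
Request ID '20230101000002':
\tstatus: CA_UNREACHABLE
\tsubject: CN=ipa1.example.test,O=EXAMPLE.TEST
\texpires: 2025-01-10 09:00:00 CET
Request ID '20230101000003':
\tstatus: MONITORING
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2037-08-19 16:11:12 CEST
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests

def review(requests, now, warn_days=90):
    """Return (id, subject, finding) tuples for requests that need attention."""
    findings = []
    for r in requests:
        exp = r.get("expires")
        if exp:
            # Zone abbreviation (CET/CEST) is dropped: day-level precision is enough.
            expires = datetime.strptime(exp[:19], "%Y-%m-%d %H:%M:%S")
            if expires <= now:
                findings.append((r["id"], r.get("subject"), "expired"))
            elif expires - now <= timedelta(days=warn_days):
                findings.append((r["id"], r.get("subject"), "expires soon"))
        if r.get("status") != "MONITORING":
            findings.append((r["id"], r.get("subject"), "status " + r.get("status", "?")))
    return findings

if __name__ == "__main__":
    for finding in review(parse_getcert(SAMPLE), datetime(2025, 2, 19)):
        print(*finding, sep=" | ")
```

On a real host the input would be the captured output of `getcert list` instead of `SAMPLE`.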