Hey, *pki-server subsystem-show ca *and *curl --cert /var/lib/ipa/ra-agent.pem --key /var/lib/ipa/ra-agent.key https://`hostname`:8443/ca/rest/account/login* gave the expected results.
My thought was that there is no ca available during the update, and thats why I wanted to add the 2nd host as CA. I feel a bit nervous about posting both logs, because it feels hard to clean them up from some information. I gave my best. You can find both logs here: https://blktrace.kervyn.de/debug.2025-02-20.log.gz https://blktrace.kervyn.de/ipaupgrade.log.gz Am Do., 20. Feb. 2025 um 16:53 Uhr schrieb Florence Blanc-Renaud < [email protected]>: > Hi, > > On Wed, Feb 19, 2025 at 11:57 AM Boris <[email protected]> wrote: > >> Hi flo, >> >> `ipa cert-show 1` works on both IPA hosts and returns correct data, from >> what I can tell. >> > That's strange because cert-show is also authenticating to the CA REST API. > > >> `ipa config-show` gies the following: >> IPA masters: ipa1.redacted, ipa2.redacted >> IPA master capable of PKINIT: ipa2.redacted >> IPA CA servers: ipa1.redacted >> IPA CA renewal master: ipa1.redacted >> IPA DNS servers: ipa1.redacted, ipa2.redacted >> >> regarding the named crashes: I think the problem might be related to >> ldap. The last time the named daemons were in a restart/crash loop I >> restarted the ipa2 host which immediately resolved the problem. >> ipa1: >> bind-9.18.19-1.fc37.x86_64 >> bind-dyndb-ldap-11.10-17.fc37.x86_64 >> >> ipa2: >> bind-9.16.28-1.fc35.x86_64 >> bind-dyndb-ldap-11.9-12.fc35.x86_64 >> >> for the coredump I would need your guidance what to do, because I am not >> that firm with named debugging. >> >> Here are the last couple of line from the /var/log/ipaupgrade.log file. >> The update seems to go through, but it fails when it needs to authenticate >> with the CA REST API >> >> 2025-01-21T20:24:14Z DEBUG stderr= >> 2025-01-21T20:24:14Z DEBUG Starting external process >> 2025-01-21T20:24:14Z DEBUG args=['/bin/systemctl', 'start', >> 'certmonger.service'] >> 2025-01-21T20:24:15Z DEBUG Process finished, return code=0 >> 2025-01-21T20:24:15Z DEBUG stdout= >> 2025-01-21T20:24:15Z DEBUG stderr= >> 2025-01-21T20:24:15Z DEBUG Starting external process >> 2025-01-21T20:24:15Z DEBUG args=['/bin/systemctl', 'is-active', >> 'certmonger.service'] >> 2025-01-21T20:24:15Z DEBUG Process finished, return code=0 >> 2025-01-21T20:24:15Z DEBUG stdout=active >> >> 2025-01-21T20:24:15Z DEBUG stderr= >> 2025-01-21T20:24:15Z DEBUG Start of certmonger.service complete >> 2025-01-21T20:24:15Z DEBUG Starting external process >> 2025-01-21T20:24:15Z DEBUG args=['pki-server', 'subsystem-show', 'kra'] >> 2025-01-21T20:24:15Z DEBUG Process finished, return code=1 >> 2025-01-21T20:24:15Z DEBUG stdout= >> 2025-01-21T20:24:15Z DEBUG stderr=ERROR: ERROR: No kra subsystem in >> instance pki-tomcat. >> >> 2025-01-21T20:24:15Z INFO [Update certmonger certificate renewal >> configuration] >> 2025-01-21T20:24:15Z DEBUG Loading Index file from >> '/var/lib/ipa/sysrestore/sysrestore.index' >> 2025-01-21T20:24:15Z DEBUG Starting external process >> 2025-01-21T20:24:15Z DEBUG args=['/usr/bin/certutil', '-d', >> 'sql:/etc/dirsrv/slapd-redacted/', '-L', '-n', 'Server-Cert', '-a', '-f', >> '/etc/dirsrv/slapd-redacted/pwdfile.txt'] >> 2025-01-21T20:24:15Z DEBUG Process finished, return code=0 >> 2025-01-21T20:24:15Z DEBUG stdout=-----BEGIN CERTIFICATE----- >> redacted >> -----END CERTIFICATE----- >> >> 2025-01-21T20:24:15Z DEBUG stderr= >> 2025-01-21T20:24:15Z DEBUG Loading Index file from >> '/var/lib/ipa/sysrestore/sysrestore.index' >> 2025-01-21T20:24:15Z DEBUG Starting external process >> 2025-01-21T20:24:15Z DEBUG args=['/usr/bin/certutil', '-d', >> 'sql:/etc/pki/pki-tomcat/alias', '-L', '-f', >> '/etc/pki/pki-tomcat/alias/pwdfile.txt'] >> 2025-01-21T20:24:15Z DEBUG Process finished, return code=0 >> 2025-01-21T20:24:15Z DEBUG stdout= >> Certificate Nickname Trust >> Attributes >> >> SSL,S/MIME,JAR/XPI >> >> caSigningCert cert-pki-ca CTu,Cu,Cu >> caSigningCert cert-pki-ca 6148bb27-6bd6-4a0a-b607-6ba538a6c401 u,u,u >> ocspSigningCert cert-pki-ca u,u,u >> subsystemCert cert-pki-ca u,u,u >> auditSigningCert cert-pki-ca u,u,Pu >> Server-Cert cert-pki-ca u,u,u >> >> 2025-01-21T20:24:15Z DEBUG stderr= >> 2025-01-21T20:24:15Z INFO Certmonger certificate renewal configuration >> already up-to-date >> 2025-01-21T20:24:15Z INFO [Enable PKIX certificate path discovery and >> validation] >> 2025-01-21T20:24:15Z DEBUG Loading StateFile from >> '/var/lib/ipa/sysupgrade/sysupgrade.state' >> 2025-01-21T20:24:15Z INFO PKIX already enabled >> 2025-01-21T20:24:15Z INFO [Authorizing RA Agent to modify profiles] >> 2025-01-21T20:24:15Z INFO [Authorizing RA Agent to manage lightweight CAs] >> 2025-01-21T20:24:15Z INFO [Ensuring Lightweight CAs container exists in >> Dogtag database] >> 2025-01-21T20:24:15Z INFO [Adding default OCSP URI configuration] >> 2025-01-21T20:24:15Z INFO [Disabling cert publishing] >> 2025-01-21T20:24:15Z INFO [Ensuring CA is using LDAPProfileSubsystem] >> 2025-01-21T20:24:15Z INFO [Migrating certificate profiles to LDAP] >> 2025-01-21T20:24:15Z DEBUG Profile 'AdminCert' is already in LDAP and >> enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'DomainController' is already in LDAP >> and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'ECAdminCert' is already in LDAP and >> enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'acmeServerCert' is already in LDAP >> and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caAdminCert' is already in LDAP and >> enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caAgentFileSigning' is already in >> LDAP and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caAgentServerCert' is already in LDAP >> and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caAuditSigningCert' is already in >> LDAP and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caCACert' is already in LDAP and >> enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caCMCECUserCert' is already in LDAP >> and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caCMCECserverCert' is already in LDAP >> and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caCMCECsubsystemCert' is already in >> LDAP and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caCMCUserCert' is already in LDAP and >> enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caCrossSignedCACert' is already in >> LDAP and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caDirBasedDualCert' is already in >> LDAP and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caDirPinUserCert' is already in LDAP >> and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caDirUserCert' is already in LDAP and >> enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caDirUserRenewal' is already in LDAP >> and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caDualCert' is already in LDAP and >> enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caDualRAuserCert' is already in LDAP >> and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caECAdminCert' is already in LDAP and >> enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caECAgentServerCert' is already in >> LDAP and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caECDirPinUserCert' is already in >> LDAP and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caECDirUserCert' is already in LDAP >> and enabled; skipping >> 2025-01-21T20:24:15Z DEBUG Profile 'caECDualCert' is already in LDAP and >> enabled; skipping >> 2025-01-21T20:24:15Z INFO Migrating profile 'caECFullCMCSharedTokenCert' >> 2025-01-21T20:24:15Z DEBUG request GET >> https://ipa1.redacted:8443/ca/rest/account/login >> 2025-01-21T20:24:15Z DEBUG request body '' >> 2025-01-21T20:24:16Z DEBUG response status 404 >> 2025-01-21T20:24:16Z DEBUG response headers Content-Type: >> text/html;charset=utf-8 >> Content-Language: en >> Content-Length: 784 >> Date: Tue, 21 Jan 2025 20:24:16 GMT >> >> >> 2025-01-21T20:24:16Z DEBUG response body (decoded): b'<!doctype >> html><html lang="en"><head><title>HTTP Status 404 \xe2\x80\x93 Not >> Found</title><style type="text/css">body >> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b >> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 >> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} >> .line >> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP >> Status 404 \xe2\x80\x93 Not Found</h1><hr class="line" /><p><b>Type</b> >> Status Report</p><p><b>Message</b> The requested resource >> [/ca/rest/account/login] is not >> available</p><p><b>Description</b> The origin server did not find a current >> representation for the target resource or is not willing to disclose that >> one exists.</p><hr class="line" /><h3>Apache >> Tomcat/9.0.82</h3></body></html>' >> 2025-01-21T20:24:16Z ERROR IPA server upgrade failed: Inspect >> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. >> 2025-01-21T20:24:16Z DEBUG File >> "/usr/lib/python3.11/site-packages/ipapython/admintool.py", line 180, in >> execute >> return_value = self.run() >> ^^^^^^^^^^ >> File >> "/usr/lib/python3.11/site-packages/ipaserver/install/ipa_server_upgrade.py", >> line 54, in run >> server.upgrade() >> File >> "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", >> line 2061, in upgrade >> upgrade_configuration() >> File >> "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", >> line 1914, in upgrade_configuration >> ca_enable_ldap_profile_subsystem(ca) >> File >> "/usr/lib/python3.11/site-packages/ipaserver/install/server/upgrade.py", >> line 458, in ca_enable_ldap_profile_subsystem >> cainstance.migrate_profiles_to_ldap() >> File >> "/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", line >> 2155, in migrate_profiles_to_ldap >> _create_dogtag_profile(profile_id, profile_data, overwrite=False) >> File >> "/usr/lib/python3.11/site-packages/ipaserver/install/cainstance.py", line >> 2209, in _create_dogtag_profile >> with api.Backend.ra_certprofile as profile_api: >> File "/usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py", >> line 1211, in __enter__ >> raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to >> CA REST API')) >> >> Can you check if the CA subsystem is enabled? > # *pki-server subsystem-show ca* > Subsystem ID: ca > Instance ID: pki-tomcat > Enabled: True > > If yes, try to authenticate to the rest API with curl: > # *curl --cert /var/lib/ipa/ra-agent.pem --key /var/lib/ipa/ra-agent.key > https://`hostname`:8443/ca/rest/account/login* > {"id":"ipara","FullName":"ipara","Roles":["Certificate Manager > Agents","Enterprise ACME Administrators","Registration Manager > Agents","Security Domain Administrators"],"Attributes":{"Attribute":[]}} > > If the above commands are working, retry the upgrade with > # *ipa-server-upgrade* > and send us the full /var/log/ipaupgrade.log and > /var/log/pki/pki-tomcat/ca/debug.$DATE.log. > > flo > > 2025-01-21T20:24:16Z DEBUG The ipa-server-upgrade command failed, >> exception: RemoteRetrieveError: Failed to authenticate to CA REST API >> 2025-01-21T20:24:16Z ERROR Unexpected error - see /var/log/ipaupgrade.log >> for details: >> RemoteRetrieveError: Failed to authenticate to CA REST API >> 2025-01-21T20:24:16Z ERROR The ipa-server-upgrade command failed. See >> /var/log/ipaupgrade.log for more information >> >> Am Mi., 19. Feb. 2025 um 10:56 Uhr schrieb Florence Blanc-Renaud < >> [email protected]>: >> >>> Hi, >>> >>> in a previous message you mentioned that the directory manager password >>> is lost. You can follow this article to reset the DM password: >>> https://access.redhat.com/solutions/203473 >>> >>> Named crashes could be related to multiple issues: >>> - inconsistent versions between bind and bind-dyndb-ldap. Which versions >>> do you have? >>> - an insufficient number of threads >>> - an issue when reloading the zones >>> If you can gather a coredump and install the debug packages it could >>> help identify if you're hitting a known issue. >>> >>> You mentioned that ipa1 needs to be started with --force, can you tell >>> which service is failing and provide the logs? There should be also more >>> information in /var/log/ipaupgrade.log. >>> >>> In order to check the CA state, a useful command is 'ipa cert-show 1' as >>> it communicates with the CA to gather the certificate details. If this >>> command is failing (likely with "Failed to Authenticate to CA rest API") >>> you need to understand where the config is broken. >>> Start by checking which system is the CA renewal master: >>> ipa config-show >>> >>> The CA renewal master will be your priority. >>> >>> flo >>> >>> On Wed, Feb 19, 2025 at 10:25 AM Boris via FreeIPA-users < >>> [email protected]> wrote: >>> >>>> I think the CA is working, but I don't know for sure and how to verify >>>> it. At least there are no expired certs on both ipa hosts >>>> >>>> [root@ipa1 ~]# getcert list | grep expires >>>> expires: 2025-11-29 13:19:40 CET >>>> expires: 2025-04-15 16:27:34 CEST >>>> expires: 2025-04-15 16:26:44 CEST >>>> expires: 2025-04-15 16:27:14 CEST >>>> expires: 2037-08-19 16:11:12 CEST >>>> expires: 2025-04-15 16:27:54 CEST >>>> expires: 2025-04-15 16:27:04 CEST >>>> expires: 2040-02-12 12:46:50 CET >>>> expires: 2025-05-29 16:12:51 CEST >>>> expires: 2026-01-26 13:48:23 CET >>>> >>>> [root@ipa2 ~]# getcert list | grep expires >>>> expires: 2027-02-16 10:42:29 CET >>>> expires: 2027-02-16 10:42:51 CET >>>> expires: 2025-04-15 16:27:04 CEST >>>> expires: 2027-02-16 10:43:26 CET >>>> >>>> The healthcheck showed some "group is not correct" and "files are to >>>> permissive" which I resolved. >>>> Now I have these to checks which do not tell me anything >>>> "msg": "certmonger tracking request {key} found and is not >>>> expected on an IPA master." >>>> "msg": "No KDC workers defined in {sysconfig}" >>>> >>>> Am Di., 18. Feb. 2025 um 15:22 Uhr schrieb Rob Crittenden via >>>> FreeIPA-users <[email protected]>: >>>> >>>>> Boris wrote: >>>>> > Hi Rob, >>>>> > >>>>> > I have two hosts: ipa1 and ipa2 >>>>> > >>>>> > ipa1: >>>>> > Fedora 37 >>>>> > freeipa-server-4.10.1-1.fc37.x86_64 >>>>> > Managed suffixes: domain, ca >>>>> > running with ipactl start --force because the update is not working >>>>> (The >>>>> > ipa-server-upgrade command failed, exception: RemoteRetrieveError: >>>>> > Failed to authenticate to CA REST API). >>>>> > I tried to upgrade, but the upgrade did not go through. >>>>> >>>>> Your existing CA is having issues. I'd start by checking that your CA >>>>> certificates are still valid: getcert list | grep expires >>>>> >>>>> You might also try installing the freeipa-healthcheck package and >>>>> running ipa-healthcheck. Expect a lot of errors since it won't be able >>>>> to connect to the CA but it will also check the validity dates, etc. >>>>> >>>>> > ipa2: >>>>> > Fedora 35 >>>>> > freeipa-server-4.9.11-1.fc35.x86_64 >>>>> > Managed suffixes: domain >>>>> > >>>>> > So my thought process was: if it can not authenticate against the CA >>>>> > REST API, I need to add the CA capability to ipa2 >>>>> >>>>> You need to authenticate to the CA to create a clone of it. You can't >>>>> install another CA until you get your existing one working. >>>>> >>>>> rob >>>>> >>>>> >>>> -- >>>> _______________________________________________ >>>> FreeIPA-users mailing list -- [email protected] >>>> To unsubscribe send an email to >>>> [email protected] >>>> Fedora Code of Conduct: >>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>> List Archives: >>>> https://lists.fedorahosted.org/archives/list/[email protected] >>>> Do not reply to spam, report it: >>>> https://pagure.io/fedora-infrastructure/new_issue >>>> >>> >> >> -- >> Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im >> groüen Saal. >> > -- Die Selbsthilfegruppe "UTF-8-Probleme" trifft sich diesmal abweichend im groüen Saal.
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
