Hi,

I suspect that you're hitting bz2350322 <https://bugzilla.redhat.com/show_bug.cgi?id=2350322>. If you follow the steps from comment 3 <https://bugzilla.redhat.com/show_bug.cgi?id=2350322#c3> it should allow PKI endpoints to be accessible.

flo
On Fri, Apr 18, 2025 at 3:01 PM Eric Ashley via FreeIPA-users <[email protected]> wrote:
> Hi Florence,
>
> I've gotten so spoiled with xterm scrollback buffering that I had to run
> it twice since I forgot to tee the console output. The VM running FreeIPA
> is the 1 host I didn't configure to buffer credentials for a week.
>
> Here's the output of ipactl restart --ignore-service-failures:
>
> IPA version error: data needs to be upgraded (expected version
> '4.12.2-13.fc42', current version '4.12.2-8.fc41')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> Automatic upgrade failed: Update complete
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Ensuring ephemeralRequest is enabled in KRA]
> ephemeralRequest is already enabled
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating HTTPD service IPA WSGI configuration]
> [Migrating from mod_nss to mod_ssl]
> Already migrated to mod_ssl
> [Moving HTTPD service keytab to gssproxy]
> [Removing self-signed CA]
> [Removing Dogtag 9 CA]
> [Set OpenSSL engine or provider for BIND]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> dnssec-validation yes
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> named user config '/etc/named/ipa-ext.conf' already exists
> named user config '/etc/named/ipa-options-ext.conf' already exists
> named user config '/etc/named/ipa-logging-ext.conf' already exists
> [Upgrading CA schema]
> CA schema update complete
> [Update certmonger certificate renewal configuration]
> Certmonger certificate renewal configuration already up-to-date
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Enabling LWCA monitor]
> [Adding default OCSP URI configuration]
> [Disabling cert publishing]
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> Default CA ACL already added
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
> ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> RemoteRetrieveError: Failed to authenticate to CA REST API
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
> information
>
> See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade
> again
> Aborting ipactl
> Stopping ipa-dnskeysyncd Service
> Stopping ods-enforcerd Service
> Stopping ipa-ods-exporter Service
> Stopping ipa-otpd Service
> Stopping pki-tomcatd Service
> Stopping ipa-custodia Service
> Stopping httpd Service
> Stopping named Service
> Stopping kadmin Service
> Stopping krb5kdc Service
> Stopping Directory Service
>
>
> I have the log available that I can email to you if necessary. I don't
> have time to make it suitable for sending to the list, though, as it's
> 49000+ lines. What are the next steps to get this back online?
>
> Best regards,
>
>
> On 4/18/25 4:50 AM, Florence Blanc-Renaud wrote:
>
> Hi,
>
> On Thu, Apr 17, 2025 at 11:09 PM Eric Ashley via FreeIPA-users <[email protected]> wrote:
>
>> Hello,
>>
>> I'm running the following new versions:
>>
>> Installed packages
>> freeipa-client.x86_64              4.12.2-13.fc42   updates
>> freeipa-client-common.noarch       4.12.2-13.fc42   updates
>> freeipa-common.noarch              4.12.2-13.fc42   updates
>> freeipa-healthcheck.noarch         0.17-6.fc42      fedora
>> freeipa-healthcheck-core.noarch    0.17-6.fc42      fedora
>> freeipa-selinux.noarch             4.12.2-13.fc42   updates
>> freeipa-server.x86_64              4.12.2-13.fc42   updates
>> freeipa-server-common.noarch       4.12.2-13.fc42   updates
>> freeipa-server-dns.noarch          4.12.2-13.fc42   updates
>> libcamera-ipa.x86_64               0.4.0-4.fc42     fedora
>> libipa_hbac.x86_64                 2.10.2-3.fc42    fedora
>> python3-ipaclient.noarch           4.12.2-13.fc42   updates
>> python3-ipalib.noarch              4.12.2-13.fc42   updates
>>
>> ipactl status reports the following:
>>
>> Directory Service: RUNNING
>> krb5kdc Service: STOPPED
>> kadmin Service: STOPPED
>> named Service: STOPPED
>> httpd Service: RUNNING
>> ipa-custodia Service: STOPPED
>> pki-tomcatd Service: RUNNING
>> ipa-otpd Service: STOPPED
>> ipa-ods-exporter Service: STOPPED
>> ods-enforcerd Service: STOPPED
>> ipa-dnskeysyncd Service: RUNNING
>> 5 service(s) are not running
>>
> can you try
> ipactl restart --ignore-service-failures
> then check which services failed with ipactl status and report the output
> here?
> In your current output the KDC is stopped and any service using kerberos
> for authentication will fail as a consequence.
>
> flo
>
>
>> On initial boot, the system started the FreeIPA upgrade, which got
>> through all the certificate checks with no issues, then reports the
>> following errors (with retry):
>>
>> 2025-04-17T18:43:18Z INFO [Ensuring presence of included profiles]
>> 2025-04-17T18:43:18Z DEBUG Discovery: available servers for service 'CA' are phobos.ipa.ab-data.us
>> 2025-04-17T18:43:18Z DEBUG Discovery: using phobos.ipa.ab-data.us for 'CA' service
>> 2025-04-17T18:43:18Z DEBUG request GET https://phobos.ipa.ab-data.us:443/ca/rest/account/login
>> 2025-04-17T18:43:18Z DEBUG request body ''
>> 2025-04-17T18:43:18Z DEBUG response status 404
>> 2025-04-17T18:43:18Z DEBUG response headers Date: Thu, 17 Apr 2025 18:43:18 GMT
>> Server: Apache/2.4.63 (Fedora Linux) OpenSSL/3.2.4 mod_wsgi/5.0.2 Python/3.13 mod_auth_gssapi/1.6.5
>> Content-Type: text/html;charset=utf-8
>> Content-Language: en
>> Transfer-Encoding: chunked
>>
>>
>> 2025-04-17T18:43:18Z DEBUG response body (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 404 \xe2\x80\x93 Not Found</title><style type="text/css">body { font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b { color:white;background-color:#525D76;} h1 {font-size:22px;} h2 { font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 \xe2\x80\x93 Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [/ca/rest/account/login] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.98</h3></body></html>'
>> 2025-04-17T18:43:18Z DEBUG Overriding CA port: Failed to authenticate to CA REST API
>> 2025-04-17T18:43:18Z DEBUG Profile 'KDCs_PKINIT_Certs' is already in LDAP; skipping
>> 2025-04-17T18:43:18Z DEBUG Profile 'caIPAserviceCert' is already in LDAP; skipping
>> 2025-04-17T18:43:18Z DEBUG Profile 'acmeIPAServerCert' is already in LDAP; skipping
>> 2025-04-17T18:43:18Z DEBUG Profile 'IECUserRoles' is already in LDAP; skipping
>> 2025-04-17T18:43:18Z INFO [Add default CA ACL]
>> 2025-04-17T18:43:18Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
>> 2025-04-17T18:43:18Z INFO Default CA ACL already added
>> 2025-04-17T18:43:18Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
>> 2025-04-17T18:43:18Z DEBUG Discovery: available servers for service 'CA' are phobos.ipa.ab-data.us
>> 2025-04-17T18:43:18Z DEBUG Discovery: using phobos.ipa.ab-data.us for 'CA' service
>> 2025-04-17T18:43:18Z DEBUG request GET https://phobos.ipa.ab-data.us:8443/ca/rest/account/login
>> 2025-04-17T18:43:18Z DEBUG request body ''
>> 2025-04-17T18:43:18Z DEBUG response status 404
>> 2025-04-17T18:43:18Z DEBUG response headers Content-Type: text/html;charset=utf-8
>> Content-Language: en
>> Content-Length: 784
>> Date: Thu, 17 Apr 2025 18:43:18 GMT
>>
>>
>> 2025-04-17T18:43:18Z DEBUG response body (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 404 \xe2\x80\x93 Not Found</title><style type="text/css">body { font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b { color:white;background-color:#525D76;} h1 {font-size:22px;} h2 { font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 \xe2\x80\x93 Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [/ca/rest/account/login] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.98</h3></body></html>'
>> 2025-04-17T18:43:18Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2025-04-17T18:43:18Z DEBUG   File "/usr/lib/python3.13/site-packages/ipapython/admintool.py", line 219, in execute
>>     return_value = self.run()
>>   File "/usr/lib/python3.13/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
>>     server.upgrade()
>>     ~~~~~~~~~~~~~~^^
>>   File "/usr/lib/python3.13/site-packages/ipaserver/install/server/upgrade.py", line 2097, in upgrade
>>     upgrade_configuration()
>>     ~~~~~~~~~~~~~~~~~~~~~^^
>>   File "/usr/lib/python3.13/site-packages/ipaserver/install/server/upgrade.py", line 1958, in upgrade_configuration
>>     cainstance.repair_profile_caIPAserviceCert()
>>     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
>>   File "/usr/lib/python3.13/site-packages/ipaserver/install/cainstance.py", line 2166, in repair_profile_caIPAserviceCert
>>     with api.Backend.ra_certprofile as profile_api:
>>          ^^^^^^^^^^^^^^^^^^^^^^^^^^
>>   File "/usr/lib/python3.13/site-packages/ipaserver/plugins/dogtag.py", line 610, in __enter__
>>     raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
>>
>> 2025-04-17T18:43:18Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
>> 2025-04-17T18:43:18Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
>> RemoteRetrieveError: Failed to authenticate to CA REST API
>> 2025-04-17T18:43:18Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>
>> Tomcat is active, all the certificates are current and in LDAP. I was
>> unable to find anything similar in the archive. How do I go about getting
>> this update to finish?
>>
>> Best regards,
>>
>> Eric
>> --
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>
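An added example, written for this thread and not part of FreeIPA or of any message above: the quoted ipaupgrade.log shows the upgrade probing GET /ca/rest/account/login on phobos.ipa.ab-data.us:443, getting a Tomcat 404, retrying on :8443, getting 404 again, and only then raising RemoteRetrieveError with the generic text "Failed to authenticate to CA REST API". The script below pairs each "DEBUG request" record with the following "DEBUG response status" record, so the relevant handful of lines can be pulled out of a 49000-line log without sharing the rest, and it classifies the status the way a practitioner reads it: a 404 means the path is not served at that host:port at all and no credential was evaluated, whereas a 401/403 would mean the endpoint is reachable and the RA credentials were rejected. The classification is more general than the single 404 case in the thread. The embedded SAMPLE_LOG is constructed from the records quoted above with headers and bodies dropped; the host name, ports and path are the ones in the thread.

```python
"""Triage /var/log/ipaupgrade.log for CA REST API probe failures.

Added example for the mailing-list thread; not FreeIPA project code. It pairs
every 'DEBUG request <METHOD> <url>' record with the next
'DEBUG response status <n>' record, summarises the outcome per host:port/path,
and extracts the surrounding lines so they can be shared without the full log.
"""
import re
import sys
from urllib.parse import urlparse

# Constructed sample log, condensed from the records quoted in the thread
# (response headers and bodies omitted; host, ports and path are the thread's).
SAMPLE_LOG = """\
2025-04-17T18:43:18Z INFO [Ensuring presence of included profiles]
2025-04-17T18:43:18Z DEBUG Discovery: using phobos.ipa.ab-data.us for 'CA' service
2025-04-17T18:43:18Z DEBUG request GET https://phobos.ipa.ab-data.us:443/ca/rest/account/login
2025-04-17T18:43:18Z DEBUG request body ''
2025-04-17T18:43:18Z DEBUG response status 404
2025-04-17T18:43:18Z DEBUG Overriding CA port: Failed to authenticate to CA REST API
2025-04-17T18:43:18Z DEBUG Profile 'caIPAserviceCert' is already in LDAP; skipping
2025-04-17T18:43:18Z INFO [Add default CA ACL]
2025-04-17T18:43:18Z DEBUG request GET https://phobos.ipa.ab-data.us:8443/ca/rest/account/login
2025-04-17T18:43:18Z DEBUG request body ''
2025-04-17T18:43:18Z DEBUG response status 404
2025-04-17T18:43:18Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2025-04-17T18:43:18Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
"""

# 'request body' lines are lower-case and carry no URL, so they do not match.
REQUEST_RE = re.compile(r"^\S+ DEBUG request (?P<method>[A-Z]+) (?P<url>https?://\S+)$")
STATUS_RE = re.compile(r"^\S+ DEBUG response status (?P<code>\d{3})$")
FAILURE_RE = re.compile(r"command failed, exception: (?P<exc>\w+): (?P<reason>.+)$")


def classify(status):
    """Map the HTTP status of a CA REST probe to what it actually tells you."""
    if 200 <= status < 300:
        return "ok"
    if status == 404:
        # No servlet answers at that host:port/path, so no credential was
        # evaluated; look at the proxy/servlet mapping before the RA credentials.
        return "endpoint not served at this host:port (404)"
    if status in (401, 403):
        return "endpoint reachable, credentials rejected (%d)" % status
    return "unexpected status %d" % status


def parse_probes(log_text):
    """Return [(line_no, method, host, port, path, status, verdict)] in log order."""
    probes = []
    pending = None
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.match(line)
        if m:
            pending = (line_no, m["method"], m["url"])
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            req_line, method, url = pending
            u = urlparse(url)
            status = int(m["code"])
            probes.append((req_line, method, u.hostname, u.port, u.path,
                           status, classify(status)))
            pending = None
    return probes


def final_failure(log_text):
    """Return (exception, reason) from the 'command failed' record, or None."""
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            return m["exc"], m["reason"]
    return None


def extract_context(log_text, window=2):
    """Lines around each request/body/status triple, for sharing on a list."""
    lines = log_text.splitlines()
    keep = set()
    for req_line, *_ in parse_probes(log_text):
        lo = max(1, req_line - window)
        hi = min(len(lines), req_line + 2 + window)  # request, body, status
        keep.update(range(lo, hi + 1))
    return [lines[i - 1] for i in sorted(keep)]


def report(log_text):
    """One verdict string per probe, plus the final exception if present."""
    out = []
    for req_line, method, host, port, path, status, verdict in parse_probes(log_text):
        out.append("line %d: %s %s:%s%s -> %d, %s"
                   % (req_line, method, host, port, path, status, verdict))
    fail = final_failure(log_text)
    if fail:
        out.append("upgrade aborted with %s: %s" % fail)
    return out


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)))
    print("\n-- relevant lines --")
    print("\n".join(extract_context(text)))
```

Run it as `python3 triage.py /var/log/ipaupgrade.log` on the real file, or with no argument to see it against the constructed sample. The extract_context output is what is worth pasting into a list reply; the report line tells you whether the next step is the endpoint mapping (404) or the RA agent credentials (401/403).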
