Hi Florence,

I added the link. Running the same ipactl command line produced the exact same console output and the 'Updated 1' occurrences in ipaupdate.log are on the exact same line numbers. There is no reference to /ca/rest/account/login or /ca/account/login in the Apache config files for IPA under /etc/httpd/conf.d.

Just for reference this server was initially installed as follows, with regular consistent upgrades:

2020-07-24T16:36:04Z DEBUG Logging to /var/log/ipaserver-install.log
2020-07-24T16:36:04Z DEBUG ipa-server-install was invoked with arguments [] and 
options: {'unattended': False, 'ip_addresses': None, 'domain_name': None, 
'realm_name': None, 'host_name': None, 'ca_cert_files': None, 'domain_level': 
None, 'setup_adtrust': False, 'setup_kra': False, 'setup_dns': False, 
'idstart': None, 'idmax': None, 'no_hbac_allow': False, 'no_pkinit': False, 
'no_ui_redirect': False, 'dirsrv_config_file': None, 'dirsrv_cert_files': None, 
'http_cert_files': None, 'pkinit_cert_files': None, 'dirsrv_cert_name': None, 
'http_cert_name': None, 'pkinit_cert_name': None, 'mkhomedir': False, 
'ntp_servers': None, 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 
'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'no_dns_sshfp': 
False, 'external_ca': False, 'external_ca_type': None, 'external_ca_profile': 
None, 'external_cert_files': None, 'subject_base': None, 'ca_subject': None, 
'ca_signing_algorithm': None, 'pki_config_override': None, 
'allow_zone_overlap': False, 'reverse_zones': None, 'no_reverse': False, 
'auto_reverse': False, 'zonemgr': None, 'forwarders': None, 'no_forwarders': 
False, 'auto_forwarders': False, 'forward_policy': None, 
'no_dnssec_validation': False, 'no_host_dns': False, 'enable_compat': False, 
'netbios_name': None, 'no_msdcs': False, 'rid_base': None, 
'secondary_rid_base': None, 'ignore_topology_disconnect': False, 
'ignore_last_of_role': False, 'verbose': False, 'quiet': False, 'log_file': 
None, 'uninstall': False}
2020-07-24T16:36:04Z DEBUG IPA version 4.8.7-1.fc32

I'm by no means proficient with LDAP and FreeIPA. I can muddle through the basic features that I use. The same error info is in the log I emailed separately. What should I try next? I would never have thought to search for Dogtag bugs on bugzilla.

Best regards,
Eric

On 4/18/25 9:26 AM, Florence Blanc-Renaud wrote:
Hi,

I suspect that you're hitting bz2350322 <https://bugzilla.redhat.com/show_bug.cgi?id=2350322>. If you follow the steps from comment 3 <https://bugzilla.redhat.com/show_bug.cgi?id=2350322#c3> it should allow PKI endpoints to be accessible.
flo

On Fri, Apr 18, 2025 at 3:01 PM Eric Ashley via FreeIPA-users <[email protected]> wrote:

    Hi Florence,

    I've gotten so spoiled with xterm scrollback buffering that I had
    to run it twice since I forgot to tee the console output. The VM
    running FreeIPA is the 1 host I didn't configure to buffer
    credentials for a week.

    Here's the output of ipactl restart --ignore-service-failures:

    IPA version error: data needs to be upgraded (expected version '4.12.2-13.fc42', current version '4.12.2-8.fc41')
    Automatically running upgrade, for details see /var/log/ipaupgrade.log
    Be patient, this may take a few minutes.
    Automatic upgrade failed: Update complete
    Upgrading the configuration of the IPA services
    [Verifying that root certificate is published]
    [Migrate CRL publish directory]
    CRL tree already moved
    [Ensuring ephemeralRequest is enabled in KRA]
    ephemeralRequest is already enabled
    [Verifying that KDC configuration is using ipa-kdb backend]
    [Fix DS schema file syntax]
    Syntax already fixed
    [Removing RA cert from DS NSS database]
    RA cert already removed
    [Enable sidgen and extdom plugins by default]
    [Updating HTTPD service IPA configuration]
    [Updating HTTPD service IPA WSGI configuration]
    [Migrating from mod_nss to mod_ssl]
    Already migrated to mod_ssl
    [Moving HTTPD service keytab to gssproxy]
    [Removing self-signed CA]
    [Removing Dogtag 9 CA]
    [Set OpenSSL engine or provider for BIND]
    [Checking for deprecated KDC configuration files]
    [Checking for deprecated backups of Samba configuration files]
    dnssec-validation yes
    [Add missing CA DNS records]
    IPA CA DNS records already processed
    named user config '/etc/named/ipa-ext.conf' already exists
    named user config '/etc/named/ipa-options-ext.conf' already exists
    named user config '/etc/named/ipa-logging-ext.conf' already exists
    [Upgrading CA schema]
    CA schema update complete
    [Update certmonger certificate renewal configuration]
    Certmonger certificate renewal configuration already up-to-date
    [Enable PKIX certificate path discovery and validation]
    PKIX already enabled
    [Authorizing RA Agent to modify profiles]
    [Authorizing RA Agent to manage lightweight CAs]
    [Ensuring Lightweight CAs container exists in Dogtag database]
    [Enabling LWCA monitor]
    [Adding default OCSP URI configuration]
    [Disabling cert publishing]
    [Ensuring CA is using LDAPProfileSubsystem]
    [Migrating certificate profiles to LDAP]
    [Ensuring presence of included profiles]
    [Add default CA ACL]
    Default CA ACL already added
    IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
    Unexpected error - see /var/log/ipaupgrade.log for details:
    RemoteRetrieveError: Failed to authenticate to CA REST API
    The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

    See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
    Aborting ipactl
    Stopping ipa-dnskeysyncd Service
    Stopping ods-enforcerd Service
    Stopping ipa-ods-exporter Service
    Stopping ipa-otpd Service
    Stopping pki-tomcatd Service
    Stopping ipa-custodia Service
    Stopping httpd Service
    Stopping named Service
    Stopping kadmin Service
    Stopping krb5kdc Service
    Stopping Directory Service

    I have the log available that I can email to you if necessary. I
    don't have time to make it suitable for sending to the list,
    though, as it's 49000+ lines. What are the next steps to get this
    back online?

    Best regards,


    On 4/18/25 4:50 AM, Florence Blanc-Renaud wrote:
    Hi,

    On Thu, Apr 17, 2025 at 11:09 PM Eric Ashley via FreeIPA-users
    <[email protected]> wrote:

        Hello,

        I'm running the following new versions:

        Installed packages
        freeipa-client.x86_64             4.12.2-13.fc42   updates
        freeipa-client-common.noarch      4.12.2-13.fc42   updates
        freeipa-common.noarch             4.12.2-13.fc42   updates
        freeipa-healthcheck.noarch        0.17-6.fc42      fedora
        freeipa-healthcheck-core.noarch   0.17-6.fc42      fedora
        freeipa-selinux.noarch            4.12.2-13.fc42   updates
        freeipa-server.x86_64             4.12.2-13.fc42   updates
        freeipa-server-common.noarch      4.12.2-13.fc42   updates
        freeipa-server-dns.noarch         4.12.2-13.fc42   updates
        libcamera-ipa.x86_64              0.4.0-4.fc42     fedora
        libipa_hbac.x86_64                2.10.2-3.fc42    fedora
        python3-ipaclient.noarch          4.12.2-13.fc42   updates
        python3-ipalib.noarch             4.12.2-13.fc42   updates

        ipactl status reports the following:

        Directory Service: RUNNING
        krb5kdc Service: STOPPED
        kadmin Service: STOPPED
        named Service: STOPPED
        httpd Service: RUNNING
        ipa-custodia Service: STOPPED
        pki-tomcatd Service: RUNNING
        ipa-otpd Service: STOPPED
        ipa-ods-exporter Service: STOPPED
        ods-enforcerd Service: STOPPED
        ipa-dnskeysyncd Service: RUNNING
        5 service(s) are not running

    can you try
     ipactl restart --ignore-service-failures
    then check which services failed with ipactl status and report
    the output here?
    In your current output the KDC is stopped and any service using
    kerberos for authentication will fail as a consequence.

    flo


        On initial boot, the system started the FreeIPA upgrade,
        which got through all the certificate checks with no issues,
        then reports the following errors (with retry):

        2025-04-17T18:43:18Z INFO [Ensuring presence of included profiles]
        2025-04-17T18:43:18Z DEBUG Discovery: available servers for service 'CA' are phobos.ipa.ab-data.us
        2025-04-17T18:43:18Z DEBUG Discovery: using phobos.ipa.ab-data.us for 'CA' service
        2025-04-17T18:43:18Z DEBUG request GET https://phobos.ipa.ab-data.us:443/ca/rest/account/login
        2025-04-17T18:43:18Z DEBUG request body ''
        2025-04-17T18:43:18Z DEBUG response status 404
        2025-04-17T18:43:18Z DEBUG response headers Date: Thu, 17 Apr
        2025 18:43:18 GMT
        Server: Apache/2.4.63 (Fedora Linux) OpenSSL/3.2.4
        mod_wsgi/5.0.2 Python/3.13 mod_auth_gssapi/1.6.5
        Content-Type: text/html;charset=utf-8
        Content-Language: en
        Transfer-Encoding: chunked


        2025-04-17T18:43:18Z DEBUG response body (decoded):
        b'<!doctype html><html lang="en"><head><title>HTTP Status 404
        \xe2\x80\x93 Not Found</title><style type="text/css">body
        {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
        {color:white;background-color:#525D76;} h1 {font-size:22px;}
        h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;}
        a {color:black;} .line
        
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
        Status 404 \xe2\x80\x93 Not Found</h1><hr class="line"
        /><p><b>Type</b> Status Report</p><p><b>Message</b> The
        requested resource [&#47;ca&#47;rest&#47;account&#47;login]
        is not available</p><p><b>Description</b> The origin server
        did not find a current representation for the target resource
        or is not willing to disclose that one exists.</p><hr
        class="line" /><h3>Apache Tomcat/9.0.98</h3></body></html>'
        2025-04-17T18:43:18Z DEBUG Overriding CA port: Failed to
        authenticate to CA REST API
        2025-04-17T18:43:18Z DEBUG Profile 'KDCs_PKINIT_Certs' is
        already in LDAP; skipping
        2025-04-17T18:43:18Z DEBUG Profile 'caIPAserviceCert' is
        already in LDAP; skipping
        2025-04-17T18:43:18Z DEBUG Profile 'acmeIPAServerCert' is
        already in LDAP; skipping
        2025-04-17T18:43:18Z DEBUG Profile 'IECUserRoles' is already
        in LDAP; skipping
        2025-04-17T18:43:18Z INFO [Add default CA ACL]
        2025-04-17T18:43:18Z DEBUG Loading StateFile from
        '/var/lib/ipa/sysupgrade/sysupgrade.state'
        2025-04-17T18:43:18Z INFO Default CA ACL already added
        2025-04-17T18:43:18Z DEBUG Loading StateFile from
        '/var/lib/ipa/sysupgrade/sysupgrade.state'
        2025-04-17T18:43:18Z DEBUG Discovery: available servers for service 'CA' are phobos.ipa.ab-data.us
        2025-04-17T18:43:18Z DEBUG Discovery: using phobos.ipa.ab-data.us for 'CA' service
        2025-04-17T18:43:18Z DEBUG request GET https://phobos.ipa.ab-data.us:8443/ca/rest/account/login
        2025-04-17T18:43:18Z DEBUG request body ''
        2025-04-17T18:43:18Z DEBUG response status 404
        2025-04-17T18:43:18Z DEBUG response headers Content-Type:
        text/html;charset=utf-8
        Content-Language: en
        Content-Length: 784
        Date: Thu, 17 Apr 2025 18:43:18 GMT


        2025-04-17T18:43:18Z DEBUG response body (decoded):
        b'<!doctype html><html lang="en"><head><title>HTTP Status 404
        \xe2\x80\x93 Not Found</title><style type="text/css">body
        {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
        {color:white;background-color:#525D76;} h1 {font-size:22px;}
        h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;}
        a {color:black;} .line
        
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
        Status 404 \xe2\x80\x93 Not Found</h1><hr class="line"
        /><p><b>Type</b> Status Report</p><p><b>Message</b> The
        requested resource [&#47;ca&#47;rest&#47;account&#47;login]
        is not available</p><p><b>Description</b> The origin server
        did not find a current representation for the target resource
        or is not willing to disclose that one exists.</p><hr
        class="line" /><h3>Apache Tomcat/9.0.98</h3></body></html>'
        2025-04-17T18:43:18Z ERROR IPA server upgrade failed: Inspect
        /var/log/ipaupgrade.log and run command ipa-server-upgrade
        manually.
        2025-04-17T18:43:18Z DEBUG   File "/usr/lib/python3.13/site-packages/ipapython/admintool.py", line 219, in execute
            return_value = self.run()
          File "/usr/lib/python3.13/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
            server.upgrade()
            ~~~~~~~~~~~~~~^^
          File "/usr/lib/python3.13/site-packages/ipaserver/install/server/upgrade.py", line 2097, in upgrade
            upgrade_configuration()
            ~~~~~~~~~~~~~~~~~~~~~^^
          File "/usr/lib/python3.13/site-packages/ipaserver/install/server/upgrade.py", line 1958, in upgrade_configuration
            cainstance.repair_profile_caIPAserviceCert()
            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
          File "/usr/lib/python3.13/site-packages/ipaserver/install/cainstance.py", line 2166, in repair_profile_caIPAserviceCert
            with api.Backend.ra_certprofile as profile_api:
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^
          File "/usr/lib/python3.13/site-packages/ipaserver/plugins/dogtag.py", line 610, in __enter__
            raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))

        2025-04-17T18:43:18Z DEBUG The ipa-server-upgrade command
        failed, exception: RemoteRetrieveError: Failed to
        authenticate to CA REST API
        2025-04-17T18:43:18Z ERROR Unexpected error - see
        /var/log/ipaupgrade.log for details:
        RemoteRetrieveError: Failed to authenticate to CA REST API
        2025-04-17T18:43:18Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

        Tomcat is active, all the certificates are current and in
        LDAP. I was unable to find anything similar in the archive.
        How do I go about getting this update to finish?

        Best regards,

        Eric

-- _______________________________________________
        FreeIPA-users mailing list --
        [email protected]
        To unsubscribe send an email to
        [email protected]
        Fedora Code of Conduct:
        https://docs.fedoraproject.org/en-US/project/code-of-conduct/
        List Guidelines:
        https://fedoraproject.org/wiki/Mailing_list_guidelines
        List Archives:
        
https://lists.fedorahosted.org/archives/list/[email protected]
        Do not reply to spam, report it:
        https://pagure.io/fedora-infrastructure/new_issue




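The upgrade log quoted in this thread shows the RA client trying /ca/rest/account/login on port 443, getting a 404, then "Overriding CA port" to 8443 and getting the same 404, with Tomcat's own error page in both response bodies. In a 49000+ line ipaupgrade.log those pairs are easy to lose. The script below is an added example, not FreeIPA or Dogtag code: it pairs each "request GET <url>" line with the "response status" and "response body" lines that follow it and reports the CA REST calls that failed, which port each one used, and which server produced the error page. The sample log is constructed from the lines quoted above and condensed onto one line per entry, which is how the real log writes them; the function and variable names are this example's own.

```python
"""Triage helper for /var/log/ipaupgrade.log (added example, not FreeIPA code).

Pairs each 'DEBUG request <METHOD> <url>' line with the 'DEBUG response
status <code>' and 'DEBUG response body (decoded): ...' lines that follow
it, then lists the CA REST calls that did not succeed.
"""
import re
import sys
from urllib.parse import urlsplit

# Constructed sample, condensed from the 2025-04-17 log quoted in the thread.
# Real entries are one line each; the mailer wrapped them.
SAMPLE_LOG = """\
2025-04-17T18:43:18Z INFO [Ensuring presence of included profiles]
2025-04-17T18:43:18Z DEBUG Discovery: using phobos.ipa.ab-data.us for 'CA' service
2025-04-17T18:43:18Z DEBUG request GET https://phobos.ipa.ab-data.us:443/ca/rest/account/login
2025-04-17T18:43:18Z DEBUG request body ''
2025-04-17T18:43:18Z DEBUG response status 404
2025-04-17T18:43:18Z DEBUG response headers Date: Thu, 17 Apr 2025 18:43:18 GMT
2025-04-17T18:43:18Z DEBUG response body (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 404</title></head><body><h3>Apache Tomcat/9.0.98</h3></body></html>'
2025-04-17T18:43:18Z DEBUG Overriding CA port: Failed to authenticate to CA REST API
2025-04-17T18:43:18Z DEBUG request GET https://phobos.ipa.ab-data.us:8443/ca/rest/account/login
2025-04-17T18:43:18Z DEBUG request body ''
2025-04-17T18:43:18Z DEBUG response status 404
2025-04-17T18:43:18Z DEBUG response body (decoded): b'<!doctype html><html lang="en"><body><h3>Apache Tomcat/9.0.98</h3></body></html>'
2025-04-17T18:43:18Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
"""

REQUEST_RE = re.compile(r"^(?P<ts>\S+) DEBUG request (?P<method>[A-Z]+) (?P<url>\S+)$")
STATUS_RE = re.compile(r"^\S+ DEBUG response status (?P<code>\d{3})$")
BODY_RE = re.compile(r"^\S+ DEBUG response body \(decoded\): (?P<body>.*)$")
# The Tomcat error page names the responding container; Apache's own 404 would not.
TOMCAT_RE = re.compile(r"Apache Tomcat/[\d.]+")


def parse_http_calls(log_text):
    """Return one dict per request found in the log, in file order."""
    calls, current = [], None
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            parts = urlsplit(m["url"])
            current = {"ts": m["ts"], "method": m["method"], "url": m["url"],
                       "host": parts.hostname, "port": parts.port or 443,
                       "path": parts.path, "status": None, "responder": None}
            calls.append(current)
            continue
        if current is None:
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"] = int(m["code"])
            continue
        m = BODY_RE.match(line)
        if m:
            hit = TOMCAT_RE.search(m["body"])
            current["responder"] = hit.group(0) if hit else None
    return calls


def failed_ca_calls(calls):
    """CA REST calls with no status at all or an HTTP error status."""
    return [c for c in calls
            if c["path"].startswith("/ca/") and (c["status"] is None or c["status"] >= 400)]


def diagnose(log_text):
    calls = parse_http_calls(log_text)
    failed = failed_ca_calls(calls)
    return {
        "calls": len(calls),
        "failed": failed,
        "ports": sorted({c["port"] for c in failed}),
        "responders": sorted({c["responder"] for c in failed if c["responder"]}),
    }


if __name__ == "__main__":
    # Usage: python3 triage_ipaupgrade.py /var/log/ipaupgrade.log
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = diagnose(text)
    print(f"{report['calls']} HTTP call(s) logged, {len(report['failed'])} failed CA call(s)")
    for c in report["failed"]:
        print(f"  {c['ts']} {c['method']} {c['url']} -> {c['status']} (page from: {c['responder']})")
    print(f"ports tried: {report['ports']}; error pages from: {report['responders']}")
```

Run against the real log it prints every failed CA REST call with its port; on the constructed sample it reports the two 404s on 443 and 8443, both answered by Apache Tomcat/9.0.98. That distinction matters when reading the thread's finding that /etc/httpd/conf.d holds no reference to /ca/rest/account/login: a 404 page produced by Tomcat means the request reached Tomcat, so the next place to look is the Dogtag side, which is where the bugzilla entry Florence pointed at lives.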
