Ian Kumlien wrote:
> This and changing the permissions on certs pkiuser:pkiuser fixed it on
> that machine, what remains is:
> Error: Local roles CA, DNS, DNSKeySync do not match globally used
> roles CA, DNS, DNSKeySync, KRA. A backup done on this host would not
> be complete enough to restore a fully functional, identical cluster.
> The ipa-backup command failed. See /var/log/ipabackup.log for more information
What is unclear about the message? An IPA backup is a disaster recovery
tool. There is no need to use it to back up every single host in a
cluster for the reason outlined. ipa-restore is used when things are
completely hosed. It requires that any existing replicas be force
re-initialized.

So the tool is warning that sure, you can back up the server (use
--disable-role-check) but what's the point if it doesn't have all the
services configured? If you restore a broken cluster on this host you
will be missing things.

rob

>
> On Mon, Apr 21, 2025 at 5:48 PM Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>> Ian Kumlien via FreeIPA-users wrote:
>>> Hi,
>>>
>>> I have two freeipa servers that failed after the upgrade.
>>>
>>> On one, I managed to fix it with ipa-cert-fix since they had expired
>>> again, but I'm now left with:
>>> ipa-backup
>>> Preparing backup on freeipa1....
>>> Error: Local roles CA, DNS, DNSKeySync do not match globally used
>>> roles CA, DNS, DNSKeySync, KRA. A backup done on this host would not
>>> be complete enough to restore a fully functional, identical cluster.
>>> The ipa-backup command failed. See /var/log/ipabackup.log for more
>>> information
>>>
>>> And on the other pki-tomcat doesn't start without ca_signing.csr which
>>> it never had according to backups...
>>>
>>> Any clues?
>>>
>>
>> Several others have posted similar issues today so I'll cut and paste
>> bits and pieces from them.
>>
>> I suspect that you're hitting bz2350322,
>> https://bugzilla.redhat.com/show_bug.cgi?id=2350322
>>
>> If you follow the steps from comment 3 it should allow PKI endpoints to
>> be accessible.
>>
>> Two things are needed:
>> - link to the rewrite file
>> - <valve> in tomcat configuration file
>>
>> Then you can run ipactl start which should run the upgrade again.
>>
>> rob
>>
>
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
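The role check that ipa-backup applies, and that the reply above explains, is a set difference: the roles enabled anywhere in the topology minus the roles enabled on the host being backed up. The script below reproduces that comparison over a role listing, so an administrator can see up front what a backup taken from a given host would lack before deciding whether --disable-role-check is acceptable for that host. It is an added example, not code from this thread or from the FreeIPA project. The listing it parses is a constructed sample (hostnames and roles made up, using the short role names from the error message) laid out like the output of `ipa server-role-find --status enabled`; the `Server name` / `Role name` / `Role status` field labels are assumed from that command's output.

```shell
#!/bin/sh
# Preflight for ipa-backup: compare the roles enabled on one host with the
# roles enabled anywhere in the topology, the same comparison behind the
# "Local roles ... do not match globally used roles" error. Added example,
# not FreeIPA code. ROLE_LISTING is a constructed sample (hostnames and
# roles made up) in the layout of `ipa server-role-find --status enabled`;
# on a live server, replace the heredoc with that command's output.

ROLE_LISTING=$(mktemp)
cat > "$ROLE_LISTING" <<'EOF'
  Server name: freeipa1.example.test
  Role name: CA
  Role status: enabled

  Server name: freeipa1.example.test
  Role name: DNS
  Role status: enabled

  Server name: freeipa1.example.test
  Role name: DNSKeySync
  Role status: enabled

  Server name: freeipa2.example.test
  Role name: CA
  Role status: enabled

  Server name: freeipa2.example.test
  Role name: DNS
  Role status: enabled

  Server name: freeipa2.example.test
  Role name: DNSKeySync
  Role status: enabled

  Server name: freeipa2.example.test
  Role name: KRA
  Role status: enabled

  Server name: freeipa2.example.test
  Role name: ADTRUST
  Role status: configured
EOF

# missing_roles LISTING HOST
# Prints, one per line and sorted, every role that is enabled on some
# server in LISTING but not enabled on HOST. Entries whose status is only
# "configured" or "hidden" are ignored: the check is about enabled services.
missing_roles() {
    awk -v host="$2" '
        /Server name:/ { srv = $3 }
        /Role name:/   { sub(/^[ \t]*Role name: /, ""); role = $0 }
        /Role status:/ && $3 == "enabled" {
            all[role] = 1
            if (srv == host) local_roles[role] = 1
        }
        END { for (r in all) if (!(r in local_roles)) print r }
    ' "$1" | sort
}

# backup_preflight LISTING HOST
# Returns 0 when a backup taken on HOST would cover every globally used
# role, 1 otherwise, and prints the verdict either way.
backup_preflight() {
    missing=$(missing_roles "$1" "$2")
    if [ -z "$missing" ]; then
        echo "$2: every globally used role is enabled here; ipa-backup would be complete"
        return 0
    fi
    echo "$2: roles enabled elsewhere but not here (a backup from this host would lack them):"
    printf '%s\n' "$missing" | sed 's/^/  /'
    return 1
}

# Usage: run the preflight for both hosts in the sample topology.
# freeipa1 lacks KRA, so it fails; freeipa2 carries every enabled role.
backup_preflight "$ROLE_LISTING" freeipa1.example.test || true
backup_preflight "$ROLE_LISTING" freeipa2.example.test
```

On the sample topology the first call reports KRA as missing on freeipa1, which is exactly the situation in the thread: the backup would run with --disable-role-check, but a restore from it could not bring back a KRA. The second host carries every enabled role, so a backup taken there is the one worth keeping.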