John Obaterspok via FreeIPA-users wrote: > Hi, > > I have been trying now for a month getting ipa-upgrade going on my > single host IPADOM. Any idea what to do would be greatly appreciated > > -- ipaupgrade log -- > 2021-05-04T04:25:02Z DEBUG args=['/bin/systemctl', 'stop', > '[email protected]'] > 2021-05-04T04:25:06Z DEBUG Process finished, return code=0 > 2021-05-04T04:25:06Z DEBUG stdout= > 2021-05-04T04:25:06Z DEBUG stderr= > 2021-05-04T04:25:06Z DEBUG Stop of [email protected] complete > 2021-05-04T04:25:06Z INFO [Fix DS schema file syntax] > 2021-05-04T04:25:06Z DEBUG Loading StateFile from > '/var/lib/ipa/sysupgrade/sysupgrade.state' > 2021-05-04T04:25:06Z INFO Syntax already fixed > 2021-05-04T04:25:06Z INFO [Removing RA cert from DS NSS database] > 2021-05-04T04:25:21Z DEBUG Loading StateFile from > '/var/lib/ipa/sysupgrade/sysupgrade.state' > 2021-05-04T04:25:21Z INFO RA cert already removed > 2021-05-04T04:25:21Z DEBUG Starting external process > 2021-05-04T04:25:21Z DEBUG args=['/bin/systemctl', 'start', > '[email protected]'] > 2021-05-04T04:25:24Z DEBUG Process finished, return code=0 > 2021-05-04T04:25:24Z DEBUG stdout= > 2021-05-04T04:25:24Z DEBUG stderr= > 2021-05-04T04:25:24Z DEBUG Starting external process > 2021-05-04T04:25:24Z DEBUG args=['/bin/systemctl', 'is-active', > '[email protected]'] > 2021-05-04T04:25:24Z DEBUG Process finished, return code=0 > 2021-05-04T04:25:24Z DEBUG stdout=active > > 2021-05-04T04:25:24Z DEBUG stderr= > 2021-05-04T04:25:24Z DEBUG wait_for_open_ports: localhost [389] timeout 120 > 2021-05-04T04:25:24Z DEBUG waiting for port: 389 > 2021-05-04T04:25:24Z DEBUG SUCCESS: port: 389 > 2021-05-04T04:25:24Z DEBUG Start of [email protected] complete > ... > 2021-05-04T04:25:41Z INFO [Migrating certificate profiles to LDAP] > 2021-05-04T04:26:01Z DEBUG Created connection context.ldap2_140042743094296 > 2021-05-04T04:26:01Z DEBUG flushing > ldapi://%2fvar%2frun%2fslapd-IPADOM-LAN.socket from SchemaCache > 2021-05-04T04:26:01Z DEBUG retrieving schema for SchemaCache > url=ldapi://%2fvar%2frun%2fslapd-IPADOM-LAN.socket > conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f5e3d65c9b0> > 2021-05-04T04:26:02Z DEBUG Destroyed connection context.ldap2_140042743094296 > 2021-05-04T04:26:02Z DEBUG request GET > https://ipa2.ipadom.lan:8443/ca/rest/account/login > 2021-05-04T04:26:02Z DEBUG request body '' > 2021-05-04T04:26:02Z DEBUG response status 500 > 2021-05-04T04:26:02Z DEBUG response headers Content-Type: > text/html;charset=utf-8 > Content-Language: en > Content-Length: 2234 > Date: Tue, 04 May 2021 04:26:02 GMT > Connection: close > > 2021-05-04T04:26:02Z DEBUG response body (decoded):<..snip..> CA > subsystem unavailable. Check CA debug log > > ---------------- > 04-May-2021 06:26:02.535 SEVERE [https-jsse-nio-8443-exec-5] > org.apache.catalina.core.StandardHostValve.invoke Exception Processing > /ca/rest/account/login > javax.ws.rs.ServiceUnavailableException: CA subsystem > unavailable. Check CA debug log. > at > com.netscape.cms.tomcat.ProxyRealm.validateRealm(ProxyRealm.java:81) > at > com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:149) > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530) > at > com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) > at > org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) > at > org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367) > at > org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) > at > org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) > at > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) > at > org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > at java.lang.Thread.run(Thread.java:748) > > > > -- CA: -- > 2021-05-04 06:25:08 [main] FINE: ============================================ > 2021-05-04 06:25:08 [main] FINE: ===== DEBUG SUBSYSTEM INITIALIZED ======= > 2021-05-04 06:25:08 [main] FINE: ============================================ > 2021-05-04 06:25:08 [main] INFO: Initializing CA subsystem > 2021-05-04 06:25:08 [main] FINEST: Getting cs.state=1 > 2021-05-04 06:25:08 [main] FINEST: Getting > instanceRoot=/var/lib/pki/pki-tomcat > 2021-05-04 06:25:08 [main] FINEST: Getting instanceId=pki-tomcat > ... > 2021-05-04 06:25:10 [main] FINE: LdapBoundConnection: Connecting to > ipa2.ipadom.lan:636 with client cert auth > 2021-05-04 06:25:10 [main] FINE: ldapconn/PKISocketFactory.makeSSLSocket: > begins > 2021-05-04 06:25:10 [main] FINE: SignedAuditLogger: event > CLIENT_ACCESS_SESSION_ESTABLISH > 2021-05-04 06:25:10 [main] FINEST: Getting pidDir=/var/run/pki/tomcat > 2021-05-04 06:25:10 [main] FINEST: Getting pidDir=/var/run/pki/tomcat > 2021-05-04 06:25:10 [main] SEVERE: Unable to create socket: > java.net.ConnectException: Connection refused > java.net.ConnectException: Connection refused > at java.net.PlainSocketImpl.socketConnect(Native Method)
Does your CA otherwise start? You can pass --skip-version-check to ipactl to skip the version check and just start the services. rob _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
