Hello all.

I'm trying to replace an ancient FreeIPA 4.5.0 master (and primary CA
master) on CentOS 7.4.  I am having problems trying to make replicas with
FreeIPA 4.11, and past threads suggest the errors are due to
incompatibility of password hash algorithms, which are supposed to be fixed
on the older releases rather than the newer.

Therefore I'm trying to upgrade the old server to the current version in
the CentOS 7 repos, 4.6.8, to try to create fresh replicas from there.  But
I'm having issues with the certmonger systemd service hanging, and breaking
ipa-server-upgrade. Whether I update the whole CentOS to 7.9.2009, or just
ipa-server and its dependencies, the result is the same.

This is where ipa-server-upgrade breaks:

        [Verifying that root certificate is published]
        [Migrate CRL publish directory]
        CRL tree already moved
        [Verifying that CA proxy configuration is correct]
        IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
        Unexpected error - see /var/log/ipaupgrade.log for details:
        CalledProcessError: Command '/bin/systemctl start certmonger.service' returned non-zero exit status 1
        The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

This is because certmonger.service hangs until timeout.  That happens when
starting the service manually, too.  Logs for certmonger.service are not
informative:

        -- Subject: Unit certmonger.service has begun start-up
        -- Unit certmonger.service has begun starting up.
        Jan 31 14:38:59 vm-ipa-1.intra.viaboxxsystems.de systemd[1]: certmonger.service start operation timed out. Terminating.
        Jan 31 14:40:29 vm-ipa-1.intra.viaboxxsystems.de systemd[1]: certmonger.service stop-sigterm timed out. Killing.
        Jan 31 14:40:29 vm-ipa-1.intra.viaboxxsystems.de systemd[1]: certmonger.service: main process exited, code=killed, status=9/KILL
        -- Subject: Unit certmonger.service has failed
        -- Unit certmonger.service has failed.
        Jan 31 14:40:29 vm-ipa-1.intra.viaboxxsystems.de systemd[1]: Unit certmonger.service entered failed state.
        Jan 31 14:40:29 vm-ipa-1.intra.viaboxxsystems.de systemd[1]: certmonger.service failed.
        r...@vm-ipa-1.intra.viaboxxsystems.de[lxc](e:0,1s)(j:0) ~

Running `certmonger -S -n -d 9` seems to run ok.  The only difference in
the systemd service file is, I think, whatever it is that the BusName
setting does.  dbus is running seemingly without issue, nothing on logs.
Restarting dbus.service doesn't help.

The machine is an LXC container with 4GiB RAM, which doesn't come close to
being exhausted when trying to restart certmonger.  No OOM in logs.

I saw this thread about certmonger problems with ulimit in containers:
https://bugzilla.redhat.com/show_bug.cgi?id=1656519
But the suggested workaround (make sure ulimit -n is the same in container
and host) doesn't apply because it's already the same for us.

How should I proceed from here?
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org