Hi,

On Tue, Apr 29, 2025 at 4:39 PM Ian Kumlien via FreeIPA-users <[email protected]> wrote:

> On Tue, Apr 29, 2025 at 4:30 PM Rob Crittenden <[email protected]> wrote:
> >
> > Ian Kumlien wrote:
> > > This and changing the permissions on certs pkiuser:pkiuser fixed it on
> > > that machine, what remains is:
> > > Error: Local roles CA, DNS, DNSKeySync do not match globally used
> > > roles CA, DNS, DNSKeySync, KRA. A backup done on this host would not
> > > be complete enough to restore a fully functional, identical cluster.
> > > The ipa-backup command failed. See /var/log/ipabackup.log for more information
> >
> > What is unclear about the message?
>
> A lot - it broke by running ipa-cert-fix
>
> > An IPA backup is a disaster recovery tool. There is no need to use it to
> > back up every single host in a cluster for the reason outlined.
> > ipa-restore is used when things are completely hosed. It requires that
> > any existing replicas need to be force re-initialized.
>
> It used to work, it worked until i ran ipa-cert-fix
>
> To me it sounds more like ipa-cert-fix did something that broke the
> state of that node.
>

ipa-cert-fix does one change related to roles: it sets the host where it is executed as CA renewal master. It does not remove the CA/DNS/DNSKeySync/KRA instance.

Can you show the output of ipa config-show on your 2 nodes?

flo

> > So the tool is warning that sure, you can back up the server (use
> > --disable-role-check) but what's the point if it doesn't have all the
> > services configured? If you restore a broken cluster on this host you
> > will be missing things.
> >
> > rob
> >
> > >
> > > On Mon, Apr 21, 2025 at 5:48 PM Rob Crittenden <[email protected]> wrote:
> > >>
> > >> Ian Kumlien via FreeIPA-users wrote:
> > >>> Hi,
> > >>>
> > >>> I have two freeipa servers that failed after the upgrade.
> > >>>
> > >>> On one, i managed to fix it with ipa-cert-fix since they had expired
> > >>> again, but i'm now left with:
> > >>> ipa-backup
> > >>> Preparing backup on freeipa1....
> > >>> Error: Local roles CA, DNS, DNSKeySync do not match globally used
> > >>> roles CA, DNS, DNSKeySync, KRA. A backup done on this host would not
> > >>> be complete enough to restore a fully functional, identical cluster.
> > >>> The ipa-backup command failed. See /var/log/ipabackup.log for more information
> > >>>
> > >>> And on the other pki-tomcat doesn't start without ca_signing.csr which
> > >>> it never had according to backups...
> > >>>
> > >>> Any clues?
> > >>>
> > >>
> > >> Several others have posted similar issues today so I'll cut and paste
> > >> bits and pieces from them.
> > >>
> > >> I suspect that you're hitting bz2350322,
> > >> https://bugzilla.redhat.com/show_bug.cgi?id=2350322
> > >>
> > >> If you follow the steps from comment 3 it should allow PKI endpoints to
> > >> be accessible.
> > >>
> > >> Two things are needed:
> > >> - link to the rewrite file
> > >> - <valve> in tomcat configuration file
> > >>
> > >> Then you can run ipactl start which should run the upgrade again.
> > >>
> > >> rob
> > >>
> > >
> >
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
