OK. It seems the problem might be related to the problem described here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841086 The proposed workaround is to manually run "pki-server-upgrade -v". I've tried it and it failed on SELinux processing (I don't use SELinux at all). After commenting out the SELinux part of the upgrade, the upgrade finished and the ca context starts but fails with the same error returned via HTTP. From /var/log/pki/pki-tomcat/ca/debug I've found it's missing the /var/log/pki/pki-tomcat/ca/signedAudit directory, and after creating it, the debug log shows a problem connecting to the LDAP server on port 636 caused by Bug#841477.
-- Michal Kašpar