Hi,
I'm stuck since about a week when I updated to latest ipa-server. It
seems to be the same problem as Ian had ("FreeIPA centos8 update
Failed to authenticate to CA REST API"). He seem to resolve this using
a replicate which I dont have.
Any ideas on how I get this to work?
ipa-server-4.8.7-13.module_el8.3.0+606+1e8766d7.x86_64
centos-linux-release-8.3-1.2011.el8.noarch
...
IPA version error: data needs to be upgraded (expected version
'4.8.7-13.module_el8.3.0+606+1e8766d7', current version
'4.8.7-12.module_el8.3.0+511+8a502f20')
....
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
...
2021-01-22T08:47:46Z DEBUG request GET
https://ipa2.win.lan:8443/ca/rest/account/login
2021-01-22T08:47:46Z DEBUG request body ''
2021-01-22T08:47:47Z DEBUG response status 500
2021-01-22T08:47:47Z DEBUG response headers Content-Type:
text/html;charset=utf-8
Content-Language: en
Content-Length: 2234
Date: Fri, 22 Jan 2021 08:47:47 GMT
Connection: close
2021-01-22T08:47:47Z DEBUG response body (decoded): b'<!doctype
html><html lang="en"><head><title>HTTP Status 500 \xe2\x80\x93
Internal Server Error</title><style type="text/css">body
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a
{color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 500 \xe2\x80\x93 Internal Server Error</h1><hr class="line"
/><p><b>Type</b> Exception Report</p><p><b>Message</b> CA subsystem
unavailable. Check CA debug log.</p><p><b>Description</b> The server
encountered an unexpected condition that prevented it from fulfilling
the
request.</p><p><b>Exception</b></p><pre>javax.ws.rs.ServiceUnavailableException:
CA subsystem unavailable. Check CA debug
log.\n\tcom.netscape.cms.tomcat.ProxyRealm.validateRealm(ProxyRealm.java:81)\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:149)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)\n\tcom.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\n\torg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)\n\torg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\n\torg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)\n\torg.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre><p><b>Note</b>
The full stack trace of the root cause is available in the server
logs.</p><hr class="line" /><h3>Apache
Tomcat/9.0.30</h3></body></html>'
2021-01-22T08:47:47Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2021-01-22T08:47:47Z DEBUG File
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179,
in execute
return_value = self.run()
File
"/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 54, in run
server.upgrade()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1805, in upgrade
upgrade_configuration()
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 1670, in upgrade_configuration
ca_enable_ldap_profile_subsystem(ca)
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py",
line 414, in ca_enable_ldap_profile_subsystem
cainstance.migrate_profiles_to_ldap()
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py",
line 1954, in migrate_profiles_to_ldap
_create_dogtag_profile(profile_id, profile_data, overwrite=False)
File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py",
line 1960, in _create_dogtag_profile
with api.Backend.ra_certprofile as profile_api:
File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py",
line 1315, in __enter__
raise errors.RemoteRetrieveError(reason=_('Failed to authenticate
to CA REST API'))
2021-01-22T08:47:47Z DEBUG The ipa-server-upgrade command failed,
exception: RemoteRetrieveError: Failed to authenticate to CA REST API
-- john
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
