Before a system upgrade I checked with "ipa-server-upgrade" if everything is right, but I get the error "loading configuration: crypto failure" in the named-pkcs11 service.
I get the message:
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
Updated entry cn=replica,cn=dc\=ipa\,dc\=example\,dc\=net,cn=mapping tree,cn=config
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'named-pkcs11.service'] returned non-zero exit status 1: 'Job for named-pkcs11.service failed because the control process exited with error code.\nSee "systemctl status named-pkcs11.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
The status of named-pkcs11:
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2021-12-19 11:25:49 CET; 7s ago
  Process: 3178 ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=1/FAILURE)
  Process: 3174 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disable>

Dec 19 11:25:49 hn-dlp.ipa.example.net named-pkcs11[3179]: none:105: 'max-cache-size 90%' - setting to 2462MB (out of 2736MB)
Dec 19 11:25:49 hn-dlp.ipa.example.net named-pkcs11[3179]: configuring command channel from '/etc/rndc.key'
Dec 19 11:25:49 hn-dlp.ipa.example.net named-pkcs11[3179]: command channel listening on 127.0.0.1#953
Dec 19 11:25:49 hn-dlp.ipa.example.net named-pkcs11[3179]: configuring command channel from '/etc/rndc.key'
Dec 19 11:25:49 hn-dlp.ipa.example.net named-pkcs11[3179]: command channel listening on ::1#953
Dec 19 11:25:49 hn-dlp.ipa.example.net named-pkcs11[3179]: loading configuration: crypto failure
Dec 19 11:25:49 hn-dlp.ipa.example.net named-pkcs11[3179]: exiting (due to fatal error)
Dec 19 11:25:49 hn-dlp.ipa.example.net systemd[1]: named-pkcs11.service: Control process exited, code=exited status=1
Dec 19 11:25:49 hn-dlp.ipa.example.net systemd[1]: named-pkcs11.service: Failed with result 'exit-code'.
Dec 19 11:25:49 hn-dlp.ipa.example.net systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
In "ipa-server-upgrade" the service "named-pkcs11.service" can't start.
In "ipa-server-upgrade" the service "named-pkcs11.service" starts.
$ uname -r
4.18.0-305.17.1.el8_4.x86_64
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
ipa-client-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
389-ds-base-1.4.3.16-13.module_el8.4.0+804+98b1df0d.x86_64
pki-ca-10.10.5-3.module_el8.4.0+816+beb6e9a3.noarch
krb5-server-1.18.2-8.el8.x86_64
For testing I upgraded the system to the latest version, but I get the same error.