ipactl start fails on a replica server
ipactl start
Upgrade fails and rolls back.
ipa starts
    The package freeipa-server is not installed
    The package freeipa-client is not installed
    ipa-server-4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b.x86_64
    ipa-client-4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b.x86_64
    389-ds-base-1.4.3.30-6.module+el8.7.0+20830+6d1ef8be.x86_64
    The package pki-ca is not installed
    krb5-server-1.18.2-22.0.1.el8_7.x86_64
    ipactl restart
    IPA version error: data needs to be upgraded (expected version '4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b', current version '4.9.10-6.0.1.module+el8.7.0+20837+581a7c1e')
    Automatically running upgrade, for details see /var/log/ipaupgrade.log
    Upgrading IPA:. Estimated time: 1 minute 30 seconds
      [1/9]: saving configuration
      [2/9]: disabling listeners
      [3/9]: enabling DS global lock
      [4/9]: disabling Schema Compat
      [5/9]: starting directory server
      [6/9]: updating schema
      [7/9]: upgrading server
    Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
    Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
    Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
    Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
      [8/9]: stopping directory server
      [9/9]: restoring configuration
    Done.
    Update complete
    Upgrading IPA services
    Upgrading the configuration of the IPA services
    Disabled p11-kit-proxy
    [Verifying that root certificate is published]
    [Migrate CRL publish directory]
    CRL tree already moved
    [Verifying that KDC configuration is using ipa-kdb backend]
    [Fix DS schema file syntax]
    Syntax already fixed
    [Removing RA cert from DS NSS database]
    RA cert already removed
    [Enable sidgen and extdom plugins by default]
    [Updating HTTPD service IPA configuration]
    [Updating HTTPD service IPA WSGI configuration]
    Nothing to do for configure_httpd_wsgi_conf
    [Migrating from mod_nss to mod_ssl]
    Already migrated to mod_ssl
    [Moving HTTPD service keytab to gssproxy]
    [Removing self-signed CA]
    [Removing Dogtag 9 CA]
    [Checking for deprecated KDC configuration files]
    [Checking for deprecated backups of Samba configuration files]
    [Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
    [Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification]
    [Change 'server role' from 'CLASSIC PRIMARY DOMAIN CONTROLLER' to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration]
    dnssec-validation yes
    [Add missing CA DNS records]
    IPA CA DNS records already processed
    named user config '/etc/named/ipa-ext.conf' already exists
    named user config '/etc/named/ipa-options-ext.conf' already exists
    named user config '/etc/named/ipa-logging-ext.conf' already exists
    [Upgrading CA schema]
    CA schema update complete
    [Update certmonger certificate renewal configuration]
    Certmonger certificate renewal configuration already up-to-date
    [Enable PKIX certificate path discovery and validation]
    PKIX already enabled
    [Authorizing RA Agent to modify profiles]
    [Authorizing RA Agent to manage lightweight CAs]
    [Ensuring Lightweight CAs container exists in Dogtag database]
    [Adding default OCSP URI configuration]
    [Disabling cert publishing]
    [Ensuring CA is using LDAPProfileSubsystem]
    [Migrating certificate profiles to LDAP]
    Migrating profile 'caECServerCertWithSCT'
    IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
    Unexpected error - see /var/log/ipaupgrade.log for details:
    RemoteRetrieveError: Failed to authenticate to CA REST API
    The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Commenting out the update in /usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py line 52.
Line 52 is a try statement in my tree. Can you provide the line(s) you commented out?
Hi, The first errors happen when the upgrade tries to update the replication agreements. Can you provide the output of ldapsearch -D "cn=directory manager" -W -b "cn=mapping tree,cn=config" -s sub "(&(objectclass=nsds5ReplicationAgreement)(nsDS5ReplicaRoot=dc=ipa,dc=test))"
(replace dc=ipa,dc=test with your base DN).
The last error, the one triggering the command failure, seems to happen when migrating the certificate profiles. Can you paste the content of /var/log/ipaupgrade.log?
Also, this may be unrelated, but your versions show a partial upgrade: the 389-ds package is from 8.7, while ipa-server is from 8.8. We recommend upgrading all the packages (yum update), not only the ipa ones (yum update ipa-server), because we do not test partial upgrades.
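Added example, not part of the thread or of FreeIPA's own code: one way to read the output of the ldapsearch requested above. It unfolds the LDIF, keeps only replication agreement entries, and reports for each one whether it carries the ipaReplTopoManagedAgreement object class and what its last update state was. The sample LDIF, host names and the function names are constructed for illustration.

```python
import base64
import json

# Constructed sample in the shape of ldapsearch LDIF output: folded lines,
# comment lines, a base64 ("::") value and the trailing search-result block.
# Host names and values are made up for this example.
SAMPLE_LDIF = """\
# extended LDIF
# filter: (objectclass=nsds5ReplicationAgreement)

# replica1-to-primary, replica, mapp
 ing tree, config
dn: cn=replica1-to-primary,cn=replica,cn=mapping tree,cn=config
ipaReplTopoManagedAgreementState: managed agreement - generated by topology pl
 ugin
nsDS5ReplicaHost: primary.ipa.test
objectClass: nsds5replicationagreement
objectClass: ipaReplTopoManagedAgreement
nsds5replicaChangesSentSinceStartup:: MzI6MjIvMjEg
nsds5replicaLastUpdateStatusJSON: {"state": "green", "ldap_rc": "0", "ldap_rc_
 text": "Success", "message": "Error (0) Replica acquired successfully: Increme
 ntal update succeeded"}

dn: cn=meToOffline1,cn=replica,cn=mapping tree,cn=config
ipaReplTopoManagedAgreementState: managed agreement - controlled by topology p
 lugin
nsDS5ReplicaHost: offline1.ipa.test
objectClass: nsds5replicationagreement
objectClass: ipaReplTopoManagedAgreement
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatusJSON: {"state": "red", "ldap_rc": "-1", "ldap_rc_t
 ext": "Can't contact LDAP server", "message": "Error (-1) Problem connecting t
 o replica - LDAP error: Can't contact LDAP server (connection error)"}

# search result
search: 2
result: 0 Success
"""


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return one {lowercased attribute: [values]} dict per LDIF record."""
    entries, current = [], {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):              # comments (already unfolded)
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries


def first(entry, attr):
    """First value of an attribute, or None when the attribute is absent."""
    return entry.get(attr, [None])[0]


def summarise_agreements(text):
    """One summary dict per replication agreement found in the LDIF text."""
    report = []
    for entry in parse_entries(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "nsds5replicationagreement" not in classes:
            continue                          # skips the "search:/result:" block
        try:
            status = json.loads(first(entry, "nsds5replicalastupdatestatusjson") or "{}")
        except ValueError:
            status = {"state": "unparsed"}
        report.append({
            "dn": first(entry, "dn"),
            "host": first(entry, "nsds5replicahost"),
            "topology_managed": "ipaReplTopoManagedAgreement".lower() in classes,
            "state": status.get("state", "unknown"),
            "message": status.get("message"),
            "changes_sent": first(entry, "nsds5replicachangessentsincestartup"),
        })
    return report


def needs_attention(report):
    """Agreements whose last update did not end in the 'green' state."""
    return [r for r in report if r["state"] != "green"]


if __name__ == "__main__":
    for row in summarise_agreements(SAMPLE_LDIF):
        flag = "topology-managed" if row["topology_managed"] else "not topology-managed"
        print(f'{row["host"]}: {row["state"]} ({flag}) - {row["message"]}')
```

To use it on real output, pass the saved ldapsearch text to `summarise_agreements()` instead of `SAMPLE_LDIF`.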
Sorry, I was busy and it took me so long. Thanks for the help. The primary freeipa server has a strange failure: the kerberos cert is expired and it doesn't let you log in to the web GUI. After several hours or days trying to fix it, my colleague gave up. Since it still runs, except for the login, and the replica (this server) allows the login via web, and we tried all suggestions we found, did not get help in the forum, and don't have endless hours of spare time and backups of both servers, this has been the state for the last 10 months. Now, a week ago, this new problem occurred. Till then everything worked 'fine'.
I commented out the whole try statement; the server.upgrade() alone did not work, and I don't have time to have a detailed look into every function.
    # try:
    #     server.upgrade_check(self.options)
    #     server.upgrade()
    # except RuntimeError as e:
    #     raise admintool.ScriptError(str(e))
Can you provide the output of ldapsearch -D "cn=directory manager" -W -b "cn=mapping tree,cn=config" -s sub "(&(objectclass=nsds5ReplicationAgreement)(nsDS5ReplicaRoot=dc=ipa,dc=test))"
    # extended LDIF
    #
    # LDAPv3
    # base <cn=mapping tree,cn=config> with scope subtree
    # filter: (&(objectclass=nsds5ReplicationAgreement)(nsDS5ReplicaRoot=dc=ipa,dc=test))
    # requesting: ALL
    #

    # servername-to-primaryservername, replica, dc\3Dipa\2Cdc\3Dtest, mapping tree, config
    dn: cn=servername-to-primaryservername,cn=replica,cn=dc\3Dipa\2Cdc\3Dtest,cn=mapping tree,cn=config
    cn: servername-to-primaryservername
    description: servername to primaryservername
    ipaReplTopoManagedAgreementState: managed agreement - generated by topology plugin
    nsDS5ReplicaBindMethod: SASL/GSSAPI
    nsDS5ReplicaHost: primaryservername
    nsDS5ReplicaPort: 389
    nsDS5ReplicaRoot: dc=ipa,dc=test
    nsDS5ReplicaTransportInfo: LDAP
    nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
    nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
    nsds50ruv: {replicageneration} 5e0a15e3000000200000
    nsds50ruv: {replica 6 ldap://primaryservername:389} 5e0a29c9000000060000 6478b04b000000060000
    nsds50ruv: {replica 37 ldap://servername-offline2:389} 63515d0c000100250000 63561e19000200250000
    nsds50ruv: {replica 32 ldap://servername:389} 5e0a177c000100200000 647927ef000000200000
    nsds50ruv: {replica 36 ldap://servername-offline1:389} 635150da000200240000 6355b881000200240000
    nsds5ReplicaEnabled: on
    nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
    nsds5replicaTimeout: 300
    nsruvReplicaLastModified: {replica 6 ldap://primaryservername:389} 00000000
    nsruvReplicaLastModified: {replica 37 ldap://servername-offline2:389} 00000000
    nsruvReplicaLastModified: {replica 32 ldap://servername:389} 00000000
    nsruvReplicaLastModified: {replica 36 ldap://servername-offline1:389} 00000000
    objectClass: nsds5replicationagreement
    objectClass: ipaReplTopoManagedAgreement
    objectClass: top
    nsds5replicareapactive: 0
    nsds5replicaLastUpdateStart: 20230602172453Z
    nsds5replicaLastUpdateEnd: 20230602172453Z
    nsds5replicaChangesSentSinceStartup:: MzI6MjIvMjEg
    nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental update succeeded
    nsds5replicaLastUpdateStatusJSON: {"state": "green", "ldap_rc": "0", "ldap_rc_text": "Success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date": "2023-06-02T17:24:53Z", "message": "Error (0) Replica acquired successfully: Incremental update succeeded"}
    nsds5replicaUpdateInProgress: FALSE
    nsds5replicaLastInitStart: 19700101000000Z
    nsds5replicaLastInitEnd: 19700101000000Z

    # meToservername-offline1, replica, dc\3Dipa\2Cdc\3Dtest, mapping tree, config
    dn: cn=meToservername-offline1,cn=replica,cn=dc\3Dipa\2Cdc\3Dtest,cn=mapping tree,cn=config
    cn: meToservername-offline1
    description: me to servername-offline1
    ipaReplTopoManagedAgreementState: managed agreement - controlled by topology plugin
    nsDS5ReplicaBindMethod: SASL/GSSAPI
    nsDS5ReplicaHost: servername-offline1
    nsDS5ReplicaPort: 389
    nsDS5ReplicaRoot: dc=ipa,dc=test
    nsDS5ReplicaTransportInfo: LDAP
    nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
    nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
    nsds50ruv: {replicageneration} 5e0a15e3000000200000
    nsds50ruv: {replica 36 ldap://servername-offline1:389} 635150da000200240000 63561f46000000240000
    nsds50ruv: {replica 32 ldap://servername:389} 5e0a177c000100200000 6355dae1000300200000
    nsds50ruv: {replica 6 ldap://primaryservername:389} 5e0a29c9000000060000 635422d9000100060000
    nsds50ruv: {replica 37 ldap://servername-offline2:389} 63515d0c000100250000 63561e19000200250000
    nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp
    nsds5replicaTimeout: 120
    nsruvReplicaLastModified: {replica 36 ldap://servername-offline1:389} 00000000
    nsruvReplicaLastModified: {replica 32 ldap://servername:389} 00000000
    nsruvReplicaLastModified: {replica 6 ldap://primaryservername:389} 00000000
    nsruvReplicaLastModified: {replica 37 ldap://servername-offline2:389} 00000000
    objectClass: nsds5replicationagreement
    objectClass: top
    objectClass: ipaReplTopoManagedAgreement
    nsds5replicareapactive: 0
    nsds5replicaLastUpdateStart: 19700101000000Z
    nsds5replicaLastUpdateEnd: 19700101000000Z
    nsds5replicaChangesSentSinceStartup:
    nsds5replicaLastUpdateStatus: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
    nsds5replicaLastUpdateStatusJSON: {"state": "red", "ldap_rc": "-1", "ldap_rc_text": "Can't contact LDAP server", "repl_rc": "16", "repl_rc_text": "connection error", "date": "2023-06-02T17:33:57Z", "message": "Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)"}
    nsds5replicaUpdateInProgress: FALSE
    nsds5replicaLastInitStart: 19700101000000Z
    nsds5replicaLastInitEnd: 19700101000000Z

    # search result
    search: 2
    result: 0 Success

    # numResponses: 3
    # numEntries: 2
Can you paste the content of /var/log/ipaupgrade.log?
I'm not really sure where one run starts and the other ends, but that's a lot of code:
X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.1 15.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.11 5.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeCreated-oid NAME 'acmeCreated' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 2023-05-26T10:39:49Z DEBUG args=['/usr/bin/net', 'conf', 'setparm', 'global', 'dedicated keytab file', '/etc/samba/samba.keytab'] 2023-05-26T10:39:49Z DEBUG Process finished, return code=0 2023-05-26T10:39:49Z DEBUG stdout= 2023-05-26T10:39:49Z DEBUG stderr= 2023-05-26T10:39:49Z INFO [Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification] 2023-05-26T10:39:49Z DEBUG Starting external process 2023-05-26T10:39:49Z DEBUG args=['/usr/bin/net', 'conf', 'getparm', 'global', 'max smbd processes'] 2023-05-26T10:39:49Z DEBUG Process finished, return code=0 2023-05-26T10:39:49Z DEBUG stdout=1000 2023-05-26T10:39:49Z DEBUG stderr= 2023-05-26T10:39:49Z INFO [Change 'server role' from 'CLASSIC PRIMARY DOMAIN CONTROLLER' to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration] 2023-05-26T10:39:49Z DEBUG Starting external process 2023-05-26T10:39:49Z DEBUG args=['/usr/bin/net', 'conf', 'setparm', 'global', 'server role', 'IPA PRIMARY DOMAIN CONTROLLER'] 2023-05-26T10:39:49Z DEBUG Process finished, return code=0 2023-05-26T10:39:49Z DEBUG stdout= 2023-05-26T10:39:49Z DEBUG stderr= 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2023-05-26T10:39:49Z INFO dnssec-validation yes 2023-05-26T10:39:49Z INFO [Add missing CA DNS records] 2023-05-26T10:39:49Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:49Z INFO IPA CA DNS records already processed 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:49Z DEBUG Starting external process 2023-05-26T10:39:49Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service'] 2023-05-26T10:39:49Z DEBUG Process finished, return code=3 2023-05-26T10:39:49Z DEBUG stdout=inactive 2023-05-26T10:39:49Z DEBUG stderr= 2023-05-26T10:39:49Z DEBUG Starting external process 2023-05-26T10:39:49Z DEBUG args=['/bin/systemctl', 'start', 
'named-pkcs11.service'] 2023-05-26T10:39:50Z DEBUG Process finished, return code=0 2023-05-26T10:39:50Z DEBUG stdout= 2023-05-26T10:39:50Z DEBUG stderr= 2023-05-26T10:39:50Z DEBUG Starting external process 2023-05-26T10:39:50Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service'] 2023-05-26T10:39:50Z DEBUG Process finished, return code=0 2023-05-26T10:39:50Z DEBUG stdout=active 2023-05-26T10:39:50Z DEBUG stderr= 2023-05-26T10:39:50Z DEBUG Start of named-pkcs11.service complete 2023-05-26T10:39:50Z DEBUG /etc/named.conf is unmodified 2023-05-26T10:39:50Z INFO named user config '/etc/named/ipa-ext.conf' already exists 2023-05-26T10:39:50Z INFO named user config '/etc/named/ipa-options-ext.conf' already exists 2023-05-26T10:39:50Z INFO named user config '/etc/named/ipa-logging-ext.conf' already exists 2023-05-26T10:39:50Z DEBUG Starting external process 2023-05-26T10:39:50Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service'] 2023-05-26T10:39:50Z DEBUG Process finished, return code=0 2023-05-26T10:39:50Z DEBUG stdout=active 2023-05-26T10:39:50Z DEBUG stderr= 2023-05-26T10:39:50Z DEBUG Starting external process 2023-05-26T10:39:50Z DEBUG args=['/bin/systemctl', 'restart', 'named-pkcs11.service'] 2023-05-26T10:39:51Z DEBUG Process finished, return code=0 2023-05-26T10:39:51Z DEBUG stdout= 2023-05-26T10:39:51Z DEBUG stderr= 2023-05-26T10:39:51Z DEBUG Starting external process 2023-05-26T10:39:51Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service'] 2023-05-26T10:39:51Z DEBUG Process finished, return code=0 2023-05-26T10:39:51Z DEBUG stdout=active 2023-05-26T10:39:51Z DEBUG stderr= 2023-05-26T10:39:51Z DEBUG Restart of named-pkcs11.service complete 2023-05-26T10:39:51Z DEBUG Starting external process 2023-05-26T10:39:51Z DEBUG args=['/bin/systemctl', 'stop', 'named-pkcs11.service'] 2023-05-26T10:39:51Z DEBUG Process finished, return code=0 2023-05-26T10:39:51Z DEBUG stdout= 2023-05-26T10:39:51Z DEBUG stderr= 2023-05-26T10:39:51Z 
DEBUG Stop of named-pkcs11.service complete 2023-05-26T10:39:51Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2023-05-26T10:39:51Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2023-05-26T10:39:51Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:51Z INFO [Upgrading CA schema] 2023-05-26T10:39:52Z DEBUG Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif 2023-05-26T10:39:52Z DEBUG Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif 2023-05-26T10:39:52Z DEBUG Replace: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN ( 'user-defined' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user-defined' ) 2023-05-26T10:39:52Z DEBUG Schema modlist: [(0, 'attributetypes', [b"( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority k" b"ey nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN " b"'user-defined' )"])] 2023-05-26T10:39:52Z DEBUG update_entry modlist [(0, 'attributetypes', [b"( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user-defined' )"])] 2023-05-26T10:39:52Z DEBUG Processing schema LDIF file /usr/share/pki/acme/database/ldap/schema.ldif 2023-05-26T10:39:52Z DEBUG Replace: ( acmeStatus-oid NAME 'acmeStatus' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeStatus-oid NAME 'acmeStatus' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeExpires-oid NAME 
'acmeExpires' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeExpires-oid NAME 'acmeExpires' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeAccountKey-oid NAME 'acmeAccountKey' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeAccountKey-oid NAME 'acmeAccountKey' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeError-oid NAME 'acmeError' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeError-oid NAME 'acmeError' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeAuthorizationId-oid NAME 'acmeAuthorizationId' SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeAuthorizationId-oid NAME 'acmeAuthorizationId' SUP name X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeCertificateId-oid NAME 'acmeCertificateId' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeCertificateId-oid NAME 'acmeCertificateId' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeIdentifier-oid NAME 'acmeIdentifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( 
acmeIdentifier-oid NAME 'acmeIdentifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeEnabled-oid NAME 'acmeEnabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeEnabled-oid NAME 'acmeEnabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeValidatedAt-oid NAME 'acmeValidatedAt' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeValidatedAt-oid NAME 'acmeValidatedAt' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeAccountContact-oid NAME 'acmeAccountContact' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeAccountContact-oid NAME 'acmeAccountContact' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeChallengeId-oid NAME 'acmeChallengeId' SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeChallengeId-oid NAME 'acmeChallengeId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeAccountId-oid NAME 'acmeAccountId' SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 
2023-05-26T10:39:52Z DEBUG with: ( acmeAccountId-oid NAME 'acmeAccountId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeOrderId-oid NAME 'acmeOrderId' SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeOrderId-oid NAME 'acmeOrderId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeNonceId-oid NAME 'acmeNonceId' SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeNonceId-oid NAME 'acmeNonceId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeToken-oid NAME 'acmeToken' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeToken-oid NAME 'acmeToken' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Replace: ( acmeCreated-oid NAME 'acmeCreated' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:52Z DEBUG with: ( acmeCreated-oid NAME 'acmeCreated' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:52Z DEBUG Schema 
modlist: [(0, 'attributetypes', [b"( acmeStatus-oid NAME 'acmeStatus' EQUALITY caseIgnoreMatch SYNTAX 1.3.6" b".1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeExpires-oid NAME 'acmeExpires' EQUALITY generalizedTimeMatch ORDER" b'ING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SI' b"NGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeAccountKey-oid NAME 'acmeAccountKey' SYNTAX 1.3.6.1.4.1.1466.115.1" b"21.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeError-oid NAME 'acmeError' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI" b"NGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeAuthorizationId-oid NAME 'acmeAuthorizationId' SUP name X-ORIGIN '" b"IPA v4.9.11' )", b"( acmeCertificateId-oid NAME 'acmeCertificateId' EQUALITY caseExactMatch" b" SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11" b"' )", b"( acmeIdentifier-oid NAME 'acmeIdentifier' EQUALITY caseIgnoreMatch SYNT" b"AX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' )", b"( acmeEnabled-oid NAME 'acmeEnabled' EQUALITY booleanMatch SYNTAX 1.3.6." 
b"1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeValidatedAt-oid NAME 'acmeValidatedAt' EQUALITY generalizedTimeMat" b'ch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121' b".1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeAccountContact-oid NAME 'acmeAccountContact' EQUALITY caseIgnoreMa" b'tch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1' b"5 X-ORIGIN 'IPA v4.9.11' )", b"( acmeChallengeId-oid NAME 'acmeChallengeId' SUP name SINGLE-VALUE X-ORI" b"GIN 'IPA v4.9.11' )", b"( acmeAccountId-oid NAME 'acmeAccountId' SUP name SINGLE-VALUE X-ORIGIN " b"'IPA v4.9.11' )", b"( acmeOrderId-oid NAME 'acmeOrderId' SUP name SINGLE-VALUE X-ORIGIN 'IPA" b" v4.9.11' )", b"( acmeNonceId-oid NAME 'acmeNonceId' SUP name SINGLE-VALUE X-ORIGIN 'IPA" b" v4.9.11' )", b"( acmeToken-oid NAME 'acmeToken' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-" b"ORIGIN 'IPA v4.9.11' )", b"( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard' EQUALIT" b'Y booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN' b" 'IPA v4.9.11' )", b"( acmeCreated-oid NAME 'acmeCreated' EQUALITY generalizedTimeMatch ORDER" b'ING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SI' b"NGLE-VALUE X-ORIGIN 'IPA v4.9.11' )"])] 2023-05-26T10:39:53Z DEBUG update_entry modlist [(0, 'attributetypes', [b"( acmeStatus-oid NAME 'acmeStatus' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1. 
4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeExpires-oid NAME 'acmeExpires' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeAccountKey-oid NAME 'acmeAccountKey' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeError-oid NAME 'acmeError' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeAuthorizationId-oid NAME 'acmeAuthorizationId' SUP name X-ORIGIN 'IPA v4.9.11' )", b"( acmeCertificateId-oid NAME 'acmeCertificateId' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeIdentifier-oid NAME 'acmeIdentifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' )", b"( acmeEnabled-oid NAME 'acmeEnabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeValidatedAt-oid NAME 'acmeValidatedAt' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeAccountContact-oid NAME 'acmeAccountContact' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' )", b"( acmeChallengeId-oid NAME 'acmeChallengeId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeAccountId-oid NAME 'acmeAccountId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeOrderId-oid NAME 'acmeOrderId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeNonceId-oid NAME 'acmeNonceId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeToken-oid NAME 'acmeToken' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' )", b"( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466. 
115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeCreated-oid NAME 'acmeCreated' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )"])] 2023-05-26T10:39:53Z DEBUG Replace: ( acmeOrder-oid NAME 'acmeOrder' SUP top STRUCTURAL MUST ( acmeOrderId $ acmeAccountId $ acmeCreated $ acmeStatus $ acmeIdentifier $ acmeAuthorizationId ) MAY ( acmeError $ acmeCertificateId $ acmeExpires ) X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:53Z DEBUG with: ( acmeOrder-oid NAME 'acmeOrder' SUP top STRUCTURAL MUST ( acmeOrderId $ acmeAccountId $ acmeCreated $ acmeStatus $ acmeIdentifier $ acmeAuthorizationId ) MAY ( acmeError $ acmeCertificateId $ acmeExpires ) X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:53Z DEBUG Replace: ( acmeAccount-oid NAME 'acmeAccount' SUP top STRUCTURAL MUST ( acmeAccountId $ acmeCreated $ acmeAccountKey $ acmeStatus ) MAY acmeAccountContact X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:53Z DEBUG with: ( acmeAccount-oid NAME 'acmeAccount' SUP top STRUCTURAL MUST ( acmeAccountId $ acmeCreated $ acmeAccountKey $ acmeStatus ) MAY acmeAccountContact X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:53Z DEBUG Replace: ( acmeAuthorization-oid NAME 'acmeAuthorization' SUP top STRUCTURAL MUST ( acmeAuthorizationId $ acmeAccountId $ acmeCreated $ acmeIdentifier $ acmeAuthorizationWildcard $ acmeStatus ) MAY acmeExpires X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:53Z DEBUG with: ( acmeAuthorization-oid NAME 'acmeAuthorization' SUP top STRUCTURAL MUST ( acmeAuthorizationId $ acmeAccountId $ acmeCreated $ acmeIdentifier $ acmeAuthorizationWildcard $ acmeStatus ) MAY acmeExpires X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:53Z DEBUG Replace: ( acmeNonce-oid NAME 'acmeNonce' SUP top STRUCTURAL MUST ( acmeNonceId $ acmeCreated $ acmeExpires ) X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:53Z DEBUG with: ( acmeNonce-oid NAME 
'acmeNonce' SUP top STRUCTURAL MUST ( acmeNonceId $ acmeCreated $ acmeExpires ) X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:53Z DEBUG Replace: ( acmeCertificate-oid NAME 'acmeCertificate' SUP top STRUCTURAL MUST ( acmeCertificateId $ acmeCreated $ userCertificate ) MAY acmeExpires X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:53Z DEBUG with: ( acmeCertificate-oid NAME 'acmeCertificate' SUP top STRUCTURAL MUST ( acmeCertificateId $ acmeCreated $ userCertificate ) MAY acmeExpires X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:53Z DEBUG Replace: ( acmeChallenge-oid NAME 'acmeChallenge' ABSTRACT MUST ( acmeChallengeId $ acmeAccountId $ acmeAuthorizationId $ acmeStatus ) MAY ( acmeValidatedAt $ acmeError ) X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:53Z DEBUG with: ( acmeChallenge-oid NAME 'acmeChallenge' ABSTRACT MUST ( acmeChallengeId $ acmeAccountId $ acmeAuthorizationId $ acmeStatus ) MAY ( acmeValidatedAt $ acmeError ) X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:53Z DEBUG Schema modlist: [(0, 'objectclasses', [b"( acmeOrder-oid NAME 'acmeOrder' SUP top STRUCTURAL MUST ( acmeOrderId $" b' acmeAccountId $ acmeCreated $ acmeStatus $ acmeIdentifier $ acmeAuthori' b'zationId ) MAY ( acmeError $ acmeCertificateId $ acmeExpires ) X-ORIGIN ' b"'IPA v4.9.11' )", b"( acmeAccount-oid NAME 'acmeAccount' SUP top STRUCTURAL MUST ( acmeAccou" b'ntId $ acmeCreated $ acmeAccountKey $ acmeStatus ) MAY acmeAccountContac' b"t X-ORIGIN 'IPA v4.9.11' )", b"( acmeAuthorization-oid NAME 'acmeAuthorization' SUP top STRUCTURAL MUST" b' ( acmeAuthorizationId $ acmeAccountId $ acmeCreated $ acmeIdentifier $ ' b"acmeAuthorizationWildcard $ acmeStatus ) MAY acmeExpires X-ORIGIN 'IPA v" b"4.9.11' )", b"( acmeNonce-oid NAME 'acmeNonce' SUP top STRUCTURAL MUST ( acmeNonceId $" b" acmeCreated $ acmeExpires ) X-ORIGIN 'IPA v4.9.11' )", b"( acmeCertificate-oid NAME 'acmeCertificate' SUP top STRUCTURAL MUST ( a" b'cmeCertificateId $ acmeCreated $ userCertificate ) MAY 
acmeExpires X-ORI' b"GIN 'IPA v4.9.11' )", b"( acmeChallenge-oid NAME 'acmeChallenge' ABSTRACT MUST ( acmeChallengeId" b' $ acmeAccountId $ acmeAuthorizationId $ acmeStatus ) MAY ( acmeValidate' b"dAt $ acmeError ) X-ORIGIN 'IPA v4.9.11' )"])] 2023-05-26T10:39:53Z DEBUG update_entry modlist [(0, 'objectclasses', [b"( acmeOrder-oid NAME 'acmeOrder' SUP top STRUCTURAL MUST ( acmeOrderId $ acmeAccountId $ acmeCreated $ acmeStatus $ acmeIdentifier $ acmeAuthorizationId ) MAY ( acmeError $ acmeCertificateId $ acmeExpires ) X-ORIGIN 'IPA v4.9.11' )", b"( acmeAccount-oid NAME 'acmeAccount' SUP top STRUCTURAL MUST ( acmeAccountId $ acmeCreated $ acmeAccountKey $ acmeStatus ) MAY acmeAccountContact X-ORIGIN 'IPA v4.9.11' )", b"( acmeAuthorization-oid NAME 'acmeAuthorization' SUP top STRUCTURAL MUST ( acmeAuthorizationId $ acmeAccountId $ acmeCreated $ acmeIdentifier $ acmeAuthorizationWildcard $ acmeStatus ) MAY acmeExpires X-ORIGIN 'IPA v4.9.11' )", b"( acmeNonce-oid NAME 'acmeNonce' SUP top STRUCTURAL MUST ( acmeNonceId $ acmeCreated $ acmeExpires ) X-ORIGIN 'IPA v4.9.11' )", b"( acmeCertificate-oid NAME 'acmeCertificate' SUP top STRUCTURAL MUST ( acmeCertificateId $ acmeCreated $ userCertificate ) MAY acmeExpires X-ORIGIN 'IPA v4.9.11' )", b"( acmeChallenge-oid NAME 'acmeChallenge' ABSTRACT MUST ( acmeChallengeId $ acmeAccountId $ acmeAuthorizationId $ acmeStatus ) MAY ( acmeValidatedAt $ acmeError ) X-ORIGIN 'IPA v4.9.11' )"])] 2023-05-26T10:39:54Z DEBUG Replace: ( acmeChallengeHttp01-oid NAME 'acmeChallengeHttp01' SUP acmeChallenge STRUCTURAL MUST acmeToken X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:54Z DEBUG with: ( acmeChallengeHttp01-oid NAME 'acmeChallengeHttp01' SUP acmeChallenge STRUCTURAL MUST acmeToken X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:54Z DEBUG Replace: ( acmeChallengeDns01-oid NAME 'acmeChallengeDns01' SUP acmeChallenge STRUCTURAL MUST acmeToken X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) ) 2023-05-26T10:39:54Z DEBUG with: ( 
acmeChallengeDns01-oid NAME 'acmeChallengeDns01' SUP acmeChallenge STRUCTURAL MUST acmeToken X-ORIGIN 'IPA v4.9.11' ) 2023-05-26T10:39:54Z DEBUG Schema modlist: [(0, 'objectclasses', [b"( acmeChallengeHttp01-oid NAME 'acmeChallengeHttp01' SUP acmeChallenge S" b"TRUCTURAL MUST acmeToken X-ORIGIN 'IPA v4.9.11' )", b"( acmeChallengeDns01-oid NAME 'acmeChallengeDns01' SUP acmeChallenge STR" b"UCTURAL MUST acmeToken X-ORIGIN 'IPA v4.9.11' )"])] 2023-05-26T10:39:54Z DEBUG update_entry modlist [(0, 'objectclasses', [b"( acmeChallengeHttp01-oid NAME 'acmeChallengeHttp01' SUP acmeChallenge STRUCTURAL MUST acmeToken X-ORIGIN 'IPA v4.9.11' )", b"( acmeChallengeDns01-oid NAME 'acmeChallengeDns01' SUP acmeChallenge STRUCTURAL MUST acmeToken X-ORIGIN 'IPA v4.9.11' )"])] 2023-05-26T10:39:54Z INFO CA schema update complete 2023-05-26T10:39:54Z DEBUG Starting external process 2023-05-26T10:39:54Z DEBUG args=['/bin/systemctl', 'enable', 'certmonger.service'] 2023-05-26T10:39:54Z DEBUG Process finished, return code=0 2023-05-26T10:39:54Z DEBUG stdout= 2023-05-26T10:39:54Z DEBUG stderr= 2023-05-26T10:39:54Z DEBUG Starting external process 2023-05-26T10:39:54Z DEBUG args=['/bin/systemctl', 'is-active', 'dbus.service'] 2023-05-26T10:39:54Z DEBUG Process finished, return code=0 2023-05-26T10:39:54Z DEBUG stdout=active 2023-05-26T10:39:54Z DEBUG stderr= 2023-05-26T10:39:54Z DEBUG Starting external process 2023-05-26T10:39:54Z DEBUG args=['/bin/systemctl', 'start', 'certmonger.service'] 2023-05-26T10:39:55Z DEBUG Process finished, return code=0 2023-05-26T10:39:55Z DEBUG stdout= 2023-05-26T10:39:55Z DEBUG stderr= 2023-05-26T10:39:55Z DEBUG Starting external process 2023-05-26T10:39:55Z DEBUG args=['/bin/systemctl', 'is-active', 'certmonger.service'] 2023-05-26T10:39:55Z DEBUG Process finished, return code=0 2023-05-26T10:39:55Z DEBUG stdout=active 2023-05-26T10:39:55Z DEBUG stderr= 2023-05-26T10:39:55Z DEBUG Start of certmonger.service complete 2023-05-26T10:39:55Z DEBUG Starting 
external process 2023-05-26T10:39:55Z DEBUG args=['pki-server', 'subsystem-show', 'kra'] 2023-05-26T10:39:55Z DEBUG Process finished, return code=1 2023-05-26T10:39:55Z DEBUG stdout= 2023-05-26T10:39:55Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat. 2023-05-26T10:39:55Z INFO [Update certmonger certificate renewal configuration] 2023-05-26T10:39:55Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' 2023-05-26T10:39:55Z DEBUG Starting external process 2023-05-26T10:39:55Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-DOMAINNAME/', '-L', '-n', "servername - Let's Encrypt", '-a', '-f', '/etc/dirsrv/slapd-DOMAINNAME/pwdfile.txt'] 2023-05-26T10:39:55Z DEBUG Process finished, return code=0 2023-05-26T10:39:55Z DEBUG stdout=-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- caSigningCert cert-pki-ca CTu,Cu,Cu Server-Cert cert-pki-ca u,u,u servername - Let's Encrypt u,u,u auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u T-TeleSec GlobalRoot Class 2 C,, DFN-Verein Certification Authority 2 C,, DFN-Verein Global Issuing CA C,, CN=ISRG Root X2,O=Internet Security Research Group,C=US C,, CN=E1,O=Let's Encrypt,C=US C,, primaryservername - Let's Encrypt ,, CN=R4,O=Let's Encrypt,C=US C,, CN=E2,O=Let's Encrypt,C=US C,, ISRG Root X1 - Internet Security Research Group C,, R3 - Internet Security Research Group C,, 2023-05-26T10:39:55Z DEBUG stderr= 2023-05-26T10:39:55Z INFO Certmonger certificate renewal configuration already up-to-date 2023-05-26T10:39:55Z INFO [Enable PKIX certificate path discovery and validation] 2023-05-26T10:39:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:55Z INFO PKIX already enabled 2023-05-26T10:39:55Z INFO [Authorizing RA Agent to modify profiles] 2023-05-26T10:39:55Z INFO [Authorizing RA Agent to manage lightweight CAs] 2023-05-26T10:39:55Z INFO [Ensuring Lightweight CAs container exists in 
Dogtag database] 2023-05-26T10:39:55Z INFO [Adding default OCSP URI configuration] 2023-05-26T10:39:55Z INFO [Disabling cert publishing] 2023-05-26T10:39:55Z INFO [Ensuring CA is using LDAPProfileSubsystem] 2023-05-26T10:39:55Z INFO [Migrating certificate profiles to LDAP] 2023-05-26T10:39:56Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'acmeServerCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caAdminCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caAgentFileSigning' is already in LDAP and enabled; skipping caSigningCert cert-pki-ca CTu,Cu,Cu Server-Cert cert-pki-ca u,u,u servername - Let's Encrypt u,u,u auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u T-TeleSec GlobalRoot Class 2 C,, DFN-Verein Certification Authority 2 C,, DFN-Verein Global Issuing CA C,, CN=ISRG Root X2,O=Internet Security Research Group,C=US C,, CN=E1,O=Let's Encrypt,C=US C,, primaryservername - Let's Encrypt ,, CN=R4,O=Let's Encrypt,C=US C,, CN=E2,O=Let's Encrypt,C=US C,, ISRG Root X1 - Internet Security Research Group C,, R3 - Internet Security Research Group C,, 2023-05-26T10:39:55Z DEBUG stderr= 2023-05-26T10:39:55Z INFO Certmonger certificate renewal configuration already up-to-date 2023-05-26T10:39:55Z INFO [Enable PKIX certificate path discovery and validation] 2023-05-26T10:39:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2023-05-26T10:39:55Z INFO PKIX already enabled 2023-05-26T10:39:55Z INFO [Authorizing RA Agent to modify profiles] 2023-05-26T10:39:55Z INFO [Authorizing RA Agent to manage lightweight CAs] 2023-05-26T10:39:55Z INFO [Ensuring Lightweight CAs container exists in Dogtag database] 
2023-05-26T10:39:55Z INFO [Adding default OCSP URI configuration] 2023-05-26T10:39:55Z INFO [Disabling cert publishing] 2023-05-26T10:39:55Z INFO [Ensuring CA is using LDAPProfileSubsystem] 2023-05-26T10:39:55Z INFO [Migrating certificate profiles to LDAP] 2023-05-26T10:39:56Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'acmeServerCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caAdminCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caAgentFileSigning' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caAgentServerCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caAuditSigningCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caCACert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caCMCECUserCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caCMCECserverCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caCMCECsubsystemCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caCMCUserCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caCMCauditSigningCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caCMCcaCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caCMCcaCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caCMCkraStorageCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caCMCkraTransportCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caCMCocspCert' 
is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caCMCserverCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caCMCsubsystemCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caCrossSignedCACert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caDirBasedDualCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caDirPinUserCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caDirUserCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caDirUserRenewal' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caDualCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caDualRAuserCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caECAdminCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caECAgentServerCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caECDirPinUserCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caECDirUserCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caECFullCMCSharedTokenCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caECFullCMCUserCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caECFullCMCUserSignedCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caECInternalAuthServerCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caECInternalAuthSubsystemCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z DEBUG Profile 'caECServerCert' is already in LDAP and enabled; skipping 2023-05-26T10:39:56Z INFO Migrating profile 'caECServerCertWithSCT' 2023-05-26T10:39:56Z DEBUG request GET 
https://servername:8443/ca/rest/account/login 2023-05-26T10:39:56Z DEBUG request body '' 2023-05-26T10:39:57Z DEBUG response status 404 2023-05-26T10:39:57Z DEBUG response headers Content-Type: text/html;charset=utf-8 Content-Language: de Content-Length: 795 Date: Fri, 26 May 2023 10:39:57 GMT 2023-05-26T10:39:57Z DEBUG response body (decoded): b'<!doctype html><html lang="de"><head><title>HTTP Status 404 \xe2\x80\x93 nicht gefunden</title> <style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {fon t-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body> <h1>HTTP Status 404 \xe2\x80\x93 nicht gefunden</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [/ ;ca/rest/account/login] is not available</p><p><b>Beschreibung</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.50</h3></body></html>' 2023-05-26T10:39:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 
2023-05-26T10:39:57Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run server.upgrade() File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2058, in upgrade upgrade_configuration() File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1911, in upgrade_configuration ca_enable_ldap_profile_subsystem(ca) File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem cainstance.migrate_profiles_to_ldap() File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap _create_dogtag_profile(profile_id, profile_data, overwrite=False) File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile with api.Backend.ra_certprofile as profile_api: File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1211, in __enter__ raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API')) 2023-05-26T10:39:57Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API 2023-05-26T10:39:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Failed to authenticate to CA REST API 2023-05-26T10:39:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
In our opinion we have already made way too many yum updates, since experience shows this led to broken systems at least roughly once a year on CentOS 7. Mostly, of course, on weekends when no one is there to fix them. Since this is an internal server we prefer updates on secondary servers, which we can test in advance, so we have a fallback, and bleeding edge is not so important. This is a no-go for the identity and access management systems. If you know how we could use FreeIPA more conservatively, please feel free to point us in the right direction. Basically we need a standard install with a Let's Encrypt certificate, a replica server and backups. Doesn't sound too hard, but still made a lot of work.
Hi @ifdm, based on your command's output I see 2 different issues:
1. The upgrade is trying to update the replication agreements in order to modify the nsDS5ReplicatedAttributeList (the attribute passwordgraceusertime should be excluded from the replication). But the update fails as the replication agreement is managed by the topology plugin. This error is reported but does not prevent the upgrade from continuing. Something to fix in IPA code.
2. The upgrade command is unable to authenticate to PKI. I suspect that your server was initially installed with RHEL 8.0, then upgraded. Can you check if there is this drop-in file on your server:
# cat /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
[Service]
Environment=LC_ALL=C.UTF-8
ExecStartPost=/usr/libexec/ipa/ipa-pki-wait-running
If not, create the directory + file manually, launch systemctl --system daemon-reload then ipa-server-upgrade. This file ensures that PKI is ready (CA subsystem available) before the start command returns. On new installations (post RHEL 8.1), this file is created at install time but it looks like an upgrade from 8.0 to 8.1+ does not create it, resulting in PKI not fully initialized when the upgrade is run.
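The check and manual fix described in the comment above, as an added shell example that is not part of the original ticket or of FreeIPA's own tooling. The drop-in path and contents are the ones quoted in the comment; the function name, its status words and the optional alternate-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not FreeIPA code). Checks for the pki-tomcatd drop-in quoted
# in the comment above and creates it only when it is absent.
# Assumption: the optional first argument is a hypothetical alternate systemd
# root, so the function can be tried against a scratch directory first.

WAIT_CMD=/usr/libexec/ipa/ipa-pki-wait-running

ensure_pki_wait_dropin() {
    root=${1:-/etc/systemd/system}
    dir="$root/pki-tomcatd@pki-tomcat.service.d"
    file="$dir/ipa.conf"

    if [ -f "$file" ]; then
        # Whole-line fixed-string match: a commented-out line does not count.
        if grep -qxF "ExecStartPost=$WAIT_CMD" "$file"; then
            echo present
            return 0
        fi
        # The file exists but lacks the wait hook: report it and leave any
        # local changes untouched for the administrator to review.
        echo mismatch
        return 1
    fi

    mkdir -p "$dir" || return 2
    # Write to a temporary name and rename, so systemd never reads a partial
    # file (it only loads names ending in .conf from a drop-in directory).
    tmp="$file.tmp.$$"
    cat > "$tmp" <<EOF || return 2
[Service]
Environment=LC_ALL=C.UTF-8
ExecStartPost=$WAIT_CMD
EOF
    chmod 644 "$tmp" && mv "$tmp" "$file" || return 2
    echo created
}
```

When the function reports `created` against the real `/etc/systemd/system`, the remaining steps are the ones given in the comment: `systemctl --system daemon-reload`, then `ipa-server-upgrade`.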
master:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2216549
Issue linked to bug 2216549
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2216549, https://bugzilla.redhat.com/show_bug.cgi?id=2216551 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2216549)
ipa-4-10:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)