#9385 Upgrade to 4.9.10-6.0.1 fails: attributes are managed by topology plugin
Closed: fixed a year ago by frenaud. Opened a year ago by ifdm.

Issue

ipactl start fails on a replica server

Steps to Reproduce

ipactl start

Actual behavior

Upgrade fails and rolls back.

Expected behavior

ipa starts

Version/Release/Distribution

The package freeipa-server is not installed
The package freeipa-client is not installed
ipa-server-4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b.x86_64
ipa-client-4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b.x86_64
389-ds-base-1.4.3.30-6.module+el8.7.0+20830+6d1ef8be.x86_64
The package pki-ca is not installed
krb5-server-1.18.2-22.0.1.el8_7.x86_64

Additional info:

ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b', current version '4.9.10-6.0.1.module+el8.7.0+20837+581a7c1e')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: saving configuration
  [2/9]: disabling listeners
  [3/9]: enabling DS global lock
  [4/9]: disabling Schema Compat
  [5/9]: starting directory server
  [6/9]: updating schema
  [7/9]: upgrading server
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
  [8/9]: stopping directory server
  [9/9]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification]
[Change 'server role' from 'CLASSIC PRIMARY DOMAIN CONTROLLER' to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'caECServerCertWithSCT'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

Workaround:

Commenting out the update in /usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py line 52.


Line 52 is a try statement in my tree. Can you provide the line(s) you commented out?

Hi,
The first errors happen when the upgrade tries to update the replication agreements. Can you provide the output of ldapsearch -D "cn=directory manager" -W -b "cn=mapping tree,cn=config" -s sub "(&(objectclass=nsds5ReplicationAgreement)(nsDS5ReplicaRoot=dc=ipa,dc=test))"

(replace dc=ipa,dc=test with your base DN).

The last error, the one triggering the command failure, seems to happen when migrating the certificate profiles. Can you paste the content of /var/log/ipaupgrade.log?

Also, this may be unrelated, but your versions show a partial upgrade: the 389-ds package is from 8.7, while ipa-server is from 8.8. We recommend upgrading all the packages (yum update), not only the ipa ones (yum update ipa-server), because we do not test partial upgrades.
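
Added example, not part of the thread or of FreeIPA's code: one way to read the LDIF that the ldapsearch above returns. It unfolds continuation lines, decodes base64 (`::`) values, and reports for each replication agreement whether it carries the ipaReplTopoManagedAgreement object class and what its last update state was. The sample LDIF, host names and suffix are constructed.

```python
import base64
import json

# Constructed sample shaped like ldapsearch output for replication agreements.
# Host names and the suffix are placeholders, not values from the thread.
SAMPLE_LDIF = r"""# extended LDIF
#
# replica1-to-replica2, replica, dc\3Dexample\2Cdc\3Dtest, mapping tree, conf
 ig
dn: cn=replica1-to-replica2,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping
  tree,cn=config
cn: replica1-to-replica2
nsDS5ReplicaHost: replica2.example.test
objectClass: nsds5replicationagreement
objectClass: ipaReplTopoManagedAgreement
nsds5replicaChangesSentSinceStartup:: MzI6MjIvMjEg
nsds5replicaLastUpdateStatusJSON: {"state": "green", "ldap_rc": "0", "messag
 e": "Error (0) Replica acquired successfully: Incremental update succeeded"}

dn: cn=meToreplica3,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=
 config
cn: meToreplica3
nsDS5ReplicaHost: replica3.example.test
objectClass: nsds5replicationagreement
objectClass: top
nsds5replicaLastUpdateStatusJSON: {"state": "red", "ldap_rc": "-1", "ldap_rc_t
 ext": "Can't contact LDAP server", "message": "Error (-1) Problem connecting
  to replica"}

# search result
search: 2
result: 0 Success
"""


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space
    continues the previous line, and that one space is dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return a list of {lowercased attribute: [values]} dicts, one per entry.
    Comment lines and the trailing 'search/result' block (no dn) are skipped."""
    entries, current = [], {}
    for line in unfold(text) + [""]:          # trailing "" flushes last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def triage(text):
    """Summarise each replication agreement found in the LDIF."""
    rows = []
    for entry in parse_entries(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "nsds5replicationagreement" not in classes:
            continue
        try:
            status = json.loads(entry.get("nsds5replicalastupdatestatusjson", [""])[0])
        except ValueError:                    # attribute missing or not JSON
            status = {}
        rows.append({
            "cn": entry["cn"][0],
            "host": entry.get("nsds5replicahost", ["?"])[0],
            # Agreements with this object class are the topology-managed ones.
            "managed": "ipatopo".replace("ipatopo", "iparepltopomanagedagreement") in classes,
            "state": status.get("state", "unknown"),
            "message": status.get("message", ""),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LDIF):
        flag = "topology-managed" if row["managed"] else "not topology-managed"
        print(f'{row["cn"]} -> {row["host"]}: {flag}, {row["state"]}: {row["message"]}')
```
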

Sorry I was busy and it took me so long. Thanks for the help.
The primary FreeIPA server has a strange failure, the Kerberos cert being expired, and doesn't let you log in to the web GUI. After several hours or days trying to fix it, my colleague gave up. Since it still runs, except for the login, and the replica (this server) allows the login via web, and we tried all suggestions we found, did not get help in the forum and don't have endless hours of spare time and backups of both servers, this is the state for the last 10 months. Now, a week ago this new problem occurs. Till then everything worked 'fine'.

Line 52 is a try statement in my tree. Can you provide the line(s) you commented out?

I commented out the whole try statement, the server.upgrade() alone did not work and I don't have time to have a detailed look into every function.

#        try:
#            server.upgrade_check(self.options)
#            server.upgrade()
#        except RuntimeError as e:
#            raise admintool.ScriptError(str(e))

Can you provide the output of ldapsearch -D "cn=directory manager" -W -b "cn=mapping tree,cn=config" -s sub "(&(objectclass=nsds5ReplicationAgreement)(nsDS5ReplicaRoot=dc=ipa,dc=test))"

# extended LDIF
#
# LDAPv3
# base <cn=mapping tree,cn=config> with scope subtree
# filter: (&(objectclass=nsds5ReplicationAgreement)(nsDS5ReplicaRoot=dc=ipa,dc=test))
# requesting: ALL
#

# servername-to-primaryservername, replica, dc\3Dipa\2Cdc\3Dtest
, mapping tree, config
dn: cn=servername-to-primaryservername,cn=replica,cn=dc\3Dipa\2Cdc\3Dtest
,cn=mapping tree,cn=config
cn: servername-to-primaryservername
description: servername to primaryservername
ipaReplTopoManagedAgreementState: managed agreement - generated by topology pl
 ugin
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicaHost: primaryservername
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: dc=ipa,dc=test
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
nsds50ruv: {replicageneration} 5e0a15e3000000200000
nsds50ruv: {replica 6 ldap://primaryservername:389} 5e0a29c9000000060000 6
 478b04b000000060000
nsds50ruv: {replica 37 ldap://servername-offline2:389} 63515d0c00010025000
 0 63561e19000200250000
nsds50ruv: {replica 32 ldap://servername:389} 5e0a177c00010020000
 0 647927ef000000200000
nsds50ruv: {replica 36 ldap://servername-offline1:389} 635150da00020024000
 0 6355b881000200240000
nsds5ReplicaEnabled: on
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
 ternalModifyTimestamp
nsds5replicaTimeout: 300
nsruvReplicaLastModified: {replica 6 ldap://primaryservername:389} 0000000
 0
nsruvReplicaLastModified: {replica 37 ldap://servername-offline2:389} 0000
 0000
nsruvReplicaLastModified: {replica 32 ldap://servername:389} 0000
 0000
nsruvReplicaLastModified: {replica 36 ldap://servername-offline1:389} 0000
 0000
objectClass: nsds5replicationagreement
objectClass: ipaReplTopoManagedAgreement
objectClass: top
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20230602172453Z
nsds5replicaLastUpdateEnd: 20230602172453Z
nsds5replicaChangesSentSinceStartup:: MzI6MjIvMjEg
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Increme
 ntal update succeeded
nsds5replicaLastUpdateStatusJSON: {"state": "green", "ldap_rc": "0", "ldap_rc_
 text": "Success", "repl_rc": "0", "repl_rc_text": "replica acquired", "date":
  "2023-06-02T17:24:53Z", "message": "Error (0) Replica acquired successfully:
  Incremental update succeeded"}
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z

# meToservername-offline1, replica, dc\3Dipa\2Cdc\3Dtest, mapp
 ing tree, config
dn: cn=meToservername-offline1,cn=replica,cn=dc\3Dipa\2Cdc\3Dtest
,cn=mapping tree,cn=config
cn: meToservername-offline1
description: me to servername-offline1
ipaReplTopoManagedAgreementState: managed agreement - controlled by topology p
 lugin
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicaHost: servername-offline1
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot: dc=ipa,dc=test
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
nsds50ruv: {replicageneration} 5e0a15e3000000200000
nsds50ruv: {replica 36 ldap://servername-offline1:389} 635150da00020024000
 0 63561f46000000240000
nsds50ruv: {replica 32 ldap://servername:389} 5e0a177c00010020000
 0 6355dae1000300200000
nsds50ruv: {replica 6 ldap://primaryservername:389} 5e0a29c9000000060000 6
 35422d9000100060000
nsds50ruv: {replica 37 ldap://servername-offline2:389} 63515d0c00010025000
 0 63561e19000200250000
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName in
 ternalModifyTimestamp
nsds5replicaTimeout: 120
nsruvReplicaLastModified: {replica 36 ldap://servername-offline1:389} 0000
 0000
nsruvReplicaLastModified: {replica 32 ldap://servername:389} 0000
 0000
nsruvReplicaLastModified: {replica 6 ldap://primaryservername:389} 0000000
 0
nsruvReplicaLastModified: {replica 37 ldap://servername-offline2:389} 0000
 0000
objectClass: nsds5replicationagreement
objectClass: top
objectClass: ipaReplTopoManagedAgreement
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 19700101000000Z
nsds5replicaLastUpdateEnd: 19700101000000Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: Error (-1) Problem connecting to replica - LDAP 
 error: Can't contact LDAP server (connection error)
nsds5replicaLastUpdateStatusJSON: {"state": "red", "ldap_rc": "-1", "ldap_rc_t
 ext": "Can't contact LDAP server", "repl_rc": "16", "repl_rc_text": "connecti
 on error", "date": "2023-06-02T17:33:57Z", "message": "Error (-1) Problem con
 necting to replica - LDAP error: Can't contact LDAP server (connection error)
 "}
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 19700101000000Z
nsds5replicaLastInitEnd: 19700101000000Z

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Can you paste the content of /var/log/ipaupgrade.log?

I'm not really sure where one run starts and the other ends, but that's a lot of code:

2023-05-26T10:39:47Z DEBUG Process finished, return code=0
2023-05-26T10:39:47Z DEBUG stdout=
2023-05-26T10:39:47Z DEBUG stderr=
2023-05-26T10:39:47Z DEBUG Starting external process
2023-05-26T10:39:47Z DEBUG args=['/bin/systemctl', 'is-active', 'dirsrv@DOMAINNAME.service']
2023-05-26T10:39:47Z DEBUG Process finished, return code=0
2023-05-26T10:39:47Z DEBUG stdout=active
2023-05-26T10:39:47Z DEBUG stderr=
2023-05-26T10:39:47Z DEBUG wait_for_open_ports: localhost [389] timeout 120
2023-05-26T10:39:47Z DEBUG waiting for port: 389
2023-05-26T10:39:47Z DEBUG SUCCESS: port: 389
2023-05-26T10:39:47Z DEBUG Start of dirsrv@DOMAINNAME.service complete
2023-05-26T10:39:47Z DEBUG Created connection context.ldap2_140530175559720
2023-05-26T10:39:47Z INFO [Enable sidgen and extdom plugins by default]
2023-05-26T10:39:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:47Z DEBUG sidgen and extdom plugins are enabled already
2023-05-26T10:39:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:47Z DEBUG graceperiod is enabled already
2023-05-26T10:39:47Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-DOMAINNAME.socket from SchemaCache
2023-05-26T10:39:47Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-DOMAINNAME.socket conn=<ldap.ldapobject.SimpleLDAPO
bject object at 0x7fcfba96e470>
2023-05-26T10:39:47Z DEBUG Starting external process
2023-05-26T10:39:47Z DEBUG args=['/bin/systemctl', 'stop', 'httpd.service']
2023-05-26T10:39:47Z DEBUG Process finished, return code=0
2023-05-26T10:39:47Z DEBUG stdout=
2023-05-26T10:39:47Z DEBUG stderr=
2023-05-26T10:39:47Z DEBUG Stop of httpd.service complete
2023-05-26T10:39:47Z INFO [Updating HTTPD service IPA configuration]
2023-05-26T10:39:47Z DEBUG Starting external process
2023-05-26T10:39:47Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-05-26T10:39:47Z DEBUG Process finished, return code=0
2023-05-26T10:39:47Z DEBUG stdout=
2023-05-26T10:39:47Z DEBUG stderr=
2023-05-26T10:39:47Z DEBUG Starting external process
2023-05-26T10:39:47Z DEBUG args=['/sbin/restorecon', '/etc/systemd/system/httpd.service.d/ipa.conf']
2023-05-26T10:39:47Z DEBUG Process finished, return code=0
2023-05-26T10:39:47Z DEBUG stdout=
2023-05-26T10:39:47Z DEBUG stderr=
2023-05-26T10:39:47Z DEBUG Starting external process
2023-05-26T10:39:47Z DEBUG args=['/bin/systemctl', '--system', 'daemon-reload']
2023-05-26T10:39:47Z DEBUG Process finished, return code=0
2023-05-26T10:39:47Z DEBUG stdout=
2023-05-26T10:39:47Z DEBUG stderr=
2023-05-26T10:39:47Z INFO [Updating HTTPD service IPA WSGI configuration]
2023-05-26T10:39:47Z INFO Nothing to do for configure_httpd_wsgi_conf
2023-05-26T10:39:47Z INFO [Migrating from mod_nss to mod_ssl]
2023-05-26T10:39:47Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:47Z INFO Already migrated to mod_ssl
2023-05-26T10:39:47Z INFO [Moving HTTPD service keytab to gssproxy]
2023-05-26T10:39:47Z DEBUG Starting external process
2023-05-26T10:39:47Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-05-26T10:39:47Z DEBUG Process finished, return code=0
2023-05-26T10:39:47Z DEBUG stdout=
2023-05-26T10:39:47Z DEBUG stderr=
2023-05-26T10:39:47Z DEBUG Starting external process
2023-05-26T10:39:47Z DEBUG args=['/sbin/restorecon', '/etc/gssproxy/10-ipa.conf']
2023-05-26T10:39:47Z DEBUG Process finished, return code=0
2023-05-26T10:39:47Z DEBUG stdout=
2023-05-26T10:39:47Z DEBUG stderr=
2023-05-26T10:39:47Z DEBUG Starting external process
2023-05-26T10:39:47Z DEBUG args=['/bin/systemctl', 'restart', 'gssproxy.service']
2023-05-26T10:39:48Z DEBUG Process finished, return code=0
2023-05-26T10:39:48Z DEBUG stdout=
2023-05-26T10:39:48Z DEBUG stderr=
2023-05-26T10:39:48Z DEBUG Starting external process
2023-05-26T10:39:48Z DEBUG args=['/bin/systemctl', 'is-active', 'gssproxy.service']
2023-05-26T10:39:48Z DEBUG Process finished, return code=0
2023-05-26T10:39:48Z DEBUG stdout=active
2023-05-26T10:39:48Z DEBUG stderr=
2023-05-26T10:39:48Z DEBUG Restart of gssproxy.service complete
2023-05-26T10:39:48Z DEBUG Starting external process
2023-05-26T10:39:48Z DEBUG args=['/bin/systemctl', 'start', 'httpd.service']
2023-05-26T10:39:49Z DEBUG Process finished, return code=0
2023-05-26T10:39:49Z DEBUG stdout=
2023-05-26T10:39:49Z DEBUG stderr=
2023-05-26T10:39:49Z DEBUG Starting external process
2023-05-26T10:39:49Z DEBUG args=['/bin/systemctl', 'is-active', 'httpd.service']
2023-05-26T10:39:49Z DEBUG Process finished, return code=0
2023-05-26T10:39:49Z DEBUG stdout=active
2023-05-26T10:39:49Z DEBUG stderr=
2023-05-26T10:39:49Z DEBUG Start of httpd.service complete
2023-05-26T10:39:49Z INFO [Removing self-signed CA]
2023-05-26T10:39:49Z DEBUG Self-signed CA is not installed
2023-05-26T10:39:49Z INFO [Removing Dogtag 9 CA]
2023-05-26T10:39:49Z DEBUG Dogtag is version 10 or above
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:49Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:49Z INFO [Checking for deprecated KDC configuration files]
2023-05-26T10:39:49Z INFO [Checking for deprecated backups of Samba configuration files]
2023-05-26T10:39:49Z DEBUG raw: ca_is_enabled(version='2.251')
2023-05-26T10:39:49Z DEBUG ca_is_enabled(version='2.251')
2023-05-26T10:39:49Z DEBUG raw: kra_is_enabled(version='2.251')
2023-05-26T10:39:49Z DEBUG kra_is_enabled(version='2.251')
2023-05-26T10:39:49Z DEBUG Cleaning up after pkispawn for the CA subsystem
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:49Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2023-05-26T10:39:49Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2023-05-26T10:39:49Z INFO [Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
2023-05-26T10:39:49Z DEBUG Starting external process
2023-05-26T10:39:49Z DEBUG args=['/usr/bin/net', 'conf', 'setparm', 'global', 'dedicated keytab file', '/etc/samba/samba.keytab']
2023-05-26T10:39:49Z DEBUG Process finished, return code=0
2023-05-26T10:39:49Z DEBUG stdout=
2023-05-26T10:39:49Z DEBUG stderr=
2023-05-26T10:39:49Z INFO [Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification]
2023-05-26T10:39:49Z DEBUG Starting external process
2023-05-26T10:39:49Z DEBUG args=['/usr/bin/net', 'conf', 'getparm', 'global', 'max smbd processes']
2023-05-26T10:39:49Z DEBUG Process finished, return code=0
2023-05-26T10:39:49Z DEBUG stdout=1000
2023-05-26T10:39:49Z DEBUG stderr=
2023-05-26T10:39:49Z INFO [Change 'server role' from 'CLASSIC PRIMARY DOMAIN CONTROLLER' to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration]
2023-05-26T10:39:49Z DEBUG Starting external process
2023-05-26T10:39:49Z DEBUG args=['/usr/bin/net', 'conf', 'setparm', 'global', 'server role', 'IPA PRIMARY DOMAIN CONTROLLER']
2023-05-26T10:39:49Z DEBUG Process finished, return code=0
2023-05-26T10:39:49Z DEBUG stdout=
2023-05-26T10:39:49Z DEBUG stderr=
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:49Z INFO dnssec-validation yes
2023-05-26T10:39:49Z INFO [Add missing CA DNS records]
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z INFO IPA CA DNS records already processed
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Starting external process
2023-05-26T10:39:49Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service']
2023-05-26T10:39:49Z DEBUG Process finished, return code=3
2023-05-26T10:39:49Z DEBUG stdout=inactive
2023-05-26T10:39:49Z DEBUG stderr=
2023-05-26T10:39:49Z DEBUG Starting external process
2023-05-26T10:39:49Z DEBUG args=['/bin/systemctl', 'start', 'named-pkcs11.service']
2023-05-26T10:39:50Z DEBUG Process finished, return code=0
2023-05-26T10:39:50Z DEBUG stdout=
2023-05-26T10:39:50Z DEBUG stderr=
2023-05-26T10:39:50Z DEBUG Starting external process
2023-05-26T10:39:50Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service']
2023-05-26T10:39:50Z DEBUG Process finished, return code=0
2023-05-26T10:39:50Z DEBUG stdout=active
2023-05-26T10:39:50Z DEBUG stderr=
2023-05-26T10:39:50Z DEBUG Start of named-pkcs11.service complete
2023-05-26T10:39:50Z DEBUG /etc/named.conf is unmodified
2023-05-26T10:39:50Z INFO named user config '/etc/named/ipa-ext.conf' already exists
2023-05-26T10:39:50Z INFO named user config '/etc/named/ipa-options-ext.conf' already exists
2023-05-26T10:39:50Z INFO named user config '/etc/named/ipa-logging-ext.conf' already exists
2023-05-26T10:39:50Z DEBUG Starting external process
2023-05-26T10:39:50Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service']
2023-05-26T10:39:50Z DEBUG Process finished, return code=0
2023-05-26T10:39:50Z DEBUG stdout=active
2023-05-26T10:39:50Z DEBUG stderr=
2023-05-26T10:39:50Z DEBUG Starting external process
2023-05-26T10:39:50Z DEBUG args=['/bin/systemctl', 'restart', 'named-pkcs11.service']
2023-05-26T10:39:51Z DEBUG Process finished, return code=0
2023-05-26T10:39:51Z DEBUG stdout=
2023-05-26T10:39:51Z DEBUG stderr=
2023-05-26T10:39:51Z DEBUG Starting external process
2023-05-26T10:39:51Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service']
2023-05-26T10:39:51Z DEBUG Process finished, return code=0
2023-05-26T10:39:51Z DEBUG stdout=active
2023-05-26T10:39:51Z DEBUG stderr=
2023-05-26T10:39:51Z DEBUG Restart of named-pkcs11.service complete
2023-05-26T10:39:51Z DEBUG Starting external process
2023-05-26T10:39:51Z DEBUG args=['/bin/systemctl', 'stop', 'named-pkcs11.service']
2023-05-26T10:39:51Z DEBUG Process finished, return code=0
2023-05-26T10:39:51Z DEBUG stdout=
2023-05-26T10:39:51Z DEBUG stderr=
2023-05-26T10:39:51Z DEBUG Stop of named-pkcs11.service complete
2023-05-26T10:39:51Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:51Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2023-05-26T10:39:51Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:51Z INFO [Upgrading CA schema]
2023-05-26T10:39:52Z DEBUG Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
2023-05-26T10:39:52Z DEBUG Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
2023-05-26T10:39:52Z DEBUG    with: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.
121.1.26 SINGLE-VALUE X-ORIGIN 'user-defined' )
2023-05-26T10:39:52Z DEBUG Schema modlist:
[(0,
  'attributetypes',
  [b"( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority k"
   b"ey nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN "
   b"'user-defined' )"])]
2023-05-26T10:39:52Z DEBUG update_entry modlist [(0, 'attributetypes', [b"( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key
nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user-defined' )"])]
2023-05-26T10:39:52Z DEBUG Processing schema LDIF file /usr/share/pki/acme/database/ldap/schema.ldif
2023-05-26T10:39:52Z DEBUG Replace: ( acmeStatus-oid NAME 'acmeStatus'  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-
ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeStatus-oid NAME 'acmeStatus' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-O
RIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeExpires-oid NAME 'acmeExpires'  EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeExpires-oid NAME 'acmeExpires' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1
.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeAccountKey-oid NAME 'acmeAccountKey'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.
9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeAccountKey-oid NAME 'acmeAccountKey' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.1
1' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeError-oid NAME 'acmeError'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'use
r defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeError-oid NAME 'acmeError' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeAuthorizationId-oid NAME 'acmeAuthorizationId'  SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstrin
gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeAuthorizationId-oid NAME 'acmeAuthorizationId' SUP name X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeCertificateId-oid NAME 'acmeCertificateId'  EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI
NGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeCertificateId-oid NAME 'acmeCertificateId' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SIN
GLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeIdentifier-oid NAME 'acmeIdentifier'  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGI
N ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeIdentifier-oid NAME 'acmeIdentifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN
 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeEnabled-oid NAME 'acmeEnabled'  EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-OR
IGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeEnabled-oid NAME 'acmeEnabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORI
GIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeValidatedAt-oid NAME 'acmeValidatedAt'  EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeValidatedAt-oid NAME 'acmeValidatedAt' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeAccountContact-oid NAME 'acmeAccountContact'  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYN
TAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeAccountContact-oid NAME 'acmeAccountContact' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNT
AX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeChallengeId-oid NAME 'acmeChallengeId'  SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeChallengeId-oid NAME 'acmeChallengeId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeAccountId-oid NAME 'acmeAccountId'  SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNT
AX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeAccountId-oid NAME 'acmeAccountId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeOrderId-oid NAME 'acmeOrderId'  SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1
.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeOrderId-oid NAME 'acmeOrderId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeNonceId-oid NAME 'acmeNonceId'  SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1
.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeNonceId-oid NAME 'acmeNonceId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeToken-oid NAME 'acmeToken'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.9.11' 'user defined' )
)
2023-05-26T10:39:52Z DEBUG    with: ( acmeToken-oid NAME 'acmeToken' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard'  EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.1
15.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.11
5.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeCreated-oid NAME 'acmeCreated'  EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX
2023-05-26T10:39:52Z DEBUG    with: ( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.11
5.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeCreated-oid NAME 'acmeCreated'  EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX
N ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeIdentifier-oid NAME 'acmeIdentifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN
 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeEnabled-oid NAME 'acmeEnabled'  EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-OR
IGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeEnabled-oid NAME 'acmeEnabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORI
GIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeValidatedAt-oid NAME 'acmeValidatedAt'  EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeValidatedAt-oid NAME 'acmeValidatedAt' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeAccountContact-oid NAME 'acmeAccountContact'  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYN
TAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeAccountContact-oid NAME 'acmeAccountContact' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNT
AX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeChallengeId-oid NAME 'acmeChallengeId'  SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeChallengeId-oid NAME 'acmeChallengeId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeAccountId-oid NAME 'acmeAccountId'  SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNT
AX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeAccountId-oid NAME 'acmeAccountId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeOrderId-oid NAME 'acmeOrderId'  SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1
.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeOrderId-oid NAME 'acmeOrderId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeNonceId-oid NAME 'acmeNonceId'  SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1
.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeNonceId-oid NAME 'acmeNonceId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeToken-oid NAME 'acmeToken'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.9.11' 'user defined' )
)
2023-05-26T10:39:52Z DEBUG    with: ( acmeToken-oid NAME 'acmeToken' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard'  EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.1
15.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.11
5.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeCreated-oid NAME 'acmeCreated'  EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX
2023-05-26T10:39:49Z DEBUG args=['/usr/bin/net', 'conf', 'setparm', 'global', 'dedicated keytab file', '/etc/samba/samba.keytab']
2023-05-26T10:39:49Z DEBUG Process finished, return code=0
2023-05-26T10:39:49Z DEBUG stdout=
2023-05-26T10:39:49Z DEBUG stderr=
2023-05-26T10:39:49Z INFO [Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification]
2023-05-26T10:39:49Z DEBUG Starting external process
2023-05-26T10:39:49Z DEBUG args=['/usr/bin/net', 'conf', 'getparm', 'global', 'max smbd processes']
2023-05-26T10:39:49Z DEBUG Process finished, return code=0
2023-05-26T10:39:49Z DEBUG stdout=1000
2023-05-26T10:39:49Z DEBUG stderr=
2023-05-26T10:39:49Z INFO [Change 'server role' from 'CLASSIC PRIMARY DOMAIN CONTROLLER' to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration]
2023-05-26T10:39:49Z DEBUG Starting external process
2023-05-26T10:39:49Z DEBUG args=['/usr/bin/net', 'conf', 'setparm', 'global', 'server role', 'IPA PRIMARY DOMAIN CONTROLLER']
2023-05-26T10:39:49Z DEBUG Process finished, return code=0
2023-05-26T10:39:49Z DEBUG stdout=
2023-05-26T10:39:49Z DEBUG stderr=
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:49Z INFO dnssec-validation yes
2023-05-26T10:39:49Z INFO [Add missing CA DNS records]
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z INFO IPA CA DNS records already processed
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:49Z DEBUG Starting external process
2023-05-26T10:39:49Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service']
2023-05-26T10:39:49Z DEBUG Process finished, return code=3
2023-05-26T10:39:49Z DEBUG stdout=inactive
2023-05-26T10:39:49Z DEBUG stderr=
2023-05-26T10:39:49Z DEBUG Starting external process
2023-05-26T10:39:49Z DEBUG args=['/bin/systemctl', 'start', 'named-pkcs11.service']
2023-05-26T10:39:50Z DEBUG Process finished, return code=0
2023-05-26T10:39:50Z DEBUG stdout=
2023-05-26T10:39:50Z DEBUG stderr=
2023-05-26T10:39:50Z DEBUG Starting external process
2023-05-26T10:39:50Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service']
2023-05-26T10:39:50Z DEBUG Process finished, return code=0
2023-05-26T10:39:50Z DEBUG stdout=active
2023-05-26T10:39:50Z DEBUG stderr=
2023-05-26T10:39:50Z DEBUG Start of named-pkcs11.service complete
2023-05-26T10:39:50Z DEBUG /etc/named.conf is unmodified
2023-05-26T10:39:50Z INFO named user config '/etc/named/ipa-ext.conf' already exists
2023-05-26T10:39:50Z INFO named user config '/etc/named/ipa-options-ext.conf' already exists
2023-05-26T10:39:50Z INFO named user config '/etc/named/ipa-logging-ext.conf' already exists
2023-05-26T10:39:50Z DEBUG Starting external process
2023-05-26T10:39:50Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service']
2023-05-26T10:39:50Z DEBUG Process finished, return code=0
2023-05-26T10:39:50Z DEBUG stdout=active
2023-05-26T10:39:50Z DEBUG stderr=
2023-05-26T10:39:50Z DEBUG Starting external process
2023-05-26T10:39:50Z DEBUG args=['/bin/systemctl', 'restart', 'named-pkcs11.service']
2023-05-26T10:39:51Z DEBUG Process finished, return code=0
2023-05-26T10:39:51Z DEBUG stdout=
2023-05-26T10:39:51Z DEBUG stderr=
2023-05-26T10:39:51Z DEBUG Starting external process
2023-05-26T10:39:51Z DEBUG args=['/bin/systemctl', 'is-active', 'named-pkcs11.service']
2023-05-26T10:39:51Z DEBUG Process finished, return code=0
2023-05-26T10:39:51Z DEBUG stdout=active
2023-05-26T10:39:51Z DEBUG stderr=
2023-05-26T10:39:51Z DEBUG Restart of named-pkcs11.service complete
2023-05-26T10:39:51Z DEBUG Starting external process
2023-05-26T10:39:51Z DEBUG args=['/bin/systemctl', 'stop', 'named-pkcs11.service']
2023-05-26T10:39:51Z DEBUG Process finished, return code=0
2023-05-26T10:39:51Z DEBUG stdout=
2023-05-26T10:39:51Z DEBUG stderr=
2023-05-26T10:39:51Z DEBUG Stop of named-pkcs11.service complete
2023-05-26T10:39:51Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-05-26T10:39:51Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2023-05-26T10:39:51Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:51Z INFO [Upgrading CA schema]
2023-05-26T10:39:52Z DEBUG Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
2023-05-26T10:39:52Z DEBUG Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
2023-05-26T10:39:52Z DEBUG Replace: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.
121.1.26 SINGLE-VALUE X-ORIGIN ( 'user-defined' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.
121.1.26 SINGLE-VALUE X-ORIGIN 'user-defined' )
2023-05-26T10:39:52Z DEBUG Schema modlist:
[(0,
  'attributetypes',
  [b"( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority k"
   b"ey nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN "
   b"'user-defined' )"])]
2023-05-26T10:39:52Z DEBUG update_entry modlist [(0, 'attributetypes', [b"( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key
nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user-defined' )"])]
2023-05-26T10:39:52Z DEBUG Processing schema LDIF file /usr/share/pki/acme/database/ldap/schema.ldif
2023-05-26T10:39:52Z DEBUG Replace: ( acmeStatus-oid NAME 'acmeStatus'  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-
ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeStatus-oid NAME 'acmeStatus' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-O
RIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeExpires-oid NAME 'acmeExpires'  EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeExpires-oid NAME 'acmeExpires' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1
.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeAccountKey-oid NAME 'acmeAccountKey'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.
9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeAccountKey-oid NAME 'acmeAccountKey' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.1
1' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeError-oid NAME 'acmeError'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'use
r defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeError-oid NAME 'acmeError' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeAuthorizationId-oid NAME 'acmeAuthorizationId'  SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstrin
gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeAuthorizationId-oid NAME 'acmeAuthorizationId' SUP name X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeCertificateId-oid NAME 'acmeCertificateId'  EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI
NGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeCertificateId-oid NAME 'acmeCertificateId' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SIN
GLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeIdentifier-oid NAME 'acmeIdentifier'  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGI
N ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeIdentifier-oid NAME 'acmeIdentifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN
 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeEnabled-oid NAME 'acmeEnabled'  EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-OR
IGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeEnabled-oid NAME 'acmeEnabled' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORI
GIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeValidatedAt-oid NAME 'acmeValidatedAt'  EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeValidatedAt-oid NAME 'acmeValidatedAt' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeAccountContact-oid NAME 'acmeAccountContact'  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYN
TAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeAccountContact-oid NAME 'acmeAccountContact' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNT
AX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeChallengeId-oid NAME 'acmeChallengeId'  SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeChallengeId-oid NAME 'acmeChallengeId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeAccountId-oid NAME 'acmeAccountId'  SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNT
AX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeAccountId-oid NAME 'acmeAccountId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeOrderId-oid NAME 'acmeOrderId'  SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1
.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeOrderId-oid NAME 'acmeOrderId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeNonceId-oid NAME 'acmeNonceId'  SUP name EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1
.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeNonceId-oid NAME 'acmeNonceId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeToken-oid NAME 'acmeToken'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN ( 'IPA v4.9.11' 'user defined' )
)
2023-05-26T10:39:52Z DEBUG    with: ( acmeToken-oid NAME 'acmeToken' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard'  EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.1
15.121.1.7 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.11
5.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Replace: ( acmeCreated-oid NAME 'acmeCreated'  EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:52Z DEBUG    with: ( acmeCreated-oid NAME 'acmeCreated' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1
.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:52Z DEBUG Schema modlist:
[(0,
  'attributetypes',
  [b"( acmeStatus-oid NAME 'acmeStatus' EQUALITY caseIgnoreMatch SYNTAX 1.3.6"
   b".1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )",
   b"( acmeExpires-oid NAME 'acmeExpires' EQUALITY generalizedTimeMatch ORDER"
   b'ING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SI'
   b"NGLE-VALUE X-ORIGIN 'IPA v4.9.11' )",
   b"( acmeAccountKey-oid NAME 'acmeAccountKey' SYNTAX 1.3.6.1.4.1.1466.115.1"
   b"21.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )",
   b"( acmeError-oid NAME 'acmeError' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI"
   b"NGLE-VALUE X-ORIGIN 'IPA v4.9.11' )",
   b"( acmeAuthorizationId-oid NAME 'acmeAuthorizationId' SUP name X-ORIGIN '"
   b"IPA v4.9.11' )",
   b"( acmeCertificateId-oid NAME 'acmeCertificateId' EQUALITY caseExactMatch"
   b" SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11"
   b"' )",
   b"( acmeIdentifier-oid NAME 'acmeIdentifier' EQUALITY caseIgnoreMatch SYNT"
   b"AX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' )",
   b"( acmeEnabled-oid NAME 'acmeEnabled' EQUALITY booleanMatch SYNTAX 1.3.6."
   b"1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )",
   b"( acmeValidatedAt-oid NAME 'acmeValidatedAt' EQUALITY generalizedTimeMat"
   b'ch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121'
   b".1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )",
   b"( acmeAccountContact-oid NAME 'acmeAccountContact' EQUALITY caseIgnoreMa"
   b'tch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1'
   b"5 X-ORIGIN 'IPA v4.9.11' )",
   b"( acmeChallengeId-oid NAME 'acmeChallengeId' SUP name SINGLE-VALUE X-ORI"
   b"GIN 'IPA v4.9.11' )",
   b"( acmeAccountId-oid NAME 'acmeAccountId' SUP name SINGLE-VALUE X-ORIGIN "
   b"'IPA v4.9.11' )",
   b"( acmeOrderId-oid NAME 'acmeOrderId' SUP name SINGLE-VALUE X-ORIGIN 'IPA"
   b" v4.9.11' )",
   b"( acmeNonceId-oid NAME 'acmeNonceId' SUP name SINGLE-VALUE X-ORIGIN 'IPA"
   b" v4.9.11' )",
   b"( acmeToken-oid NAME 'acmeToken' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-"
   b"ORIGIN 'IPA v4.9.11' )",
   b"( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard' EQUALIT"
   b'Y booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN'
   b" 'IPA v4.9.11' )",
   b"( acmeCreated-oid NAME 'acmeCreated' EQUALITY generalizedTimeMatch ORDER"
   b'ING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SI'
   b"NGLE-VALUE X-ORIGIN 'IPA v4.9.11' )"])]
2023-05-26T10:39:53Z DEBUG update_entry modlist [(0, 'attributetypes', [b"( acmeStatus-oid NAME 'acmeStatus' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.
4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeExpires-oid NAME 'acmeExpires' EQUALITY generalizedTimeMatch ORDERING generaliz
edTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeAccountKey-oid NAME 'acmeAccountKey' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeError-oid NAME 'acmeError' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-
VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeAuthorizationId-oid NAME 'acmeAuthorizationId' SUP name X-ORIGIN 'IPA v4.9.11' )", b"( acmeCertificateId-oid
 NAME 'acmeCertificateId' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeIdentifier-oid
 NAME 'acmeIdentifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.9.11' )", b"( acmeEnabled-oid NAME 'acmeEnabled
' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeValidatedAt-oid NAME 'acmeValidatedAt' EQ
UALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( ac
meAccountContact-oid NAME 'acmeAccountContact' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGI
N 'IPA v4.9.11' )", b"( acmeChallengeId-oid NAME 'acmeChallengeId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeAccountId-oid NAME 'acmeA
ccountId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeOrderId-oid NAME 'acmeOrderId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"
( acmeNonceId-oid NAME 'acmeNonceId' SUP name SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeToken-oid NAME 'acmeToken' SYNTAX 1.3.6.1.4.1.1466.115.
121.1.15 X-ORIGIN 'IPA v4.9.11' )", b"( acmeAuthorizationWildcard-oid NAME 'acmeAuthorizationWildcard' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.
115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )", b"( acmeCreated-oid NAME 'acmeCreated' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrde
ringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA v4.9.11' )"])]
2023-05-26T10:39:53Z DEBUG Replace: ( acmeOrder-oid NAME 'acmeOrder' SUP top STRUCTURAL MUST ( acmeOrderId $ acmeAccountId $ acmeCreated $ acmeStatus
 $ acmeIdentifier $ acmeAuthorizationId ) MAY ( acmeError $ acmeCertificateId $ acmeExpires ) X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:53Z DEBUG    with: ( acmeOrder-oid NAME 'acmeOrder' SUP top STRUCTURAL MUST ( acmeOrderId $ acmeAccountId $ acmeCreated $ acmeStatus
 $ acmeIdentifier $ acmeAuthorizationId ) MAY ( acmeError $ acmeCertificateId $ acmeExpires ) X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:53Z DEBUG Replace: ( acmeAccount-oid NAME 'acmeAccount' SUP top STRUCTURAL MUST ( acmeAccountId $ acmeCreated $ acmeAccountKey $ acm
eStatus ) MAY acmeAccountContact X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:53Z DEBUG    with: ( acmeAccount-oid NAME 'acmeAccount' SUP top STRUCTURAL MUST ( acmeAccountId $ acmeCreated $ acmeAccountKey $ acm
eStatus ) MAY acmeAccountContact X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:53Z DEBUG Replace: ( acmeAuthorization-oid NAME 'acmeAuthorization' SUP top STRUCTURAL MUST ( acmeAuthorizationId $ acmeAccountId $
acmeCreated $ acmeIdentifier $ acmeAuthorizationWildcard $ acmeStatus ) MAY acmeExpires X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:53Z DEBUG    with: ( acmeAuthorization-oid NAME 'acmeAuthorization' SUP top STRUCTURAL MUST ( acmeAuthorizationId $ acmeAccountId $
acmeCreated $ acmeIdentifier $ acmeAuthorizationWildcard $ acmeStatus ) MAY acmeExpires X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:53Z DEBUG Replace: ( acmeNonce-oid NAME 'acmeNonce' SUP top STRUCTURAL MUST ( acmeNonceId $ acmeCreated $ acmeExpires ) X-ORIGIN ( '
IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:53Z DEBUG    with: ( acmeNonce-oid NAME 'acmeNonce' SUP top STRUCTURAL MUST ( acmeNonceId $ acmeCreated $ acmeExpires ) X-ORIGIN 'IP
A v4.9.11' )
2023-05-26T10:39:53Z DEBUG Replace: ( acmeCertificate-oid NAME 'acmeCertificate' SUP top STRUCTURAL MUST ( acmeCertificateId $ acmeCreated $ userCert
ificate ) MAY acmeExpires X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:53Z DEBUG    with: ( acmeCertificate-oid NAME 'acmeCertificate' SUP top STRUCTURAL MUST ( acmeCertificateId $ acmeCreated $ userCert
ificate ) MAY acmeExpires X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:53Z DEBUG Replace: ( acmeChallenge-oid NAME 'acmeChallenge' ABSTRACT MUST ( acmeChallengeId $ acmeAccountId $ acmeAuthorizationId $
acmeStatus ) MAY ( acmeValidatedAt $ acmeError ) X-ORIGIN ( 'IPA v4.9.11' 'user defined' ) )
2023-05-26T10:39:53Z DEBUG    with: ( acmeChallenge-oid NAME 'acmeChallenge' ABSTRACT MUST ( acmeChallengeId $ acmeAccountId $ acmeAuthorizationId $
acmeStatus ) MAY ( acmeValidatedAt $ acmeError ) X-ORIGIN 'IPA v4.9.11' )
2023-05-26T10:39:53Z DEBUG Schema modlist:
[(0,
  'objectclasses',
  [b"( acmeOrder-oid NAME 'acmeOrder' SUP top STRUCTURAL MUST ( acmeOrderId $"
   b' acmeAccountId $ acmeCreated $ acmeStatus $ acmeIdentifier $ acmeAuthori'
   b'zationId ) MAY ( acmeError $ acmeCertificateId $ acmeExpires ) X-ORIGIN '
   b"'IPA v4.9.11' )",
   b"( acmeAccount-oid NAME 'acmeAccount' SUP top STRUCTURAL MUST ( acmeAccou"
   b'ntId $ acmeCreated $ acmeAccountKey $ acmeStatus ) MAY acmeAccountContac'
   b"t X-ORIGIN 'IPA v4.9.11' )",
   b"( acmeAuthorization-oid NAME 'acmeAuthorization' SUP top STRUCTURAL MUST"
   b' ( acmeAuthorizationId $ acmeAccountId $ acmeCreated $ acmeIdentifier $ '
   b"acmeAuthorizationWildcard $ acmeStatus ) MAY acmeExpires X-ORIGIN 'IPA v"
   b"4.9.11' )",
   b"( acmeNonce-oid NAME 'acmeNonce' SUP top STRUCTURAL MUST ( acmeNonceId $"
   b" acmeCreated $ acmeExpires ) X-ORIGIN 'IPA v4.9.11' )",
   b"( acmeCertificate-oid NAME 'acmeCertificate' SUP top STRUCTURAL MUST ( a"
   b'cmeCertificateId $ acmeCreated $ userCertificate ) MAY acmeExpires X-ORI'
   b"GIN 'IPA v4.9.11' )",
   b"( acmeChallenge-oid NAME 'acmeChallenge' ABSTRACT MUST ( acmeChallengeId"
   b' $ acmeAccountId $ acmeAuthorizationId $ acmeStatus ) MAY ( acmeValidate'
   b"dAt $ acmeError ) X-ORIGIN 'IPA v4.9.11' )"])]
2023-05-26T10:39:53Z DEBUG update_entry modlist [(0, 'objectclasses', [b"( acmeOrder-oid NAME 'acmeOrder' SUP top STRUCTURAL MUST ( acmeOrderId $ acm
eAccountId $ acmeCreated $ acmeStatus $ acmeIdentifier $ acmeAuthorizationId ) MAY ( acmeError $ acmeCertificateId $ acmeExpires ) X-ORIGIN 'IPA v4.9
.11' )", b"( acmeAccount-oid NAME 'acmeAccount' SUP top STRUCTURAL MUST ( acmeAccountId $ acmeCreated $ acmeAccountKey $ acmeStatus ) MAY acmeAccount
Contact X-ORIGIN 'IPA v4.9.11' )", b"( acmeAuthorization-oid NAME 'acmeAuthorization' SUP top STRUCTURAL MUST ( acmeAuthorizationId $ acmeAccountId $
 acmeCreated $ acmeIdentifier $ acmeAuthorizationWildcard $ acmeStatus ) MAY acmeExpires X-ORIGIN 'IPA v4.9.11' )", b"( acmeNonce-oid NAME 'acmeNonce
' SUP top STRUCTURAL MUST ( acmeNonceId $ acmeCreated $ acmeExpires ) X-ORIGIN 'IPA v4.9.11' )", b"( acmeCertificate-oid NAME 'acmeCertificate' SUP t
op STRUCTURAL MUST ( acmeCertificateId $ acmeCreated $ userCertificate ) MAY acmeExpires X-ORIGIN 'IPA v4.9.11' )", b"( acmeChallenge-oid NAME 'acmeC
hallenge' ABSTRACT MUST ( acmeChallengeId $ acmeAccountId $ acmeAuthorizationId $ acmeStatus ) MAY ( acmeValidatedAt $ acmeError ) X-ORIGIN 'IPA v4.9
.11' )"])]
2023-05-26T10:39:54Z DEBUG Replace: ( acmeChallengeHttp01-oid NAME 'acmeChallengeHttp01' SUP acmeChallenge STRUCTURAL MUST acmeToken X-ORIGIN ( 'IPA
v4.9.11' 'user defined' ) )
2023-05-26T10:39:54Z DEBUG    with: ( acmeChallengeHttp01-oid NAME 'acmeChallengeHttp01' SUP acmeChallenge STRUCTURAL MUST acmeToken X-ORIGIN 'IPA v4
.9.11' )
2023-05-26T10:39:54Z DEBUG Replace: ( acmeChallengeDns01-oid NAME 'acmeChallengeDns01' SUP acmeChallenge STRUCTURAL MUST acmeToken X-ORIGIN ( 'IPA v4
.9.11' 'user defined' ) )
2023-05-26T10:39:54Z DEBUG    with: ( acmeChallengeDns01-oid NAME 'acmeChallengeDns01' SUP acmeChallenge STRUCTURAL MUST acmeToken X-ORIGIN 'IPA v4.9
.11' )
2023-05-26T10:39:54Z DEBUG Schema modlist:
[(0,
  'objectclasses',
  [b"( acmeChallengeHttp01-oid NAME 'acmeChallengeHttp01' SUP acmeChallenge S"
   b"TRUCTURAL MUST acmeToken X-ORIGIN 'IPA v4.9.11' )",
   b"( acmeChallengeDns01-oid NAME 'acmeChallengeDns01' SUP acmeChallenge STR"
   b"UCTURAL MUST acmeToken X-ORIGIN 'IPA v4.9.11' )"])]
2023-05-26T10:39:54Z DEBUG update_entry modlist [(0, 'objectclasses', [b"( acmeChallengeHttp01-oid NAME 'acmeChallengeHttp01' SUP acmeChallenge STRUC
TURAL MUST acmeToken X-ORIGIN 'IPA v4.9.11' )", b"( acmeChallengeDns01-oid NAME 'acmeChallengeDns01' SUP acmeChallenge STRUCTURAL MUST acmeToken X-OR
IGIN 'IPA v4.9.11' )"])]
2023-05-26T10:39:54Z INFO CA schema update complete
2023-05-26T10:39:54Z DEBUG Starting external process
2023-05-26T10:39:54Z DEBUG args=['/bin/systemctl', 'enable', 'certmonger.service']
2023-05-26T10:39:54Z DEBUG Process finished, return code=0
2023-05-26T10:39:54Z DEBUG stdout=
2023-05-26T10:39:54Z DEBUG stderr=
2023-05-26T10:39:54Z DEBUG Starting external process
2023-05-26T10:39:54Z DEBUG args=['/bin/systemctl', 'is-active', 'dbus.service']
2023-05-26T10:39:54Z DEBUG Process finished, return code=0
2023-05-26T10:39:54Z DEBUG stdout=active
2023-05-26T10:39:54Z DEBUG stderr=
2023-05-26T10:39:54Z DEBUG Starting external process
2023-05-26T10:39:54Z DEBUG args=['/bin/systemctl', 'start', 'certmonger.service']
2023-05-26T10:39:55Z DEBUG Process finished, return code=0
2023-05-26T10:39:55Z DEBUG stdout=
2023-05-26T10:39:55Z DEBUG stderr=
2023-05-26T10:39:55Z DEBUG Starting external process
2023-05-26T10:39:55Z DEBUG args=['/bin/systemctl', 'is-active', 'certmonger.service']
2023-05-26T10:39:55Z DEBUG Process finished, return code=0
2023-05-26T10:39:55Z DEBUG stdout=active
2023-05-26T10:39:55Z DEBUG stderr=
2023-05-26T10:39:55Z DEBUG Start of certmonger.service complete
2023-05-26T10:39:55Z DEBUG Starting external process
2023-05-26T10:39:55Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2023-05-26T10:39:55Z DEBUG Process finished, return code=1
2023-05-26T10:39:55Z DEBUG stdout=
2023-05-26T10:39:55Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2023-05-26T10:39:55Z INFO [Update certmonger certificate renewal configuration]
2023-05-26T10:39:55Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2023-05-26T10:39:55Z DEBUG Starting external process
2023-05-26T10:39:55Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-DOMAINNAME/', '-L', '-n', "servername - Let's Enc
rypt", '-a', '-f', '/etc/dirsrv/slapd-DOMAINNAME/pwdfile.txt']
2023-05-26T10:39:55Z DEBUG Process finished, return code=0
2023-05-26T10:39:55Z DEBUG stdout=-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
servername - Let's Encrypt                                   u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
T-TeleSec GlobalRoot Class 2                                 C,,
DFN-Verein Certification Authority 2                         C,,
DFN-Verein Global Issuing CA                                 C,,
CN=ISRG Root X2,O=Internet Security Research Group,C=US      C,,
CN=E1,O=Let's Encrypt,C=US                                   C,,
primaryservername - Let's Encrypt                            ,,
CN=R4,O=Let's Encrypt,C=US                                   C,,
CN=E2,O=Let's Encrypt,C=US                                   C,,
ISRG Root X1 - Internet Security Research Group              C,,
R3 - Internet Security Research Group                        C,,
2023-05-26T10:39:55Z DEBUG stderr=
2023-05-26T10:39:55Z INFO Certmonger certificate renewal configuration already up-to-date
2023-05-26T10:39:55Z INFO [Enable PKIX certificate path discovery and validation]
2023-05-26T10:39:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2023-05-26T10:39:55Z INFO PKIX already enabled
2023-05-26T10:39:55Z INFO [Authorizing RA Agent to modify profiles]
2023-05-26T10:39:55Z INFO [Authorizing RA Agent to manage lightweight CAs]
2023-05-26T10:39:55Z INFO [Ensuring Lightweight CAs container exists in Dogtag database]
2023-05-26T10:39:55Z INFO [Adding default OCSP URI configuration]
2023-05-26T10:39:55Z INFO [Disabling cert publishing]
2023-05-26T10:39:55Z INFO [Ensuring CA is using LDAPProfileSubsystem]
2023-05-26T10:39:55Z INFO [Migrating certificate profiles to LDAP]
2023-05-26T10:39:56Z DEBUG Profile 'AdminCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'DomainController' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'acmeServerCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caAdminCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caAgentFileSigning' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caAgentServerCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caAuditSigningCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caCACert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caCMCECUserCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caCMCECserverCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caCMCECsubsystemCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caCMCUserCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caCMCauditSigningCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caCMCcaCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caCMCcaCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caCMCkraStorageCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caCMCkraTransportCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caCMCocspCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caCMCserverCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caCMCsubsystemCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caCrossSignedCACert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caDirBasedDualCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caDirPinUserCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caDirUserCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caDirUserRenewal' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caDualCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caDualRAuserCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caECAdminCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caECAgentServerCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caECDirPinUserCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caECDirUserCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caECFullCMCSharedTokenCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caECFullCMCUserCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caECFullCMCUserSignedCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caECInternalAuthServerCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caECInternalAuthSubsystemCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z DEBUG Profile 'caECServerCert' is already in LDAP and enabled; skipping
2023-05-26T10:39:56Z INFO Migrating profile 'caECServerCertWithSCT'
2023-05-26T10:39:56Z DEBUG request GET https://servername:8443/ca/rest/account/login
2023-05-26T10:39:56Z DEBUG request body ''
2023-05-26T10:39:57Z DEBUG response status 404
2023-05-26T10:39:57Z DEBUG response headers Content-Type: text/html;charset=utf-8
Content-Language: de
Content-Length: 795
Date: Fri, 26 May 2023 10:39:57 GMT
2023-05-26T10:39:57Z DEBUG response body (decoded): b'<!doctype html><html lang="de"><head><title>HTTP Status 404 \xe2\x80\x93 nicht gefunden</title>
<style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {fon
t-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body>
<h1>HTTP Status 404 \xe2\x80\x93 nicht gefunden</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [&#47
;ca&#47;rest&#47;account&#47;login] is not available</p><p><b>Beschreibung</b> The origin server did not find a current representation for the target
 resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.50</h3></body></html>'
2023-05-26T10:39:57Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2023-05-26T10:39:57Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2058, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1911, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 458, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2111, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 2165, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1211, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
2023-05-26T10:39:57Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2023-05-26T10:39:57Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
2023-05-26T10:39:57Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information 

Also, this may be unrelated, but your versions show a partial upgrade: the 389-ds package is from 8.7, while ipa-server is from 8.8. We recommend upgrading all the packages (yum update), not only the ipa ones (yum update ipa-server), because we do not test partial upgrades.

In our opinion we have already made way too many yum updates, since experience shows this led to broken systems at least roughly once a year on CentOS 7. Mostly, of course, on weekends when no one is there to fix them. Since this is an internal server we prefer updates on secondary servers, which we can test in advance, so we have a fallback and bleeding edge is not so important. This is a no-go for the identity and access management systems. If you know how we could use FreeIPA more conservatively, please feel free to point us in the right direction.
Basically we need a standard install with a Let's Encrypt certificate, a replica server and backups. Doesn't sound too hard, but still made a lot of work.

Hi @ifdm
based on your command's output I see 2 different issues:

  • the upgrade is trying to update the replication agreements in order to modify the nsDS5ReplicatedAttributeList (the attribute passwordgraceusertime should be excluded from the replication). But the update fails as the replication agreement is managed by the topology plugin. This error is reported but does not prevent the upgrade from continuing. Something to fix in IPA code.

  • the upgrade command is unable to authenticate to PKI. I suspect that your server was initially installed with RHEL 8.0, then upgraded. Can you check if there is this drop-in file on your server:

# cat /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
[Service]
Environment=LC_ALL=C.UTF-8
ExecStartPost=/usr/libexec/ipa/ipa-pki-wait-running

If not, create the directory + file manually, launch systemctl --system daemon-reload then ipa-server-upgrade. This file ensures that PKI is ready (CA subsystem available) before the start command returns.
On new installations (post RHEL 8.1), this file is created at install time but it looks like an upgrade from 8.0 to 8.1+ does not create it, resulting in PKI not fully initialized when the upgrade is run.
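
The check-and-create procedure from the comment above, written as an idempotent script. This is an added example, not part of the original ticket and not FreeIPA's own code. The path, file contents and the two commands are the ones quoted in the comment; the function names, the ROOT prefix argument (for dry runs in a scratch directory) and the `--apply` switch are assumptions introduced here.

```shell
#!/bin/sh
# Added example. Path and file body are copied from the comment above;
# function names, ROOT prefix and --apply are illustrative assumptions.

DROPIN_REL=etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
WAIT_HOOK='ExecStartPost=/usr/libexec/ipa/ipa-pki-wait-running'

dropin_body() {
    cat <<'EOF'
[Service]
Environment=LC_ALL=C.UTF-8
ExecStartPost=/usr/libexec/ipa/ipa-pki-wait-running
EOF
}

# ensure_pki_dropin ROOT
#   prints "present"    (rc 0) if the drop-in already carries the wait hook
#   prints "created"    (rc 0) if the file was missing and has been written
#   prints "incomplete" (rc 1) if a file exists without the hook; it is left
#                              untouched so local customisations are not lost
ensure_pki_dropin() {
    root=${1:-/}
    file=${root%/}/$DROPIN_REL
    if [ -f "$file" ]; then
        if grep -qxF "$WAIT_HOOK" "$file"; then
            echo present
            return 0
        fi
        echo incomplete
        return 1
    fi
    mkdir -p "$(dirname "$file")" || return 2
    dropin_body > "$file" || return 2
    chmod 0644 "$file"
    echo created
}

# Touch the live system only when invoked as root with: sh thisfile.sh --apply
if [ "${1:-}" = "--apply" ]; then
    if state=$(ensure_pki_dropin /); then
        [ "$state" = created ] || { echo "drop-in already present, nothing to do"; exit 0; }
        systemctl --system daemon-reload && ipa-server-upgrade
    else
        echo "drop-in exists but lacks the wait hook; review it by hand" >&2
        exit 1
    fi
fi
```
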

master:

  • 143c3eb Upgrade: fix replica agreement
  • ac78a84 Integration tests: add a test to ipa-server-upgrade

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2216549

a year ago

ipa-4-10:

  • ad77c4c Upgrade: fix replica agreement
  • 3b58487 Integration tests: add a test to ipa-server-upgrade

ipa-4-9:

  • d29b475 Upgrade: fix replica agreement
  • 93d97b5 Integration tests: add a test to ipa-server-upgrade

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
