Hello, I’ve a single IPA machine that provides authentication for itself. It does not even have any client or host.
After def -y update and reboot, IPA fails to load an it’s in broken state.
[root@headnode ~]# systemctl status ipa ● ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2021-01-06 16:14:48 -03; 45min ago Process: 1278 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE) Main PID: 1278 (code=exited, status=1/FAILURE)
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CRL tree already moved Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command i> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Unexpected error - see /var/log/ipaupgrade.log for details: Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', '> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Aborting ipactl Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Failed with result 'exit-code'. Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: Failed to start Identity, Policy, Audit.
If asks for look on /var/log/ipaupgrade.log; but this log is just overwhelming. You must know what you should be looking for for actually find something.
The relevant thing that I’ve found by myself is: 2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.servicemailto:pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.servicemailto:pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.servicemailto:pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n’)
Is that Java regression again that happened a month or two ago?
Thank you all.
Vinícius Ferrão via FreeIPA-users wrote:
Hello, I’ve a single IPA machine that provides authentication for itself. It does not even have any client or host.
After def -y update and reboot, IPA fails to load an it’s in broken state.
[root@headnode ~]# systemctl status ipa ● ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2021-01-06 16:14:48 -03; 45min ago Process: 1278 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE) Main PID: 1278 (code=exited, status=1/FAILURE)
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CRL tree already moved Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command i> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Unexpected error - see /var/log/ipaupgrade.log for details: Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', '> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Aborting ipactl Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Failed with result 'exit-code'. Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: Failed to start Identity, Policy, Audit.
If asks for look on /var/log/ipaupgrade.log; but this log is just overwhelming. You must know what you should be looking for for actually find something.
The relevant thing that I’ve found by myself is: 2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n’)
Is that Java regression again that happened a month or two ago?
Hard to say. You upgraded from what to what? Was java included in the updated packages?
Does /bin/systemctl start pki-tomcatd@pki-tomcat.service work outside the upgrader?
rob
Can you check the ipaupgrade.log. I found out when I upgraded ipa-server on Centos 8 last-week that ipaupgrade script has has wrong path information for the file "/usr/share/pki/acme/database/ldap/database.conf". The upgrade script has path as "/usr/share/pki/acme/database/ds/database.conf" while what actually exists is "/usr/share/pki/acme/database/ldap/database.conf" I just created a symbolic link pointing to the correct path and the update completed.
_Uz
On Thu, Jan 7, 2021 at 7:01 AM Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Vinícius Ferrão via FreeIPA-users wrote:
Hello, I’ve a single IPA machine that provides authentication for itself. It does not even have any client or host.
After def -y update and reboot, IPA fails to load an it’s in broken
state.
[root@headnode ~]# systemctl status ipa ● ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2021-01-06 16:14:48 -03; 45min ago Process: 1278 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE) Main PID: 1278 (code=exited, status=1/FAILURE)
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CRL tree already moved Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command i> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Unexpected error - see /var/log/ipaupgrade.log for details: Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', '> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Aborting ipactl Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Failed with result 'exit-code'. Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: Failed to start Identity, Policy, Audit.
If asks for look on /var/log/ipaupgrade.log; but this log is just overwhelming. You must know what you should be looking for for actually find something.
The relevant thing that I’ve found by myself is: 2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n’)
Is that Java regression again that happened a month or two ago?
Hard to say. You upgraded from what to what? Was java included in the updated packages?
Does /bin/systemctl start pki-tomcatd@pki-tomcat.service work outside the upgrader?
rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On to, 07 tammi 2021, Uzor Ide via FreeIPA-users wrote:
Can you check the ipaupgrade.log. I found out when I upgraded ipa-server on Centos 8 last-week that ipaupgrade script has has wrong path information for the file "/usr/share/pki/acme/database/ldap/database.conf". The upgrade script has path as "/usr/share/pki/acme/database/ds/database.conf" while what actually exists is "/usr/share/pki/acme/database/ldap/database.conf" I just created a symbolic link pointing to the correct path and the update completed.
I think you are mixing up CentOS 8 Stream and CentOS 8 here. The issue above is on CentOS 8 Stream as ACME support is only available in FreeIPA 4.9.0. This is known problem with pki-core module in Centos 8 Stream being older (yet) and will be handled by CentOS packagers now that they are back from vacation/holidays.
CentOS 8 does not have this issue but it will be crucial to know pki-core components versions and also Java versions.
_Uz
On Thu, Jan 7, 2021 at 7:01 AM Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Vinícius Ferrão via FreeIPA-users wrote:
Hello, I’ve a single IPA machine that provides authentication for itself. It does not even have any client or host.
After def -y update and reboot, IPA fails to load an it’s in broken
state.
[root@headnode ~]# systemctl status ipa ● ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2021-01-06 16:14:48 -03; 45min ago Process: 1278 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE) Main PID: 1278 (code=exited, status=1/FAILURE)
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CRL tree already moved Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command i> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Unexpected error - see /var/log/ipaupgrade.log for details: Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', '> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Aborting ipactl Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Failed with result 'exit-code'. Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: Failed to start Identity, Policy, Audit.
If asks for look on /var/log/ipaupgrade.log; but this log is just overwhelming. You must know what you should be looking for for actually find something.
The relevant thing that I’ve found by myself is: 2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n’)
Is that Java regression again that happened a month or two ago?
Hard to say. You upgraded from what to what? Was java included in the updated packages?
Does /bin/systemctl start pki-tomcatd@pki-tomcat.service work outside the upgrader?
rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hi Rob, in fact it’s not working either.
Jan 8 00:02:58 headnode ipa-pki-wait-running[59836]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='headnode.cluster.tmc.if.ufrj.br', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x7f4caa2ffda0>, 'Connection to headnode.cluster.tmc.if.ufrj.br timed out. (connect timeout=1.0)')) Jan 8 00:02:58 headnode systemd[1]: pki-tomcatd@pki-tomcat.servicemailto:pki-tomcatd@pki-tomcat.service: Start-post operation timed out. Stopping. Jan 8 00:02:59 headnode systemd[1]: pki-tomcatd@pki-tomcat.servicemailto:pki-tomcatd@pki-tomcat.service: Failed with result 'timeout'. Jan 8 00:02:59 headnode systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
I have upgraded from 8.2 to 8.3; here’s the output of yum history and indeed there’s an error with Java: https://pastebin.com/CH5g3kBw
On the end of the paste there’s the Java errors.
Thank you.
On 7 Jan 2021, at 11:01, Rob Crittenden <rcritten@redhat.commailto:rcritten@redhat.com> wrote:
Vinícius Ferrão via FreeIPA-users wrote: Hello, I’ve a single IPA machine that provides authentication for itself. It does not even have any client or host.
After def -y update and reboot, IPA fails to load an it’s in broken state.
[root@headnode ~]# systemctl status ipa ● ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2021-01-06 16:14:48 -03; 45min ago Process: 1278 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE) Main PID: 1278 (code=exited, status=1/FAILURE)
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CRL tree already moved Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command i> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Unexpected error - see /var/log/ipaupgrade.log for details: Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', '> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Aborting ipactl Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Failed with result 'exit-code'. Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: Failed to start Identity, Policy, Audit.
If asks for look on /var/log/ipaupgrade.log; but this log is just overwhelming. You must know what you should be looking for for actually find something.
The relevant thing that I’ve found by myself is: 2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.servicemailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.servicemailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.servicemailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n’)
Is that Java regression again that happened a month or two ago?
Hard to say. You upgraded from what to what? Was java included in the updated packages?
Does /bin/systemctl start pki-tomcatd@pki-tomcat.servicemailto:pki-tomcatd@pki-tomcat.service work outside the upgrader?
rob
Vinícius Ferrão via FreeIPA-users wrote:
Hi Rob, in fact it’s not working either.
Jan 8 00:02:58 headnode ipa-pki-wait-running[59836]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='headnode.cluster.tmc.if.ufrj.br', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x7f4caa2ffda0>, 'Connection to headnode.cluster.tmc.if.ufrj.br timed out. (connect timeout=1.0)')) Jan 8 00:02:58 headnode systemd[1]: pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service: Start-post operation timed out. Stopping. Jan 8 00:02:59 headnode systemd[1]: pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service: Failed with result 'timeout'. Jan 8 00:02:59 headnode systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
I have upgraded from 8.2 to 8.3; here’s the output of yum history and indeed there’s an error with Java: https://pastebin.com/CH5g3kBw
On the end of the paste there’s the Java errors.
I can't find the BZ with details but my swiss-cheese memory says that downgrading to 265 was the workaround at the time, assuming that this is indeed the same issue.
Details from the pki debug log may help confirm.
rob
Thank you.
On 7 Jan 2021, at 11:01, Rob Crittenden <rcritten@redhat.com mailto:rcritten@redhat.com> wrote:
Vinícius Ferrão via FreeIPA-users wrote:
Hello, I’ve a single IPA machine that provides authentication for itself. It does not even have any client or host.
After def -y update and reboot, IPA fails to load an it’s in broken state.
[root@headnode ~]# systemctl status ipa ● ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2021-01-06 16:14:48 -03; 45min ago Process: 1278 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE) Main PID: 1278 (code=exited, status=1/FAILURE)
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CRL tree already moved Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command i> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Unexpected error - see /var/log/ipaupgrade.log for details: Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', '> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Aborting ipactl Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Failed with result 'exit-code'. Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: Failed to start Identity, Policy, Audit.
If asks for look on /var/log/ipaupgrade.log; but this log is just overwhelming. You must know what you should be looking for for actually find something.
The relevant thing that I’ve found by myself is: 2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n’)
Is that Java regression again that happened a month or two ago?
Hard to say. You upgraded from what to what? Was java included in the updated packages?
Does /bin/systemctl start pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service work outside the upgrader?
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Vinícius Ferrão via FreeIPA-users wrote:
Hi Rob, in fact it’s not working either.
Jan 8 00:02:58 headnode ipa-pki-wait-running[59836]: ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host='headnode.cluster.tmc.if.ufrj.br', port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x7f4caa2ffda0>, 'Connection to headnode.cluster.tmc.if.ufrj.br timed out. (connect timeout=1.0)')) Jan 8 00:02:58 headnode systemd[1]: pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service: Start-post operation timed out. Stopping. Jan 8 00:02:59 headnode systemd[1]: pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service: Failed with result 'timeout'. Jan 8 00:02:59 headnode systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
I have upgraded from 8.2 to 8.3; here’s the output of yum history and indeed there’s an error with Java: https://pastebin.com/CH5g3kBw
On the end of the paste there’s the Java errors.
Ok, so my thinking on the bad openjdk release was wrong. It was fixed in 8.3 for sure.
Can you provide journalctl -u pki-tomcatd@pki-tomcat and take a look at the debug log in /var/log/pki/pki-tomcat/ca ?
Note that reading the debug log is best done by finding in the log the last time the CA was started and move down from there, rather than moving up from the bottom, as the CA is optimistic and will try to continue past some kinds of errors.
rob
Thank you.
On 7 Jan 2021, at 11:01, Rob Crittenden <rcritten@redhat.com mailto:rcritten@redhat.com> wrote:
Vinícius Ferrão via FreeIPA-users wrote:
Hello, I’ve a single IPA machine that provides authentication for itself. It does not even have any client or host.
After def -y update and reboot, IPA fails to load an it’s in broken state.
[root@headnode ~]# systemctl status ipa ● ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2021-01-06 16:14:48 -03; 45min ago Process: 1278 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE) Main PID: 1278 (code=exited, status=1/FAILURE)
Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CRL tree already moved Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command i> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Unexpected error - see /var/log/ipaupgrade.log for details: Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', '> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more > Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade> Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br ipactl[1278]: Aborting ipactl Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: ipa.service: Failed with result 'exit-code'. Jan 06 16:14:48 headnode.cluster.tmc.if.ufrj.br systemd[1]: Failed to start Identity, Policy, Audit.
If asks for look on /var/log/ipaupgrade.log; but this log is just overwhelming. You must know what you should be looking for for actually find something.
The relevant thing that I’ve found by myself is: 2021-01-06T19:09:51Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service'] returned non-zero exit status 1: 'Job for pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.\nSee "systemctl status pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.\n’)
Is that Java regression again that happened a month or two ago?
Hard to say. You upgraded from what to what? Was java included in the updated packages?
Does /bin/systemctl start pki-tomcatd@pki-tomcat.service mailto:pki-tomcatd@pki-tomcat.service work outside the upgrader?
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hi All,
I am also facing similar problem however, I am not upgrading. This is fresh installation. In my case, also, pki-tomcatd@pki-tomcat.service is timed out when I am trying to run ipa-server-install. I am not sure how to attach journalctl -u pki-tomcatd@pki-tomcat which I have.
-Abhinav
freeipa-users@lists.fedorahosted.org
-
Abhinav Chittora -
Alexander Bokovoy -
Rob Crittenden -
Uzor Ide -
Vinícius Ferrão