I just noticed my F31 FreeIPA server wasn't working. When I logged into it and investigated, I saw this in the IPA upgrade log: === Upgrading PKI server configuration on Sat 14 Mar 2020 06:02:24 AM PDT. WARNING: Directory already exists: /var/log/pki/server/upgrade/10.8.0/1/oldfiles/var/lib/pki/pki-tomcat WARNING: Directory already exists: /var/log/pki/server/upgrade/10.8.0/4/oldfiles/etc/pki/pki-tomcat WARNING: Directory already exists: /var/log/pki/server/upgrade/10.8.0/4/oldfiles/etc/pki/pki-tomcat WARNING: Directory already exists: /var/log/pki/server/upgrade/10.8.0/5/oldfiles/etc/pki/pki-tomcat WARNING: Directory already exists: /var/log/pki/server/upgrade/10.8.0/6/oldfiles/etc/pki/pki-tomcat ERROR: expected str, bytes or os.PathLike object, not NoneType ERROR: Upgrade failed in pki-tomcat/ca: expected str, bytes or os.PathLike object, not NoneType Upgrading from version 10.7.3 to 10.8.0: No upgrade scriptlets. Tracker has been set to version 10.8.0. Upgrading from version 10.8.0 to 10.8.2: 1. Fix common folder 2. Remove LDAP setup files from instance folder 3. Fix links to default Tomcat files 4. Remove unused UserDatabase from server.xml 5. Remove pki.policy from instance folder 6. Remove empty custom.policy from instance folder Upgrading from version 10.8.2 to 10.8.3: 1. Fix EC admin certificate profile Failed upgrading pki-tomcat/ca subsystem. Continue (Yes/No) [Y]? ERROR: EOF when reading a line === It seems to be choking because it's expecting an interactive response. Of course the upgrade process should *never* require an interactive response because it runs in RPM scriptlets. If I run 'ipa-server-upgrade' interactively at a console it also fails. If I run 'pki-server upgrade -v --validate' (command suggested by zdzichu) it fails with the same "EOF when reading a line" error. But if I just run 'pki-server upgrade' with no other args, it actually waits for me to answer 'Y', then completes successfully. After that I could run ipa-server-upgrade successfully, and my server is now back working again. But I shouldn't have needed to do that and it shouldn't have broken my server.
THe interactive response should not be needed and should default to Y. The issue you see in "Fix EC admin certificate profile" is due to a known bug which is fixed in 10.9 (not pushed it). Closing this as duplicate. *** This bug has been marked as a duplicate of bug 1814242 ***
aha, thanks for the explanation. Sorry for not spotting the other report - I didn't see it as it's assigned to dogtag-pki, and I looked for bugs against pki-core.