Bug 1894781

| Field | Value |
|---|---|
| Summary: | add a validation test to verify the KRA_AGENT_DN exists in fix_kra_people_entry.py |
| Product: | Red Hat Enterprise Linux 8 |
| Reporter: | Marc Sauton <msauton> |
| Component: | ipa-healthcheck |
| Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA |
| QA Contact: | ipa-qe <ipa-qe> |
| Severity: | high |
| Docs Contact: | |
| Priority: | low |
| Version: | --- |
| CC: | antorres, fcami, mpolovka, parmstro, pcech, rcritten, sigbjorn.lie, smercuri, ssidhaye, tscherf, twoerner |
| Target Milestone: | rc |
| Keywords: | Triaged |
| Target Release: | --- |
| Flags: | pm-rhel: mirror+ |
| Hardware: | All |
| OS: | Linux |
| Whiteboard: | |
| Fixed In Version: | ipa-healthcheck-0.7-4.el8 |
| Doc Type: | If docs needed, set a value |
| Doc Text: | |
| Story Points: | --- |
| Clone Of: | |
| | 1947043 (view as bug list) |
| Environment: | |
| Last Closed: | 2021-11-09 18:21:53 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Embargoed: | |
| Bug Depends On: | |
| Bug Blocks: | 1947043 |
See also https://bugzilla.redhat.com/show_bug.cgi?id=1895197

This issue is slightly different as it could happen if the customer deletes the uid=ipakra,ou=people,o=kra,o=ipaca entry by mistake. When the entry is missing, the KRA functionality is broken (ipa vault-* commands don't work anymore because the IPA framework cannot authenticate to the KRA service). So IMO it is ok for ipa-server-upgrade to exit on error in order to signal that something abnormal was detected.

Moreover, it may get tricky to try to generate a new entry based on the content of the local file /var/lib/ipa/ra-agent.pem because the local file may be different on replicas if renewal happened on one of them but was not done on the others. A manual operation would be preferred as the user would have to check which ra-agent.pem is the most recent and select this one as the source to create the LDAP entry.

During the team triage, we decided to implement an ipa-healthcheck check to ensure that the entry uid=ipakra,ou=people,o=kra,o=ipaca exists and its content is consistent with the RA cert stored in /var/lib/ipa/ra-agent.pem. Hence moving to RHEL 8, ipa-healthcheck component.

Is there a guide or help DOC to try and fix this issue on a 7.8 to 7.9 upgrade? Maybe a back end process at every install, upgrade, backup, etc. that backs up all system required entries like KRA and a script that restores or regenerates them. The question I have though is: why allow this entry to be deleted in the first place, or have in the shut script a check for backup of these critical entries and an auto-restore at start?
To re-create the entry, assuming as Flo pointed out that the certificates are in sync, convert the RA Agent PEM file into DER:

```
# openssl x509 -in /var/lib/ipa/ra-agent.pem -out /tmp/ra-agent.der -outform der
```

Obtain the current description from the RA agent:

```
# ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description
```

Create the entry in LDAP:

```
# ldapmodify -x -D 'cn=Directory Manager' -W
LDAP Password:
dn: uid=ipakra,ou=people,o=kra,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: ipakra
sn: IPA KRA User
cn: IPA KRA User
usertype: undefined
userCertificate:< file:///tmp/ra-agent.der
description: [ the value of description from above ]
<hit enter>
^D
```

You can remove the temporary file afterwards (/tmp/ra-agent.der).

IPA provides a management CLI and UI to manage entries (safe) but leaves flexibility if users want to manipulate entries directly in LDAP (risky). The root cause of why the entry was removed is unknown, whether user error or a coding error in either IPA or CS.

Note that while this presents as an error during upgrade it also means the KRA is effectively not working in the pre-upgraded state. The upgrade process merely makes this painfully visible.
I get this error:

```
ldapmodify: modify operation type is missing at line 2, entry "uid=ipakra,ou=people,o=kra,o=ipaca"
```

```
[root@idm01 ~]# ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;26;CN=Certificate Authority,O=HOMELINUX.COM;CN=IPA RA,O=HOMELINUX.COM

[root@idm01 ~]# ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=ipakra,ou=people,o=kra,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: ipakra
sn: IPA KRA User
cn: IPA KRA User
usertype: undefined
userCertificate:< file:///tmp/ra-agent.der
description: 2;26;CN=Certificate Authority,O=HOMELINUX.COM;CN=IPA RA,O=HOMELINUX.COM
ldapmodify: modify operation type is missing at line 2, entry "uid=ipakra,ou=people,o=kra,o=ipaca"
[root@idm01 ~]#
```

As this seems to be fixable (assuming I get past the error I have) is there a way to just prompt the user for Y/N to fix this or re-create the entry for them? Another option would be a script to rebuild this entry and just add in the error that the user should run the script.

Got it to work using ldapadd:

```
[root@idm01 ~]# ldapadd -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=ipakra,ou=people,o=kra,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: ipakra
sn: IPA KRA User
cn: IPA KRA User
usertype: undefined
userCertificate:< file:///tmp/ra-agent.der
description: 2;26;CN=Certificate Authority,O=HOMELINUX.COM;CN=IPA RA,O=HOMELINUX.COM
adding new entry "uid=ipakra,ou=people,o=kra,o=ipaca"
ldap_add: No such object (32)
        matched DN: o=ipaca
[root@idm01 ~]#
```

So is this something the upgrade script can do/fix or let someone know to run another provided script to fix then run the upgrade again?

Actually didn't work but thought it did. Not sure how to fix this.
One thought.... What if when I installed IDM pre 4.5 I never installed KRA so essentially it never existed?

```
[root@idm02 ~]# ipa --version
VERSION: 4.5.4, API_VERSION: 2.228
[root@idm02 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
[root@idm02 ~]#
```

After the dn add:

```
changetype: modify
```

This seems very much like a corner case. I'm not sure we'll provide automation to address it. A KCS is probably sufficient.

PR in ipa-healthcheck: https://github.com/freeipa/freeipa-healthcheck/pull/188

merged upstream:
3f6ed4393dfa9ddf982e326065a3ea160bef90b6
a6504bd7d32fe3553b9f6f807f3d84a1b87bb77c

In my case, the upgrade failed with the same error as Mark in the Description of Problem. Using Rob's method to work around did not succeed as the entry appeared to be missing entirely. I recreated the entry following Rob's example with the following:

```
[root@idm parmstro]# ldapadd -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=ipakra,ou=people,o=kra,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: ipakra
sn: IPA KRA User
cn: IPA KRA User
usertype: undefined
userCertificate:< file:///tmp/ra-agent.der
description: [ 2;109;CN=Certificate Authority,O=PARMSTRONG.CA;CN=IPA RA,O=PARMSTRONG.CA ]
adding new entry "uid=ipakra,ou=people,o=kra,o=ipaca"
[root@idm parmstro]#
```

This succeeded and allowed me to get past the original error. Results running the upgrade manually eventually failed though. It seems that I have another issue:

```
[root@idm parmstro]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
Upgraded /etc/httpd/conf.d/ipa-pki-proxy.conf to version 14
[Verifying that CA proxy configuration is correct]
[Ensuring ephemeralRequest is enabled in KRA]
ephemeralRequest is already enabled
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Updating mod_nss enabling OCSP]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration]
Configuring certmonger to stop tracking system certificates for CA
Certmonger certificate renewal configuration updated
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'https://idm.parmstrong.ca:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
[root@idm parmstro]#
```

tail of /var/log/ipaupgrade.log:

```
2021-04-12T15:12:55Z INFO [Adding default OCSP URI configuration]
2021-04-12T15:12:55Z INFO pki-tomcat configuration changed, restart pki-tomcat
2021-04-12T15:12:55Z DEBUG Starting external process
2021-04-12T15:12:55Z DEBUG args=/bin/systemctl restart pki-tomcatd
2021-04-12T15:12:58Z DEBUG Process finished, return code=0
2021-04-12T15:12:58Z DEBUG stdout=
2021-04-12T15:12:58Z DEBUG stderr=
2021-04-12T15:12:58Z DEBUG Starting external process
2021-04-12T15:12:58Z DEBUG args=/bin/systemctl is-active pki-tomcatd
2021-04-12T15:12:58Z DEBUG Process finished, return code=0
2021-04-12T15:12:58Z DEBUG stdout=active
2021-04-12T15:12:58Z DEBUG stderr=
2021-04-12T15:12:58Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2021-04-12T15:12:58Z DEBUG waiting for port: 8080
2021-04-12T15:12:58Z DEBUG Failed to connect to port 8080 tcp on ::1
2021-04-12T15:12:58Z DEBUG Failed to connect to port 8080 tcp on 127.0.0.1
2021-04-12T15:13:01Z DEBUG SUCCESS: port: 8080
2021-04-12T15:13:01Z DEBUG waiting for port: 8443
2021-04-12T15:13:01Z DEBUG SUCCESS: port: 8443
2021-04-12T15:13:01Z DEBUG Restart of pki-tomcatd complete
2021-04-12T15:13:01Z DEBUG Waiting until the CA is running
2021-04-12T15:13:01Z DEBUG request POST http://idm.parmstrong.ca:8080/ca/admin/ca/getStatus
2021-04-12T15:13:01Z DEBUG request body ''
2021-04-12T15:13:17Z DEBUG response status 200
2021-04-12T15:13:17Z DEBUG response headers Server: Apache-Coyote/1.1
Content-Type: application/xml
Content-Length: 171
Date: Mon, 12 Apr 2021 15:13:17 GMT

2021-04-12T15:13:17Z DEBUG response body '<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.5.18-12.el7_9</Version></XMLResponse>'
2021-04-12T15:13:17Z DEBUG The CA status is: running
2021-04-12T15:13:17Z INFO [Ensuring CA is using LDAPProfileSubsystem]
2021-04-12T15:13:17Z INFO [Migrating certificate profiles to LDAP]
2021-04-12T15:13:17Z DEBUG Created connection context.ldap2_140197971264784
2021-04-12T15:13:17Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-PARMSTRONG-CA.socket from SchemaCache
2021-04-12T15:13:17Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-PARMSTRONG-CA.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f8263d68dd0>
2021-04-12T15:13:17Z DEBUG Destroyed connection context.ldap2_140197971264784
2021-04-12T15:13:17Z DEBUG request GET https://idm.parmstrong.ca:8443/ca/rest/account/login
2021-04-12T15:13:17Z DEBUG request body ''
2021-04-12T15:13:17Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 220, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python2.7/httplib.py", line 1056, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1090, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1052, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 890, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 852, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1275, in connect
    server_hostname=sni_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 348, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 609, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 831, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
2021-04-12T15:13:17Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2021-04-12T15:13:17Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2176, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2048, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 425, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 2029, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 2035, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1311, in __enter__
    method='GET'
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 167, in https_request
    method=method, headers=headers)
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 229, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))

2021-04-12T15:13:17Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://idm.parmstrong.ca:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
2021-04-12T15:13:17Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://idm.parmstrong.ca:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
2021-04-12T15:13:17Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
```

Looking at the problem further, this doesn't seem to be related to the KRA. Can you open a separate issue, or a thread on freeipa-users?

Verified using a RHEL 8.5 machine with ipa-healthcheck-0.7-6.module+el8.5.0+11410+91a33fe4.noarch

```
==================================================================================== test session starts =====================================================================================
platform linux -- Python 3.6.8, pytest-3.4.2, py-1.5.3, pluggy-0.6.0 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: /root/freeipa-healthcheck, inifile:
collected 14 items

tests/test_ipa_agent.py::TestNSSAgent::test_nss_agent_load_failure PASSED    [  7%]
tests/test_ipa_agent.py::TestNSSAgent::test_nss_agent_multiple_certs PASSED  [ 14%]
tests/test_ipa_agent.py::TestNSSAgent::test_nss_agent_no_description PASSED  [ 21%]
tests/test_ipa_agent.py::TestNSSAgent::test_nss_agent_no_entry_found PASSED  [ 28%]
tests/test_ipa_agent.py::TestNSSAgent::test_nss_agent_nonmatching_cert PASSED [ 35%]
tests/test_ipa_agent.py::TestNSSAgent::test_nss_agent_ok PASSED              [ 42%]
tests/test_ipa_agent.py::TestNSSAgent::test_nss_agent_too_many PASSED        [ 50%]
tests/test_ipa_agent.py::TestKRAAgent::test_kra_agent_load_failure PASSED    [ 57%]
tests/test_ipa_agent.py::TestKRAAgent::test_kra_agent_multiple_certs PASSED  [ 64%]
tests/test_ipa_agent.py::TestKRAAgent::test_kra_agent_no_description PASSED  [ 71%]
tests/test_ipa_agent.py::TestKRAAgent::test_kra_agent_no_entry_found PASSED  [ 78%]
tests/test_ipa_agent.py::TestKRAAgent::test_kra_agent_nonmatching_cert PASSED [ 85%]
tests/test_ipa_agent.py::TestKRAAgent::test_kra_agent_ok PASSED              [ 92%]
tests/test_ipa_agent.py::TestKRAAgent::test_kra_agent_too_many PASSED        [100%]

================================================================================= 14 passed in 0.45 seconds ==================================================================================
```

marking as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230
Description of problem:

A PKI KRA subsystem exists but the agent LDAP entry does not: uid=ipakra,ou=people,o=kra,o=ipaca

fix_kra_people_entry does test the PKI KRA subsystem existence, but does not test if KRA_AGENT_DN exists, because the default expectation is to always have a KRA agent for a fully functioning PKI KRA subsystem.

This is a corner case, to have a KRA and not a KRA agent entry in the LDAP backend, but it seems to happen in the real world (cause unknown).

The problem is the upgrade script fails with an exception, preventing an ipactl restart that is always called in the upgrade script. A manual restart of the services still works as a workaround.

Adding a validation test in ./freeipa/ipaserver/install/plugins/fix_kra_people_entry.py fix_kra_people_entry for this LDAP lookup

```python
entry = self.api.Backend.ldap2.get_entry(krainstance.KRA_AGENT_DN)
# check description attribute
description_values = entry.get('description', [])
```

could prevent an exception and provide smoother error handling of the failing IPA update process, and the subsequent failing ipactl restart.

( is there a way to not have the "Automatically running upgrade:" in ipactl start or restart ? may be with --skip-version-check )

Version-Release number of selected component (if applicable):
RHEL IdM update from RHEL-7.8 to RHEL-7.9

How reproducible:
not tested, but likely on demand , have to manually remove the

Steps to Reproduce:
1. RHEL-7.8 IdM replica: manually remove the KRA agent LDAP entry with a ldapmodify
2. update the system to RHEL-7.9
3. IPA restart fail

Actual results:

/var/log/dirsrv/slapd-xx/access

```
[03/Nov/2020:10:27:14.264587951 -0700] conn=3 op=9 SRCH base="uid=ipakra,ou=people,o=kra,o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[03/Nov/2020:10:27:14.264683425 -0700] conn=3 op=9 RESULT err=32 tag=101 nentries=0 etime=0.000190580
```

ipaupgrade.log

```
2020-11-03T17:27:14Z DEBUG AD Trusts are not enabled on this server
2020-11-03T17:27:14Z DEBUG Executing upgrade plugin: fix_kra_people_entry
2020-11-03T17:27:14Z DEBUG raw: fix_kra_people_entry
2020-11-03T17:27:14Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2020-11-03T17:27:14Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2020-11-03T17:27:14Z DEBUG Destroyed connection context.ldap2_140376115621328
2020-11-03T17:27:14Z ERROR Upgrade failed with no such entry
2020-11-03T17:27:14Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 274, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 966, in update
    self._run_updates(all_updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 928, in _run_updates
    self._run_update_plugin(update['plugin'])
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 903, in _run_update_plugin
    restart_ds, updates = self.api.Updater[plugin_name]()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1474, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_kra_people_entry.py", line 35, in execute
    entry = self.api.Backend.ldap2.get_entry(krainstance.KRA_AGENT_DN)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1565, in get_entry
    size_limit=size_limit, get_effective_rights=get_effective_rights,
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1377, in get_entries
    **kwargs)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1515, in find_entries
    break
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1026, in error_handler
    raise errors.NotFound(reason=arg_desc or 'no such entry')
NotFound: no such entry

2020-11-03T17:27:14Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 567, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 557, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 282, in __upgrade
    raise RuntimeError(e)
RuntimeError: no such entry

2020-11-03T17:27:14Z DEBUG   [error] RuntimeError: no such entry
2020-11-03T17:27:14Z DEBUG   [cleanup]: stopping directory server
2020-11-03T17:27:14Z DEBUG Destroyed connection context.ldap2_140376143874960
2020-11-03T17:27:14Z DEBUG Starting external process
2020-11-03T17:27:14Z DEBUG args=/bin/systemctl stop dirsrv
2020-11-03T17:27:16Z DEBUG Process finished, return code=0
2020-11-03T17:27:16Z DEBUG stdout=
2020-11-03T17:27:16Z DEBUG stderr=
2020-11-03T17:27:16Z DEBUG Stop of dirsrv complete
2020-11-03T17:27:16Z DEBUG   duration: 2 seconds
2020-11-03T17:27:16Z DEBUG   [cleanup]: restoring configuration
...snip...
2020-11-03T17:27:16Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2020-11-03T17:27:16Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 56, in run
    raise admintool.ScriptError(str(e))

2020-11-03T17:27:16Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: ('IPA upgrade failed.', 1)
2020-11-03T17:27:16Z ERROR ('IPA upgrade failed.', 1)
2020-11-03T17:27:16Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
(END)
```

and then:

```
root $ ipactl restart
IPA version error: data needs to be upgraded (expected version '4.6.8-5.el7', current version '4.6.6-11.el7')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Automatic upgrade failed: Upgrade failed with no such entry
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
('IPA upgrade failed.', 1)
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
Aborting ipactl
```

Expected results:
yes

Additional info:

current code: ./freeipa/ipaserver/install/plugins/fix_kra_people_entry.py

```python
...
    def execute(self, **options):
        kra = krainstance.KRAInstance(self.api.env.realm)
        if not kra.is_installed():
            return False, []

        cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
        entry = self.api.Backend.ldap2.get_entry(krainstance.KRA_AGENT_DN)

        # check description attribute
        description_values = entry.get('description', [])
```

This fails if the entry variable cannot be initialized with the LDAP lookup of the KRA agent user entry uid=ipakra,ou=people,o=kra,o=ipaca when it does not exist (LDAP err=32).
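The check the triage settled on (entry exists and is consistent with /var/lib/ipa/ra-agent.pem) and the re-creation LDIF from the workaround comment, as one added Python example. This is not ipa-healthcheck's or FreeIPA's own code: the directory is a dict keyed by DN standing in for o=ipaca, the DER is a placeholder byte string rather than a real certificate, and the serial/issuer/subject that the real tool reads out of the certificate are passed in by the caller so the example runs with the standard library only. Each failure mode is returned as a status instead of raised, which is the behaviour the description asks fix_kra_people_entry to have.

```python
"""KRA agent entry vs. RA agent certificate consistency check (added example)."""
import base64
import re

# DN of the KRA agent entry discussed in the bug.
KRA_AGENT_DN = "uid=ipakra,ou=people,o=kra,o=ipaca"

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def load_pem_certificates(pem_bytes):
    """Return the DER bytes of every CERTIFICATE block in a PEM blob."""
    return [base64.b64decode(b"".join(body.split()), validate=True)
            for body in _PEM_RE.findall(pem_bytes)]


def expected_description(serial, issuer, subject):
    """Dogtag's cert mapping on an agent entry: '2;<serial>;<issuer>;<subject>'."""
    return "2;%d;%s;%s" % (serial, issuer, subject)


def check_kra_agent(directory, pem_bytes, serial, issuer, subject):
    """Return (status, detail); status is 'ok' or an error keyword.

    directory maps DN -> {attribute: [values]} (assumed stand-in for LDAP).
    """
    try:
        ders = load_pem_certificates(pem_bytes)
    except Exception as exc:
        return "load_failure", "cannot parse RA agent PEM: %s" % exc
    if len(ders) != 1:
        return "load_failure", "expected one cert in PEM, found %d" % len(ders)
    der = ders[0]

    entry = directory.get(KRA_AGENT_DN)
    if entry is None:  # the err=32 case from the access log in the bug
        return "no_entry_found", "%s does not exist" % KRA_AGENT_DN

    certs = entry.get("userCertificate", [])
    if len(certs) > 1:
        return "multiple_certs", "entry carries %d certificates" % len(certs)
    if not certs or certs[0] != der:
        return "nonmatching_cert", "entry certificate differs from RA agent PEM"

    descriptions = entry.get("description", [])
    if not descriptions:
        return "no_description", "entry has no description attribute"
    want = expected_description(serial, issuer, subject)
    if want not in descriptions:
        return "nonmatching_description", "expected %r, found %r" % (want, descriptions)
    return "ok", "KRA agent entry matches the RA agent certificate"


def recreate_entry_ldif(der, description):
    """LDIF that re-adds the agent entry; feed it to ldapadd or ldapmodify -a.

    'changetype: add' is explicit (the plain ldapmodify attempt in the thread
    lacked an operation type) and '::' embeds the DER as base64, so no
    temporary /tmp/ra-agent.der is needed.
    """
    lines = [
        "dn: %s" % KRA_AGENT_DN,
        "changetype: add",
        "objectClass: top", "objectClass: person",
        "objectClass: organizationalPerson", "objectClass: inetOrgPerson",
        "objectClass: cmsuser",
        "uid: ipakra", "sn: IPA KRA User", "cn: IPA KRA User",
        "usertype: undefined",
        "userCertificate:: %s" % base64.b64encode(der).decode("ascii"),
        "description: %s" % description,
    ]
    return "\n".join(lines) + "\n"


# Constructed sample data (not from the page): placeholder DER, its PEM
# wrapping, and cert fields in the format the bug's description values use.
SAMPLE_DER = bytes(range(0x30, 0x30 + 48))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_SERIAL = 26
SAMPLE_ISSUER = "CN=Certificate Authority,O=EXAMPLE.TEST"
SAMPLE_SUBJECT = "CN=IPA RA,O=EXAMPLE.TEST"


def healthy_directory():
    """Directory stand-in holding a consistent KRA agent entry."""
    return {KRA_AGENT_DN: {
        "objectClass": ["top", "person", "organizationalPerson",
                        "inetOrgPerson", "cmsuser"],
        "uid": ["ipakra"],
        "userCertificate": [SAMPLE_DER],
        "description": [expected_description(
            SAMPLE_SERIAL, SAMPLE_ISSUER, SAMPLE_SUBJECT)],
    }}


if __name__ == "__main__":
    status, detail = check_kra_agent({}, SAMPLE_PEM, SAMPLE_SERIAL,
                                     SAMPLE_ISSUER, SAMPLE_SUBJECT)
    print(status, detail)
    if status == "no_entry_found":
        print(recreate_entry_ldif(SAMPLE_DER, expected_description(
            SAMPLE_SERIAL, SAMPLE_ISSUER, SAMPLE_SUBJECT)))
```

On a real server the description must come from the surviving uid=ipara,ou=people,o=ipaca entry as the workaround comment shows, and the PEM chosen must be the most recent one across replicas, since the check compares the DER bytes exactly and a stale ra-agent.pem on one replica would report nonmatching_cert there.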