IPA upgrade is failing while upgrading from RHEL 9.5 to 9.6 with message "RemoteRetrieveError: Failed to authenticate to CA REST API"
Environment
- Red Hat Enterprise Linux 9.6
- ipa-server-4.12.2-14.el9_6.x86_64
Issue
- The IPA upgrade fails as shown below:
2025-05-27T17:28:27Z DEBUG Discovery: using ipa-server.example.com for 'CA' service
2025-05-27T17:28:27Z DEBUG request GET https://ipa-server.example.com:8443/ca/rest/account/login
2025-05-27T17:28:27Z DEBUG request body ''
2025-05-27T17:28:27Z DEBUG response status 404
2025-05-27T17:28:27Z DEBUG response headers Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 784
Date: Tue, 27 May 2025 17:28:27 GMT
2025-05-27T17:28:27Z DEBUG response body (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 404 \xe2\x80\x93 Not Found</title><style type="text/css">body{font-family:Tahoma,Arial,sans-serif;}
h1, h2, h3, b color: Color value is invalid h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a color: Color value is invalid.line
{height:1px;background-color:#525D76;border:none;}
</style></head><body><h1>HTTP Status 404 \xe2\x80\x93 Not Found</
h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource /ca/rest/account/login is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.87</h3></body></html>'
2025-05-27T17:28:27Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2025-05-27T17:28:27Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 219, in execute
return_value = self.run()
File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
server.upgrade()
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 2093, in upgrade
upgrade_configuration()
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/upgrade.py", line 1954, in upgrade_configuration
cainstance.repair_profile_caIPAserviceCert()
File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 2169, in repair_profile_caIPAserviceCert
with api.Backend.ra_certprofile as profile_api:
File "/usr/lib/python3.9/site-packages/ipaserver/plugins/dogtag.py", line 610, in __enter__
raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
2025-05-27T17:28:27Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2025-05-27T17:28:27Z ERROR Unexpected error
Resolution
- This is a known issue and is being tracked in Red Hat Private Jira: RHEL-88370 and in Red Hat Bugzilla: 2350322.
Workaround
- Create a symlink for the rewrite.config file:
# ln -s /usr/share/pki/server/conf/Catalina/localhost/rewrite.config /etc/pki/pki-tomcat/Catalina/localhost/rewrite.config
- Take a backup of /etc/pki/pki-tomcat/server.xml to be on the safe side.
- Make pki-tomcat use the rewrite config by adding <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/> at the end of the file /etc/pki/pki-tomcat/server.xml, just before the closing </Host> tag, like this:
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="common"/>
<Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
</Host>
</Engine>
</Service>
</Server>
Root Cause
- The symlink for the rewrite.config file was missing.
- <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/> was missing in the /etc/pki/pki-tomcat/server.xml file.
- The ipa-acme-manage command was failing as below:
# ipa-acme-manage status
Failed to authenticate to CA REST API
The ipa-acme-manage command failed.
Diagnostic Steps
- The symlink for the rewrite.config file is missing:
# ls -al /etc/pki/pki-tomcat/Catalina/localhost/rewrite.config
ls: cannot access '/etc/pki/pki-tomcat/Catalina/localhost/rewrite.config': No such file or directory
- Make sure the lines below exist at the end of the /etc/pki/pki-tomcat/server.xml file:
....
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="common"/>
<Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
</Host>
</Engine>
</Service>
</Server>
- Check the acme status as below:
# ipa-acme-manage status
ACME is disabled
The ipa-acme-manage command was successful
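The diagnostic checks and the workaround steps above, combined into one idempotent shell script. This is an added example, not part of the original solution or of Red Hat's tooling; the function names and the REWRITE_SRC, REWRITE_LINK and SERVER_XML override variables are assumptions introduced here, while the default paths and the Valve line are the ones given on this page.

```shell
#!/bin/sh
# Added example: check for, and apply, the workaround described on this page.
# Defaults are the article's paths; override them to rehearse on a copy first.
REWRITE_SRC=${REWRITE_SRC:-/usr/share/pki/server/conf/Catalina/localhost/rewrite.config}
REWRITE_LINK=${REWRITE_LINK:-/etc/pki/pki-tomcat/Catalina/localhost/rewrite.config}
SERVER_XML=${SERVER_XML:-/etc/pki/pki-tomcat/server.xml}
VALVE='<Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>'

# Return 0 when rewrite.config resolves to an existing file.
rewrite_link_ok() { [ -e "$REWRITE_LINK" ]; }

# Return 0 when server.xml already mentions the RewriteValve class.
valve_present() { grep -Fq 'org.apache.catalina.valves.rewrite.RewriteValve' "$SERVER_XML"; }

# Print what is missing; the return status is the number of findings (0 = healthy).
check_workaround() {
    findings=0
    rewrite_link_ok || { echo "MISSING: $REWRITE_LINK"; findings=$((findings + 1)); }
    valve_present || { echo "MISSING: RewriteValve in $SERVER_XML"; findings=$((findings + 1)); }
    return "$findings"
}

# Apply only the missing pieces, so repeated runs change nothing further.
apply_workaround() {
    rewrite_link_ok || ln -s "$REWRITE_SRC" "$REWRITE_LINK" || return 1
    valve_present && return 0
    # Refuse to edit unless exactly one line carries </Host> to anchor on.
    [ "$(grep -c '</Host>' "$SERVER_XML")" -eq 1 ] || return 2
    backup="$SERVER_XML.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$SERVER_XML" "$backup" || return 1
    # Insert the valve just before </Host>. Writing back into the existing file
    # (rather than replacing it) keeps its owner, mode and SELinux label.
    awk -v valve="$VALVE" '/<\/Host>/ { print "      " valve } { print }' \
        "$backup" > "$SERVER_XML"
}
```

Source the file and run `check_workaround` to see what is missing, then `apply_workaround` as root; a timestamped copy of server.xml is kept next to the original.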
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.