On Fri, Aug 11, 2017 at 7:47 PM, Charles Hedrick via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
> I was unable to install an update for CentOS 7.
> I had done a default install, and then moved to commercial certs for LDAP
> and HTTP, using
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP. We
> don’t use the CA.
> We have a replica. It upgraded fine, but then it’s CA-less.
> The upgrade for the primary failed, because the upgrade of the CA failed. It
> tried to update Server-Cert for LDAP, but the actual cert has an alias based
> on the DN.
Could you share the error? I.e. output from console and related part
of /var/log/ipaupgrade.log with context. Someone might be able to
help.
> I assume there’s a different naming convention when a 3rd party CA is in use
> than when the cert is issued by Dogtag.
> Any ideas how to recover? I’d be happy just to disable the CA component if
> that’s possible.
> Can I rerun the upgrade?
Yes, re-running ipa-server-upgrade is OK, but it might fail at the same
step if the cause of the failure is still there.
> At the moment I’m running in production with a half-upgraded system. It
> appears that the only thing that failed was the upgrade of the CA, which I
> don’t use. But this doesn’t seem to be a good idea in the long run. I’ve
> considered producing another CA-less replica, which presumably would upgrade
> fine, and decommissioning the original.
From the text I assume that you have one or more IPA masters with a CA
and one or more IPA masters without a CA. Make sure that you don't
decommission the last CA. It is essential to keep at least one.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
--
Petr Vobornik
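A pre-flight guard for the "keep at least one CA" advice above, written here as an added example and not taken from the thread or from FreeIPA itself. It parses text in the shape of `ipa server-role-find --role "CA server"` output (the format is assumed from memory and the sample below is constructed) and refuses to decommission a host that is the last enabled CA server.

```shell
#!/bin/sh
# Constructed sample in the assumed shape of:
#   ipa server-role-find --role "CA server"
# Hostnames are placeholders, not the poster's servers.
SAMPLE_ROLES='----------------------
2 server roles matched
----------------------
  Server name: ipa1.example.test
  Role name: CA server
  Role status: enabled

  Server name: ipa2.example.test
  Role name: CA server
  Role status: absent
----------------------------
Number of entries returned 2
----------------------------'

# Print the hostname of every server whose "CA server" role is enabled.
# $1: role listing text (in production: "$(ipa server-role-find --role 'CA server')")
enabled_ca_servers() {
    printf '%s\n' "$1" | awk '
        /Server name:/ { host = $3 }
        /Role status:/ { if ($3 == "enabled") print host }'
}

# Return 0 if host $1 can be removed while leaving at least one enabled CA,
# 1 if it is the last enabled CA server (or no CA server is enabled at all).
# $1: hostname to decommission, $2: role listing text
safe_to_decommission() {
    host="$1"
    roles="$2"
    # Count enabled CA servers other than the one being removed.
    remaining=$(enabled_ca_servers "$roles" | grep -v -x -c "$host")
    if [ "$remaining" -ge 1 ]; then
        return 0
    fi
    echo "refusing: $host is the last enabled CA server" >&2
    return 1
}

# Usage: the CA-less replica may go, the only CA master may not.
safe_to_decommission ipa2.example.test "$SAMPLE_ROLES" && echo "ipa2: ok to remove"
safe_to_decommission ipa1.example.test "$SAMPLE_ROLES" || echo "ipa1: keep it"
```

Run `ipa-server-install --uninstall` (or `ipa server-del`) only after the guard returns 0 for that host.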