10:18 p.m.
Hello,
Currently my server is running on IPA Server Version 4.4. I have tried to
upgrade the Version to 4.5 using the ipa-server-upgrade command and got
ended with the following error:
--------
2017-09-26T02:27:32Z DEBUG stderr=
2017-09-26T02:27:50Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-09-26T02:27:53Z DEBUG Starting external process
2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
/etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
2017-09-26T02:27:56Z DEBUG Process finished, return code=255
2017-09-26T02:27:56Z DEBUG stdout=
2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-09-26T02:27:56Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1913, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1788, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1018, in certificate_renewal_update
ds.start_tracking_certificates(serverid)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 1046, in start_tracking_certificates
'restart_dirsrv %s' % serverid)
File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
362, in track_server_cert
cert_obj = x509.load_certificate(cert)
File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in
load_certificate
return cryptography.x509.load_der_x509_certificate(data,
default_backend())
File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py", line
47, in load_der_x509_certificate
return backend.load_der_x509_certificate(data)
File
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py",
line 350, in load_der_x509_certificate
return b.load_der_x509_certificate(data)
File
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py",
line 1185, in load_der_x509_certificate
raise ValueError("Unable to load certificate")
2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command failed,
exception: ValueError: Unable to load certificate
2017-09-26T02:27:56Z ERROR Unexpected error - see /var/log/ipaupgrade.log
for details:
ValueError: Unable to load certificate
2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
-------
I am using a third party signed certificate along with my IPA-CA. Is it an
issue with my current CA. I can see that while fetching for the
certificate, the name given to be "Server-cert" instead of the exact CA
name.
--
Regards,
Alka Murali
4:01 a.m.
On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
Hello,
Currently my server is running on IPA Server Version 4.4. I have tried
to upgrade the Version to 4.5 using the ipa-server-upgrade command and
got ended with the following error:
--------
2017-09-26T02:27:32Z DEBUG stderr=
2017-09-26T02:27:50Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-09-26T02:27:53Z DEBUG Starting external process
2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
/etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
2017-09-26T02:27:56Z DEBUG Process finished, return code=255
2017-09-26T02:27:56Z DEBUG stdout=
2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-09-26T02:27:56Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1913, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1788, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1018, in certificate_renewal_update
ds.start_tracking_certificates(serverid)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 1046, in start_tracking_certificates
'restart_dirsrv %s' % serverid)
File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
362, in track_server_cert
cert_obj = x509.load_certificate(cert)
File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in
load_certificate
return cryptography.x509.load_der_x509_certificate(data, default_backend())
File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py",
line 47, in load_der_x509_certificate
return backend.load_der_x509_certificate(data)
File
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py",
line 350, in load_der_x509_certificate
return b.load_der_x509_certificate(data)
File
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py",
line 1185, in load_der_x509_certificate
raise ValueError("Unable to load certificate")
2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command failed,
exception: ValueError: Unable to load certificate
2017-09-26T02:27:56Z ERROR Unexpected error - see
/var/log/ipaupgrade.log for details:
ValueError: Unable to load certificate
2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
-------
I am using a third party signed certificate along with my IPA-CA. Is it
an issue with my current CA. I can see that while fetching for the
certificate, the name given to be "Server-cert" instead of the exact CA
name.
--
Regards,
Alka Murali
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Hi,
you are probably hitting issue 7141 [1]. The upgrade is trying to track
the HTTPd/LDAP server certificates but shouldn't if they were issued by
an external CA.
The fix is available in FreeIPA 4.6.1 [2]
HTH,
Flo
[1] https://pagure.io/freeipa/issue/7141
[2] http://www.freeipa.org/page/Releases/4.6.1
9:12 p.m.
Hi Florence,
Thanks for the email. As you have mentioned, I tried updating the
corresponding python files under IPA Server and tried for the Upgrade.
However I was getting the error below:
-----
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1913, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1788, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 966, in certificate_renewal_update
'cert-nickname': ds.get_server_cert_nickname(serverid),
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The
ipa-server-upgrade command failed, exception: AttributeError: 'DsInstance'
object has no attribute 'get_server_cert_nickname'
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected
error - see /var/log/ipaupgrade.log for details:
AttributeError: 'DsInstance' object has no attribute
'get_server_cert_nickname'
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The
ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
information
------
So do I need to define "get_server_cert_nickname" in certs.py script too.
Awaiting your reply.
Thanks and Regards,
Alka Murali
On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
> Hello,
>
> Currently my server is running on IPA Server Version 4.4. I have tried to
> upgrade the Version to 4.5 using the ipa-server-upgrade command and got
> ended with the following error:
>
>
> --------
>
> 2017-09-26T02:27:32Z DEBUG stderr=
>
> 2017-09-26T02:27:50Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
>
> 2017-09-26T02:27:53Z DEBUG Starting external process
>
> 2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
> /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
>
> 2017-09-26T02:27:56Z DEBUG Process finished, return code=255
>
> 2017-09-26T02:27:56Z DEBUG stdout=
>
> 2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert:
> Server-Cert
>
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
>
> 2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>
> 2017-09-26T02:27:56Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py",
> line 172, in execute
>
> return_value = self.run()
>
> File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 46, in run
>
> server.upgrade()
>
> File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1913, in upgrade
>
> upgrade_configuration()
>
> File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1788, in upgrade_configuration
>
> certificate_renewal_update(ca, ds, http),
>
> File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1018, in certificate_renewal_update
>
> ds.start_tracking_certificates(serverid)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
> line 1046, in start_tracking_certificates
>
> 'restart_dirsrv %s' % serverid)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
> 362, in track_server_cert
>
> cert_obj = x509.load_certificate(cert)
>
> File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in
> load_certificate
>
> return cryptography.x509.load_der_x509_certificate(data,
> default_backend())
>
> File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py",
> line 47, in load_der_x509_certificate
>
> return backend.load_der_x509_certificate(data)
>
> File
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py",
> line 350, in load_der_x509_certificate
>
> return b.load_der_x509_certificate(data)
>
> File
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py",
> line 1185, in load_der_x509_certificate
>
> raise ValueError("Unable to load certificate")
>
>
> 2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command failed,
> exception: ValueError: Unable to load certificate
>
> 2017-09-26T02:27:56Z ERROR Unexpected error - see /var/log/ipaupgrade.log
> for details:
>
> ValueError: Unable to load certificate
>
> 2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command failed. See
> /var/log/ipaupgrade.log for more information
>
> -------
>
> I am using a third party signed certificate along with my IPA-CA. Is it
> an issue with my current CA. I can see that while fetching for the
> certificate, the name given to be "Server-cert" instead of the exact CA
> name.
>
>
> --
> Regards,
> Alka Murali
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedo
> rahosted.org
>
> Hi,
you are probably hitting issue 7141 [1]. The upgrade is trying to track
the HTTPd/LDAP server certificates but shouldn't if they were issued by an
external CA.
The fix is available in FreeIPA 4.6.1 [2]
HTH,
Flo
[1] https://pagure.io/freeipa/issue/7141
[2] http://www.freeipa.org/page/Releases/4.6.1
--
Regards,
Alka Murali
2:43 a.m.
On 09/28/2017 04:12 AM, Alka Murali wrote:
Hi Florence,
Thanks for the email. As you have mentioned, I tried updating the
corresponding python files under IPA Server and tried for the Upgrade.
Hi,
do you mean that you manually edited the python files? In this case it
is likely that some files were forgotten. The patch for 4-5 branch is
https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044 but
may depend on other commits applied on the branch between the 4.5.3
release and the patch.
For consistency, I'd rather recommend to upgrade the packages to 4.6
(available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
fedora27).
Flo
However I was getting the error below:
-----
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1913, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1788, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 966, in certificate_renewal_update
'cert-nickname': ds.get_server_cert_nickname(serverid),
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The
ipa-server-upgrade command failed, exception: AttributeError:
'DsInstance' object has no attribute 'get_server_cert_nickname'
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
Unexpected error - see /var/log/ipaupgrade.log for details:
AttributeError: 'DsInstance' object has no attribute
'get_server_cert_nickname'
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The
ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
information
------
So do I need to define "get_server_cert_nickname" in certs.py script too.
Awaiting your reply.
Thanks and Regards,
Alka Murali
On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud <flo(a)redhat.com
<mailto:flo@redhat.com>> wrote:
On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
Hello,
Currently my server is running on IPA Server Version 4.4. I have
tried to upgrade the Version to 4.5 using the ipa-server-upgrade
command and got ended with the following error:
--------
2017-09-26T02:27:32Z DEBUG stderr=
2017-09-26T02:27:50Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-09-26T02:27:53Z DEBUG Starting external process
2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
/etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
2017-09-26T02:27:56Z DEBUG Process finished, return code=255
2017-09-26T02:27:56Z DEBUG stdout=
2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert:
Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-09-26T02:27:56Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
172, in execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1913, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1788, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1018, in certificate_renewal_update
ds.start_tracking_certificates(serverid)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 1046, in start_tracking_certificates
'restart_dirsrv %s' % serverid)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 362, in track_server_cert
cert_obj = x509.load_certificate(cert)
File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line
119, in load_certificate
return cryptography.x509.load_der_x509_certificate(data,
default_backend())
File
"/usr/lib64/python2.7/site-packages/cryptography/x509/base.py",
line 47, in load_der_x509_certificate
return backend.load_der_x509_certificate(data)
File
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py",
line 350, in load_der_x509_certificate
return b.load_der_x509_certificate(data)
File
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py",
line 1185, in load_der_x509_certificate
raise ValueError("Unable to load certificate")
2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command
failed, exception: ValueError: Unable to load certificate
2017-09-26T02:27:56Z ERROR Unexpected error - see
/var/log/ipaupgrade.log for details:
ValueError: Unable to load certificate
2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command
failed. See /var/log/ipaupgrade.log for more information
-------
I am using a third party signed certificate along with my
IPA-CA. Is it an issue with my current CA. I can see that while
fetching for the certificate, the name given to be "Server-cert"
instead of the exact CA name.
--
Regards,
Alka Murali
_______________________________________________
FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
Hi,
you are probably hitting issue 7141 [1]. The upgrade is trying to
track the HTTPd/LDAP server certificates but shouldn't if they were
issued by an external CA.
The fix is available in FreeIPA 4.6.1 [2]
HTH,
Flo
[1] https://pagure.io/freeipa/issue/7141
<https://pagure.io/freeipa/issue/7141>
[2] http://www.freeipa.org/page/Releases/4.6.1
<http://www.freeipa.org/page/Releases/4.6.1>
--
Regards,
Alka Murali
2:52 a.m.
Hi Florence,
Thanks for the reply.
However do you mean that I need to create a new repo file for Version 4.6
and try the Upgrade? Or do you mean that I need to remove the current
installation and go for a fresh install?
Regards,
Alka Murali
On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
On 09/28/2017 04:12 AM, Alka Murali wrote:
> Hi Florence,
>
> Thanks for the email. As you have mentioned, I tried updating the
> corresponding python files under IPA Server and tried for the Upgrade.
>
Hi,
do you mean that you manually edited the python files? In this case it is
likely that some files were forgotten. The patch for 4-5 branch is
https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044 but
may depend on other commits applied on the branch between the 4.5.3 release
and the patch.
For consistency, I'd rather recommend to upgrade the packages to 4.6
(available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
fedora27).
Flo
However I was getting the error below:
>
> -----
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
> execute
>
> return_value = self.run()
>
> File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 46, in run
>
> server.upgrade()
>
> File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1913, in upgrade
>
> upgrade_configuration()
>
> File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1788, in upgrade_configuration
>
> certificate_renewal_update(ca, ds, http),
>
> File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 966, in certificate_renewal_update
>
> 'cert-nickname': ds.get_server_cert_nickname(serverid),
>
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The
> ipa-server-upgrade command failed, exception: AttributeError: 'DsInstance'
> object has no attribute 'get_server_cert_nickname'
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
> Unexpected error - see /var/log/ipaupgrade.log for details:
>
> AttributeError: 'DsInstance' object has no attribute
> 'get_server_cert_nickname'
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The
> ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
> information
>
> ------
>
> So do I need to define "get_server_cert_nickname" in certs.py script too.
>
>
> Awaiting your reply.
>
>
> Thanks and Regards,
>
> Alka Murali
>
>
> On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud <flo(a)redhat.com
> <mailto:flo@redhat.com>> wrote:
>
> On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
>
> Hello,
>
> Currently my server is running on IPA Server Version 4.4. I have
> tried to upgrade the Version to 4.5 using the ipa-server-upgrade
> command and got ended with the following error:
>
>
> --------
>
> 2017-09-26T02:27:32Z DEBUG stderr=
>
> 2017-09-26T02:27:50Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
>
> 2017-09-26T02:27:53Z DEBUG Starting external process
>
> 2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
> /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
>
> 2017-09-26T02:27:56Z DEBUG Process finished, return code=255
>
> 2017-09-26T02:27:56Z DEBUG stdout=
>
> 2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert:
> Server-Cert
>
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
>
> 2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade
> manually.
>
> 2017-09-26T02:27:56Z DEBUG File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
> 172, in execute
>
> return_value = self.run()
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_
> server_upgrade.py",
> line 46, in run
>
> server.upgrade()
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
> upgrade.py",
> line 1913, in upgrade
>
> upgrade_configuration()
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
> upgrade.py",
> line 1788, in upgrade_configuration
>
> certificate_renewal_update(ca, ds, http),
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
> upgrade.py",
> line 1018, in certificate_renewal_update
>
> ds.start_tracking_certificates(serverid)
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstan
> ce.py",
> line 1046, in start_tracking_certificates
>
> 'restart_dirsrv %s' % serverid)
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 362, in track_server_cert
>
> cert_obj = x509.load_certificate(cert)
>
> File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line
> 119, in load_certificate
>
> return cryptography.x509.load_der_x509_certificate(data,
> default_backend())
>
> File
> "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py",
> line 47, in load_der_x509_certificate
>
> return backend.load_der_x509_certificate(data)
>
> File
> "/usr/lib64/python2.7/site-packages/cryptography/hazmat/back
> ends/multibackend.py",
> line 350, in load_der_x509_certificate
>
> return b.load_der_x509_certificate(data)
>
> File
> "/usr/lib64/python2.7/site-packages/cryptography/hazmat/back
> ends/openssl/backend.py",
> line 1185, in load_der_x509_certificate
>
> raise ValueError("Unable to load certificate")
>
>
> 2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command
> failed, exception: ValueError: Unable to load certificate
>
> 2017-09-26T02:27:56Z ERROR Unexpected error - see
> /var/log/ipaupgrade.log for details:
>
> ValueError: Unable to load certificate
>
> 2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command
> failed. See /var/log/ipaupgrade.log for more information
>
> -------
>
> I am using a third party signed certificate along with my
> IPA-CA. Is it an issue with my current CA. I can see that while
> fetching for the certificate, the name given to be "Server-cert"
> instead of the exact CA name.
>
>
> -- Regards,
> Alka Murali
>
>
> _______________________________________________
> FreeIPA-users mailing list --
> freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
>
> Hi,
>
> you are probably hitting issue 7141 [1]. The upgrade is trying to
> track the HTTPd/LDAP server certificates but shouldn't if they were
> issued by an external CA.
>
> The fix is available in FreeIPA 4.6.1 [2]
>
> HTH,
> Flo
>
> [1] https://pagure.io/freeipa/issue/7141
> <https://pagure.io/freeipa/issue/7141>
> [2] http://www.freeipa.org/page/Releases/4.6.1
> <http://www.freeipa.org/page/Releases/4.6.1>
>
>
>
>
> --
> Regards,
> Alka Murali
>
--
Regards,
Alka Murali
3:58 a.m.
On 09/28/2017 09:52 AM, Alka Murali wrote:
Hi Florence,
Thanks for the reply.
However do you mean that I need to create a new repo file for Version
4.6 and try the Upgrade? Or do you mean that I need to remove the
current installation and go for a fresh install?
Hi,
the easiest path is to do:
sudo dnf copr enable @freeipa/freeipa-4-6
sudo dnf update freeipa-server
This will upgrade your existing installation to FreeIPA 4.6.
HTH,
Flo
Regards,
Alka Murali
On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud <flo(a)redhat.com
<mailto:flo@redhat.com>> wrote:
On 09/28/2017 04:12 AM, Alka Murali wrote:
Hi Florence,
Thanks for the email. As you have mentioned, I tried updating
the corresponding python files under IPA Server and tried for
the Upgrade.
Hi,
do you mean that you manually edited the python files? In this case
it is likely that some files were forgotten. The patch for 4-5
branch is
https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044
<https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044>
but may depend on other commits applied on the branch between the
4.5.3 release and the patch.
For consistency, I'd rather recommend to upgrade the packages to 4.6
(available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
fedora27).
Flo
However I was getting the error below:
-----
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:
File "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
line 172, in execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1913, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1788, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 966, in certificate_renewal_update
'cert-nickname': ds.get_server_cert_nickname(serverid),
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:
The ipa-server-upgrade command failed, exception:
AttributeError: 'DsInstance' object has no attribute
'get_server_cert_nickname'
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
Unexpected error - see /var/log/ipaupgrade.log for details:
AttributeError: 'DsInstance' object has no attribute
'get_server_cert_nickname'
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
------
So do I need to define "get_server_cert_nickname" in certs.py
script too.
Awaiting your reply.
Thanks and Regards,
Alka Murali
On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud
<flo(a)redhat.com <mailto:flo@redhat.com> <mailto:flo@redhat.com
<mailto:flo@redhat.com>>> wrote:
On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
Hello,
Currently my server is running on IPA Server Version
4.4. I have
tried to upgrade the Version to 4.5 using the
ipa-server-upgrade
command and got ended with the following error:
--------
2017-09-26T02:27:32Z DEBUG stderr=
2017-09-26T02:27:50Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-09-26T02:27:53Z DEBUG Starting external process
2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
/etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
2017-09-26T02:27:56Z DEBUG Process finished, return
code=255
2017-09-26T02:27:56Z DEBUG stdout=
2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not
find cert:
Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
2017-09-26T02:27:56Z ERROR IPA server upgrade failed:
Inspect
/var/log/ipaupgrade.log and run command
ipa-server-upgrade manually.
2017-09-26T02:27:56Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
172, in execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1913, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1788, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1018, in certificate_renewal_update
ds.start_tracking_certificates(serverid)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 1046, in start_tracking_certificates
'restart_dirsrv %s' % serverid)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 362, in track_server_cert
cert_obj = x509.load_certificate(cert)
File "/usr/lib/python2.7/site-packages/ipalib/x509.py",
line
119, in load_certificate
return cryptography.x509.load_der_x509_certificate(data,
default_backend())
File
"/usr/lib64/python2.7/site-packages/cryptography/x509/base.py",
line 47, in load_der_x509_certificate
return backend.load_der_x509_certificate(data)
File
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py",
line 350, in load_der_x509_certificate
return b.load_der_x509_certificate(data)
File
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py",
line 1185, in load_der_x509_certificate
raise ValueError("Unable to load certificate")
2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command
failed, exception: ValueError: Unable to load certificate
2017-09-26T02:27:56Z ERROR Unexpected error - see
/var/log/ipaupgrade.log for details:
ValueError: Unable to load certificate
2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command
failed. See /var/log/ipaupgrade.log for more information
-------
I am using a third party signed certificate along with my
IPA-CA. Is it an issue with my current CA. I can see
that while
fetching for the certificate, the name given to be
"Server-cert"
instead of the exact CA name.
-- Regards,
Alka Murali
_______________________________________________
FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
<mailto:freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>>
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
<mailto:freeipa-users-leave@lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>>
Hi,
you are probably hitting issue 7141 [1]. The upgrade is
trying to
track the HTTPd/LDAP server certificates but shouldn't if
they were
issued by an external CA.
The fix is available in FreeIPA 4.6.1 [2]
HTH,
Flo
[1] https://pagure.io/freeipa/issue/7141
<https://pagure.io/freeipa/issue/7141>
<https://pagure.io/freeipa/issue/7141
<https://pagure.io/freeipa/issue/7141>>
[2] http://www.freeipa.org/page/Releases/4.6.1
<http://www.freeipa.org/page/Releases/4.6.1>
<http://www.freeipa.org/page/Releases/4.6.1
<http://www.freeipa.org/page/Releases/4.6.1>>
--
Regards,
Alka Murali
--
Regards,
Alka Murali
4:51 a.m.
Hi Florence,
Thanks for the email.
I am on CentOS 7 system and would like to use yum to go for the Upgrade. I
beleive dnf is intended for Fedora. Can you please provide me a solution
for CentOS on the Upgrade process.
Regards,
Alka Murali
On Thu, Sep 28, 2017 at 4:58 PM, Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
On 09/28/2017 09:52 AM, Alka Murali wrote:
> Hi Florence,
>
> Thanks for the reply.
>
> However do you mean that I need to create a new repo file for Version 4.6
> and try the Upgrade? Or do you mean that I need to remove the current
> installation and go for a fresh install?
>
> Hi,
the easiest path is to do:
sudo dnf copr enable @freeipa/freeipa-4-6
sudo dnf update freeipa-server
This will upgrade your existing installation to FreeIPA 4.6.
HTH,
Flo
Regards,
> Alka Murali
>
>
> On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud <flo(a)redhat.com
> <mailto:flo@redhat.com>> wrote:
>
> On 09/28/2017 04:12 AM, Alka Murali wrote:
>
> Hi Florence,
>
> Thanks for the email. As you have mentioned, I tried updating
> the corresponding python files under IPA Server and tried for
> the Upgrade.
>
> Hi,
>
> do you mean that you manually edited the python files? In this case
> it is likely that some files were forgotten. The patch for 4-5
> branch is
> https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044
> <https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044
> >
> but may depend on other commits applied on the branch between the
> 4.5.3 release and the patch.
>
> For consistency, I'd rather recommend to upgrade the packages to 4.6
> (available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
> fedora27).
>
> Flo
>
> However I was getting the error below:
>
> -----
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:
> File "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
> line 172, in execute
>
> return_value = self.run()
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_
> server_upgrade.py",
> line 46, in run
>
> server.upgrade()
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
> upgrade.py",
> line 1913, in upgrade
>
> upgrade_configuration()
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
> upgrade.py",
> line 1788, in upgrade_configuration
>
> certificate_renewal_update(ca, ds, http),
>
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
> upgrade.py",
> line 966, in certificate_renewal_update
>
> 'cert-nickname': ds.get_server_cert_nickname(serverid),
>
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:
> The ipa-server-upgrade command failed, exception:
> AttributeError: 'DsInstance' object has no attribute
> 'get_server_cert_nickname'
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
> Unexpected error - see /var/log/ipaupgrade.log for details:
>
> AttributeError: 'DsInstance' object has no attribute
> 'get_server_cert_nickname'
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
> The ipa-server-upgrade command failed. See
> /var/log/ipaupgrade.log for more information
>
> ------
>
> So do I need to define "get_server_cert_nickname" in certs.py
> script too.
>
>
> Awaiting your reply.
>
>
> Thanks and Regards,
>
> Alka Murali
>
>
> On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud
> <flo(a)redhat.com <mailto:flo@redhat.com> <mailto:flo@redhat.com
>
> <mailto:flo@redhat.com>>> wrote:
>
> On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
>
> Hello,
>
> Currently my server is running on IPA Server Version
> 4.4. I have
> tried to upgrade the Version to 4.5 using the
> ipa-server-upgrade
> command and got ended with the following error:
>
>
> --------
>
> 2017-09-26T02:27:32Z DEBUG stderr=
>
> 2017-09-26T02:27:50Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
>
> 2017-09-26T02:27:53Z DEBUG Starting external process
>
> 2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
> /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
>
> 2017-09-26T02:27:56Z DEBUG Process finished, return
> code=255
>
> 2017-09-26T02:27:56Z DEBUG stdout=
>
> 2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not
> find cert:
> Server-Cert
>
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
>
> 2017-09-26T02:27:56Z ERROR IPA server upgrade failed:
> Inspect
> /var/log/ipaupgrade.log and run command
> ipa-server-upgrade manually.
>
> 2017-09-26T02:27:56Z DEBUG File
>
"/usr/lib/python2.7/site-packages/ipapython/admintool.py",
> line
> 172, in execute
>
> return_value = self.run()
>
> File
> "/usr/lib/python2.7/site-packa
> ges/ipaserver/install/ipa_server_upgrade.py",
> line 46, in run
>
> server.upgrade()
>
> File
> "/usr/lib/python2.7/site-packa
> ges/ipaserver/install/server/upgrade.py",
> line 1913, in upgrade
>
> upgrade_configuration()
>
> File
> "/usr/lib/python2.7/site-packa
> ges/ipaserver/install/server/upgrade.py",
> line 1788, in upgrade_configuration
>
> certificate_renewal_update(ca, ds, http),
>
> File
> "/usr/lib/python2.7/site-packa
> ges/ipaserver/install/server/upgrade.py",
> line 1018, in certificate_renewal_update
>
> ds.start_tracking_certificates(serverid)
>
> File
> "/usr/lib/python2.7/site-packa
> ges/ipaserver/install/dsinstance.py",
> line 1046, in start_tracking_certificates
>
> 'restart_dirsrv %s' % serverid)
>
> File
> "/usr/lib/python2.7/site-packa
> ges/ipaserver/install/certs.py",
> line 362, in track_server_cert
>
> cert_obj = x509.load_certificate(cert)
>
> File "/usr/lib/python2.7/site-packages/ipalib/x509.py",
> line
> 119, in load_certificate
>
> return cryptography.x509.load_der_x509_certificate(data,
> default_backend())
>
> File
> "/usr/lib64/python2.7/site-pac
> kages/cryptography/x509/base.py",
> line 47, in load_der_x509_certificate
>
> return backend.load_der_x509_certificate(data)
>
> File
> "/usr/lib64/python2.7/site-pac
> kages/cryptography/hazmat/backends/multibackend.py",
> line 350, in load_der_x509_certificate
>
> return b.load_der_x509_certificate(data)
>
> File
> "/usr/lib64/python2.7/site-pac
> kages/cryptography/hazmat/backends/openssl/backend.py",
> line 1185, in load_der_x509_certificate
>
> raise ValueError("Unable to load certificate")
>
>
> 2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command
> failed, exception: ValueError: Unable to load certificate
>
> 2017-09-26T02:27:56Z ERROR Unexpected error - see
> /var/log/ipaupgrade.log for details:
>
> ValueError: Unable to load certificate
>
> 2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command
> failed. See /var/log/ipaupgrade.log for more information
>
> -------
>
> I am using a third party signed certificate along with my
> IPA-CA. Is it an issue with my current CA. I can see
> that while
> fetching for the certificate, the name given to be
> "Server-cert"
> instead of the exact CA name.
>
>
> -- Regards,
> Alka Murali
>
>
> _______________________________________________
> FreeIPA-users mailing list --
> freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
>
> Hi,
>
> you are probably hitting issue 7141 [1]. The upgrade is
> trying to
> track the HTTPd/LDAP server certificates but shouldn't if
> they were
> issued by an external CA.
>
> The fix is available in FreeIPA 4.6.1 [2]
>
> HTH,
> Flo
>
> [1] https://pagure.io/freeipa/issue/7141
> <https://pagure.io/freeipa/issue/7141>
> <https://pagure.io/freeipa/issue/7141
> <https://pagure.io/freeipa/issue/7141>>
> [2] http://www.freeipa.org/page/Releases/4.6.1
> <http://www.freeipa.org/page/Releases/4.6.1>
> <http://www.freeipa.org/page/Releases/4.6.1
> <http://www.freeipa.org/page/Releases/4.6.1>>
>
>
>
>
> -- Regards,
> Alka Murali
>
>
>
>
>
> --
> Regards,
> Alka Murali
>
--
Regards,
Alka Murali
3:03 a.m.
On 09/28/2017 11:51 AM, Alka Murali via FreeIPA-users wrote:
Hi Florence,
Thanks for the email.
I am on CentOS 7 system and would like to use yum to go for the Upgrade.
I beleive dnf is intended for Fedora. Can you please provide me a
solution for CentOS on the Upgrade process.
Regards,
Alka Murali
Hi,
the fix hasn't been released yet in CentOS.
The workaround would be to rename your certificate into "Server-Cert"
before running ipa-server-upgrade.
If the 3rd part certificate is used by HTTPd:
backup /etc/httpd/alias, use certutil --rename to rename the cert as
"Server-Cert" and edit /etc/httpd/conf.d/nss.conf (replace NSSNickname
xxx with NSSNickName Server-Cert)
If the 3rd part certificate is used by LDAP:
backup /etc/dirsrv/slapd-DOMxx, use certutil --rename to rename the cert
as "Server-Cert" and edit /etc/dirsrv/slapd-DOMxx/dse.ldif (replace
nsSSLPersonalitySSL: xxx with nsSSLPersonalitySSL: Server-Cert).
Restart both services and re-try ipa-server-upgrade. After the command
completes, you will also need to stop-tracking the 3rd part certificate
Server-Cert:
If the 3rd part cert is used by LDAP:
sudo getcert list -d /etc/dirsrv/slapd-DOMxxx -n Server-Cert
=> Extract the request ID, for instance Request ID '20170929163547'
sudo getcert stop-tracking -i 20170929163547
If the 3rd part cert is used by HTTPd:
sudo getcert list -d /etc/httpd/alias/ -n Server-Cert
=> Extract the request ID
sudo getcert stop-tracking -i <requestID>
HTH,
Flo
On Thu, Sep 28, 2017 at 4:58 PM, Florence Blanc-Renaud <flo(a)redhat.com
<mailto:flo@redhat.com>> wrote:
On 09/28/2017 09:52 AM, Alka Murali wrote:
Hi Florence,
Thanks for the reply.
However do you mean that I need to create a new repo file for
Version 4.6 and try the Upgrade? Or do you mean that I need to
remove the current installation and go for a fresh install?
Hi,
the easiest path is to do:
sudo dnf copr enable @freeipa/freeipa-4-6
sudo dnf update freeipa-server
This will upgrade your existing installation to FreeIPA 4.6.
HTH,
Flo
Regards,
Alka Murali
On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud
<flo(a)redhat.com <mailto:flo@redhat.com> <mailto:flo@redhat.com
<mailto:flo@redhat.com>>> wrote:
On 09/28/2017 04:12 AM, Alka Murali wrote:
Hi Florence,
Thanks for the email. As you have mentioned, I tried
updating
the corresponding python files under IPA Server and
tried for
the Upgrade.
Hi,
do you mean that you manually edited the python files? In
this case
it is likely that some files were forgotten. The patch for 4-5
branch is
https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044
<https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044>
<https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044
<https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044>>
but may depend on other commits applied on the branch
between the
4.5.3 release and the patch.
For consistency, I'd rather recommend to upgrade the
packages to 4.6
(available in the copr repo @freeipa/freeipa-4-6 for fedora
26 and
fedora27).
Flo
However I was getting the error below:
-----
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade:
DEBUG:
File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py",
line 172, in execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1913, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1788, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 966, in certificate_renewal_update
'cert-nickname': ds.get_server_cert_nickname(serverid),
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade:
DEBUG:
The ipa-server-upgrade command failed, exception:
AttributeError: 'DsInstance' object has no attribute
'get_server_cert_nickname'
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade:
ERROR:
Unexpected error - see /var/log/ipaupgrade.log for details:
AttributeError: 'DsInstance' object has no attribute
'get_server_cert_nickname'
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade:
ERROR:
The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
------
So do I need to define "get_server_cert_nickname" in
certs.py
script too.
Awaiting your reply.
Thanks and Regards,
Alka Murali
On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud
<flo(a)redhat.com <mailto:flo@redhat.com>
<mailto:flo@redhat.com <mailto:flo@redhat.com>>
<mailto:flo@redhat.com <mailto:flo@redhat.com>
<mailto:flo@redhat.com <mailto:flo@redhat.com>>>>
wrote:
On 09/26/2017 05:18 AM, Alka Murali via
FreeIPA-users wrote:
Hello,
Currently my server is running on IPA Server
Version
4.4. I have
tried to upgrade the Version to 4.5 using the
ipa-server-upgrade
command and got ended with the following error:
--------
2017-09-26T02:27:32Z DEBUG stderr=
2017-09-26T02:27:50Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-09-26T02:27:53Z DEBUG Starting external
process
2017-09-26T02:27:53Z DEBUG
args=/usr/bin/certutil -d
/etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert
-a -f
/etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
2017-09-26T02:27:56Z DEBUG Process finished,
return
code=255
2017-09-26T02:27:56Z DEBUG stdout=
2017-09-26T02:27:56Z DEBUG stderr=certutil:
Could not
find cert:
Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
2017-09-26T02:27:56Z ERROR IPA server upgrade
failed:
Inspect
/var/log/ipaupgrade.log and run command
ipa-server-upgrade manually.
2017-09-26T02:27:56Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
172, in execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1913, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1788, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1018, in certificate_renewal_update
ds.start_tracking_certificates(serverid)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 1046, in start_tracking_certificates
'restart_dirsrv %s' % serverid)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 362, in track_server_cert
cert_obj = x509.load_certificate(cert)
File
"/usr/lib/python2.7/site-packages/ipalib/x509.py",
line
119, in load_certificate
return
cryptography.x509.load_der_x509_certificate(data,
default_backend())
File
"/usr/lib64/python2.7/site-packages/cryptography/x509/base.py",
line 47, in load_der_x509_certificate
return backend.load_der_x509_certificate(data)
File
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py",
line 350, in load_der_x509_certificate
return b.load_der_x509_certificate(data)
File
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py",
line 1185, in load_der_x509_certificate
raise ValueError("Unable to load certificate")
2017-09-26T02:27:56Z DEBUG The
ipa-server-upgrade command
failed, exception: ValueError: Unable to load
certificate
2017-09-26T02:27:56Z ERROR Unexpected error - see
/var/log/ipaupgrade.log for details:
ValueError: Unable to load certificate
2017-09-26T02:27:56Z ERROR The
ipa-server-upgrade command
failed. See /var/log/ipaupgrade.log for more
information
-------
I am using a third party signed certificate
along with my
IPA-CA. Is it an issue with my current CA. I
can see
that while
fetching for the certificate, the name given to be
"Server-cert"
instead of the exact CA name.
-- Regards,
Alka Murali
_______________________________________________
FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
<mailto:freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>>
<mailto:freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
<mailto:freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>>>
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
<mailto:freeipa-users-leave@lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>>
<mailto:freeipa-users-leave@lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
<mailto:freeipa-users-leave@lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>>>
Hi,
you are probably hitting issue 7141 [1]. The
upgrade is
trying to
track the HTTPd/LDAP server certificates but
shouldn't if
they were
issued by an external CA.
The fix is available in FreeIPA 4.6.1 [2]
HTH,
Flo
[1] https://pagure.io/freeipa/issue/7141
<https://pagure.io/freeipa/issue/7141>
<https://pagure.io/freeipa/issue/7141
<https://pagure.io/freeipa/issue/7141>>
<https://pagure.io/freeipa/issue/7141
<https://pagure.io/freeipa/issue/7141>
<https://pagure.io/freeipa/issue/7141
<https://pagure.io/freeipa/issue/7141>>>
[2] http://www.freeipa.org/page/Releases/4.6.1
<http://www.freeipa.org/page/Releases/4.6.1>
<http://www.freeipa.org/page/Releases/4.6.1
<http://www.freeipa.org/page/Releases/4.6.1>>
<http://www.freeipa.org/page/Releases/4.6.1
<http://www.freeipa.org/page/Releases/4.6.1>
<http://www.freeipa.org/page/Releases/4.6.1
<http://www.freeipa.org/page/Releases/4.6.1>>>
-- Regards,
Alka Murali
--
Regards,
Alka Murali
--
Regards,
Alka Murali
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
1:16 p.m.
Note that the —rename option of certutil doesn’t seem to work for this format of files.
Extract the cert, delete and and add it back with the new nickname. e.g.
certutil -L -d /etc/httpd/alias -n ‘CN=…...' -a -o ~/krb1.cert
certutil -D -d /etc/httpd/alias -n ‘CN=…..'
certutil -A -d /etc/httpd/alias -n "Server-Cert" -t u,u,u -i ~/krb1.cert
10:50 a.m.
We were in the same situation. I tried this solution, and it does fix the problem with not
being able to upgrade.
However it still leaves an inconsistency in the configuration. I was unable to add a new
replica. It failed at the CA step, even if the new replica was installed without CA. The
only way I could get the new replica set up was to remove
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster
from cn=CA,cn=krb1.cs.rutgers.edu,cn=masters,cn=ipa,cn=etc,dc=cs,dc=rutgers,dc=edu
That makes the primary think there are no CA’s in the system, and the install works
fine.
If it doesn’t make sense to add a third-party cert when there’s a CA, perhaps you could
update the instructions to say that. But I’d like a way to put my system in a consistent
state, so that both updates and topology changes work.
On Oct 2, 2017, at 4:03 AM, Florence Blanc-Renaud via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
On 09/28/2017 11:51 AM, Alka Murali via FreeIPA-users wrote:
> Hi Florence,
> Thanks for the email.
> I am on CentOS 7 system and would like to use yum to go for the Upgrade. I beleive
dnf is intended for Fedora. Can you please provide me a solution for CentOS on the Upgrade
process.
> Regards,
> Alka Murali
Hi,
the fix hasn't been released yet in CentOS.
The workaround would be to rename your certificate into "Server-Cert" before
running ipa-server-upgrade.
If the 3rd part certificate is used by HTTPd:
backup /etc/httpd/alias, use certutil --rename to rename the cert as
"Server-Cert" and edit /etc/httpd/conf.d/nss.conf (replace NSSNickname xxx with
NSSNickName Server-Cert)
If the 3rd part certificate is used by LDAP:
backup /etc/dirsrv/slapd-DOMxx, use certutil --rename to rename the cert as
"Server-Cert" and edit /etc/dirsrv/slapd-DOMxx/dse.ldif (replace
nsSSLPersonalitySSL: xxx with nsSSLPersonalitySSL: Server-Cert).
Restart both services and re-try ipa-server-upgrade. After the command completes, you
will also need to stop-tracking the 3rd part certificate Server-Cert:
If the 3rd part cert is used by LDAP:
sudo getcert list -d /etc/dirsrv/slapd-DOMxxx -n Server-Cert
=> Extract the request ID, for instance Request ID '20170929163547'
sudo getcert stop-tracking -i 20170929163547
If the 3rd part cert is used by HTTPd:
sudo getcert list -d /etc/httpd/alias/ -n Server-Cert
=> Extract the request ID
sudo getcert stop-tracking -i <requestID>
HTH,
Flo
> On Thu, Sep 28, 2017 at 4:58 PM, Florence Blanc-Renaud <flo(a)redhat.com
<mailto:flo@redhat.com>> wrote:
> On 09/28/2017 09:52 AM, Alka Murali wrote:
> Hi Florence,
> Thanks for the reply.
> However do you mean that I need to create a new repo file for
> Version 4.6 and try the Upgrade? Or do you mean that I need to
> remove the current installation and go for a fresh install?
> Hi,
> the easiest path is to do:
> sudo dnf copr enable @freeipa/freeipa-4-6
> sudo dnf update freeipa-server
> This will upgrade your existing installation to FreeIPA 4.6.
> HTH,
> Flo
> Regards,
> Alka Murali
> On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud
> <flo(a)redhat.com <mailto:flo@redhat.com> <mailto:flo@redhat.com
> <mailto:flo@redhat.com>>> wrote:
> On 09/28/2017 04:12 AM, Alka Murali wrote:
> Hi Florence,
> Thanks for the email. As you have mentioned, I tried
> updating
> the corresponding python files under IPA Server and
> tried for
> the Upgrade.
> Hi,
> do you mean that you manually edited the python files? In
> this case
> it is likely that some files were forgotten. The patch for 4-5
> branch is
>
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.i...
>
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.i...
>
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.i...
>
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.i...
> but may depend on other commits applied on the branch
> between the
> 4.5.3 release and the patch.
> For consistency, I'd rather recommend to upgrade the
> packages to 4.6
> (available in the copr repo @freeipa/freeipa-4-6 for fedora
> 26 and
> fedora27).
> Flo
> However I was getting the error below:
> -----
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade:
> DEBUG:
> File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
> line 172, in execute
> return_value = self.run()
> File
>
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 46, in run
> server.upgrade()
> File
>
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1913, in upgrade
> upgrade_configuration()
> File
>
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1788, in upgrade_configuration
> certificate_renewal_update(ca, ds, http),
> File
>
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 966, in certificate_renewal_update
> 'cert-nickname': ds.get_server_cert_nickname(serverid),
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade:
> DEBUG:
> The ipa-server-upgrade command failed, exception:
> AttributeError: 'DsInstance' object has no attribute
> 'get_server_cert_nickname'
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade:
> ERROR:
> Unexpected error - see /var/log/ipaupgrade.log for details:
> AttributeError: 'DsInstance' object has no attribute
> 'get_server_cert_nickname'
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade:
> ERROR:
> The ipa-server-upgrade command failed. See
> /var/log/ipaupgrade.log for more information
> ------
> So do I need to define "get_server_cert_nickname" in
> certs.py
> script too.
> Awaiting your reply.
> Thanks and Regards,
> Alka Murali
> On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud
> <flo(a)redhat.com <mailto:flo@redhat.com>
> <mailto:flo@redhat.com <mailto:flo@redhat.com>>
> <mailto:flo@redhat.com <mailto:flo@redhat.com>
> <mailto:flo@redhat.com <mailto:flo@redhat.com>>>>
wrote:
> On 09/26/2017 05:18 AM, Alka Murali via
> FreeIPA-users wrote:
> Hello,
> Currently my server is running on IPA Server
> Version
> 4.4. I have
> tried to upgrade the Version to 4.5 using the
> ipa-server-upgrade
> command and got ended with the following error:
> --------
> 2017-09-26T02:27:32Z DEBUG stderr=
> 2017-09-26T02:27:50Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2017-09-26T02:27:53Z DEBUG Starting external
> process
> 2017-09-26T02:27:53Z DEBUG
> args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert
> -a -f
> /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
> 2017-09-26T02:27:56Z DEBUG Process finished,
> return
> code=255
> 2017-09-26T02:27:56Z DEBUG stdout=
> 2017-09-26T02:27:56Z DEBUG stderr=certutil:
> Could not
> find cert:
> Server-Cert
> : PR_FILE_NOT_FOUND_ERROR: File not found
> 2017-09-26T02:27:56Z ERROR IPA server upgrade
> failed:
> Inspect
> /var/log/ipaupgrade.log and run command
> ipa-server-upgrade manually.
> 2017-09-26T02:27:56Z DEBUG File
>
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
> 172, in execute
> return_value = self.run()
> File
>
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 46, in run
> server.upgrade()
> File
>
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1913, in upgrade
> upgrade_configuration()
> File
>
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1788, in upgrade_configuration
> certificate_renewal_update(ca, ds, http),
> File
>
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1018, in certificate_renewal_update
> ds.start_tracking_certificates(serverid)
> File
>
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
> line 1046, in start_tracking_certificates
> 'restart_dirsrv %s' % serverid)
> File
>
"/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 362, in track_server_cert
> cert_obj = x509.load_certificate(cert)
> File
> "/usr/lib/python2.7/site-packages/ipalib/x509.py",
> line
> 119, in load_certificate
> return
> cryptography.x509.load_der_x509_certificate(data,
> default_backend())
> File
>
"/usr/lib64/python2.7/site-packages/cryptography/x509/base.py",
> line 47, in load_der_x509_certificate
> return backend.load_der_x509_certificate(data)
> File
>
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py",
> line 350, in load_der_x509_certificate
> return b.load_der_x509_certificate(data)
> File
>
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py",
> line 1185, in load_der_x509_certificate
> raise ValueError("Unable to load certificate")
> 2017-09-26T02:27:56Z DEBUG The
> ipa-server-upgrade command
> failed, exception: ValueError: Unable to load
> certificate
> 2017-09-26T02:27:56Z ERROR Unexpected error - see
> /var/log/ipaupgrade.log for details:
> ValueError: Unable to load certificate
> 2017-09-26T02:27:56Z ERROR The
> ipa-server-upgrade command
> failed. See /var/log/ipaupgrade.log for more
> information
> -------
> I am using a third party signed certificate
> along with my
> IPA-CA. Is it an issue with my current CA. I
> can see
> that while
> fetching for the certificate, the name given to be
> "Server-cert"
> instead of the exact CA name.
> -- Regards,
> Alka Murali
> _______________________________________________
> FreeIPA-users mailing list --
> freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>
> <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>>
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
>
<mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> Hi,
> you are probably hitting issue 7141 [1]. The
> upgrade is
> trying to
> track the HTTPd/LDAP server certificates but
> shouldn't if
> they were
> issued by an external CA.
> The fix is available in FreeIPA 4.6.1 [2]
> HTH,
> Flo
> [1]
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.i...
>
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.i...
>
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.i...
>
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.i...
>
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.i...
>
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.i...
>
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.i...
>
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.i...
> [2]
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freei...
>
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freei...
>
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freei...
>
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freei...
>
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freei...
>
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freei...
>
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freei...
>
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freei...
> -- Regards,
> Alka Murali
> -- Regards,
> Alka Murali
> --
> Regards,
> Alka Murali
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
1:55 p.m.
New subject: how I spent my day (hints on dealing with issues setting up a replica)
In case anyone else has the same problem, let me document what I did today with our IPA
installation (Centos 7.3)
We started out by installing a primary with a default install, and doing
ipa-replica-install with no parameters. That worked fine. We then install a commercial
certificate, because I wanted people to be able to use the web tool without having to
click through warnings.
That used https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP.
That worked fine. However it created a time bomb.
The first attempt at doing “yum update” failed to update the primary. There was a recent
email on this. It can be fixed by changing the nicknames for the certificate to
“Server-Cert,” using a process describe in email. That allows update and reboot to work.
However I just tried installing a third replica. I ran into two issues:
1) It blew up at varying points, but most consistently when trying to talk to the CA
system. I’m guessing that using the commercial cert confused it, though I didn’t actually
diagnose the problem.
To work around this, I did ldapmodify on
dn: cn=CA,cn=krb1.cs.rutgers.edu,cn=masters,cn=ipa,cn=etc,dc=cs,dc=rutgers,dc=edu
changetype:modify
delete:ipaConfigString
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster
That makes the primary appear not to be a CA, after which ipa-replica-install works, when
specifying --dirsrv-cert-file --http-cert-file --no-pkinit.
2) The resulting system looked OK, but ipa-replica-manage -v list XXX showed that it
didn’t sync from one of the servers. It looks like a remnant of the failed installs. I had
done “ipa server-del” after the failure, but maybe no after all of them. Anyway, I ended
up with two entries for the ldap service. On one of the servers the current entry had the
wrong dn. I had to do modrdn to fix it.
But I still got permission failures. I had to add the dn manually to cn=replication
managers,cn=sysaccounts,cn=etc,dc=cs,dc=rutgers,dc=edu. At that point after doing a
reinitialize and restarting ipa, things look good.
The upshot is that doing this kind of thing requires pretty good skills at reverse
engineering and doing LDAP configuration. Perhaps it’s reasonable to assume such skills
are available anywhere that’s using this in production.
3:20 p.m.
New subject: how I spent my day (hints on dealing with issues setting up a replica)
Charles Hedrick via FreeIPA-users wrote:
In case anyone else has the same problem, let me document what I did
today with our IPA installation (Centos 7.3)
Sorry to hear you had so many problems.
We started out by installing a primary with a default install, and doing
ipa-replica-install with no parameters. That worked fine. We then install a commercial
certificate, because I wanted people to be able to use the web tool without having to
click through warnings.
That used https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP.
That worked fine. However it created a time bomb.
The first attempt at doing “yum update” failed to update the primary. There was a recent
email on this. It can be fixed by changing the nicknames for the certificate to
“Server-Cert,” using a process describe in email. That allows update and reboot to work.
However I just tried installing a third replica. I ran into two issues:
1) It blew up at varying points, but most consistently when trying to talk to the CA
system. I’m guessing that using the commercial cert confused it, though I didn’t actually
diagnose the problem.
To work around this, I did ldapmodify on
dn: cn=CA,cn=krb1.cs.rutgers.edu,cn=masters,cn=ipa,cn=etc,dc=cs,dc=rutgers,dc=edu
changetype:modify
delete:ipaConfigString
ipaConfigString: enabledService
ipaConfigString: caRenewalMaster
That makes the primary appear not to be a CA, after which ipa-replica-install works, when
specifying --dirsrv-cert-file --http-cert-file --no-pkinit.
Without logs, reproduction steps and a ticket it makes it difficult to
fix this.
2) The resulting system looked OK, but ipa-replica-manage -v list XXX
showed that it didn’t sync from one of the servers. It looks like a remnant of the failed
installs. I had done “ipa server-del” after the failure, but maybe no after all of them.
Anyway, I ended up with two entries for the ldap service. On one of the servers the
current entry had the wrong dn. I had to do modrdn to fix it.
What was wrong about it?
It's unlikely related to a missing server-del because existing entries
should have prevented a re-install.
But I still got permission failures. I had to add the dn manually to
cn=replication managers,cn=sysaccounts,cn=etc,dc=cs,dc=rutgers,dc=edu. At that point after
doing a reinitialize and restarting ipa, things look good.
It's odd that the initial replication succeeded without this. Again logs
would help.
The upshot is that doing this kind of thing requires pretty good
skills at reverse engineering and doing LDAP configuration. Perhaps it’s reasonable to
assume such skills are available anywhere that’s using this in production.
Well, ideally IPA is supposed to do all this for you. There aren't
normally so many hoops to jump through to get a replica install.
rob
2392
days inactive
2402
days old
freeipa-users@lists.fedorahosted.org
11 comments
4 participants
participants (4)
-
Alka Murali -
Charles Hedrick -
Florence Blanc-Renaud -
Rob Crittenden