We were in the same situation. I tried this solution, and it does fix the problem with not being able to upgrade.

However it still leaves an inconsistency in the configuration. I was unable to add a new replica. It failed at the CA step, even if the new replica was installed without CA. The only way I could get the new replica set up was to remove

    ipaConfigString: enabledService
    ipaConfigString: caRenewalMaster

from cn=CA,cn=krb1.cs.rutgers.edu,cn=masters,cn=ipa,cn=etc,dc=cs,dc=rutgers,dc=edu

That makes the primary think there are no CAs in the system, and the install works fine.

If it doesn’t make sense to add a third-party cert when there’s a CA, perhaps you could update the instructions to say that. But I’d like a way to put my system in a consistent state, so that both updates and topology changes work.
On Oct 2, 2017, at 4:03 AM, Florence Blanc-Renaud via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
On 09/28/2017 11:51 AM, Alka Murali via FreeIPA-users wrote:
> Hi Florence,
> Thanks for the email.
> I am on a CentOS 7 system and would like to use yum to go for the Upgrade. I believe dnf is intended for Fedora. Can you please provide me a solution for CentOS on the Upgrade process?
> Regards,
> Alka Murali
Hi,
the fix hasn't been released yet in CentOS.
The workaround would be to rename your certificate into "Server-Cert" before running ipa-server-upgrade.

If the 3rd party certificate is used by HTTPd:
backup /etc/httpd/alias, use certutil --rename to rename the cert as "Server-Cert" and edit /etc/httpd/conf.d/nss.conf (replace NSSNickname xxx with NSSNickname Server-Cert)

If the 3rd party certificate is used by LDAP:
backup /etc/dirsrv/slapd-DOMxx, use certutil --rename to rename the cert as "Server-Cert" and edit /etc/dirsrv/slapd-DOMxx/dse.ldif (replace nsSSLPersonalitySSL: xxx with nsSSLPersonalitySSL: Server-Cert).

Restart both services and re-try ipa-server-upgrade. After the command completes, you will also need to stop-tracking the 3rd party certificate Server-Cert:

If the 3rd party cert is used by LDAP:
sudo getcert list -d /etc/dirsrv/slapd-DOMxxx -n Server-Cert
=> Extract the request ID, for instance Request ID '20170929163547'
sudo getcert stop-tracking -i 20170929163547

If the 3rd party cert is used by HTTPd:
sudo getcert list -d /etc/httpd/alias/ -n Server-Cert
=> Extract the request ID
sudo getcert stop-tracking -i <requestID>

HTH,
Flo
> On Thu, Sep 28, 2017 at 4:58 PM, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> On 09/28/2017 09:52 AM, Alka Murali wrote:
> Hi Florence,
> Thanks for the reply.
> However do you mean that I need to create a new repo file for Version 4.6 and try the Upgrade? Or do you mean that I need to remove the current installation and go for a fresh install?
> Hi,
> the easiest path is to do:
> sudo dnf copr enable @freeipa/freeipa-4-6
> sudo dnf update freeipa-server
> This will upgrade your existing installation to FreeIPA 4.6.
> HTH,
> Flo
> Regards,
> Alka Murali
> On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> On 09/28/2017 04:12 AM, Alka Murali wrote:
> Hi Florence,
> Thanks for the email. As you have mentioned, I tried updating the corresponding python files under IPA Server and tried for the Upgrade.
> Hi,
> do you mean that you manually edited the python files? In this case it is likely that some files were forgotten. The patch for 4-5 branch is
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.i...
> but may depend on other commits applied on the branch between the 4.5.3 release and the patch.
> For consistency, I'd rather recommend to upgrade the packages to 4.6 (available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and fedora27).
> Flo
> However I was getting the error below:
> -----
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>     server.upgrade()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
>     upgrade_configuration()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1788, in upgrade_configuration
>     certificate_renewal_update(ca, ds, http),
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 966, in certificate_renewal_update
>     'cert-nickname': ds.get_server_cert_nickname(serverid),
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: AttributeError: 'DsInstance' object has no attribute 'get_server_cert_nickname'
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: 'DsInstance' object has no attribute 'get_server_cert_nickname'
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
> ------
> So do I need to define "get_server_cert_nickname" in the certs.py script too?
> Awaiting your reply.
> Thanks and Regards,
> Alka Murali
> On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
> Hello,
> Currently my server is running on IPA Server Version 4.4. I have tried to upgrade the Version to 4.5 using the ipa-server-upgrade command and ended up with the following error:
> --------
> 2017-09-26T02:27:32Z DEBUG stderr=
> 2017-09-26T02:27:50Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> 2017-09-26T02:27:53Z DEBUG Starting external process
> 2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
> 2017-09-26T02:27:56Z DEBUG Process finished, return code=255
> 2017-09-26T02:27:56Z DEBUG stdout=
> 2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert: Server-Cert
> : PR_FILE_NOT_FOUND_ERROR: File not found
> 2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2017-09-26T02:27:56Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>     server.upgrade()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
>     upgrade_configuration()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1788, in upgrade_configuration
>     certificate_renewal_update(ca, ds, http),
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1018, in certificate_renewal_update
>     ds.start_tracking_certificates(serverid)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1046, in start_tracking_certificates
>     'restart_dirsrv %s' % serverid)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 362, in track_server_cert
>     cert_obj = x509.load_certificate(cert)
>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in load_certificate
>     return cryptography.x509.load_der_x509_certificate(data, default_backend())
>   File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py", line 47, in load_der_x509_certificate
>     return backend.load_der_x509_certificate(data)
>   File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 350, in load_der_x509_certificate
>     return b.load_der_x509_certificate(data)
>   File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1185, in load_der_x509_certificate
>     raise ValueError("Unable to load certificate")
> 2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command failed, exception: ValueError: Unable to load certificate
> 2017-09-26T02:27:56Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: ValueError: Unable to load certificate
> 2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
> -------
> I am using a third party signed certificate along with my IPA-CA. Is it an issue with my current CA? I can see that while fetching for the certificate, the name given is "Server-cert" instead of the exact CA name.
> -- Regards,
> Alka Murali
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Hi,
> you are probably hitting issue 7141 [1]. The upgrade is trying to track the HTTPd/LDAP server certificates but shouldn't if they were issued by an external CA.
> The fix is available in FreeIPA 4.6.1 [2]
> HTH,
> Flo
> [1] https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.i...
> [2] https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freei...
> -- Regards,
> Alka Murali
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
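The "extract the request ID, then getcert stop-tracking -i" step of Flo's workaround, as an added example that is not code from the thread or from FreeIPA: it parses `getcert list` output for the renamed Server-Cert and only proposes stop-tracking for a cert whose issuer is not the IPA CA, so a certmonger-renewed IPA cert is never untracked by mistake. The sample output, the issuer strings and the second request ID are constructed; IPA_CA_ISSUER is a placeholder to replace with your own CA's subject.

```python
import re

# Constructed sample of `getcert list` output (not captured from a real host).
# The first request ID is the one quoted in the thread; the second is made up.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20170929163547':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Some Commercial CA,O=Example Trust Services
Request ID '20170929163548':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='ipaCert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
"""

# Placeholder: the subject of your own IPA CA (assumption, not a real value).
IPA_CA_ISSUER = "CN=Certificate Authority,O=EXAMPLE.COM"

REQ_RE = re.compile(r"^Request ID '([^']+)':")
CERT_RE = re.compile(r"^\tcertificate: .*location='([^']*)'.*nickname='([^']*)'")
ISSUER_RE = re.compile(r"^\tissuer: (.+)$")


def parse_getcert_list(text):
    """Turn `getcert list` output into one dict per tracking request."""
    records, current = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = {"request_id": m.group(1), "location": None, "nickname": None, "issuer": None}
            records.append(current)
        elif current is not None:
            if CERT_RE.match(line):
                current["location"], current["nickname"] = CERT_RE.match(line).groups()
            elif ISSUER_RE.match(line):
                current["issuer"] = ISSUER_RE.match(line).group(1).strip()
    return records


def stop_tracking_commands(text, nssdb, nickname="Server-Cert", ipa_issuer=IPA_CA_ISSUER):
    """Build `getcert stop-tracking -i <id>` only for third-party certs in the given NSS DB;
    a cert issued by the IPA CA stays tracked so certmonger keeps renewing it."""
    cmds = []
    for rec in parse_getcert_list(text):
        if rec["location"] == nssdb.rstrip("/") and rec["nickname"] == nickname and rec["issuer"] != ipa_issuer:
            cmds.append(["getcert", "stop-tracking", "-i", rec["request_id"]])
    return cmds
```

Feed it the real output of `sudo getcert list -d <nssdb> -n Server-Cert` and run the returned commands with sudo; an empty list means the Server-Cert in that database is IPA-issued and should stay tracked.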