Fraser Tweedale via FreeIPA-users wrote:
> On Thu, Jul 13, 2017 at 03:02:02PM +0000, Charles Hedrick via FreeIPA-users 
> wrote:
>> I’ve installed ipa. Originally I did the default install, without DNS.
>> I then updated to a commercial cert. Notes at the end.
>> I just did a yum update. isa-upgrade failed with the following error:
>> 017-07-12T19:23:39Z DEBUG stderr=
>> 2017-07-12T19:23:44Z DEBUG Loading Index file from 
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2017-07-12T19:23:45Z DEBUG Starting external process
>> 2017-07-12T19:23:45Z DEBUG args=/usr/bin/certutil -d 
>> /etc/dirsrv/slapd-CS-RUTGERS-EDU -L -n Server-Cert -a
>> 2017-07-12T19:23:45Z DEBUG Process finished, return code=255
>> 2017-07-12T19:23:45Z DEBUG stdout=
>> 2017-07-12T19:23:45Z DEBUG stderr=certutil: Could not find cert: Server-Cert
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>> When I do /usr/bin/certutil -d /etc/dirsrv/slapd-CS-RUTGERS-EDU -L I find 
>> that there is no Server-Cert alias. Instead
>> Certificate Nickname                                         Trust Attributes
>> CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust 
>> AB,C=SE C,,  
>> CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey 
>> City,ST=New Jersey,C=US C,,  
>> CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US C,, 
>> ipaCert                                                      u,u,u
>> CS.RUTGERS.EDU IPA CA                                        CT,C,C
>>,OU=SAS,O="Rutgers, The State University of New 
>> Jersey",STREET=43 College Avenue,STREET=Room 226A,L=New 
>> Brunswick,ST=NJ,postalCode=08901,C=US u,u,u
>> Any idea how to fix this? Can I safely rename the last entry to be
>> Server-Cert? Can I safely run isa-server-upgrade again to make
>> sure it works?
> It does look like something in ipa-server-upgrade is looking for
> cert with nickname 'Server-Cert' and not finding it, causing the
> failure.
> I don't think certutil offers a way to "rename" a certificate+key
> but you can certainly export it, delete it, then re-import it with
> the desired nickname.  Then you will need to update 389DS to use the
> new nickname, and you should be good to go.
> Meanwhile, would you raise a ticket about ipa-server-upgrade looking
> for 'Server-Cert' while the actual server cert nickname may be
> different?

That could work.

I'd like to see more of the upgrade log though to see where exactly it
failed. IIRC it checks the CA cert chain which is where things may be
failing but I don't recall seeing this before.

Knowing the current and upgraded versions of IPA would be handy too,
including the distro.

FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to