On Fri, Aug 11, 2017 at 7:47 PM, Charles Hedrick via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
> I was unable to install an update for CentOS 7.
>
> I had done a default install, and then moved to commercial certs for LDAP
> and HTTP, using
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP. We
> don’t use the CA.
>
> We have a replica. It upgraded fine, but then it’s CA-less.
>
> The upgrade for the primary failed, because the upgrade of the CA failed. It
> tried to update Server-Cert for LDAP, but the actual cert has an alias based
> on the DN.

Could you share the error? I.e. output from console and related part
of /var/log/ipaupgrade.log with context. Someone might be able to
help.

>
> I assume there’s a different naming convention when a 3rd party CA is in use
> than when the cert is issued by Dogtag.
>
> Any ideas how to recover? I’d be happy just to disable the CA component if
> that’s possible.
>
> Can I rerun the upgrade?

Yes, re-running ipa-server-upgrade is OK, but it might fail at the same
step if the cause of failure is still there.

>
> At the moment I’m running in production with a half-upgraded system. It
> appears that the only thing that failed was the upgrade of the CA, which I
> don’t use. But this doesn’t seem to be a good idea in the long run. I’ve
> considered producing another CA-less replica, which presumably would upgrade
> fine, and decommissioning the original.

From the text I assume that you have one or more IPA masters with a CA
and one or more IPA masters without CA. Make sure that you don't
decommission the last CA. It is essential to keep at least one.

>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>

-- 
Petr Vobornik