Hi Florence,
Thanks for the email. As you have mentioned, I tried updating the
corresponding python files under IPA Server and tried for the Upgrade.
However I was getting the error below:
-----
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1913, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1788, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 966, in certificate_renewal_update
'cert-nickname': ds.get_server_cert_nickname(serverid),
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The
ipa-server-upgrade command failed, exception: AttributeError: 'DsInstance'
object has no attribute 'get_server_cert_nickname'
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected
error - see /var/log/ipaupgrade.log for details:
AttributeError: 'DsInstance' object has no attribute
'get_server_cert_nickname'
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The
ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
information
------
So do I need to define "get_server_cert_nickname" in certs.py script too.
Awaiting your reply.
Thanks and Regards,
Alka Murali
On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud <[email protected]>
wrote:
> On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
>
>> Hello,
>>
>> Currently my server is running on IPA Server Version 4.4. I have tried to
>> upgrade the Version to 4.5 using the ipa-server-upgrade command and got
>> ended with the following error:
>>
>>
>> --------
>>
>> 2017-09-26T02:27:32Z DEBUG stderr=
>>
>> 2017-09-26T02:27:50Z DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>
>> 2017-09-26T02:27:53Z DEBUG Starting external process
>>
>> 2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
>> /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
>>
>> 2017-09-26T02:27:56Z DEBUG Process finished, return code=255
>>
>> 2017-09-26T02:27:56Z DEBUG stdout=
>>
>> 2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert:
>> Server-Cert
>>
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>>
>> 2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>
>> 2017-09-26T02:27:56Z DEBUG File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
>> line 172, in execute
>>
>> return_value = self.run()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 46, in run
>>
>> server.upgrade()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1913, in upgrade
>>
>> upgrade_configuration()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1788, in upgrade_configuration
>>
>> certificate_renewal_update(ca, ds, http),
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1018, in certificate_renewal_update
>>
>> ds.start_tracking_certificates(serverid)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>> line 1046, in start_tracking_certificates
>>
>> 'restart_dirsrv %s' % serverid)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
>> 362, in track_server_cert
>>
>> cert_obj = x509.load_certificate(cert)
>>
>> File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in
>> load_certificate
>>
>> return cryptography.x509.load_der_x509_certificate(data,
>> default_backend())
>>
>> File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py",
>> line 47, in load_der_x509_certificate
>>
>> return backend.load_der_x509_certificate(data)
>>
>> File
>> "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py",
>> line 350, in load_der_x509_certificate
>>
>> return b.load_der_x509_certificate(data)
>>
>> File
>> "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py",
>> line 1185, in load_der_x509_certificate
>>
>> raise ValueError("Unable to load certificate")
>>
>>
>> 2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command failed,
>> exception: ValueError: Unable to load certificate
>>
>> 2017-09-26T02:27:56Z ERROR Unexpected error - see /var/log/ipaupgrade.log
>> for details:
>>
>> ValueError: Unable to load certificate
>>
>> 2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command failed. See
>> /var/log/ipaupgrade.log for more information
>>
>> -------
>>
>> I am using a third party signed certificate along with my IPA-CA. Is it
>> an issue with my current CA. I can see that while fetching for the
>> certificate, the name given to be "Server-cert" instead of the exact CA
>> name.
>>
>>
>> --
>> Regards,
>> Alka Murali
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> rahosted.org
>>
>> Hi,
>
> you are probably hitting issue 7141 [1]. The upgrade is trying to track
> the HTTPd/LDAP server certificates but shouldn't if they were issued by an
> external CA.
>
> The fix is available in FreeIPA 4.6.1 [2]
>
> HTH,
> Flo
>
> [1] https://pagure.io/freeipa/issue/7141
> [2] http://www.freeipa.org/page/Releases/4.6.1
>
--
Regards,
Alka Murali
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
