Hi Florence,

Thanks for the email. As you have mentioned, I tried updating the
corresponding python files under IPA Server and tried for the Upgrade.
However I was getting the error below:

-----

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
execute

    return_value = self.run()

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run

    server.upgrade()

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1913, in upgrade

    upgrade_configuration()

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1788, in upgrade_configuration

    certificate_renewal_update(ca, ds, http),

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 966, in certificate_renewal_update

    'cert-nickname': ds.get_server_cert_nickname(serverid),


ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The
ipa-server-upgrade command failed, exception: AttributeError: 'DsInstance'
object has no attribute 'get_server_cert_nickname'

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected
error - see /var/log/ipaupgrade.log for details:

AttributeError: 'DsInstance' object has no attribute
'get_server_cert_nickname'

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The
ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
information

------

So do I need to define "get_server_cert_nickname"  in certs.py script too.


Awaiting your reply.


Thanks and Regards,

Alka Murali

On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud <f...@redhat.com>
wrote:

> On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
>
>> Hello,
>>
>> Currently my server is running on IPA Server Version 4.4. I have tried to
>> upgrade the Version to 4.5 using the ipa-server-upgrade command and got
>> ended with the following error:
>>
>>
>> --------
>>
>> 2017-09-26T02:27:32Z DEBUG stderr=
>>
>> 2017-09-26T02:27:50Z DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>
>> 2017-09-26T02:27:53Z DEBUG Starting external process
>>
>> 2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
>> /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
>>
>> 2017-09-26T02:27:56Z DEBUG Process finished, return code=255
>>
>> 2017-09-26T02:27:56Z DEBUG stdout=
>>
>> 2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert:
>> Server-Cert
>>
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>>
>> 2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>
>> 2017-09-26T02:27:56Z DEBUG File 
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
>> line 172, in execute
>>
>> return_value = self.run()
>>
>> File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 46, in run
>>
>> server.upgrade()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1913, in upgrade
>>
>> upgrade_configuration()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1788, in upgrade_configuration
>>
>> certificate_renewal_update(ca, ds, http),
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1018, in certificate_renewal_update
>>
>> ds.start_tracking_certificates(serverid)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>> line 1046, in start_tracking_certificates
>>
>> 'restart_dirsrv %s' % serverid)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line
>> 362, in track_server_cert
>>
>> cert_obj = x509.load_certificate(cert)
>>
>> File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in
>> load_certificate
>>
>> return cryptography.x509.load_der_x509_certificate(data,
>> default_backend())
>>
>> File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py",
>> line 47, in load_der_x509_certificate
>>
>> return backend.load_der_x509_certificate(data)
>>
>> File 
>> "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py",
>> line 350, in load_der_x509_certificate
>>
>> return b.load_der_x509_certificate(data)
>>
>> File 
>> "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py",
>> line 1185, in load_der_x509_certificate
>>
>> raise ValueError("Unable to load certificate")
>>
>>
>> 2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command failed,
>> exception: ValueError: Unable to load certificate
>>
>> 2017-09-26T02:27:56Z ERROR Unexpected error - see /var/log/ipaupgrade.log
>> for details:
>>
>> ValueError: Unable to load certificate
>>
>> 2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command failed. See
>> /var/log/ipaupgrade.log for more information
>>
>> -------
>>
>> I am using a third party signed certificate along with my IPA-CA. Is it
>> an issue with my current CA. I can see that while fetching for the
>> certificate, the name given to be "Server-cert" instead of the exact CA
>> name.
>>
>>
>> --
>> Regards,
>> Alka Murali
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedo
>> rahosted.org
>>
>> Hi,
>
> you are probably hitting issue 7141 [1]. The upgrade is trying to track
> the HTTPd/LDAP server certificates but shouldn't if they were issued by an
> external CA.
>
> The fix is available in FreeIPA 4.6.1 [2]
>
> HTH,
> Flo
>
> [1] https://pagure.io/freeipa/issue/7141
> [2] http://www.freeipa.org/page/Releases/4.6.1
>



-- 
Regards,
Alka Murali
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to