Hi Florence,

Thanks for the reply.

However do you mean that I need to create a new repo file for Version 4.6
and try the Upgrade? Or do you mean that I need to remove the current
installation and go for a fresh install?

Regards,
Alka Murali

On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud <f...@redhat.com>
wrote:

> On 09/28/2017 04:12 AM, Alka Murali wrote:
>
>> Hi Florence,
>>
>> Thanks for the email. As you have mentioned, I tried updating the
>> corresponding python files under IPA Server and tried for the Upgrade.
>>
> Hi,
>
> do you mean that you manually edited the python files? In this case it is
> likely that some files were forgotten. The patch for 4-5 branch is
> https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044 but
> may depend on other commits applied on the branch between the 4.5.3 release
> and the patch.
>
> For consistency, I'd rather recommend to upgrade the packages to 4.6
> (available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
> fedora27).
>
> Flo
>
> However I was getting the error below:
>>
>> -----
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
>> execute
>>
>> return_value = self.run()
>>
>> File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 46, in run
>>
>> server.upgrade()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1913, in upgrade
>>
>> upgrade_configuration()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1788, in upgrade_configuration
>>
>> certificate_renewal_update(ca, ds, http),
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 966, in certificate_renewal_update
>>
>> 'cert-nickname': ds.get_server_cert_nickname(serverid),
>>
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The
>> ipa-server-upgrade command failed, exception: AttributeError: 'DsInstance'
>> object has no attribute 'get_server_cert_nickname'
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>
>> AttributeError: 'DsInstance' object has no attribute
>> 'get_server_cert_nickname'
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The
>> ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
>> information
>>
>> ------
>>
>> So do I need to define "get_server_cert_nickname"  in certs.py script too.
>>
>>
>> Awaiting your reply.
>>
>>
>> Thanks and Regards,
>>
>> Alka Murali
>>
>>
>> On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud <f...@redhat.com
>> <mailto:f...@redhat.com>> wrote:
>>
>>     On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
>>
>>         Hello,
>>
>>         Currently my server is running on IPA Server Version 4.4. I have
>>         tried to upgrade the Version to 4.5 using the ipa-server-upgrade
>>         command and got ended with the following error:
>>
>>
>>         --------
>>
>>         2017-09-26T02:27:32Z DEBUG stderr=
>>
>>         2017-09-26T02:27:50Z DEBUG Loading Index file from
>>         '/var/lib/ipa/sysrestore/sysrestore.index'
>>
>>         2017-09-26T02:27:53Z DEBUG Starting external process
>>
>>         2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
>>         /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
>>         /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
>>
>>         2017-09-26T02:27:56Z DEBUG Process finished, return code=255
>>
>>         2017-09-26T02:27:56Z DEBUG stdout=
>>
>>         2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert:
>>         Server-Cert
>>
>>         : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>>
>>         2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect
>>         /var/log/ipaupgrade.log and run command ipa-server-upgrade
>> manually.
>>
>>         2017-09-26T02:27:56Z DEBUG File
>>         "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
>>         172, in execute
>>
>>         return_value = self.run()
>>
>>         File
>>         "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_
>> server_upgrade.py",
>>         line 46, in run
>>
>>         server.upgrade()
>>
>>         File
>>         "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> upgrade.py",
>>         line 1913, in upgrade
>>
>>         upgrade_configuration()
>>
>>         File
>>         "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> upgrade.py",
>>         line 1788, in upgrade_configuration
>>
>>         certificate_renewal_update(ca, ds, http),
>>
>>         File
>>         "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> upgrade.py",
>>         line 1018, in certificate_renewal_update
>>
>>         ds.start_tracking_certificates(serverid)
>>
>>         File
>>         "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstan
>> ce.py",
>>         line 1046, in start_tracking_certificates
>>
>>         'restart_dirsrv %s' % serverid)
>>
>>         File
>>         "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>         line 362, in track_server_cert
>>
>>         cert_obj = x509.load_certificate(cert)
>>
>>         File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line
>>         119, in load_certificate
>>
>>         return cryptography.x509.load_der_x509_certificate(data,
>>         default_backend())
>>
>>         File
>>         "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py",
>>         line 47, in load_der_x509_certificate
>>
>>         return backend.load_der_x509_certificate(data)
>>
>>         File
>>         "/usr/lib64/python2.7/site-packages/cryptography/hazmat/back
>> ends/multibackend.py",
>>         line 350, in load_der_x509_certificate
>>
>>         return b.load_der_x509_certificate(data)
>>
>>         File
>>         "/usr/lib64/python2.7/site-packages/cryptography/hazmat/back
>> ends/openssl/backend.py",
>>         line 1185, in load_der_x509_certificate
>>
>>         raise ValueError("Unable to load certificate")
>>
>>
>>         2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command
>>         failed, exception: ValueError: Unable to load certificate
>>
>>         2017-09-26T02:27:56Z ERROR Unexpected error - see
>>         /var/log/ipaupgrade.log for details:
>>
>>         ValueError: Unable to load certificate
>>
>>         2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command
>>         failed. See /var/log/ipaupgrade.log for more information
>>
>>         -------
>>
>>         I am using a third party signed certificate along with my
>>         IPA-CA. Is it an issue with my current CA. I can see that while
>>         fetching for the certificate, the name given to be "Server-cert"
>>         instead of the exact CA name.
>>
>>
>>         --         Regards,
>>         Alka Murali
>>
>>
>>         _______________________________________________
>>         FreeIPA-users mailing list --
>>         freeipa-users@lists.fedorahosted.org
>>         <mailto:freeipa-users@lists.fedorahosted.org>
>>         To unsubscribe send an email to
>>         freeipa-users-le...@lists.fedorahosted.org
>>         <mailto:freeipa-users-le...@lists.fedorahosted.org>
>>
>>     Hi,
>>
>>     you are probably hitting issue 7141 [1]. The upgrade is trying to
>>     track the HTTPd/LDAP server certificates but shouldn't if they were
>>     issued by an external CA.
>>
>>     The fix is available in FreeIPA 4.6.1 [2]
>>
>>     HTH,
>>     Flo
>>
>>     [1] https://pagure.io/freeipa/issue/7141
>>     <https://pagure.io/freeipa/issue/7141>
>>     [2] http://www.freeipa.org/page/Releases/4.6.1
>>     <http://www.freeipa.org/page/Releases/4.6.1>
>>
>>
>>
>>
>> --
>> Regards,
>> Alka Murali
>>
>
>


-- 
Regards,
Alka Murali
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to