On 09/28/2017 09:52 AM, Alka Murali wrote:
Hi Florence,

Thanks for the reply.

However do you mean that I need to create a new repo file for Version 4.6 and try the Upgrade? Or do you mean that I need to remove the current installation and go for a fresh install?

Hi,

the easiest path is to do:
sudo dnf copr enable @freeipa/freeipa-4-6
sudo dnf update freeipa-server

This will upgrade your existing installation to FreeIPA 4.6.

HTH,
Flo

Regards,
Alka Murali

On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud <f...@redhat.com <mailto:f...@redhat.com>> wrote:

    On 09/28/2017 04:12 AM, Alka Murali wrote:

        Hi Florence,

        Thanks for the email. As you have mentioned, I tried updating
        the corresponding python files under IPA Server and tried for
        the Upgrade.

    Hi,

    do you mean that you manually edited the python files? In this case
    it is likely that some files were forgotten. The patch for 4-5
    branch is
    https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044
    <https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044>
    but may depend on other commits applied on the branch between the
    4.5.3 release and the patch.

    For consistency, I'd rather recommend to upgrade the packages to 4.6
    (available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
    fedora27).

    Flo

        However I was getting the error below:

        -----

        ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:
        File "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
        line 172, in execute

        return_value = self.run()

        File
        
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
        line 46, in run

        server.upgrade()

        File
        "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
        line 1913, in upgrade

        upgrade_configuration()

        File
        "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
        line 1788, in upgrade_configuration

        certificate_renewal_update(ca, ds, http),

        File
        "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
        line 966, in certificate_renewal_update

        'cert-nickname': ds.get_server_cert_nickname(serverid),


        ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:
        The ipa-server-upgrade command failed, exception:
        AttributeError: 'DsInstance' object has no attribute
        'get_server_cert_nickname'

        ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
        Unexpected error - see /var/log/ipaupgrade.log for details:

        AttributeError: 'DsInstance' object has no attribute
        'get_server_cert_nickname'

        ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
        The ipa-server-upgrade command failed. See
        /var/log/ipaupgrade.log for more information

        ------

        So do I need to define "get_server_cert_nickname"  in certs.py
        script too.


        Awaiting your reply.


        Thanks and Regards,

        Alka Murali


        On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud
        <f...@redhat.com <mailto:f...@redhat.com> <mailto:f...@redhat.com
        <mailto:f...@redhat.com>>> wrote:

             On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:

                 Hello,

                 Currently my server is running on IPA Server Version
        4.4. I have
                 tried to upgrade the Version to 4.5 using the
        ipa-server-upgrade
                 command and got ended with the following error:


                 --------

                 2017-09-26T02:27:32Z DEBUG stderr=

                 2017-09-26T02:27:50Z DEBUG Loading Index file from
                 '/var/lib/ipa/sysrestore/sysrestore.index'

                 2017-09-26T02:27:53Z DEBUG Starting external process

                 2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
                 /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
                 /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt

                 2017-09-26T02:27:56Z DEBUG Process finished, return
        code=255

                 2017-09-26T02:27:56Z DEBUG stdout=

                 2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not
        find cert:
                 Server-Cert

                 : PR_FILE_NOT_FOUND_ERROR: File not found


                 2017-09-26T02:27:56Z ERROR IPA server upgrade failed:
        Inspect
                 /var/log/ipaupgrade.log and run command
        ipa-server-upgrade manually.

                 2017-09-26T02:27:56Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
                 172, in execute

                 return_value = self.run()

                 File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
                 line 46, in run

                 server.upgrade()

                 File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
                 line 1913, in upgrade

                 upgrade_configuration()

                 File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
                 line 1788, in upgrade_configuration

                 certificate_renewal_update(ca, ds, http),

                 File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
                 line 1018, in certificate_renewal_update

                 ds.start_tracking_certificates(serverid)

                 File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
                 line 1046, in start_tracking_certificates

                 'restart_dirsrv %s' % serverid)

                 File
"/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
                 line 362, in track_server_cert

                 cert_obj = x509.load_certificate(cert)

                 File "/usr/lib/python2.7/site-packages/ipalib/x509.py",
        line
                 119, in load_certificate

                 return cryptography.x509.load_der_x509_certificate(data,
                 default_backend())

                 File
"/usr/lib64/python2.7/site-packages/cryptography/x509/base.py",
                 line 47, in load_der_x509_certificate

                 return backend.load_der_x509_certificate(data)

                 File
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py",
                 line 350, in load_der_x509_certificate

                 return b.load_der_x509_certificate(data)

                 File
"/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py",
                 line 1185, in load_der_x509_certificate

                 raise ValueError("Unable to load certificate")


                 2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command
                 failed, exception: ValueError: Unable to load certificate

                 2017-09-26T02:27:56Z ERROR Unexpected error - see
                 /var/log/ipaupgrade.log for details:

                 ValueError: Unable to load certificate

                 2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command
                 failed. See /var/log/ipaupgrade.log for more information

                 -------

                 I am using a third party signed certificate along with my
                 IPA-CA. Is it an issue with my current CA. I can see
        that while
                 fetching for the certificate, the name given to be
        "Server-cert"
                 instead of the exact CA name.


                 --         Regards,
                 Alka Murali


                 _______________________________________________
                 FreeIPA-users mailing list --
        freeipa-users@lists.fedorahosted.org
        <mailto:freeipa-users@lists.fedorahosted.org>
                 <mailto:freeipa-users@lists.fedorahosted.org
        <mailto:freeipa-users@lists.fedorahosted.org>>
                 To unsubscribe send an email to
        freeipa-users-le...@lists.fedorahosted.org
        <mailto:freeipa-users-le...@lists.fedorahosted.org>
                 <mailto:freeipa-users-le...@lists.fedorahosted.org
        <mailto:freeipa-users-le...@lists.fedorahosted.org>>

             Hi,

             you are probably hitting issue 7141 [1]. The upgrade is
        trying to
             track the HTTPd/LDAP server certificates but shouldn't if
        they were
             issued by an external CA.

             The fix is available in FreeIPA 4.6.1 [2]

             HTH,
             Flo

             [1] https://pagure.io/freeipa/issue/7141
        <https://pagure.io/freeipa/issue/7141>
             <https://pagure.io/freeipa/issue/7141
        <https://pagure.io/freeipa/issue/7141>>
             [2] http://www.freeipa.org/page/Releases/4.6.1
        <http://www.freeipa.org/page/Releases/4.6.1>
             <http://www.freeipa.org/page/Releases/4.6.1
        <http://www.freeipa.org/page/Releases/4.6.1>>




-- Regards,
        Alka Murali





--
Regards,
Alka Murali
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to