On 09/28/2017 11:51 AM, Alka Murali via FreeIPA-users wrote:
Hi Florence,

Thanks for the email.

I am on CentOS 7 system and would like to use yum to go for the Upgrade. I believe dnf is intended for Fedora. Can you please provide me a solution for CentOS on the Upgrade process.

Regards,
Alka Murali

Hi,

the fix hasn't been released yet in CentOS.
The workaround would be to rename your certificate into "Server-Cert" before running ipa-server-upgrade.

If the 3rd party certificate is used by HTTPd:
back up /etc/httpd/alias, use certutil --rename to rename the cert as "Server-Cert" and edit /etc/httpd/conf.d/nss.conf (replace NSSNickname xxx with NSSNickName Server-Cert)

If the 3rd party certificate is used by LDAP:
back up /etc/dirsrv/slapd-DOMxx, use certutil --rename to rename the cert as "Server-Cert" and edit /etc/dirsrv/slapd-DOMxx/dse.ldif (replace nsSSLPersonalitySSL: xxx with nsSSLPersonalitySSL: Server-Cert).

Restart both services and re-try ipa-server-upgrade. After the command completes, you will also need to stop-tracking the 3rd party certificate Server-Cert:
If the 3rd party cert is used by LDAP:
sudo getcert list -d /etc/dirsrv/slapd-DOMxxx -n Server-Cert
=> Extract the request ID, for instance Request ID '20170929163547'
sudo getcert stop-tracking -i 20170929163547

If the 3rd party cert is used by HTTPd:
sudo getcert list -d /etc/httpd/alias/ -n Server-Cert
=> Extract the request ID
sudo getcert stop-tracking -i <requestID>

HTH,
Flo
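
The "extract the request ID" step in the reply above, as an added shell example that is not part of the original e-mail or of FreeIPA: it parses `getcert list` output and feeds each matching ID to `getcert stop-tracking -i`. The function names, the `DRY_RUN` switch and the sample output (constructed, apart from the request ID quoted in the reply) are assumptions.

```shell
#!/bin/sh
# Constructed sample of `getcert list` output; the second request ID and the
# instance name EXAMPLE-TEST are made up for illustration.
SAMPLE_GETCERT_OUTPUT="Number of certificates and requests being tracked: 2.
Request ID '20170929163547':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
Request ID '20170929163601':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'"

# request_ids_for DBDIR NICKNAME  (hypothetical helper)
# Reads `getcert list` output on stdin and prints the ID of every request whose
# "certificate:" line names both DBDIR and NICKNAME. A trailing slash on DBDIR
# (as in /etc/httpd/alias/) is dropped before comparing.
request_ids_for() {
    awk -v dir="${1%/}" -v nick="$2" -v q="'" '
        /^Request ID / {
            id = $0
            sub("^Request ID " q, "", id)   # strip the prefix and opening quote
            sub(q ":.*$", "", id)           # strip the closing quote and colon
            next
        }
        /^[ \t]*certificate:/ {
            if (index($0, "location=" q dir q) && index($0, "nickname=" q nick q))
                print id
        }
    '
}

# stop_tracking_server_cert DBDIR  (hypothetical wrapper)
# Runs the two commands from the reply for Server-Cert in DBDIR.
# With DRY_RUN=1 it only prints what it would run.
stop_tracking_server_cert() {
    getcert list -d "$1" -n Server-Cert | request_ids_for "$1" Server-Cert |
    while read -r id; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: getcert stop-tracking -i $id"
        else
            getcert stop-tracking -i "$id"
        fi
    done
}

# Offline demonstration on the constructed sample: prints 20170929163601
printf '%s\n' "$SAMPLE_GETCERT_OUTPUT" | request_ids_for /etc/httpd/alias/ Server-Cert
```

Run `DRY_RUN=1 stop_tracking_server_cert /etc/httpd/alias` as root first to confirm that only the renamed third-party certificate is selected.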

On Thu, Sep 28, 2017 at 4:58 PM, Florence Blanc-Renaud <f...@redhat.com> wrote:

    On 09/28/2017 09:52 AM, Alka Murali wrote:

        Hi Florence,

        Thanks for the reply.

        However do you mean that I need to create a new repo file for
        Version 4.6 and try the Upgrade? Or do you mean that I need to
        remove the current installation and go for a fresh install?

    Hi,

    the easiest path is to do:
    sudo dnf copr enable @freeipa/freeipa-4-6
    sudo dnf update freeipa-server

    This will upgrade your existing installation to FreeIPA 4.6.

    HTH,
    Flo

        Regards,
        Alka Murali


        On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud <f...@redhat.com> wrote:

             On 09/28/2017 04:12 AM, Alka Murali wrote:

                 Hi Florence,

                 Thanks for the email. As you have mentioned, I tried updating
                 the corresponding python files under IPA Server and tried for
                 the Upgrade.

             Hi,

             do you mean that you manually edited the python files? In this case
             it is likely that some files were forgotten. The patch for 4-5
             branch is
             https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044
             but may depend on other commits applied on the branch between the
             4.5.3 release and the patch.

             For consistency, I'd rather recommend to upgrade the packages to 4.6
             (available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
             fedora27).

             Flo

                 However I was getting the error below:

                 -----

                 ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
                 return_value = self.run()
                 File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
                 server.upgrade()
                 File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
                 upgrade_configuration()
                 File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1788, in upgrade_configuration
                 certificate_renewal_update(ca, ds, http),
                 File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 966, in certificate_renewal_update
                 'cert-nickname': ds.get_server_cert_nickname(serverid),

                 ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: AttributeError: 'DsInstance' object has no attribute 'get_server_cert_nickname'
                 ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details:
                 AttributeError: 'DsInstance' object has no attribute 'get_server_cert_nickname'
                 ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

                 ------

                 So do I need to define "get_server_cert_nickname" in certs.py
                 script too.


                 Awaiting your reply.


                 Thanks and Regards,

                 Alka Murali


                 On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud <f...@redhat.com> wrote:

                      On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:

                          Hello,

                          Currently my server is running on IPA Server Version 4.4. I have
                          tried to upgrade the Version to 4.5 using the ipa-server-upgrade
                          command and got ended with the following error:


                          --------

                          2017-09-26T02:27:32Z DEBUG stderr=
                          2017-09-26T02:27:50Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
                          2017-09-26T02:27:53Z DEBUG Starting external process
                          2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
                          2017-09-26T02:27:56Z DEBUG Process finished, return code=255
                          2017-09-26T02:27:56Z DEBUG stdout=
                          2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert: Server-Cert
                          : PR_FILE_NOT_FOUND_ERROR: File not found

                          2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
                          2017-09-26T02:27:56Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
                          return_value = self.run()
                          File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
                          server.upgrade()
                          File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
                          upgrade_configuration()
                          File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1788, in upgrade_configuration
                          certificate_renewal_update(ca, ds, http),
                          File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1018, in certificate_renewal_update
                          ds.start_tracking_certificates(serverid)
                          File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1046, in start_tracking_certificates
                          'restart_dirsrv %s' % serverid)
                          File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 362, in track_server_cert
                          cert_obj = x509.load_certificate(cert)
                          File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in load_certificate
                          return cryptography.x509.load_der_x509_certificate(data, default_backend())
                          File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py", line 47, in load_der_x509_certificate
                          return backend.load_der_x509_certificate(data)
                          File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 350, in load_der_x509_certificate
                          return b.load_der_x509_certificate(data)
                          File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1185, in load_der_x509_certificate
                          raise ValueError("Unable to load certificate")

                          2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command failed, exception: ValueError: Unable to load certificate
                          2017-09-26T02:27:56Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
                          ValueError: Unable to load certificate
                          2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

                          -------

                          I am using a third party signed certificate along with my
                          IPA-CA. Is it an issue with my current CA. I can see that while
                          fetching for the certificate, the name given to be "Server-cert"
                          instead of the exact CA name.


                          --
                          Regards,
                          Alka Murali


                          _______________________________________________
                          FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
                          To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

                      Hi,

                      you are probably hitting issue 7141 [1]. The upgrade is trying to
                      track the HTTPd/LDAP server certificates but shouldn't if they were
                      issued by an external CA.

                      The fix is available in FreeIPA 4.6.1 [2]

                      HTH,
                      Flo

                      [1] https://pagure.io/freeipa/issue/7141
                      [2] http://www.freeipa.org/page/Releases/4.6.1






_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
