We were in the same situation. I tried this solution, and it does fix the problem with not being able to upgrade.

However it still leaves an inconsistency in the configuration. I was unable to add a new replica. It failed at the CA step, even if the new replica was installed without CA. The only way I could get the new replica set up was to remove

  ipaConfigString: enabledService
  ipaConfigString: caRenewalMaster

from cn=CA,cn=krb1.cs.rutgers.edu,cn=masters,cn=ipa,cn=etc,dc=cs,dc=rutgers,dc=edu

That makes the primary think there are no CAs in the system, and the install works fine.

If it doesn’t make sense to add a third-party cert when there’s a CA, perhaps you could update the instructions to say that. But I’d like a way to put my system in a consistent state, so that both updates and topology changes work.

> On Oct 2, 2017, at 4:03 AM, Florence Blanc-Renaud via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> On 09/28/2017 11:51 AM, Alka Murali via FreeIPA-users wrote:
>> Hi Florence,
>> Thanks for the email.
>> I am on a CentOS 7 system and would like to use yum to go for the Upgrade. I believe dnf is intended for Fedora. Can you please provide me a solution for CentOS on the Upgrade process.
>> Regards,
>> Alka Murali
> Hi,
>
> the fix hasn't been released yet in CentOS.
> The workaround would be to rename your certificate into "Server-Cert" before running ipa-server-upgrade.
>
> If the 3rd party certificate is used by HTTPd:
> backup /etc/httpd/alias, use certutil --rename to rename the cert as "Server-Cert" and edit /etc/httpd/conf.d/nss.conf (replace NSSNickname xxx with NSSNickname Server-Cert)
>
> If the 3rd party certificate is used by LDAP:
> backup /etc/dirsrv/slapd-DOMxx, use certutil --rename to rename the cert as "Server-Cert" and edit /etc/dirsrv/slapd-DOMxx/dse.ldif (replace nsSSLPersonalitySSL: xxx with nsSSLPersonalitySSL: Server-Cert).
>
> Restart both services and re-try ipa-server-upgrade.
> After the command completes, you will also need to stop-tracking the 3rd party certificate Server-Cert:
>
> If the 3rd party cert is used by LDAP:
> sudo getcert list -d /etc/dirsrv/slapd-DOMxxx -n Server-Cert
> => Extract the request ID, for instance Request ID '20170929163547'
> sudo getcert stop-tracking -i 20170929163547
>
> If the 3rd party cert is used by HTTPd:
> sudo getcert list -d /etc/httpd/alias/ -n Server-Cert
> => Extract the request ID
> sudo getcert stop-tracking -i <requestID>
>
> HTH,
> Flo
>
>> On Thu, Sep 28, 2017 at 4:58 PM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>> On 09/28/2017 09:52 AM, Alka Murali wrote:
>>>> Hi Florence,
>>>> Thanks for the reply.
>>>> However do you mean that I need to create a new repo file for Version 4.6 and try the Upgrade? Or do you mean that I need to remove the current installation and go for a fresh install?
>>> Hi,
>>> the easiest path is to do:
>>> sudo dnf copr enable @freeipa/freeipa-4-6
>>> sudo dnf update freeipa-server
>>> This will upgrade your existing installation to FreeIPA 4.6.
>>> HTH,
>>> Flo
>>>> Regards,
>>>> Alka Murali
>>>>
>>>> On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>>>> On 09/28/2017 04:12 AM, Alka Murali wrote:
>>>>>> Hi Florence,
>>>>>> Thanks for the email. As you have mentioned, I tried updating the corresponding python files under IPA Server and tried for the Upgrade.
>>>>> Hi,
>>>>> do you mean that you manually edited the python files? In this case it is likely that some files were forgotten. The patch for 4-5 branch is
>>>>> https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044
>>>>> but may depend on other commits applied on the branch between the 4.5.3 release and the patch.
>>>>> For consistency, I'd rather recommend to upgrade the packages to 4.6 (available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and fedora27).
>>>>> Flo
>>>>>> However I was getting the error below:
>>>>>> -----
>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
>>>>>>     return_value = self.run()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>>>>>>     server.upgrade()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
>>>>>>     upgrade_configuration()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1788, in upgrade_configuration
>>>>>>     certificate_renewal_update(ca, ds, http),
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 966, in certificate_renewal_update
>>>>>>     'cert-nickname': ds.get_server_cert_nickname(serverid),
>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: AttributeError: 'DsInstance' object has no attribute 'get_server_cert_nickname'
>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details: AttributeError: 'DsInstance' object has no attribute 'get_server_cert_nickname'
>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>>>> ------
>>>>>> So do I need to define "get_server_cert_nickname" in certs.py script too?
>>>>>> Awaiting your reply.
>>>>>> Thanks and Regards,
>>>>>> Alka Murali
>>>>>>
>>>>>> On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>>>>>> On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
>>>>>>>> Hello,
>>>>>>>> Currently my server is running on IPA Server Version 4.4. I have tried to upgrade the Version to 4.5 using the ipa-server-upgrade command and ended with the following error:
>>>>>>>> --------
>>>>>>>> 2017-09-26T02:27:32Z DEBUG stderr=
>>>>>>>> 2017-09-26T02:27:50Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>>>>> 2017-09-26T02:27:53Z DEBUG Starting external process
>>>>>>>> 2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
>>>>>>>> 2017-09-26T02:27:56Z DEBUG Process finished, return code=255
>>>>>>>> 2017-09-26T02:27:56Z DEBUG stdout=
>>>>>>>> 2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert: Server-Cert
>>>>>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>>>> 2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>>>>> 2017-09-26T02:27:56Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
>>>>>>>>     return_value = self.run()
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>>>>>>>>     server.upgrade()
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
>>>>>>>>     upgrade_configuration()
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1788, in upgrade_configuration
>>>>>>>>     certificate_renewal_update(ca, ds, http),
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1018, in certificate_renewal_update
>>>>>>>>     ds.start_tracking_certificates(serverid)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1046, in start_tracking_certificates
>>>>>>>>     'restart_dirsrv %s' % serverid)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 362, in track_server_cert
>>>>>>>>     cert_obj = x509.load_certificate(cert)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in load_certificate
>>>>>>>>     return cryptography.x509.load_der_x509_certificate(data, default_backend())
>>>>>>>>   File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py", line 47, in load_der_x509_certificate
>>>>>>>>     return backend.load_der_x509_certificate(data)
>>>>>>>>   File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 350, in load_der_x509_certificate
>>>>>>>>     return b.load_der_x509_certificate(data)
>>>>>>>>   File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1185, in load_der_x509_certificate
>>>>>>>>     raise ValueError("Unable to load certificate")
>>>>>>>> 2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command failed, exception: ValueError: Unable to load certificate
>>>>>>>> 2017-09-26T02:27:56Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: ValueError: Unable to load certificate
>>>>>>>> 2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>>>>>> -------
>>>>>>>> I am using a third party signed certificate along with my IPA-CA. Is it an issue with my current CA? I can see that while fetching for the certificate, the name given to be "Server-cert" instead of the exact CA name.
>>>>>>>> --
>>>>>>>> Regards,
>>>>>>>> Alka Murali
>>>>>>>> _______________________________________________
>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>>>>> Hi,
>>>>>>> you are probably hitting issue 7141 [1]. The upgrade is trying to track the HTTPd/LDAP server certificates but shouldn't if they were issued by an external CA.
>>>>>>> The fix is available in FreeIPA 4.6.1 [2]
>>>>>>> HTH,
>>>>>>> Flo
>>>>>>> [1] https://pagure.io/freeipa/issue/7141
>>>>>>> [2] http://www.freeipa.org/page/Releases/4.6.1
>>>>>> --
>>>>>> Regards,
>>>>>> Alka Murali
>>>> --
>>>> Regards,
>>>> Alka Murali
>> --
>> Regards,
>> Alka Murali
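Flo's workaround ends with reading `getcert list` output, extracting the Request ID and stop-tracking it. The following is an added example for this thread (not code from the thread, FreeIPA or certmonger): it parses `getcert list` output and picks out the requests whose issuer is not the IPA CA, so an admin can see which tracked Server-Cert entries the upgrade should not have created. The sample output and the IPA CA subject DN are constructed/assumed.

```python
"""Added example for this thread (not FreeIPA or certmonger code): parse the
output of `getcert list` and report the Request IDs whose certificate was not
issued by the IPA CA, i.e. the third-party certs that ipa-server-upgrade
should not be tracking and that the thread says to `getcert stop-tracking`."""
import re
# Assumption: default subject of the IPA CA for realm EXAMPLE.COM.
IPA_CA_ISSUER = "CN=Certificate Authority,O=EXAMPLE.COM"

# Constructed `getcert list` output: the LDAP NSS database holds a third-party
# cert renamed to Server-Cert, the HTTPd database an IPA-issued one.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20170929163547':
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Example Commercial CA,O=Example Trust Services
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
Request ID '20170929170102':
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\t([^:]+): (.*)$")
NSSDB_RE = re.compile(r"location='([^']*)',nickname='([^']*)'")

def parse_getcert_list(text):
    """Map each Request ID to a dict of its tab-indented 'key: value' fields."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return requests

def third_party_requests(text, ipa_ca_issuer=IPA_CA_ISSUER):
    """(request_id, nss_db, nickname) for each tracked cert the IPA CA did not issue."""
    found = []
    for rid, fields in parse_getcert_list(text).items():
        if fields.get("issuer") == ipa_ca_issuer:
            continue  # IPA-issued: certmonger should keep renewing it
        m = NSSDB_RE.search(fields.get("certificate", ""))
        found.append((rid,) + (m.groups() if m else ("?", "?")))
    return found

def stop_tracking_commands(text, ipa_ca_issuer=IPA_CA_ISSUER):
    """The `getcert stop-tracking` commands Flo's workaround calls for."""
    return ["getcert stop-tracking -i %s  # %s nickname=%s" % entry
            for entry in third_party_requests(text, ipa_ca_issuer)]
```

Run it against the real `sudo getcert list` output on the server instead of the constructed sample; anything IPA-issued is left tracked so certmonger keeps renewing it.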