I believe you. I'm not upset at all that things go sideways every now and again. I'm surprised it doesn't happen more.
Original failure (or, at least, first occurrence of "ERROR") follows:

2013-08-13T13:56:07Z INFO [Setting up Firefox extension]
2013-08-13T13:56:07Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-08-13T13:56:07Z INFO /usr/share/ipa/html/krb.js exists, skipping install of Firefox extension
2013-08-13T13:56:07Z INFO [Add missing CA DNS records]
2013-08-13T13:56:07Z ERROR Cannot connect to LDAP to add DNS records: cannot connect to u'ldapi://%2fvar%2frun%2fslapd-SPX-NET.socket': LDAP Server Down
2013-08-13T13:56:07Z INFO [Enabling persistent search in DNS]
2013-08-13T13:56:07Z DEBUG [Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2013-08-13T13:56:07Z DEBUG Persistent search enabled
2013-08-13T13:56:07Z DEBUG Connections set to 4

Then it goes on for a while, leading to:

2013-08-13T13:56:11Z DEBUG Process finished, return code=1
2013-08-13T13:56:11Z DEBUG stdout=Error connecting to DBus. Please verify that the message bus (D-Bus) service is running.
2013-08-13T13:56:11Z DEBUG stderr=
2013-08-13T13:56:11Z ERROR cretmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-retrieve-agent-submit -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca" -P XXXXXXXX -T auditSigningCert cert-pki-ca' returned non-zero exit status 1
2013-08-13T13:56:11Z DEBUG Starting external process
2013-08-13T13:56:11Z DEBUG args=/usr/bin/certutil -L -d/var/lib/pki-ca/alias -n ocspSigningCert cert-pki-ca
2013-08-13T13:56:11Z DEBUG Process finished, return code=0

Does that help at all? Do you need more? I'm upgrading a slave today and will try just doing the --upgrade (_if_ the automatic upgrade has issues again).

*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret

On Wed, Aug 14, 2013 at 9:10 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Bret Wortman wrote:
>
>> Rob, I got past this, as you indicated, by doing that after first running:
>>
>> # ipa-ldap-updater --ldapi ./schema.update
>>
>> Using a schema.update tip file I found in a note from you after some
>> hard core googling. Should that extra step have been necessary?
>
> No, it shouldn't be necessary. Can you look in /var/log/ipaupgrade.log (likely
> humongous) for the original failure and post that section of the log?
>
> Updating schema is hard. We are actually completely revamping the way we
> handle schema changes between versions which should be a lot more stable.
>
> rob
>
>> *Bret Wortman*
>> http://damascusgrp.com/
>> http://about.me/wortmanbret
>>
>> On Tue, Aug 13, 2013 at 3:39 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>> Bret Wortman wrote:
>>>
>>>> I tried this, but no joy:
>>>>
>>>> # /usr/sbin/ipa-upgradeconfig --debug
>>>> :
>>>> :
>>>> DEBUG: caSignedLogCert.cfg profile validity range is 720
>>>> INFO: [Certificate renewal should stop the CA]
>>>> ERROR: Unable to find certmonger request ID for auditSigning Cert
>>>> INFO: The ipa-upgradeconfig command was successful
>>>> #
>>>
>>> Run getcert list and sift through the output and see if you have a
>>> request tracking for nickname auditSigningCert cert-pki-ca (or
>>> similar).
>>>
>>>> But I still can't connect to http://ipamaster/ipa/ui/; I get a 903 error
>>>> every time, and /var/log/httpd/error_log shows, in part:
>>>>
>>>> [Tue Aug 13 13:07:20.786566 2013] [:error] [pid 5890] KeyError: 'ipadnszone'
>>>> [Tue Aug 13 13:07:20.786717 2013] [:error] [pid 5890] ipa: INFO: br...@foo.net: json_metadata(None, None, object=u'all'): KeyError
>>>> [Tue Aug 13 13:07:21.001525 2013] [:error] [pid 5890] ipa: INFO: br...@foo.net: json_metadata(None, None, command=u'all'): SUCCESS
>>>>
>>>> DNS resolution, authentication and authorization all /appear/ to be
>>>> working fine.
>>>
>>> The DNS schema was not updated properly. I'd run:
>>>
>>> # ipa-ldap-updater --upgrade
>>>
>>> rob

_______________________________________________
Freeipa-users mailing list
Freeipafirstname.lastname@example.org
https://www.redhat.com/mailman/listinfo/freeipa-users
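
Added example, not part of the original thread and not FreeIPA code: one way to pull the ERROR records, with a little preceding context, out of a large /var/log/ipaupgrade.log and mask the value passed to getcert -P before the excerpt goes to a public list. The record layout is taken from the excerpts in the thread; the function names, the sample lines and the treatment of the -P argument as a secret are assumptions.

```python
import re

# Record layout seen in the thread's excerpts: "<UTC timestamp> <LEVEL> <message>".
RECORD = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ (DEBUG|INFO|WARNING|ERROR|CRITICAL) ")
# Assumption: the word after " -P " is a PIN or password (posted as XXXXXXXX in the thread).
SECRET_ARG = re.compile(r"(\s-P\s+)\S+")

# Constructed sample lines modelled on the thread's log; 123456 is a made-up PIN.
SAMPLE = """\
2013-08-13T13:56:07Z INFO [Add missing CA DNS records]
2013-08-13T13:56:07Z ERROR Cannot connect to LDAP to add DNS records: LDAP Server Down
2013-08-13T13:56:07Z INFO [Enabling persistent search in DNS]
2013-08-13T13:56:07Z DEBUG Persistent search enabled
2013-08-13T13:56:07Z DEBUG Connections set to 4
2013-08-13T13:56:11Z DEBUG Starting external process
2013-08-13T13:56:11Z DEBUG args=/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -P 123456 -T auditSigningCert cert-pki-ca
2013-08-13T13:56:11Z DEBUG Process finished, return code=1
2013-08-13T13:56:11Z ERROR failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -P 123456 -T auditSigningCert cert-pki-ca' returned non-zero exit status 1
""".splitlines()


def parse_records(lines):
    """Group lines into records; untimestamped lines continue the previous one."""
    records = []
    for raw in lines:
        line = raw.rstrip("\n")
        match = RECORD.match(line)
        if match:
            records.append({"level": match.group(1), "text": line})
        elif records and line.strip():
            records[-1]["text"] += "\n" + line  # e.g. a traceback body
    return records


def error_excerpt(lines, before=2):
    """Return ERROR/CRITICAL records plus `before` preceding records, redacted."""
    records = parse_records(lines)
    keep = set()
    for i, rec in enumerate(records):
        if rec["level"] in ("ERROR", "CRITICAL"):
            keep.update(range(max(0, i - before), i + 1))
    return [SECRET_ARG.sub(r"\1[REDACTED]", records[i]["text"]) for i in sorted(keep)]


if __name__ == "__main__":
    print("\n".join(error_excerpt(SAMPLE)))
```

To run it against a real log, pass an open file object for /var/log/ipaupgrade.log to error_excerpt() in place of SAMPLE.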