Hello,

I'm rather at a loss here.
Everything seems to be running

ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

but the upgrade log is flooded with this error:

2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
2014-10-27T21:52:11Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
2014-10-27T21:52:11Z DEBUG request body ''
2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
2014-10-27T21:52:12Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
2014-10-27T21:52:12Z DEBUG request body ''

I've tried the URL and it works fine.
https://freeipa.x.x/ca/admin/ca/getStatus
It gives the following XML:

<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1 </State><Type>CA</Type><Status>running</Status><Version>10.2.0-3.fc20 </Version></XMLResponse>

After I run ipa-upgradeconfig it complains about a missing magic dog tag attribute

ipa-upgradeconfig
[Verifying that root certificate is published]
Failed to backup CS.cfg: no magic attribute 'dogtag'
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful

But my local DNS zone no longer resolves :(

Reverting back to the 3.3 snapshot again :(

Please help
Rob

2014-10-26 21:38 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:

> Rob Verduijn wrote:
> > hmmmm....
> >
> > after some more digging (monitoring the upgrade more closely.)
> > I saw that the upgrade kept waiting for the ca to start, which it did
> > not do.
> > and after 5 minutes the upgrade gave up with the following errors in the
> > ipaupgrade log :
> >
> > at 85% it says :
> > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache
> > url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket
> > conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
> > 2014-10-26T15:04:35Z DEBUG Starting external process
> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
> > '/etc/httpd/alias' '-L'
> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
> > 2014-10-26T15:04:35Z DEBUG stdout=
> > Certificate Nickname Trust
> > Attributes
> >
> > SSL,S/MIME,JAR/XPI
> >
> > Signing-Cert u,u,u
> > XXXX.XXXX IPA CA CT,C,C
> > ipaCert u,u,u
> > Server-Cert u,u,u
> >
> > 2014-10-26T15:04:35Z DEBUG stderr=
> > 2014-10-26T15:04:35Z DEBUG Starting external process
> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
> > '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
> > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
> > < certificate-removed >
> > -----END CERTIFICATE-----
> > 2014-10-26T15:04:35Z DEBUG stderr=
> > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to
> > 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\
>
> This has nothing to do with the CA, the LDAP server didn't come up. I'd
> start with those logs or look earlier in ipaupgrade.log
>
> The CA requires 389-ds to be running so if it isn't up, then it will
> fail to start too.
>
> rob