On 28/10/14 16:10, Rob Verduijn wrote:
Hello all,

I've been digging into my problem of being unable to update from 3.3.5 to 4.1.

First I added the repo from copr.

Then I updated it by issuing 'yum update', which resulted in an update in which my local dns zone entries no longer resolved.

So I tried the instructions mentioned on the site:
yum update freeipa-server
And this failed with a conflict between

bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and bind-utils-32:9.9.4-15.P2.fc20.x86_64

I noticed the new bind comes from the copr repo and the old bind utils from fedora.

So I first ran 'yum update bind-utils -y'.
Then I ran 'yum update freeipa-server'
and saw it fail with errors about softhsm.

I remembered reading about package errors with softhsm and installed the softhsm-devel package first.

So I reverted the freeipa kvm snapshot back to 3.3.5 and tried again:
yum update bind-utils -y ; yum install softhsm-devel -y ; yum update freeipa-server -y

However, when restarting named-pkcs11 I can see in the system log that it has 0 zones loaded:

Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)

It claims 0 zones loaded, but I can see my forward and reverse zones in ipa.

What could cause it not to load the zones that I defined in ipa?
Rob


2014-10-27 23:05 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com <mailto:rob.verdu...@gmail.com>>:

    Sorry for the XML formatting, I didn't realize it would mess up some
    mail clients.

    The last bit of the message again

    ipa-upgradeconfig gives the following:
    [Verifying that root certificate is published]
    Failed to backup CS.cfg: no magic attribute 'dogtag'
    [Migrate CRL publish directory]
    CRL tree already moved
    [Verifying that CA proxy configuration is correct]
    [Verifying that KDC configuration is using ipa-kdb backend]
    [Fixing trust flags in /etc/httpd/alias]
    Trust flags already processed
    [Fix DS schema file syntax]
    Syntax already fixed
    [Removing RA cert from DS NSS database]
    RA cert already removed
    [Removing self-signed CA]
    [Checking for deprecated KDC configuration files]
    [Checking for deprecated backups of Samba configuration files]
    [Setting up Firefox extension]
    [Add missing CA DNS records]
    IPA CA DNS records already processed
    [Removing deprecated DNS configuration options]
    [Ensuring minimal number of connections]
    [Enabling serial autoincrement in DNS]
    [Updating GSSAPI configuration in DNS]
    [Updating pid-file configuration in DNS]
    [Masking named]
    Changes to named.conf have been made, restart named
    [Verifying that CA service certificate profile is updated]
    [Update certmonger certificate renewal configuration to version 2]
    [Enable PKIX certificate path discovery and validation]
    PKIX already enabled
    The ipa-upgradeconfig command was successful

    Any ideas?
    I'm rather stuck now.
    Rob

    2014-10-27 22:59 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com
    <mailto:rob.verdu...@gmail.com>>:

        Hello,

        I'm rather at a loss here.
        Everything seems to be running:
        ipactl status
        Directory Service: RUNNING
        krb5kdc Service: RUNNING
        kadmin Service: RUNNING
        named Service: RUNNING
        ipa_memcached Service: RUNNING
        httpd Service: RUNNING
        pki-tomcatd Service: RUNNING
        ipa-otpd Service: RUNNING
        ipa-dnskeysyncd Service: RUNNING
        ipa: INFO: The ipactl command was successful

        but the upgrade log is flooded with this error:
        2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
        2014-10-27T21:52:11Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
        2014-10-27T21:52:11Z DEBUG request body ''
        2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
        2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
        2014-10-27T21:52:12Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
        2014-10-27T21:52:12Z DEBUG request body ''

        I've tried the URL and it works fine.
        https://freeipa.x.x/ca/admin/ca/getStatus
        It gives the following XML:

        <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.2.0-3.fc20</Version></XMLResponse>

        After I run ipa-upgradeconfig it complains about a missing
        magic dog tag attribute:
        ipa-upgradeconfig
        [Verifying that root certificate is published]
        Failed to backup CS.cfg: no magic attribute 'dogtag'
        [Migrate CRL publish directory]
        CRL tree already moved
        [Verifying that CA proxy configuration is correct]
        [Verifying that KDC configuration is using ipa-kdb backend]
        [Fixing trust flags in /etc/httpd/alias]
        Trust flags already processed
        [Fix DS schema file syntax]
        Syntax already fixed
        [Removing RA cert from DS NSS database]
        RA cert already removed
        [Removing self-signed CA]
        [Checking for deprecated KDC configuration files]
        [Checking for deprecated backups of Samba configuration files]
        [Setting up Firefox extension]
        [Add missing CA DNS records]
        IPA CA DNS records already processed
        [Removing deprecated DNS configuration options]
        [Ensuring minimal number of connections]
        [Enabling serial autoincrement in DNS]
        [Updating GSSAPI configuration in DNS]
        [Updating pid-file configuration in DNS]
        [Masking named]
        Changes to named.conf have been made, restart named
        [Verifying that CA service certificate profile is updated]
        [Update certmonger certificate renewal configuration to version 2]
        [Enable PKIX certificate path discovery and validation]
        PKIX already enabled
        The ipa-upgradeconfig command was successful

        But my local DNS zone no longer resolves :(

        Reverting back to the 3.3 snapshot again :(

        Please help
        Rob


        2014-10-26 21:38 GMT+01:00 Rob Crittenden <rcrit...@redhat.com
        <mailto:rcrit...@redhat.com>>:

            Rob Verduijn wrote:
            > hmmmm....
            >
            > after some more digging (monitoring the upgrade more closely.)
            > I saw that the upgrade kept waiting for the ca to start, which it did not do.
            > and after 5 minutes the upgrade gave up with the following errors in the ipaupgrade log :
            >
            > at 85% it says :
            > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
            > 2014-10-26T15:04:35Z DEBUG Starting external process
            > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L'
            > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
            > 2014-10-26T15:04:35Z DEBUG stdout=
            > Certificate Nickname                              Trust Attributes
            >                                                   SSL,S/MIME,JAR/XPI
            >
            > Signing-Cert                              u,u,u
            > XXXX.XXXX IPA CA                          CT,C,C
            > ipaCert                                   u,u,u
            > Server-Cert                               u,u,u
            >
            > 2014-10-26T15:04:35Z DEBUG stderr=
            > 2014-10-26T15:04:35Z DEBUG Starting external process
            > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
            > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
            > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
            > < certificate-removed >
            > -----END CERTIFICATE-----
            > 2014-10-26T15:04:35Z DEBUG stderr=
            > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\

            This has nothing to do with the CA, the LDAP server didn't
            come up. I'd start with those logs or look earlier in
            ipaupgrade.log

            The CA requires 389-ds to be running so if it isn't up,
            then it will fail to start too.

            rob

Hello,
Please, which version of bind-dyndb-ldap do you have installed?

--
Martin Basti
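Two checks that an administrator can script for the failure modes this thread describes: the bind/bind-utils version conflict between the copr and fedora repos, and named-pkcs11 reporting "0 zones from LDAP instance 'ipa' loaded" after the upgrade. This is an added example written for this page, not code from the thread or from the FreeIPA project. It works on text so it runs offline: the package strings and the broken log lines are the ones posted above, the healthy log line is constructed, and the suggestion to look at the dynamic-db section of named.conf when the plugin reports 0 zones defined is my assumption about where to look next, not something the thread establishes.

```shell
#!/bin/sh
# Added example (not from the thread): post-upgrade sanity checks for the
# failure modes described above. Both work on text so they run offline; on a
# real server feed them the output of `rpm -q bind bind-utils` and
# `journalctl -u named-pkcs11`.

# Reduce an rpm NEVRA string (name-[epoch:]version-release.arch) to
# [epoch:]version-release so that packages which must come from the same
# build (here bind and bind-utils) can be compared.
pkg_evr() {
    rel_arch=${1##*-}        # release.arch, e.g. 18.fc20.1.pkcs11.x86_64
    name_ver=${1%-*}         # name-[epoch:]version
    ver=${name_ver##*-}      # [epoch:]version, e.g. 32:9.9.4
    rel=${rel_arch%.*}       # release without the arch suffix
    printf '%s-%s\n' "$ver" "$rel"
}

# Exit 0 when both packages carry the same epoch:version-release, 1 otherwise.
# The conflict in the thread (bind from copr, bind-utils from fedora) is caught here.
bind_versions_match() {
    [ "$(pkg_evr "$1")" = "$(pkg_evr "$2")" ]
}

# Read named-pkcs11 log text on stdin and print "loaded defined inactive failed"
# taken from the bind-dyndb-ldap summary line. Prints nothing if the line is absent.
ldap_zone_summary() {
    sed -n "s/.* \([0-9]*\) zones from LDAP instance '[^']*' loaded (\([0-9]*\) zones defined, \([0-9]*\) inactive, \([0-9]*\) failed to load).*/\1 \2 \3 \4/p" | tail -n 1
}

# Exit 0 when at least one LDAP zone loaded; otherwise print why and exit 1.
check_ipa_dns() {
    summary=$(ldap_zone_summary)
    if [ -z "$summary" ]; then
        echo "no LDAP zone summary in log: bind-dyndb-ldap did not initialise"
        return 1
    fi
    set -- $summary     # $1=loaded $2=defined $3=inactive $4=failed
    if [ "$1" -gt 0 ]; then
        echo "ok: $1 zone(s) loaded from LDAP"
        return 0
    fi
    if [ "$2" -eq 0 ]; then
        # Assumption: 0 defined means the plugin's LDAP search returned no zone
        # entries, so the plugin version and its named.conf dynamic-db settings
        # are the first things to check.
        echo "0 zones defined: the plugin found no zone entries in LDAP (check bind-dyndb-ldap version and the dynamic-db section of named.conf)"
    else
        echo "$2 zone(s) defined but none loaded ($4 failed): check named-pkcs11 errors for each zone"
    fi
    return 1
}

# Log lines as posted in the thread (zones exist in IPA, none loaded).
BROKEN_LOG="Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)"

# Constructed healthy counterpart for comparison (not from the thread).
HEALTHY_LOG="Oct 28 15:40:02 freeipa.x.x named-pkcs11[3101]: 2 zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 0 failed to load)"

if bind_versions_match 'bind-32:9.9.4-18.fc20.1.pkcs11.x86_64' 'bind-utils-32:9.9.4-15.P2.fc20.x86_64'; then
    echo "bind and bind-utils match"
else
    echo "bind and bind-utils come from different builds: update both from the same repo"
fi
printf '%s\n' "$BROKEN_LOG" | check_ipa_dns || :
printf '%s\n' "$HEALTHY_LOG" | check_ipa_dns || :
```

Run it as-is to see both checks fire on the thread's data; on a live server replace the literal package strings with `rpm -q bind bind-utils` output and pipe `journalctl -u named-pkcs11 -b` into `check_ipa_dns` after each named restart, so that a zero-zone start is caught before clients notice the zone is gone.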

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project