On 28/10/14 16:10, Rob Verduijn wrote:
Hello all,
I've been digging into my problem of being unable to update from 3.3.5 to 4.1.
First I add the repo from copr.
Then I used to update it by issuing 'yum update', which resulted in an update in which my local dns zone entries no longer resolved.
So I tried the instructions mentioned on the site:
yum update freeipa-server
And this failed with a conflict in bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and bind-utils-32:9.9.4-15.P2.fc20.x86_64.
I noticed the new bind comes from the copr repo and the old bind-utils from fedora.
So I first ran 'yum update bind-utils -y'.
Then I ran yum update freeipa-server and saw it fail with errors about softhsm.
I remembered reading about package errors with softhsm and installed the softhsm-devel package first.
So I reverted the freeipa kvm snapshot back to 3.3.5 and tried again:
yum update bind-utils -y ; yum install softhsm-devel -y ; yum update freeipa-server -y
However, when restarting named-pkcs11 I can see in the system log that it has 0 zones loaded:
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
It claims 0 zones loaded, but I can see my forward and reverse zones in IPA.
What could cause it not to load the zones that I defined in IPA?
Rob
2014-10-27 23:05 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>:
Sorry for the xml formatting, I didn't realize it would mess up some mail clients.
The last bit of the message again.
ipa-upgradeconfig gives the following:
[Verifying that root certificate is published]
Failed to backup CS.cfg: no magic attribute 'dogtag'
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful
Any ideas ?
I'm rather stuck now.
Rob
2014-10-27 22:59 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>:
Hello,
I'm rather at a loss here.
Everything seems to be running:
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
But the upgrade log is flooded with this error:
2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
2014-10-27T21:52:11Z DEBUG request
'https://freeipa.x.x:443/ca/admin/ca/getStatus'
2014-10-27T21:52:11Z DEBUG request body ''
2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
2014-10-27T21:52:12Z DEBUG request
'https://freeipa.x.x:443/ca/admin/ca/getStatus'
2014-10-27T21:52:12Z DEBUG request body ''
I've tried the URL and it works fine:
https://freeipa.x.x/ca/admin/ca/getStatus
It gives the following XML:
<?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.2.0-3.fc20</Version></XMLResponse>
After I run ipa-upgradeconfig it complains about a missing magic dogtag attribute:
ipa-upgradeconfig
[Verifying that root certificate is published]
Failed to backup CS.cfg: no magic attribute 'dogtag'
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful
But my local dns zone no longer resolves :(
Reverting back to the 3.3 snapshot again :(
Please help.
Rob
2014-10-26 21:38 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
Rob Verduijn wrote:
> hmmmm....
>
> after some more digging (monitoring the upgrade more closely.)
> I saw that the upgrade kept waiting for the ca to start, which it did not do.
> and after 5 minutes the upgrade gave up with the following errors in the ipaupgrade log :
>
> at 85% it says :
> 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
> 2014-10-26T15:04:35Z DEBUG Starting external process
> 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L'
> 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
> 2014-10-26T15:04:35Z DEBUG stdout=
> Certificate Nickname                         Trust Attributes
>                                              SSL,S/MIME,JAR/XPI
>
> Signing-Cert                                 u,u,u
> XXXX.XXXX IPA CA                             CT,C,C
> ipaCert                                      u,u,u
> Server-Cert                                  u,u,u
>
> 2014-10-26T15:04:35Z DEBUG stderr=
> 2014-10-26T15:04:35Z DEBUG Starting external process
> 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
> 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
> 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
> < certificate-removed >
> -----END CERTIFICATE-----
> 2014-10-26T15:04:35Z DEBUG stderr=
> 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\
This has nothing to do with the CA, the LDAP server didn't come up. I'd start with those logs or look earlier in ipaupgrade.log.
The CA requires 389-ds to be running, so if it isn't up, then it will fail to start too.
rob
Hello,
Please, which version of bind-dyndb-ldap do you have installed?
--
Martin Basti
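The question in the thread turns on one journal line: named-pkcs11 reporting "0 zones from LDAP instance 'ipa' loaded (0 zones defined, ...)" while the admin can see forward and reverse zones in IPA. The script below is an added example, not code from the thread or from FreeIPA: it parses named-pkcs11 journal lines like the ones quoted above and flags the mismatch between what bind-dyndb-ldap says it found in LDAP and how many zones the admin expects. The sample log is constructed from the thread's excerpt, and the regexes match only the message formats shown there (an assumption for other bind-dyndb-ldap versions).

```python
import re

# Constructed sample: the named-pkcs11 lines from the thread, joined onto single lines.
SAMPLE_LOG = """\
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
"""

# Per-zone "loaded serial" lines (only the built-in zones appear in the sample).
ZONE_RE = re.compile(r"named-pkcs11\[\d+\]: zone (?P<zone>\S+)/IN: loaded serial (?P<serial>\d+)")
# The bind-dyndb-ldap summary line the thread asks about (format assumed from the quoted log).
LDAP_RE = re.compile(
    r"named-pkcs11\[\d+\]: (?P<loaded>\d+) zones from LDAP instance '(?P<inst>[^']+)' loaded "
    r"\((?P<defined>\d+) zones defined, (?P<inactive>\d+) inactive, (?P<failed>\d+) failed to load\)"
)


def parse_named_log(text):
    """Return ({zone: serial}, LDAP summary dict or None) from named-pkcs11 journal lines."""
    zones, summary = {}, None
    for line in text.splitlines():
        m = ZONE_RE.search(line)
        if m:
            zones[m.group("zone")] = int(m.group("serial"))
            continue
        m = LDAP_RE.search(line)
        if m:
            summary = {k: (v if k == "inst" else int(v)) for k, v in m.groupdict().items()}
    return zones, summary


def check_ipa_zones(text, expected_ldap_zones):
    """Compare the LDAP summary with the number of zones the admin sees in IPA.

    Returns a list of findings; an empty list means the LDAP zone load looks healthy."""
    _, s = parse_named_log(text)
    if s is None:
        return ["no 'zones from LDAP instance' line: bind-dyndb-ldap did not report a zone load"]
    findings = []
    if s["defined"] < expected_ldap_zones:
        findings.append("LDAP instance %r defines %d zones but IPA has %d: named is not reading the IPA zone tree"
                        % (s["inst"], s["defined"], expected_ldap_zones))
    if s["failed"]:
        findings.append("%d LDAP zones failed to load: check the named-pkcs11 error lines" % s["failed"])
    if s["loaded"] < s["defined"] - s["inactive"]:
        findings.append("only %d of %d defined zones loaded" % (s["loaded"], s["defined"]))
    return findings


if __name__ == "__main__":
    for f in check_ipa_zones(SAMPLE_LOG, 2) or ["OK"]:
        print(f)
```

Run against the thread's excerpt with two expected IPA zones (one forward, one reverse), it reports that the 'ipa' instance defines 0 zones, which points at the LDAP-side lookup rather than at named's own zone files.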
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project