On 29/05/15 18:57, Thomas Sailer wrote:
Hello everyone.

I upgraded a FreeIPA server from Fedora 20 to Fedora 22. It mostly worked OK, but there are a few issues:

- pki-tomcat didn't start after the upgrade, and that in turn made ipa-upgradeconfig fail, because /var/lib/pki/pki-tomcat/conf/ca/CS.cfg had the wrong owner (root).

- ipa-ldap-updater stumbles over two problems:
  - Pre schema upgrade failed
  - when trying to modify cn=encryption,cn=config, it stumbles over allowWeakCipher not allowed

Does anyone know how to fix this? Is the pre schema upgrade failure spurious? What bits am I missing about the allowWeakCipher issue?

Thomas



2015-05-28T13:04:55Z DEBUG   [4/10]: starting directory server
2015-05-28T13:04:55Z DEBUG Starting external process
2015-05-28T13:04:55Z DEBUG args='/bin/systemctl' 'start' 'dirsrv@XXXXX-COM.service'
2015-05-28T13:04:55Z DEBUG Process finished, return code=0
2015-05-28T13:04:55Z DEBUG stdout=
2015-05-28T13:04:55Z DEBUG stderr=Running in chroot, ignoring request.

2015-05-28T13:04:55Z DEBUG   duration: 0 seconds
2015-05-28T13:04:55Z DEBUG   [5/10]: preparing server upgrade
2015-05-28T13:05:36Z ERROR Pre schema upgrade failed with [Errno 2] No such file or directory
2015-05-28T13:05:36Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 128, in __pre_schema_upgrade
    ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run, plugins=True)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 220, in __init__
    self.create_connection()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 783, in create_connection
    dm_password=self.dm_password, pw_name=self.pw_name)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
    conn.do_external_bind(pw_name)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
    self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
    self.__wait_for_connection(timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
    wait_for_open_socket(lurl.hostport, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1183, in wait_for_open_socket
    raise e
error: [Errno 2] No such file or directory

2015-05-28T13:05:36Z DEBUG   duration: 40 seconds
2015-05-28T13:05:36Z DEBUG   [6/10]: updating schema
2015-05-28T13:05:46Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 388, in start_creation
    run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 378, in run_step
    method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 145, in __update_schema
    dm_password='', ldapi=True, live_run=self.live_run) or self.modified
File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 112, in update_schema
    fqdn=installutils.get_fqdn())
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
    conn.do_external_bind(pw_name)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
    self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
    self.__wait_for_connection(timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
    wait_for_open_socket(lurl.hostport, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1183, in wait_for_open_socket
    raise e
error: [Errno 2] No such file or directory

2015-05-28T13:05:46Z DEBUG [error] error: [Errno 2] No such file or directory
2015-05-28T13:05:46Z DEBUG   [cleanup]: stopping directory server
2015-05-28T13:05:46Z DEBUG Starting external process
2015-05-28T13:05:46Z DEBUG args='/bin/systemctl' 'stop' 'dirsrv@XXXXX-COM.service'
2015-05-28T13:05:46Z DEBUG Process finished, return code=0
2015-05-28T13:05:46Z DEBUG stdout=
2015-05-28T13:05:46Z DEBUG stderr=Running in chroot, ignoring request.

2015-05-28T13:05:46Z DEBUG   duration: 0 seconds
2015-05-28T13:05:46Z DEBUG   [cleanup]: restoring configuration
2015-05-28T13:05:46Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-05-28T13:05:46Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-05-28T13:05:46Z DEBUG   duration: 0 seconds
2015-05-28T13:05:46Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 144, in run
    upgrade.create_instance()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 93, in create_instance
    show_service_name=False)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 388, in start_creation
    run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 378, in run_step
    method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 145, in __update_schema
    dm_password='', ldapi=True, live_run=self.live_run) or self.modified
File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 112, in update_schema
    fqdn=installutils.get_fqdn())
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
    conn.do_external_bind(pw_name)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
    self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
    self.__wait_for_connection(timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
    wait_for_open_socket(lurl.hostport, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1183, in wait_for_open_socket
    raise e

2015-05-28T13:05:46Z DEBUG The ipa-ldap-updater command failed, exception: error: [Errno 2] No such file or directory
2015-05-28T13:05:46Z ERROR [Errno 2] No such file or directory
2015-05-28T13:05:47Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with options: {'debug': False, 'quiet': True}
2015-05-28T13:05:47Z DEBUG IPA version 4.1.4-2.fc22
2015-05-28T13:05:47Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2015-05-28T13:05:47Z DEBUG importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idviews.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otpconfig.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken_yubikey.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
2015-05-28T13:05:47Z DEBUG Starting external process
2015-05-28T13:05:47Z DEBUG args='klist' '-V'
2015-05-28T13:05:47Z DEBUG Process finished, return code=0
2015-05-28T13:05:47Z DEBUG stdout=Kerberos 5 version 1.13.1

2015-05-28T13:05:47Z DEBUG stderr=
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
2015-05-28T13:05:47Z DEBUG importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'




2015-05-28T17:11:53Z INFO Updating existing entry: cn=encryption,cn=config
2015-05-28T17:11:53Z DEBUG ---------------------------------------------
2015-05-28T17:11:53Z DEBUG Initial value
2015-05-28T17:11:53Z DEBUG dn: cn=encryption,cn=config
2015-05-28T17:11:53Z DEBUG nsSSL3:
2015-05-28T17:11:53Z DEBUG     off
2015-05-28T17:11:53Z DEBUG nsSSL2:
2015-05-28T17:11:53Z DEBUG     off
2015-05-28T17:11:53Z DEBUG cn:
2015-05-28T17:11:53Z DEBUG     encryption
2015-05-28T17:11:53Z DEBUG objectClass:
2015-05-28T17:11:53Z DEBUG     top
2015-05-28T17:11:53Z DEBUG     nsEncryptionConfig
2015-05-28T17:11:53Z DEBUG sslVersionMax:
2015-05-28T17:11:53Z DEBUG     TLS1.2
2015-05-28T17:11:53Z DEBUG nsSSLSessionTimeout:
2015-05-28T17:11:53Z DEBUG     0
2015-05-28T17:11:53Z DEBUG sslVersionMin:
2015-05-28T17:11:53Z DEBUG     TLS1.0
2015-05-28T17:11:53Z DEBUG nsSSLSupportedCiphers:
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDH_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_RC4_128_SHA::RC4::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5::RC2::MD5::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_NULL_SHA::NULL::SHA1::0
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_NULL_SHA::NULL::SHA1::0
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_NULL_SHA::NULL::SHA1::0
2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_NULL_SHA256::NULL::SHA256::0
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_AES_128_CBC_SHA::AES::SHA1::128
2015-05-28T17:11:53Z DEBUG     TLS_RSA_WITH_NULL_MD5::NULL::MD5::0
2015-05-28T17:11:53Z DEBUG TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA::DES::SHA1::64
2015-05-28T17:11:53Z DEBUG TLS_RSA_EXPORT1024_WITH_RC4_56_SHA::RC4::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192
2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG SSL_CK_RC2_128_CBC_WITH_MD5::RC2::MD5::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG SSL_CK_RC4_128_WITH_MD5::RC4::MD5::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
2015-05-28T17:11:53Z DEBUG TLS_ECDH_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
2015-05-28T17:11:53Z DEBUG SSL_CK_DES_64_CBC_WITH_MD5::DES::MD5::64
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_EXPORT_WITH_RC4_40_MD5::RC4::MD5::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
2015-05-28T17:11:53Z DEBUG SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5::RC2::MD5::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_DES_CBC_SHA::DES::SHA1::64
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_AES_256_CBC_SHA::AES::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_SEED_CBC_SHA::SEED::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
2015-05-28T17:11:53Z DEBUG SSL_CK_RC4_128_EXPORT40_WITH_MD5::RC4::MD5::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
2015-05-28T17:11:53Z DEBUG nsSSLClientAuth:
2015-05-28T17:11:53Z DEBUG     allowed
2015-05-28T17:11:53Z DEBUG nssslenabledciphers:
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG nsTLS1:
2015-05-28T17:11:53Z DEBUG     on
2015-05-28T17:11:53Z DEBUG nsSSL3Ciphers:
2015-05-28T17:11:53Z DEBUG -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
2015-05-28T17:11:53Z DEBUG only: set nsSSL3Ciphers to '+all', current value ['-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha']
2015-05-28T17:11:53Z DEBUG only: updated value ['+all']
2015-05-28T17:11:53Z DEBUG addifnew: 'off' to allowWeakCipher, current value []
2015-05-28T17:11:53Z DEBUG addifnew: set allowWeakCipher to ['off']
2015-05-28T17:11:53Z DEBUG ---------------------------------------------
2015-05-28T17:11:53Z DEBUG Final value after applying updates
2015-05-28T17:11:53Z DEBUG dn: cn=encryption,cn=config
2015-05-28T17:11:53Z DEBUG nsSSL3:
2015-05-28T17:11:53Z DEBUG     off
2015-05-28T17:11:53Z DEBUG nsSSL2:
2015-05-28T17:11:53Z DEBUG     off
2015-05-28T17:11:53Z DEBUG cn:
2015-05-28T17:11:53Z DEBUG     encryption
2015-05-28T17:11:53Z DEBUG objectClass:
2015-05-28T17:11:53Z DEBUG     top
2015-05-28T17:11:53Z DEBUG     nsEncryptionConfig
2015-05-28T17:11:53Z DEBUG sslVersionMax:
2015-05-28T17:11:53Z DEBUG     TLS1.2
2015-05-28T17:11:53Z DEBUG nsSSLSessionTimeout:
2015-05-28T17:11:53Z DEBUG     0
2015-05-28T17:11:53Z DEBUG sslVersionMin:
2015-05-28T17:11:53Z DEBUG     TLS1.0
2015-05-28T17:11:53Z DEBUG nsSSLSupportedCiphers:
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDH_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_RC4_128_SHA::RC4::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5::RC2::MD5::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_NULL_SHA::NULL::SHA1::0
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_NULL_SHA::NULL::SHA1::0
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_NULL_SHA::NULL::SHA1::0
2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_NULL_SHA256::NULL::SHA256::0
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_AES_128_CBC_SHA::AES::SHA1::128
2015-05-28T17:11:53Z DEBUG     TLS_RSA_WITH_NULL_MD5::NULL::MD5::0
2015-05-28T17:11:53Z DEBUG TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA::DES::SHA1::64
2015-05-28T17:11:53Z DEBUG TLS_RSA_EXPORT1024_WITH_RC4_56_SHA::RC4::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192
2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG SSL_CK_RC2_128_CBC_WITH_MD5::RC2::MD5::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG SSL_CK_RC4_128_WITH_MD5::RC4::MD5::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
2015-05-28T17:11:53Z DEBUG TLS_ECDH_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
2015-05-28T17:11:53Z DEBUG SSL_CK_DES_64_CBC_WITH_MD5::DES::MD5::64
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_EXPORT_WITH_RC4_40_MD5::RC4::MD5::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
2015-05-28T17:11:53Z DEBUG SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5::RC2::MD5::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_DES_CBC_SHA::DES::SHA1::64
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_AES_256_CBC_SHA::AES::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_SEED_CBC_SHA::SEED::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
2015-05-28T17:11:53Z DEBUG SSL_CK_RC4_128_EXPORT40_WITH_MD5::RC4::MD5::128
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
2015-05-28T17:11:53Z DEBUG nsSSLClientAuth:
2015-05-28T17:11:53Z DEBUG     allowed
2015-05-28T17:11:53Z DEBUG nssslenabledciphers:
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
2015-05-28T17:11:53Z DEBUG nsTLS1:
2015-05-28T17:11:53Z DEBUG     on
2015-05-28T17:11:53Z DEBUG allowWeakCipher:
2015-05-28T17:11:53Z DEBUG     off
2015-05-28T17:11:53Z DEBUG nsSSL3Ciphers:
2015-05-28T17:11:53Z DEBUG     +all
2015-05-28T17:11:53Z DEBUG [(2, u'allowWeakCipher', ['off']), (0, u'nsSSL3Ciphers', ['+all']), (1, u'nsSSL3Ciphers', ['-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha'])]
2015-05-28T17:11:53Z DEBUG Live 1, updated 1
2015-05-28T17:11:53Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 213, in run
    modified = ld.update(self.files, ordered=True) or modified
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 854, in update
    self._run_updates(all_updates)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 799, in _run_updates
    self._update_record(update)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 720, in _update_record
    self.conn.update_entry(entry)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1628, in update_entry
    self.conn.modify_s(entry.dn, modlist)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1191, in error_handler
    raise errors.ObjectclassViolation(info=info)

2015-05-28T17:11:53Z DEBUG The ipa-ldap-updater command failed, exception: ObjectclassViolation: attribute "allowWeakCipher" not allowed
2015-05-28T17:11:53Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
ObjectclassViolation: attribute "allowWeakCipher" not allowed
2015-05-29T12:46:04Z DEBUG Logging to /var/log/ipaupgrade.log


Hello,

1)
Actually, you have more errors there.

This causes that neither the pre-schema upgrade nor the schema upgrade is executed:

error: [Errno 2] No such file or directory

Could DS in a chroot cause ipa-ldap-updater --upgrade to be unable to locate the DS socket?
2015-05-28T13:04:55Z DEBUG stderr=Running in chroot, ignoring request.

2)
Allow weak ciphers.
Can you check the objectclass definitions in /etc/dirsrv/slapd-XXXXX-COM/schema?
# grep 'allowWeakCipher' *

If you find more than one objectclass definition, please remove the old one from the ldif files and restart DS. (Probably the old one will be in 99user.ldif.)


Martin


--
Martin Basti
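
The schema check suggested in the reply above, as an added example that is not part of the original thread or of FreeIPA: it scans a schema directory for every definition of the nsEncryptionConfig objectclass and reports which files carry a copy that does not permit allowWeakCipher. The function names, the file name `01sample-core.ldif`, the placeholder OID and both sample definitions are constructed for illustration; only `99user.ldif`, the objectclass name and the attribute name come from the messages.

```python
import re
import tempfile
from pathlib import Path

# One schema value per (unfolded) line: "objectClasses: ( ... )"
OC_LINE = re.compile(r"^objectclasses:\s*(\(.*\))\s*$", re.I | re.M)


def unfold(text):
    """Join LDIF continuation lines (newline followed by one space)."""
    return re.sub(r"\r?\n ", "", text)


def class_names(definition):
    """Lower-cased names from NAME 'x' or NAME ( 'x' 'y' )."""
    m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", definition)
    if not m:
        return set()
    names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
    return {n.lower() for n in names}


def allowed_attrs(definition):
    """Lower-cased attribute names listed under MUST and MAY."""
    # Blank out quoted strings so words inside DESC cannot be mistaken for keywords.
    bare = re.sub(r"'[^']*'", "''", definition)
    attrs = set()
    for keyword in ("MUST", "MAY"):
        m = re.search(rf"\b{keyword}\s+(?:\(([^)]*)\)|([\w;.-]+))", bare)
        if m:
            raw = m.group(1) if m.group(1) is not None else m.group(2)
            attrs.update(a.strip().lower() for a in raw.split("$") if a.strip())
    return attrs


def audit(schema_dir, oc_name, attr):
    """Return [(file name, attr allowed?)] for each definition of oc_name."""
    results = []
    for path in sorted(Path(schema_dir).glob("*.ldif")):
        text = unfold(path.read_text(encoding="utf-8", errors="replace"))
        for definition in OC_LINE.findall(text):
            if oc_name.lower() in class_names(definition):
                results.append((path.name, attr.lower() in allowed_attrs(definition)))
    return results


def stale_files(schema_dir, oc_name, attr):
    """With more than one definition present, list files whose copy lacks attr."""
    results = audit(schema_dir, oc_name, attr)
    if len(results) < 2:
        return []
    return [name for name, allowed in results if not allowed]


def build_sample_schema_dir():
    """Constructed sample: a current definition plus an old folded copy in 99user.ldif."""
    d = Path(tempfile.mkdtemp())
    (d / "01sample-core.ldif").write_text(
        "dn: cn=schema\n"
        "objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' "
        "DESC 'constructed sample' SUP top STRUCTURAL MUST ( cn ) "
        "MAY ( nsSSL2 $ nsSSL3 $ nsTLS1 $ nsSSL3Ciphers $ allowWeakCipher ) "
        "X-ORIGIN 'constructed' )\n"
    )
    (d / "99user.ldif").write_text(
        "dn: cn=schema\n"
        "objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'con\n"
        " structed old copy, MAY ( be stale )' SUP top STRUCTURAL MUST ( cn ) MAY ( n\n"
        " sSSL2 $ nsSSL3 $ nsTLS1 $ nsSSL3Ciphers ) X-ORIGIN 'user defined' )\n"
    )
    return d


if __name__ == "__main__":
    sample = build_sample_schema_dir()
    for name, allowed in audit(sample, "nsEncryptionConfig", "allowWeakCipher"):
        print(f"{name}: allowWeakCipher {'allowed' if allowed else 'NOT allowed'}")
    print("stale copies:", stale_files(sample, "nsEncryptionConfig", "allowWeakCipher"))
```

On a real server the directory to pass is the instance schema directory named in the reply; the script only reads files and changes nothing.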
