On 10/18/2016 12:30 AM, Matt . wrote:
Hi Guys,

I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24

I already checked some info and:

ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX

Gives me TU instead of MII as expected.

Any suggestions further ?



2016-10-17T22:19:10Z DEBUG Starting external process
2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
2016-10-17T22:19:10Z DEBUG Process finished, return code=255
2016-10-17T22:19:10Z DEBUG stdout=
2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found

2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-10-17T22:19:11Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
in execute
    return_value = self.run()
line 46, in run
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1867, in upgrade
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1770, in upgrade_configuration
    certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1027, in certificate_renewal_update
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 996, in start_tracking_certificates
    'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 307, in track_server_cert
    nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in
    return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin

016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed,
security library failure.
2016-10-17T22:19:11Z ERROR Unexpected error - see
/var/log/ipaupgrade.log for details:
NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information

Hmmm strange,

looks like your DS certificate got lost or has some strange nickname in your directory server's NSS database.

Is this CA-less install, externally signed CA or 'self-signed' CA? Master or replica?

Martin^3 Babinsky

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to