Indeed strange as another master where I did the upgrade on went fine.
It is/was a master with CA and Externally Signed CA, which was
perfectly sychned to the other master.
I finally uninstalled the ipa server and did a new replica install on
it with dns and CA and all went smooth and fine. I also had some weird
DNS error and bind didn't want to start anymore because of expecting a
; I thought this had something todo with a forwarder which wasn't.
For now I'm good, but do you want extra info ?
2016-10-18 7:49 GMT+02:00 Martin Babinsky <mbabi...@redhat.com>:
> On 10/18/2016 12:30 AM, Matt . wrote:
>> Hi Guys,
>> I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24
>> I already checked some info and:
>> ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>> Gives me TU instead of MII as expected.
>> Any suggestions further ?
>> 2016-10-17T22:19:10Z DEBUG Starting external process
>> 2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
>> 2016-10-17T22:19:10Z DEBUG Process finished, return code=255
>> 2016-10-17T22:19:10Z DEBUG stdout=
>> 2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert:
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>> 2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2016-10-17T22:19:11Z DEBUG File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
>> in execute
>> return_value = self.run()
>> line 46, in run
>> line 1867, in upgrade
>> line 1770, in upgrade_configuration
>> certificate_renewal_update(ca, ds, http),
>> line 1027, in certificate_renewal_update
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>> line 996, in start_tracking_certificates
>> 'restart_dirsrv %s' % serverid)
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 307, in track_server_cert
>> nsscert = x509.load_certificate(cert, dbdir=self.secdir)
>> File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in
>> return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin
>> 016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed,
>> exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE)
>> security library failure.
>> 2016-10-17T22:19:11Z ERROR Unexpected error - see
>> /var/log/ipaupgrade.log for details:
>> NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>> 2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See
>> /var/log/ipaupgrade.log for more information
> Hmmm strange,
> looks like your DS certificate got lost or has some strange nickname in your
> directory server's NSS database.
> Is this CA-less install, externally signed CA or 'self-signed' CA? Master or
> Martin^3 Babinsky
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project