Hi all!

I'm trying to upgrade my ipa-server to the version in subject and hitting some bug that seems similar to
https://bugzilla.redhat.com/show_bug.cgi?id=1404910

The yum upgrade process took a bit longer than expected, so I Ctrl+C'd it and executed the command ipa-server-upgrade.

The error message from ipa-server-upgrade is:
8<---
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
OSError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/dogtag.keytab'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
[root@o-ipa01-r ~]#
8<---


The lines that indicate an error in the /var/log/ipaupgrade.log file are:
8<---
2017-03-07T23:05:38Z DEBUG stdout=Authenticating as principal root/ad...@netnerdz.se with password.

2017-03-07T23:05:38Z DEBUG stderr=WARNING: no policy specified for dogtag/o-ipa01-r.ovirt.netnerdz...@netnerdz.se; defaulting to no policy add_principal: Principal or policy already exists while creating "dogtag/o-ipa01-r.ovirt.netnerdz...@netnerdz.se".

2017-03-07T23:05:38Z INFO Retrieving keytab
2017-03-07T23:05:38Z DEBUG Starting external process
2017-03-07T23:05:38Z DEBUG args=kadmin.local -q ktadd -k /etc/pki/pki-tomcat/dogtag.keytab dogtag/o-ipa01-r.ovirt.netnerdz...@netnerdz.se -x ipa-setup-override-restrictions
2017-03-07T23:05:48Z DEBUG Process finished, return code=0
2017-03-07T23:05:48Z DEBUG stdout=Authenticating as principal root/ad...@netnerdz.se with password.

2017-03-07T23:05:48Z DEBUG stderr=kadmin.local: Server error while changing dogtag/o-ipa01-r.ovirt.netnerdz...@netnerdz.se's key

2017-03-07T23:05:48Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-03-07T23:05:48Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1796, in upgrade_configuration
    ca.setup_lightweight_ca_key_retrieval()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1400, in setup_lightweight_ca_key_retrieval
    self.__setup_lightweight_ca_key_retrieval_kerberos()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1431, in __setup_lightweight_ca_key_retrieval_kerberos
    os.chmod(keytab, 0o600)

2017-03-07T23:05:48Z DEBUG The ipa-server-upgrade command failed, exception: OSError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/dogtag.keytab'
2017-03-07T23:05:48Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: OSError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/dogtag.keytab'
2017-03-07T23:05:48Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
8<---


Here's the output from the ipa-server-upgrade command:
[root@o-ipa01-r ~]# ipa-server-upgrade
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [5/8]: updating schema

  [6/8]: upgrading server
  [7/8]: stopping directory server
  [8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-NETNERDZ-SE/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with automatic empty zones]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
OSError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/dogtag.keytab'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
[root@o-ipa01-r ~]#

Everything seems to be working as normal, but this error message worries me a bit since this is my only ipa server (setting up a secondary master has been on my todo list).
Can you help me troubleshoot this?
Or should I just set up a replica and propagate it to primary node for all clients and then reinstall the one that has the problem?

Thank you in advance!
//Robert
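
Added example, not part of the original post and not FreeIPA code: in the log excerpt above, kadmin.local finishes with return code=0 while its stderr reports a server error, and the later chmod fails because the keytab was never written. The script below groups the external-process records of an ipaupgrade.log and flags runs like that one; the sample log is constructed, its host, realm and principals are placeholders, and the function names and error-word pattern are assumptions.

```python
import re
# Constructed sample modelled on the ipaupgrade.log lines in the post;
# host, realm and principals are placeholders, not values from the post.
SAMPLE_LOG = """\
2017-03-07T23:05:38Z DEBUG Starting external process
2017-03-07T23:05:38Z DEBUG args=kadmin.local -q ktadd -k /etc/pki/pki-tomcat/dogtag.keytab dogtag/ipa.example.test@EXAMPLE.TEST -x ipa-setup-override-restrictions
2017-03-07T23:05:48Z DEBUG Process finished, return code=0
2017-03-07T23:05:48Z DEBUG stdout=Authenticating as principal placeholder@EXAMPLE.TEST with password.
2017-03-07T23:05:48Z DEBUG stderr=kadmin.local: Server error while changing dogtag/ipa.example.test@EXAMPLE.TEST's key

2017-03-07T23:05:49Z DEBUG Starting external process
2017-03-07T23:05:49Z DEBUG args=/bin/systemctl is-active named.service
2017-03-07T23:05:49Z DEBUG Process finished, return code=0
2017-03-07T23:05:49Z DEBUG stderr=
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (\w+) (.*)$")
ERRORISH = re.compile(r"\b(error|failed|cannot|denied)\b", re.I)

def external_runs(text):
    """Group each 'Starting external process' record into a dict."""
    runs, cur, field = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:  # continuation of a multi-line stdout/stderr value
            if cur is not None and field:
                cur[field] += "\n" + raw
            continue
        ts, _level, msg = m.groups()
        field = None
        if msg == "Starting external process":
            cur = {"time": ts, "args": "", "rc": None, "stdout": "", "stderr": ""}
            runs.append(cur)
        elif cur is not None and msg.startswith("Process finished, return code="):
            cur["rc"] = int(msg.rsplit("=", 1)[1])
        elif cur is not None:
            for key in ("args", "stdout", "stderr"):
                if msg.startswith(key + "="):
                    field, cur[key] = key, msg[len(key) + 1:]
    return runs

def silent_failures(text):
    """Runs that exited 0 although stderr still reports an error."""
    return [r for r in external_runs(text)
            if r["rc"] == 0 and ERRORISH.search(r["stderr"])]

if __name__ == "__main__":
    for r in silent_failures(SAMPLE_LOG):
        print(r["time"], r["args"].split()[0], "->", r["stderr"].strip())
```

To use it on a real server, pass the contents of /var/log/ipaupgrade.log to `silent_failures` instead of `SAMPLE_LOG`.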
