Re: [Freeipa-devel] [PATCH] 1098 catch cert-find errors on upgraded servers
Petr Viktorin wrote:
> On 04/29/2013 10:52 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 04/26/2013 09:53 PM, Rob Crittenden wrote:
>>>> A dogtag 9 -> 10 upgraded server doesn't provide the RESTful API so therefore the cert-find command doesn't work. Starting with dogtag 10.0.2 it is going to send back a 501 (HTTP Not implemented) in this case so we at least have something to catch.
>>>>
>>>> This patch catches a 501 and returns a more specific message.
>>>>
>>>> 10.0.2 builds should be available this weekend, or you can pull from their devel repo at:
>>>>
>>>> [dogtag-devel]
>>>> name=Dogtag development $releasever - $basearch
>>>> baseurl=http://nkinder.fedorapeople.org/dogtag-devel/fedora/$releasever/$basearch/os/
>>>> enabled=0
>>>> gpgcheck=0
>>>
>>> With the new Dogtag, /root/.pki/pki-tomcat/ca_admin_cert.p12 is not created. Installation of a new server fails on copying that to /root/ca-agent.p12.
>>> Adding Ade to the thread, he should know more.
>>>
>>> On my instance upgraded from f17 to f18, I get 404 errors, not 501.
>>>
>>> $ rpm -q pki-base
>>> pki-base-10.0.2-1.fc18.noarch
>>> $ ./ipa cert-find
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>>> $ curl -v http://`hostname`:9180/ca/rest/certs/search
>>> [...]
>>> < HTTP/1.1 404 Not Found
>>> < Server: Apache-Coyote/1.1
>>> < Content-Type: text/html
>>> < Content-Length: 5723
>>> < Date: Sun, 28 Apr 2013 23:08:44 GMT
>>> [...]
>>
>> This is caused by some syntax errors in the dogtag upgrade script. They are working on a respin.
>>
>> See /var/log/pki/pki-server-upgrade-*.log
>>
>> rob
>
> When I used yum upgrade for f17→f18, the pki-server-upgrade scriptlet failed; /var/log/pki/pki-server-upgrade-10.0.2.log says:
>
> Upgrading server at Fri May 3 07:37:44 EDT 2013.
> Upgrading from version 10.0.0 to 10.0.1:
> No upgrade scriptlets.
> Upgrading from version 10.0.1 to 10.0.2:
> 1. Replace random number generator
> ERROR: Failed upgrading Dogtag 9 pki-ca/ca subsystem.
> Upgrade failed in Dogtag 9 pki-ca/ca:
>
> However, after running the script manually, everything is back to normal.
>
> The patch works fine, it just needs a changelog rebase. ACK

Rebased and pushed to master

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1098 catch cert-find errors on upgraded servers
On 04/29/2013 10:52 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 04/26/2013 09:53 PM, Rob Crittenden wrote:
>>> A dogtag 9 -> 10 upgraded server doesn't provide the RESTful API so therefore the cert-find command doesn't work. Starting with dogtag 10.0.2 it is going to send back a 501 (HTTP Not implemented) in this case so we at least have something to catch.
>>>
>>> This patch catches a 501 and returns a more specific message.
>>>
>>> 10.0.2 builds should be available this weekend, or you can pull from their devel repo at:
>>>
>>> [dogtag-devel]
>>> name=Dogtag development $releasever - $basearch
>>> baseurl=http://nkinder.fedorapeople.org/dogtag-devel/fedora/$releasever/$basearch/os/
>>> enabled=0
>>> gpgcheck=0
>>
>> With the new Dogtag, /root/.pki/pki-tomcat/ca_admin_cert.p12 is not created. Installation of a new server fails on copying that to /root/ca-agent.p12.
>> Adding Ade to the thread, he should know more.
>>
>> On my instance upgraded from f17 to f18, I get 404 errors, not 501.
>>
>> $ rpm -q pki-base
>> pki-base-10.0.2-1.fc18.noarch
>> $ ./ipa cert-find
>> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>> $ curl -v http://`hostname`:9180/ca/rest/certs/search
>> [...]
>> < HTTP/1.1 404 Not Found
>> < Server: Apache-Coyote/1.1
>> < Content-Type: text/html
>> < Content-Length: 5723
>> < Date: Sun, 28 Apr 2013 23:08:44 GMT
>> [...]
>
> This is caused by some syntax errors in the dogtag upgrade script. They are working on a respin.
>
> See /var/log/pki/pki-server-upgrade-*.log
>
> rob

When I used yum upgrade for f17→f18, the pki-server-upgrade scriptlet failed; /var/log/pki/pki-server-upgrade-10.0.2.log says:

Upgrading server at Fri May 3 07:37:44 EDT 2013.
Upgrading from version 10.0.0 to 10.0.1:
No upgrade scriptlets.
Upgrading from version 10.0.1 to 10.0.2:
1. Replace random number generator
ERROR: Failed upgrading Dogtag 9 pki-ca/ca subsystem.
Upgrade failed in Dogtag 9 pki-ca/ca:

However, after running the script manually, everything is back to normal.

The patch works fine, it just needs a changelog rebase. ACK

--
Petr³
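
The 404-versus-501 triage discussed in this thread, as an added example that is not part of any message or of the FreeIPA patch: it finds the failing scriptlet in a pki-server-upgrade log and combines that with the HTTP status returned by the REST probe. The sample log is constructed from the excerpt quoted above with line breaks assumed, and `failed_steps` and `diagnose` are hypothetical names.

```python
import re

# Constructed sample modelled on the log excerpt quoted in the thread;
# the line breaks are an assumption (the archive flattened them).
SAMPLE_LOG = """\
Upgrading server at Fri May 3 07:37:44 EDT 2013.
Upgrading from version 10.0.0 to 10.0.1:
No upgrade scriptlets.
Upgrading from version 10.0.1 to 10.0.2:
1. Replace random number generator
ERROR: Failed upgrading Dogtag 9 pki-ca/ca subsystem.
Upgrade failed in Dogtag 9 pki-ca/ca:
"""

TRANSITION = re.compile(r"^Upgrading from version (\S+) to (\S+):$")
STEP = re.compile(r"^(\d+)\.\s+(.*)$")

def failed_steps(log_text):
    """Return [(from_version, to_version, step, error)] for each ERROR line."""
    failures, transition, step = [], None, None
    for line in log_text.splitlines():
        line = line.strip()
        m = TRANSITION.match(line)
        if m:
            transition, step = m.groups(), None  # new transition, no step yet
            continue
        m = STEP.match(line)
        if m:
            step = m.group(2)  # remember the scriptlet currently running
            continue
        if line.startswith("ERROR:"):
            frm, to = transition or (None, None)
            failures.append((frm, to, step, line[len("ERROR:"):].strip()))
    return failures

def diagnose(http_status, log_text):
    """Combine the status of the /ca/rest/certs/search probe with the log."""
    failures = failed_steps(log_text)
    if http_status == 501:
        # Per the thread: Dogtag 10.0.2 answers 501 when the REST API is absent.
        return "REST API not implemented on this CA instance"
    if http_status == 404 and failures:
        frm, to, step, err = failures[0]
        return f"REST endpoint missing; upgrade {frm} -> {to} failed at '{step}': {err}"
    if http_status == 404:
        return "REST endpoint missing; no upgrade failure logged"
    return f"unexpected status {http_status}"
```
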
Re: [Freeipa-devel] [PATCH] 1098 catch cert-find errors on upgraded servers
Petr Viktorin wrote:
> On 04/26/2013 09:53 PM, Rob Crittenden wrote:
>> A dogtag 9 -> 10 upgraded server doesn't provide the RESTful API so therefore the cert-find command doesn't work. Starting with dogtag 10.0.2 it is going to send back a 501 (HTTP Not implemented) in this case so we at least have something to catch.
>>
>> This patch catches a 501 and returns a more specific message.
>>
>> 10.0.2 builds should be available this weekend, or you can pull from their devel repo at:
>>
>> [dogtag-devel]
>> name=Dogtag development $releasever - $basearch
>> baseurl=http://nkinder.fedorapeople.org/dogtag-devel/fedora/$releasever/$basearch/os/
>> enabled=0
>> gpgcheck=0
>
> With the new Dogtag, /root/.pki/pki-tomcat/ca_admin_cert.p12 is not created. Installation of a new server fails on copying that to /root/ca-agent.p12.
> Adding Ade to the thread, he should know more.
>
> On my instance upgraded from f17 to f18, I get 404 errors, not 501.
>
> $ rpm -q pki-base
> pki-base-10.0.2-1.fc18.noarch
> $ ./ipa cert-find
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
> $ curl -v http://`hostname`:9180/ca/rest/certs/search
> [...]
> < HTTP/1.1 404 Not Found
> < Server: Apache-Coyote/1.1
> < Content-Type: text/html
> < Content-Length: 5723
> < Date: Sun, 28 Apr 2013 23:08:44 GMT
> [...]

This is caused by some syntax errors in the dogtag upgrade script. They are working on a respin.

See /var/log/pki/pki-server-upgrade-*.log

rob
Re: [Freeipa-devel] [PATCH] 1098 catch cert-find errors on upgraded servers
On 04/26/2013 09:53 PM, Rob Crittenden wrote:
> A dogtag 9 -> 10 upgraded server doesn't provide the RESTful API so therefore the cert-find command doesn't work. Starting with dogtag 10.0.2 it is going to send back a 501 (HTTP Not implemented) in this case so we at least have something to catch.
>
> This patch catches a 501 and returns a more specific message.
>
> 10.0.2 builds should be available this weekend, or you can pull from their devel repo at:
>
> [dogtag-devel]
> name=Dogtag development $releasever - $basearch
> baseurl=http://nkinder.fedorapeople.org/dogtag-devel/fedora/$releasever/$basearch/os/
> enabled=0
> gpgcheck=0

With the new Dogtag, /root/.pki/pki-tomcat/ca_admin_cert.p12 is not created. Installation of a new server fails on copying that to /root/ca-agent.p12.
Adding Ade to the thread, he should know more.

On my instance upgraded from f17 to f18, I get 404 errors, not 501.

$ rpm -q pki-base
pki-base-10.0.2-1.fc18.noarch
$ ./ipa cert-find
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
$ curl -v http://`hostname`:9180/ca/rest/certs/search
[...]
< HTTP/1.1 404 Not Found
< Server: Apache-Coyote/1.1
< Content-Type: text/html
< Content-Length: 5723
< Date: Sun, 28 Apr 2013 23:08:44 GMT
[...]

--
Petr³