[Freeipa-users] Re: Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Fuji San via FreeIPA-users
OK thanks

Removed mod_ssl package.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Rob Crittenden via FreeIPA-users
Fuji San via FreeIPA-users wrote:
> Ok I figured out what happened.
> 
> After the upgrade to F26, the file /etc/httpd/conf.d/ssl.conf has been 
> modified somehow, preventing the httpd server from starting.
> 
> Line 5 : Listen 443 https
> I had to comment it.
> 
> Line 61: #ServerName myserver.mydomain:443
> I had to uncomment it. Somehow it was commented!
> 
> Line 103: SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> Line 104: #SSLCertificateFile /etc/pki/tls/certs/myserver.mydomain.crt
> Line 103 was added and the next line (the original one) was commented. So I 
> removed line 103 and uncommented line 104.
> 
> Line 112: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> Line 113: #SSLCertificateKeyFile /etc/pki/tls/private/myserver.mydomain.key
> Same here, I removed line 112 and uncommented line 113.
> 
> So, the question is: what happened?

Hard to say. IPA does absolutely nothing with mod_ssl so my guess is
that someone installed the package at some point between the last
restart and the upgrade.

I'd recommend uninstalling mod_ssl completely.

rob

> 
> 
> 
> ---
> $ ipa-server-upgrade 
> Upgrading IPA:
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
>   [4/10]: enabling DS global lock
>   [5/10]: starting directory server
>   [6/10]: updating schema
>   [7/10]: upgrading server
>   [8/10]: stopping directory server
>   [9/10]: restoring configuration
>   [10/10]: starting directory server
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> /etc/dirsrv/slapd-mydomain/certmap.conf is now managed by IPA. It will be 
> overwritten. A backup of the original will be made.
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Updating mod_nss cipher suite]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> [Removing self-signed CA]
> [Removing Dogtag 9 CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Checking global forwarding policy in named.conf to avoid conflicts with 
> automatic empty zones]
> Changes to named.conf have been made, restart named
> [Upgrading CA schema]
> CA schema update complete (no changes)
> [Verifying that CA audit signing cert has 2 year validity]
> [Update certmonger certificate renewal configuration to version 5]
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Adding default OCSP URI configuration]
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> Default CA ACL already added
> [Set up lightweight CA key retrieval]
> Creating principal
> Retrieving keytab
> Creating Custodia keys
> Configuring key retriever
> The IPA services were upgraded
> The ipa-server-upgrade command was successful
> 


[Freeipa-users] Re: Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Fuji San via FreeIPA-users
Ok I figured out what happened.

After the upgrade to F26, the file /etc/httpd/conf.d/ssl.conf has been modified 
somehow, preventing the httpd server from starting.

Line 5 : Listen 443 https
I had to comment it.

Line 61: #ServerName myserver.mydomain:443
I had to uncomment it. Somehow it was commented!

Line 103: SSLCertificateFile /etc/pki/tls/certs/localhost.crt
Line 104: #SSLCertificateFile /etc/pki/tls/certs/myserver.mydomain.crt
Line 103 was added and the next line (the original one) was commented. So I 
removed line 103 and uncommented line 104.

Line 112: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Line 113: #SSLCertificateKeyFile /etc/pki/tls/private/myserver.mydomain.key
Same here, I removed line 112 and uncommented line 113.

So, the question is: what happened?



---
$ ipa-server-upgrade 
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-mydomain/certmap.conf is now managed by IPA. It will be 
overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with 
automatic empty zones]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
The IPA services were upgraded
The ipa-server-upgrade command was successful
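Added example (not from the thread or the FreeIPA project): a small POSIX shell audit that flags the three ssl.conf symptoms Fuji San found after the upgrade (an active Listen 443, a commented ServerName, and certificate directives rewritten to the stock localhost pair), together with a check for Rob's point that mod_ssl should not be installed on an IPA server at all. The expected hostname, the sample file contents and the rpm query are assumptions.

```shell
#!/bin/sh
# Audit an Apache ssl.conf for the symptoms reported in the thread: a stock
# mod_ssl ssl.conf (active "Listen 443", commented ServerName, packaged
# localhost.crt/localhost.key) that breaks the IPA-managed httpd on start.
# Prints one FINDING line per problem; returns 0 when the file looks clean.
audit_ssl_conf() {
    conf="$1"
    expected_host="$2"   # assumption: the IPA server's FQDN
    rc=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    # IPA's mod_nss already binds 443; a second active Listen 443 fails startup
    if grep -Eq '^[[:space:]]*Listen[[:space:]]+443' "$conf"; then
        echo "FINDING: active 'Listen 443' in $conf"
        rc=1
    fi
    # ServerName present only as a comment
    if grep -Eq '^[[:space:]]*#[[:space:]]*ServerName[[:space:]]+' "$conf" \
       && ! grep -Eq '^[[:space:]]*ServerName[[:space:]]+' "$conf"; then
        echo "FINDING: ServerName is commented out in $conf"
        rc=1
    fi
    # certificate directives pointing at the packaged self-signed localhost pair
    for directive in SSLCertificateFile SSLCertificateKeyFile; do
        if grep -Eq "^[[:space:]]*$directive[[:space:]]+.*/localhost\.(crt|key)" "$conf"; then
            echo "FINDING: $directive uses localhost.* instead of $expected_host"
            rc=1
        fi
    done
    return $rc
}

# Report whether the mod_ssl package is installed at all (IPA does not use it).
# Assumes an rpm-based host such as Fedora; false when rpm is unavailable.
mod_ssl_installed() {
    command -v rpm >/dev/null 2>&1 && rpm -q mod_ssl >/dev/null 2>&1
}

# Constructed sample mirroring the post-upgrade file described in the thread.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
Listen 443 https
#ServerName myserver.mydomain:443
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#SSLCertificateFile /etc/pki/tls/certs/myserver.mydomain.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateKeyFile /etc/pki/tls/private/myserver.mydomain.key
EOF

# Constructed sample of the same file after the edits the poster applied.
SAMPLE_FIXED=$(mktemp)
cat > "$SAMPLE_FIXED" <<'EOF'
#Listen 443 https
ServerName myserver.mydomain:443
SSLCertificateFile /etc/pki/tls/certs/myserver.mydomain.crt
SSLCertificateKeyFile /etc/pki/tls/private/myserver.mydomain.key
EOF

audit_ssl_conf "$SAMPLE_BAD" myserver.mydomain || echo "ssl.conf needs attention"
```

On a real server, point it at /etc/httpd/conf.d/ssl.conf and, if mod_ssl_installed succeeds, removing the package is the cleaner fix than editing the file.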


[Freeipa-users] Re: Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Fuji San via FreeIPA-users
ipa-server-upgrade 
$ ipa-server-upgrade 
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [5/8]: updating schema
  [6/8]: upgrading server
  [7/8]: stopping directory server
  [8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-mydomain/certmap.conf is now managed by IPA. It will be 
overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command 
ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start httpd.service' returned 
non-zero exit status 1
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more 
information

LOG---
[...]
2017-11-10T14:39:31Z DEBUG stdout=
2017-11-10T14:39:31Z DEBUG stderr=Warning: httpd.service changed on disk. Run 
'systemctl daemon-reload' to reload units.
Job for httpd.service failed because the control process exited with error code.
See "systemctl  status httpd.service" and "journalctl  -xe" for details.

2017-11-10T14:39:31Z ERROR IPA server upgrade failed: Inspect 
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-11-10T14:39:31Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
return_value = self.run()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", 
line 46, in run
server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1841, in upgrade
upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1659, in upgrade_configuration
http.start()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
346, in start
self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 
285, in start
skip_output=not capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 520, in run
raise CalledProcessError(p.returncode, arg_string, str(output))

2017-11-10T14:39:31Z DEBUG The ipa-server-upgrade command failed, exception: 
CalledProcessError: Command '/bin/systemctl start httpd.service' returned 
non-zero exit status 1
2017-11-10T14:39:31Z ERROR Unexpected error - see /var/log/ipaupgrade.log for 
details:
CalledProcessError: Command '/bin/systemctl start httpd.service' returned 
non-zero exit status 1
2017-11-10T14:39:31Z ERROR The ipa-server-upgrade command failed. See 
/var/log/ipaupgrade.log for more information


[Freeipa-users] Re: Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Fuji San via FreeIPA-users
No I cannot:
Nov 10 15:33:56 myserver.mydomain systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has begun starting up.
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]: ipa : 
ERROR Unknown error while retrieving setting from 
ldapi://%2fvar%2frun%2fslapd-mydomain.socket: [Errno 111] Connection refused
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]: Traceback (most 
recent call last):
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]:   File 
"/usr/libexec/ipa/ipa-httpd-kdcproxy", line 84, in _ldap_con
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]: 
self.con.do_bind(timeout=self.time_limit)
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]:   File 
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1681, in do_bind
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]: 
self.do_external_bind(pw_name, timeout=timeout)
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]:   File 
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1671, in 
do_external_bind
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]: 
self.__bind_with_wait(self.external_bind, timeout, user_name)
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]:   File 
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1660, in 
__bind_with_wait
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]: 
self.__wait_for_connection(timeout)
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]:   File 
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1643, in 
__wait_for_connection
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]: 
wait_for_open_socket(lurl.hostport, timeout)
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]:   File 
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1312, in 
wait_for_open_socket
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]: raise e
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]: error: [Errno 111] 
Connection refused
Nov 10 15:33:58 myserver.mydomain ipa-httpd-kdcproxy[15216]: ipa : 
ERROR Unknown error while retrieving setting from 
ldapi://%2fvar%2frun%2fslapd-mydomain.socket: [Errno 111] Connection refused
Nov 10 15:33:58 myserver.mydomain systemd[1]: httpd.service: Control process 
exited, code=exited status=1
Nov 10 15:33:58 myserver.mydomain systemd[1]: Failed to start The Apache HTTP 
Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has failed.
-- 
-- The result is failed.
Nov 10 15:33:58 myserver.mydomain audit[1]: SERVICE_START pid=1 uid=0 
auid=4294967295 ses=4294967295 msg='unit=httpd comm="systemd" 
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Nov 10 15:33:58 myserver.mydomain systemd[1]: httpd.service: Unit entered 
failed state.
Nov 10 15:33:58 myserver.mydomain systemd[1]: httpd.service: Failed with result 
'exit-code'.
Nov 10 15:34:02 myserver.mydomain systemd[1]: Reloading.
Nov 10 15:34:04 myserver.mydomain systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has begun starting up.
Nov 10 15:34:06 myserver.mydomain ipa-httpd-kdcproxy[15271]: ipa : 
ERROR Unknown error while retrieving setting from 
ldapi://%2fvar%2frun%2fslapd-mydomain.socket: [Errno 111] Connection refused
Nov 10 15:34:06 myserver.mydomain ipa-httpd-kdcproxy[15271]: Traceback (most 
recent call last):
Nov 10 15:34:06 myserver.mydomain ipa-httpd-kdcproxy[15271]:   File 
"/usr/libexec/ipa/ipa-httpd-kdcproxy", line 84, in _ldap_con
Nov 10 15:34:06 myserver.mydomain ipa-httpd-kdcproxy[15271]: 
self.con.do_bind(timeout=self.time_limit)
Nov 10 15:34:06 myserver.mydomain ipa-httpd-kdcproxy[15271]:   File 
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1681, in do_bind
Nov 10 15:34:06 myserver.mydomain ipa-httpd-kdcproxy[15271]: 
self.do_external_bind(pw_name, timeout=timeout)
Nov 10 15:34:06 myserver.mydomain ipa-httpd-kdcproxy[15271]:   File 
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1671, in 
do_external_bind
Nov 10 15:34:06 myserver.mydomain ipa-httpd-kdcproxy[15271]: 
self.__bind_with_wait(self.external_bind, timeout, user_name)
Nov 10 15:34:06 myserver.mydomain ipa-httpd-kdcproxy[15271]:   File 
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1660, in 
__bind_with_wait
Nov 10 15:34:06 myserver.mydomain ipa-httpd-kdcproxy[15271]: 
self.__wait_for_connection(timeout)
Nov 10 15:34:06 myserver.mydomain ipa-httpd-kdcproxy[15271]:   File 

[Freeipa-users] Re: Cannot start freeipa service after upgrade to Fedora 26

2017-11-10 Thread Callum Guy via FreeIPA-users
Can you start apache manually?

On Fri, Nov 10, 2017 at 2:20 PM Fuji San via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> I upgraded my freeipa server to F26 and I noticed it wasn't working
> anymore.
> So I ran 'ipa-server-upgrade' and got the following :
>
> Upgrading IPA:
>   [1/8]: saving configuration
>   [2/8]: disabling listeners
>   [3/8]: enabling DS global lock
>   [4/8]: starting directory server
>   [5/8]: updating schema
>   [6/8]: upgrading server
>   [7/8]: stopping directory server
>   [8/8]: restoring configuration
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> /etc/dirsrv/slapd-OPERA/certmap.conf is now managed by IPA. It will be
> overwritten. A backup of the original will be made.
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Updating mod_nss cipher suite]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
> ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> CalledProcessError: Command '/bin/systemctl start httpd.service' returned
> non-zero exit status 1
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> more information
>
> What can I do?
>
> Thanks.
> F.
>
-- 
Callum Guy
Head of Information Security
X-on

