[Freeipa-users] Re: IPA Server Upgrade Error

2017-10-06 Thread Charles Hedrick via FreeIPA-users
We were in the same situation. I tried this solution, and it does fix the 
problem with not being able to upgrade.

However it still leaves an inconsistency in the configuration. I was unable to 
add a new replica. It failed at the CA step, even if the new replica was 
installed without CA. The only way I could get the new replica set up was to 
remove

ipaConfigString: enabledService
ipaConfigString: caRenewalMaster

from 
cn=CA,cn=krb1.cs.rutgers.edu,cn=masters,cn=ipa,cn=etc,dc=cs,dc=rutgers,dc=edu

That makes the primary think there are no CA’s in the system, and the install 
works fine.

If it doesn’t make sense to add a third-party cert when there’s a CA, perhaps 
you could update the instructions to say that. But I’d like a way to put my 
system in a consistent state, so that both updates and topology changes work.

> On Oct 2, 2017, at 4:03 AM, Florence Blanc-Renaud via FreeIPA-users 
>  wrote:
> 
> On 09/28/2017 11:51 AM, Alka Murali via FreeIPA-users wrote:
>> Hi Florence,
>> Thanks for the email.
>> I am on CentOS 7 system and would like to use yum to go for the Upgrade. I 
>> believe dnf is intended for Fedora. Can you please provide me a solution for 
>> CentOS on the Upgrade process.
>> Regards,
>> Alka Murali
> Hi,
> 
> the fix hasn't been released yet in CentOS.
> The workaround would be to rename your certificate into "Server-Cert" before 
> running ipa-server-upgrade.
> 
> If the 3rd party certificate is used by HTTPd:
> backup /etc/httpd/alias, use certutil --rename to rename the cert as 
> "Server-Cert" and edit /etc/httpd/conf.d/nss.conf (replace NSSNickname xxx 
> with NSSNickName Server-Cert)
> 
> If the 3rd party certificate is used by LDAP:
> backup /etc/dirsrv/slapd-DOMxx, use certutil --rename to rename the cert as 
> "Server-Cert" and edit /etc/dirsrv/slapd-DOMxx/dse.ldif (replace 
> nsSSLPersonalitySSL: xxx with nsSSLPersonalitySSL: Server-Cert).
> 
> Restart both services and re-try ipa-server-upgrade. After the command 
> completes, you will also need to stop-tracking the 3rd party certificate 
> Server-Cert:
> If the 3rd party cert is used by LDAP:
> sudo getcert list -d /etc/dirsrv/slapd-DOMxxx -n Server-Cert
> => Extract the request ID, for instance Request ID '20170929163547'
> sudo getcert stop-tracking -i 20170929163547
> 
> If the 3rd party cert is used by HTTPd:
> sudo getcert list -d /etc/httpd/alias/ -n Server-Cert
> => Extract the request ID
> sudo getcert stop-tracking -i 
> 
> HTH,
> Flo
>> On Thu, Sep 28, 2017 at 4:58 PM, Florence Blanc-Renaud wrote:
>>On 09/28/2017 09:52 AM, Alka Murali wrote:
>>Hi Florence,
>>Thanks for the reply.
>>However do you mean that I need to create a new repo file for
>>Version 4.6 and try the Upgrade? Or do you mean that I need to
>>remove the current installation and go for a fresh install?
>>Hi,
>>the easiest path is to do:
>>sudo dnf copr enable @freeipa/freeipa-4-6
>>sudo dnf update freeipa-server
>>This will upgrade your existing installation to FreeIPA 4.6.
>>HTH,
>>Flo
>>Regards,
>>Alka Murali
>>On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud wrote:
>> On 09/28/2017 04:12 AM, Alka Murali wrote:
>> Hi Florence,
>> Thanks for the email. As you have mentioned, I tried
>>updating
>> the corresponding python files under IPA Server and
>>tried for
>> the Upgrade.
>> Hi,
>> do you mean that you manually edited the python files? In
>>this case
>> it is likely that some files were forgotten. The patch for 4-5
>> branch is
>>
>> https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044

[Freeipa-users] Re: IPA Server Upgrade Error

2017-10-02 Thread Charles Hedrick via FreeIPA-users
Note that the --rename option of certutil doesn’t seem to work for this format 
of files. Extract the cert, delete it and add it back with the new nickname. 
e.g.

certutil -L -d /etc/httpd/alias -n 'CN=…...' -a -o ~/krb1.cert

certutil -D -d /etc/httpd/alias -n 'CN=…..'

certutil -A -d /etc/httpd/alias -n "Server-Cert" -t u,u,u -i ~/krb1.cert


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: IPA Server Upgrade Error

2017-10-02 Thread Florence Blanc-Renaud via FreeIPA-users

On 09/28/2017 11:51 AM, Alka Murali via FreeIPA-users wrote:

Hi Florence,

Thanks for the email.

I am on CentOS 7 system and would like to use yum to go for the Upgrade. 
I believe dnf is intended for Fedora. Can you please provide me a 
solution for CentOS on the Upgrade process.


Regards,
Alka Murali


Hi,

the fix hasn't been released yet in CentOS.
The workaround would be to rename your certificate into "Server-Cert" 
before running ipa-server-upgrade.


If the 3rd party certificate is used by HTTPd:
backup /etc/httpd/alias, use certutil --rename to rename the cert as 
"Server-Cert" and edit /etc/httpd/conf.d/nss.conf (replace NSSNickname 
xxx with NSSNickName Server-Cert)


If the 3rd party certificate is used by LDAP:
backup /etc/dirsrv/slapd-DOMxx, use certutil --rename to rename the cert 
as "Server-Cert" and edit /etc/dirsrv/slapd-DOMxx/dse.ldif (replace 
nsSSLPersonalitySSL: xxx with nsSSLPersonalitySSL: Server-Cert).


Restart both services and re-try ipa-server-upgrade. After the command 
completes, you will also need to stop-tracking the 3rd party certificate 
Server-Cert:

If the 3rd party cert is used by LDAP:
sudo getcert list -d /etc/dirsrv/slapd-DOMxxx -n Server-Cert
=> Extract the request ID, for instance Request ID '20170929163547'
sudo getcert stop-tracking -i 20170929163547

If the 3rd party cert is used by HTTPd:
sudo getcert list -d /etc/httpd/alias/ -n Server-Cert
=> Extract the request ID
sudo getcert stop-tracking -i 

HTH,
Flo


On Thu, Sep 28, 2017 at 4:58 PM, Florence Blanc-Renaud wrote:


On 09/28/2017 09:52 AM, Alka Murali wrote:

Hi Florence,

Thanks for the reply.

However do you mean that I need to create a new repo file for
Version 4.6 and try the Upgrade? Or do you mean that I need to
remove the current installation and go for a fresh install?

Hi,

the easiest path is to do:
sudo dnf copr enable @freeipa/freeipa-4-6
sudo dnf update freeipa-server

This will upgrade your existing installation to FreeIPA 4.6.

HTH,
Flo

Regards,
Alka Murali


On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud wrote:

     On 09/28/2017 04:12 AM, Alka Murali wrote:

         Hi Florence,

         Thanks for the email. As you have mentioned, I tried updating
         the corresponding python files under IPA Server and tried for
         the Upgrade.

     Hi,

     do you mean that you manually edited the python files? In this case
     it is likely that some files were forgotten. The patch for 4-5
     branch is
     https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044
     but may depend on other commits applied on the branch between the
     4.5.3 release and the patch.

     For consistency, I'd rather recommend to upgrade the packages to 4.6
     (available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
     fedora27).

     Flo

         However I was getting the error below:

         -

         ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade:
DEBUG:
         File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py",
         line 172, in execute

         return_value = self.run()

         File

"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",

         line 46, in run

         server.upgrade()

         File

"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",

         line 1913, in upgrade

         upgrade_configuration()

         File

"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",

         line 1788, in upgrade_configuration

         certificate_renewal_update(ca, ds, http),

         File

"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",

         line 966, in certificate_renewal_update

         'cert-nickname': ds.get_server_cert_nickname(serverid),


         ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade:
DEBUG:
         The ipa-server-upgrade command failed, exception:
         AttributeError: 'DsInstance' object has no attribute
         'get_server_cert_nickname'


[Freeipa-users] Re: IPA Server Upgrade Error

2017-09-28 Thread Alka Murali via FreeIPA-users
Hi Florence,

Thanks for the email.

I am on CentOS 7 system and would like to use yum to go for the Upgrade. I
believe dnf is intended for Fedora. Can you please provide me a solution
for CentOS on the Upgrade process.

Regards,
Alka Murali


On Thu, Sep 28, 2017 at 4:58 PM, Florence Blanc-Renaud 
wrote:

> On 09/28/2017 09:52 AM, Alka Murali wrote:
>
>> Hi Florence,
>>
>> Thanks for the reply.
>>
>> However do you mean that I need to create a new repo file for Version 4.6
>> and try the Upgrade? Or do you mean that I need to remove the current
>> installation and go for a fresh install?
>>
>> Hi,
>
> the easiest path is to do:
> sudo dnf copr enable @freeipa/freeipa-4-6
> sudo dnf update freeipa-server
>
> This will upgrade your existing installation to FreeIPA 4.6.
>
> HTH,
> Flo
>
> Regards,
>> Alka Murali
>>
>>
>> On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud wrote:
>>
>> On 09/28/2017 04:12 AM, Alka Murali wrote:
>>
>> Hi Florence,
>>
>> Thanks for the email. As you have mentioned, I tried updating
>> the corresponding python files under IPA Server and tried for
>> the Upgrade.
>>
>> Hi,
>>
>> do you mean that you manually edited the python files? In this case
>> it is likely that some files were forgotten. The patch for 4-5
>> branch is
>> https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044
>> but may depend on other commits applied on the branch between the
>> 4.5.3 release and the patch.
>>
>> For consistency, I'd rather recommend to upgrade the packages to 4.6
>> (available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
>> fedora27).
>>
>> Flo
>>
>> However I was getting the error below:
>>
>> -
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:
>> File "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
>> line 172, in execute
>>
>> return_value = self.run()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_
>> server_upgrade.py",
>> line 46, in run
>>
>> server.upgrade()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> upgrade.py",
>> line 1913, in upgrade
>>
>> upgrade_configuration()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> upgrade.py",
>> line 1788, in upgrade_configuration
>>
>> certificate_renewal_update(ca, ds, http),
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> upgrade.py",
>> line 966, in certificate_renewal_update
>>
>> 'cert-nickname': ds.get_server_cert_nickname(serverid),
>>
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:
>> The ipa-server-upgrade command failed, exception:
>> AttributeError: 'DsInstance' object has no attribute
>> 'get_server_cert_nickname'
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>
>> AttributeError: 'DsInstance' object has no attribute
>> 'get_server_cert_nickname'
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
>> The ipa-server-upgrade command failed. See
>> /var/log/ipaupgrade.log for more information
>>
>> --
>>
>> So do I need to define "get_server_cert_nickname"  in certs.py
>> script too.
>>
>>
>> Awaiting your reply.
>>
>>
>> Thanks and Regards,
>>
>> Alka Murali
>>
>>
>> On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud wrote:
>>
>>  On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
>>
>>  Hello,
>>
>>  Currently my server is running on IPA Server Version
>> 4.4. I have
>>  tried to upgrade the Version to 4.5 using the
>> ipa-server-upgrade
>>  command and got ended with the following error:
>>
>>
>>  
>>
>>  2017-09-26T02:27:32Z DEBUG stderr=
>>
>>  2017-09-26T02:27:50Z DEBUG Loading Index file from
>>  '/var/lib/ipa/sysrestore/sysrestore.index'
>>
>>  2017-09-26T02:27:53Z DEBUG Starting external process
>>
>>  2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
>>  /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
>>  /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
>>
>>  2017-09-26T02:27:56Z DEBUG Process finished, return
>> 

[Freeipa-users] Re: IPA Server Upgrade Error

2017-09-28 Thread Florence Blanc-Renaud via FreeIPA-users

On 09/28/2017 09:52 AM, Alka Murali wrote:

Hi Florence,

Thanks for the reply.

However do you mean that I need to create a new repo file for Version 
4.6 and try the Upgrade? Or do you mean that I need to remove the 
current installation and go for a fresh install?



Hi,

the easiest path is to do:
sudo dnf copr enable @freeipa/freeipa-4-6
sudo dnf update freeipa-server

This will upgrade your existing installation to FreeIPA 4.6.

HTH,
Flo


Regards,
Alka Murali

On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud wrote:


On 09/28/2017 04:12 AM, Alka Murali wrote:

Hi Florence,

Thanks for the email. As you have mentioned, I tried updating
the corresponding python files under IPA Server and tried for
the Upgrade.

Hi,

do you mean that you manually edited the python files? In this case
it is likely that some files were forgotten. The patch for 4-5
branch is
https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044

but may depend on other commits applied on the branch between the
4.5.3 release and the patch.

For consistency, I'd rather recommend to upgrade the packages to 4.6
(available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
fedora27).

Flo

However I was getting the error below:

-

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:
File "/usr/lib/python2.7/site-packages/ipapython/admintool.py",
line 172, in execute

return_value = self.run()

File

"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run

server.upgrade()

File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1913, in upgrade

upgrade_configuration()

File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1788, in upgrade_configuration

certificate_renewal_update(ca, ds, http),

File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 966, in certificate_renewal_update

'cert-nickname': ds.get_server_cert_nickname(serverid),


ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:
The ipa-server-upgrade command failed, exception:
AttributeError: 'DsInstance' object has no attribute
'get_server_cert_nickname'

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
Unexpected error - see /var/log/ipaupgrade.log for details:

AttributeError: 'DsInstance' object has no attribute
'get_server_cert_nickname'

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information

--

So do I need to define "get_server_cert_nickname"  in certs.py
script too.


Awaiting your reply.


Thanks and Regards,

Alka Murali


On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud wrote:

     On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:

         Hello,

         Currently my server is running on IPA Server Version
4.4. I have
         tried to upgrade the Version to 4.5 using the
ipa-server-upgrade
         command and got ended with the following error:


         

         2017-09-26T02:27:32Z DEBUG stderr=

         2017-09-26T02:27:50Z DEBUG Loading Index file from
         '/var/lib/ipa/sysrestore/sysrestore.index'

         2017-09-26T02:27:53Z DEBUG Starting external process

         2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
         /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
         /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt

         2017-09-26T02:27:56Z DEBUG Process finished, return
code=255

         2017-09-26T02:27:56Z DEBUG stdout=

         2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not
find cert:
         Server-Cert

         : PR_FILE_NOT_FOUND_ERROR: File not found


         2017-09-26T02:27:56Z ERROR IPA server upgrade failed:
Inspect
         /var/log/ipaupgrade.log and run command
ipa-server-upgrade manually.

         2017-09-26T02:27:56Z DEBUG File

"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line

         172, in execute

         return_value = self.run()

         File


[Freeipa-users] Re: IPA Server Upgrade Error

2017-09-28 Thread Alka Murali via FreeIPA-users
Hi Florence,

Thanks for the reply.

However do you mean that I need to create a new repo file for Version 4.6
and try the Upgrade? Or do you mean that I need to remove the current
installation and go for a fresh install?

Regards,
Alka Murali

On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud 
wrote:

> On 09/28/2017 04:12 AM, Alka Murali wrote:
>
>> Hi Florence,
>>
>> Thanks for the email. As you have mentioned, I tried updating the
>> corresponding python files under IPA Server and tried for the Upgrade.
>>
> Hi,
>
> do you mean that you manually edited the python files? In this case it is
> likely that some files were forgotten. The patch for 4-5 branch is
> https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044 but
> may depend on other commits applied on the branch between the 4.5.3 release
> and the patch.
>
> For consistency, I'd rather recommend to upgrade the packages to 4.6
> (available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and
> fedora27).
>
> Flo
>
> However I was getting the error below:
>>
>> -
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
>> execute
>>
>> return_value = self.run()
>>
>> File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 46, in run
>>
>> server.upgrade()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1913, in upgrade
>>
>> upgrade_configuration()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1788, in upgrade_configuration
>>
>> certificate_renewal_update(ca, ds, http),
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 966, in certificate_renewal_update
>>
>> 'cert-nickname': ds.get_server_cert_nickname(serverid),
>>
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The
>> ipa-server-upgrade command failed, exception: AttributeError: 'DsInstance'
>> object has no attribute 'get_server_cert_nickname'
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>
>> AttributeError: 'DsInstance' object has no attribute
>> 'get_server_cert_nickname'
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The
>> ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
>> information
>>
>> --
>>
>> So do I need to define "get_server_cert_nickname"  in certs.py script too.
>>
>>
>> Awaiting your reply.
>>
>>
>> Thanks and Regards,
>>
>> Alka Murali
>>
>>
>> On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud wrote:
>>
>> On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
>>
>> Hello,
>>
>> Currently my server is running on IPA Server Version 4.4. I have
>> tried to upgrade the Version to 4.5 using the ipa-server-upgrade
>> command and got ended with the following error:
>>
>>
>> 
>>
>> 2017-09-26T02:27:32Z DEBUG stderr=
>>
>> 2017-09-26T02:27:50Z DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>
>> 2017-09-26T02:27:53Z DEBUG Starting external process
>>
>> 2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
>> /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
>>
>> 2017-09-26T02:27:56Z DEBUG Process finished, return code=255
>>
>> 2017-09-26T02:27:56Z DEBUG stdout=
>>
>> 2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert:
>> Server-Cert
>>
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>>
>> 2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade
>> manually.
>>
>> 2017-09-26T02:27:56Z DEBUG File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
>> 172, in execute
>>
>> return_value = self.run()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_
>> server_upgrade.py",
>> line 46, in run
>>
>> server.upgrade()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> upgrade.py",
>> line 1913, in upgrade
>>
>> upgrade_configuration()
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> upgrade.py",
>> line 1788, in upgrade_configuration
>>
>> certificate_renewal_update(ca, ds, http),
>>
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/
>> upgrade.py",
>> line 1018, in certificate_renewal_update
>>
>> ds.start_tracking_certificates(serverid)
>>
>> File
>> 

[Freeipa-users] Re: IPA Server Upgrade Error

2017-09-28 Thread Florence Blanc-Renaud via FreeIPA-users

On 09/28/2017 04:12 AM, Alka Murali wrote:

Hi Florence,

Thanks for the email. As you have mentioned, I tried updating the 
corresponding python files under IPA Server and tried for the Upgrade. 

Hi,

do you mean that you manually edited the python files? In this case it 
is likely that some files were forgotten. The patch for 4-5 branch is 
https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044 but 
may depend on other commits applied on the branch between the 4.5.3 
release and the patch.


For consistency, I'd rather recommend to upgrade the packages to 4.6 
(available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and 
fedora27).


Flo


However I was getting the error below:

-

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in 
execute


return_value = self.run()

File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", 
line 46, in run


server.upgrade()

File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1913, in upgrade


upgrade_configuration()

File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1788, in upgrade_configuration


certificate_renewal_update(ca, ds, http),

File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 966, in certificate_renewal_update


'cert-nickname': ds.get_server_cert_nickname(serverid),


ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The 
ipa-server-upgrade command failed, exception: AttributeError: 
'DsInstance' object has no attribute 'get_server_cert_nickname'


ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: 
Unexpected error - see /var/log/ipaupgrade.log for details:


AttributeError: 'DsInstance' object has no attribute 
'get_server_cert_nickname'


ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The 
ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more 
information


--

So do I need to define "get_server_cert_nickname"  in certs.py script too.


Awaiting your reply.


Thanks and Regards,

Alka Murali


On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud wrote:


On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:

Hello,

Currently my server is running on IPA Server Version 4.4. I have
tried to upgrade the Version to 4.5 using the ipa-server-upgrade
command and got ended with the following error:




2017-09-26T02:27:32Z DEBUG stderr=

2017-09-26T02:27:50Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'

2017-09-26T02:27:53Z DEBUG Starting external process

2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f
/etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt

2017-09-26T02:27:56Z DEBUG Process finished, return code=255

2017-09-26T02:27:56Z DEBUG stdout=

2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert:
Server-Cert

: PR_FILE_NOT_FOUND_ERROR: File not found


2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.

2017-09-26T02:27:56Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
172, in execute

return_value = self.run()

File

"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run

server.upgrade()

File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1913, in upgrade

upgrade_configuration()

File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1788, in upgrade_configuration

certificate_renewal_update(ca, ds, http),

File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1018, in certificate_renewal_update

ds.start_tracking_certificates(serverid)

File
"/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
line 1046, in start_tracking_certificates

'restart_dirsrv %s' % serverid)

File
"/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
line 362, in track_server_cert

cert_obj = x509.load_certificate(cert)

File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line
119, in load_certificate

return cryptography.x509.load_der_x509_certificate(data,
default_backend())

File
"/usr/lib64/python2.7/site-packages/cryptography/x509/base.py",
line 47, in load_der_x509_certificate

return backend.load_der_x509_certificate(data)