Re: [Freeipa-users] FreeIPA update guidance
Hi All,

As you might be interested, today we re-attempted to create a replica. Apparently, exactly the same problem was reported to Red Hat Bugzilla ten days ago: https://bugzilla.redhat.com/show_bug.cgi?id=1432016

Our replica install also fails on the following point:

[...]
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance
< hangs here indefinitely >

At this moment we are thus stuck and waiting for the new package to be released.

Thanks for the pointers!

Bennie

---- Original Message ----
Subject: Re: [Freeipa-users] FreeIPA update guidance
Local Time: 21 April 2017 5:55 PM
UTC Time: 21 April 2017 15:55
From: b.harr...@protonmail.com
To: Jochen Hein freeipa-users@redhat.com

Hi Jochen,

Thanks for your quick reply! As I just left the office I don't have the log ATM. The installation however failed after setting up the Tomcat PKI service, where the ipa-replica-install script was waiting for the service to come up. While manually trying to reach the service using curl, I also never got a response.

After running the Tomcat PKI service manually, I got an error stating that the user "cn=,cn=config" doesn't exist in the directory. When manually querying the directory I noticed the same; it did however exist with an additional CN.

I will retry the replication exercise next Monday and hopefully your tip will help me. Then I can also provide the logs. I will keep you updated!

Thanks,
Bennie

---- Original Message ----
Subject: Re: [Freeipa-users] FreeIPA update guidance
Local Time: April 21, 2017 5:29 PM
UTC Time: April 21, 2017 3:29 PM
From: joc...@jochen.org
To: B.harries freeipa-users@redhat.com

"B.harries" writes:

> Second attempt
> We then tried to install a fresh CentOS server, having FreeIPA version
> 4.4 and attaching it as a second master to our IPA instance. This
> however didn't work out as well,

I did that to move my installation from Fedora to CentOS - it worked quite well. First adding a replica failed, because python-jwcrypto on CentOS is quite old. I've installed the package from Fedora (python-jwcrypto-0.3.2-1.fc23.noarch.rpm) and all went well. After I decommissioned the Fedora system I've downgraded the package again.

That's what I found:
https://www.redhat.com/archives/freeipa-users/2016-December/msg00024.html
(Re: [Freeipa-users] Add 4.4 replica to 4.3 server fails)

Can you provide logs/messages of what didn't work?

Jochen

--
This space is intentionally left blank.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA update guidance
Hi Jochen,

Thanks for your quick reply! As I just left the office I don't have the log ATM. The installation however failed after setting up the Tomcat PKI service, where the ipa-replica-install script was waiting for the service to come up. While manually trying to reach the service using curl, I also never got a response.

After running the Tomcat PKI service manually, I got an error stating that the user "cn=,cn=config" doesn't exist in the directory. When manually querying the directory I noticed the same; it did however exist with an additional CN.

I will retry the replication exercise next Monday and hopefully your tip will help me. Then I can also provide the logs. I will keep you updated!

Thanks,
Bennie

---- Original Message ----
Subject: Re: [Freeipa-users] FreeIPA update guidance
Local Time: April 21, 2017 5:29 PM
UTC Time: April 21, 2017 3:29 PM
From: joc...@jochen.org
To: B.harries freeipa-users@redhat.com

"B.harries" writes:

> Second attempt
> We then tried to install a fresh CentOS server, having FreeIPA version
> 4.4 and attaching it as a second master to our IPA instance. This
> however didn't work out as well,

I did that to move my installation from Fedora to CentOS - it worked quite well. First adding a replica failed, because python-jwcrypto on CentOS is quite old. I've installed the package from Fedora (python-jwcrypto-0.3.2-1.fc23.noarch.rpm) and all went well. After I decommissioned the Fedora system I've downgraded the package again.

That's what I found:
https://www.redhat.com/archives/freeipa-users/2016-December/msg00024.html
(Re: [Freeipa-users] Add 4.4 replica to 4.3 server fails)

Can you provide logs/messages of what didn't work?

Jochen

--
This space is intentionally left blank.

Re: [Freeipa-users] FreeIPA update guidance
I don't know that what we did is the most correct or even best way to manage an upgrade, but here's what I did.

We started with two nodes, ipa1 and ipa2. Both running Fedora. I built a new system, ipa3, and installed IPA on it, then made it a replica. I then removed the replication agreements to ipa1 and upgraded it. Then made it a replica again using ipa3 as the master. Finally, I removed ipa2's replication agreement and upgraded it. Again, it was brought back into replication by creating a replication file on ipa3 and copying it to ipa2.

Somewhere in there, I'm pretty sure I had to do something with the CA to ensure we still had one, but for the life of me, I can't remember what I did!

Good luck!

Bret

On 04/21/2017 10:06 AM, B.harries wrote:

Hi All,

As I am new to the list, I'd like to introduce myself as Bennie. In my fairly small (CentOS based) organization we use FreeIPA and we are honestly really happy with this all in one solution. Lately however we are facing an issue regarding updating FreeIPA and I was hoping I could find some guidance on this mail list =).

*Current situation*
We are currently running FreeIPA 4.3.1 on Fedora 23. When we started using FreeIPA, CentOS was lagging quite behind so we chose to go with Fedora. As Fedora 23 is quite out of date now we tried to perform a dist-upgrade, enabling us to continue using FreeIPA on the 4.4 branch. This dist-upgrade however led to an inoperable condition of FreeIPA, mainly the PKI service fails miserably.

*Second attempt*
We then tried to install a fresh CentOS server, having FreeIPA version 4.4 and attaching it as a second master to our IPA instance. This however didn't work out as well, probably because the directory structures are not equal.

So far, everything failed. I was wondering if anyone here faced similar problems and might be able to point in the right direction?

Thanks in advance for a reply!

Bennie

Re: [Freeipa-users] FreeIPA update guidance
"B.harries" writes:

> Second attempt
> We then tried to install a fresh CentOS server, having FreeIPA version
> 4.4 and attaching it as a second master to our IPA instance. This
> however didn't work out as well,

I did that to move my installation from Fedora to CentOS - it worked quite well. First adding a replica failed, because python-jwcrypto on CentOS is quite old. I've installed the package from Fedora (python-jwcrypto-0.3.2-1.fc23.noarch.rpm) and all went well. After I decommissioned the Fedora system I've downgraded the package again.

That's what I found:
https://www.redhat.com/archives/freeipa-users/2016-December/msg00024.html
(Re: [Freeipa-users] Add 4.4 replica to 4.3 server fails)

Can you provide logs/messages of what didn't work?

Jochen

--
This space is intentionally left blank.