sorry for the xml formatting didn't realize it would mess up some mail clients

The last bit of the message again

ipa-upgradeconfig gives the following :
[Verifying that root certificate is published]
Failed to backup CS.cfg: no magic attribute 'dogtag'
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful

Any ideas ?
I'm rather stuck now.
Rob

2014-10-27 22:59 GMT+01:00 Rob Verduijn <[email protected]>:

> Hello,
>
> I'm rather at a loss here.
> Everything seems to be running
> ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> but the upgrade log is flooded with this error :
> 2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
> 2014-10-27T21:52:11Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
> 2014-10-27T21:52:11Z DEBUG request body ''
> 2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
> 2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
> 2014-10-27T21:52:12Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
> 2014-10-27T21:52:12Z DEBUG request body ''
>
> I've tried the url and it works fine.
> https://freeipa.x.x/ca/admin/ca/getStatus
> it gives the following xml:
> <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.2.0-3.fc20</Version></XMLResponse>
>
> After I run ipa-upgradeconfig it complains about a missing magic dog tag
> attribute
> ipa-upgradeconfig [Verifying that root certificate is published]Failed to
> backup CS.cfg: no magic attribute 'dogtag'[Migrate CRL publish directory]CRL
> tree already moved[Verifying that CA proxy configuration is correct][Verifying
> that KDC configuration is using ipa-kdb backend][Fixing trust flags in
> /etc/httpd/alias]Trust flags already processed[Fix DS schema file
> syntax]Syntax
> already fixed[Removing RA cert from DS NSS database]RA cert already
> removed[Removing self-signed CA][Checking for deprecated KDC
> configuration files][Checking for deprecated backups of Samba
> configuration files][Setting up Firefox extension][Add missing CA DNS
> records]IPA CA DNS records already processed[Removing deprecated DNS
> configuration options][Ensuring minimal number of connections][Enabling
> serial autoincrement in DNS][Updating GSSAPI configuration in DNS][Updating
> pid-file configuration in DNS][Masking named]Changes to named.conf have
> been made, restart named[Verifying that CA service certificate profile is
> updated][Update certmonger certificate renewal configuration to version
> 2][Enable
> PKIX certificate path discovery and validation]PKIX already enabledThe
> ipa-upgradeconfig command was successful
>
> But my local dns zone does no longer resolve :(
>
> reverting back to the 3.3 snapshot again :(
>
> Please help
> Rob
>
> 2014-10-26 21:38 GMT+01:00 Rob Crittenden <[email protected]>:
>
>> Rob Verduijn wrote:
>> > hmmmm....
>> >
>> > after some more digging (monitoring the upgrade more closely.)
>> > I saw that the upgrade kept waiting for the ca to start, which it did
>> > not do.
>> > and after 5 minutes the upgrade gave up with the following errors in the
>> > ipaupgrade log :
>> >
>> > at 85% it says :
>> > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache
>> > url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket
>> > conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
>> > 2014-10-26T15:04:35Z DEBUG Starting external process
>> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
>> > '/etc/httpd/alias' '-L'
>> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>> > 2014-10-26T15:04:35Z DEBUG stdout=
>> > Certificate Nickname                Trust Attributes
>> >                                     SSL,S/MIME,JAR/XPI
>> >
>> > Signing-Cert                        u,u,u
>> > XXXX.XXXX IPA CA                    CT,C,C
>> > ipaCert                             u,u,u
>> > Server-Cert                         u,u,u
>> >
>> > 2014-10-26T15:04:35Z DEBUG stderr=
>> > 2014-10-26T15:04:35Z DEBUG Starting external process
>> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
>> > '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
>> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>> > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
>> > < certificate-removed >
>> > -----END CERTIFICATE-----
>> > 2014-10-26T15:04:35Z DEBUG stderr=
>> > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to
>> > 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\
>>
>> This has nothing to do with the CA, the LDAP server didn't come up. I'd
>> start with those logs or look earlier in ipaupgrade.log
>>
>> The CA requires 389-ds to be running so if it isn't up, then it will
>> fail to start too.
>>
>> rob
