Hello all, I've been digging into my problem of being unable to update from 3.3.5 to 4.1
First I add the repo from copr. Then I used to update it by issuing 'yum update', which resulted in an update in which my local dns zone entries no longer resolved.
So I tried the instructions mentioned on the site:
yum update freeipa-server
And this failed with a conflict in bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and bind-utils-32:9.9.4-15.P2.fc20.x86_64
I noticed the new bind comes from the copr repo and the old bind-utils from fedora.
So I first run 'yum update bind-utils -y'
Then I ran yum update freeipa-server and see it fail with errors about softhsm.
I remembered reading about package errors with softhsm and installed the softhsm-devel package first.
So revert back the freeipa kvm snapshot to 3.3.5 and try again:
yum update bind-utils -y ; yum install softhsm-devel -y ; yum update freeipa-server -y
However when restarting named-pkcs11 I can see in the system log that it has 0 zones loaded:
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
It claims 0 zones loaded, but I can see my forward and reverse zones in ipa.
What could cause it not to load the zones that I defined in ipa?
Rob

2014-10-27 23:05 GMT+01:00 Rob Verduijn <[email protected]>:
> sorry for the xml formatting, didn't realize it would mess up some mail
> clients
>
> The last bit of the message again
>
> ipa-upgradeconfig gives the following :
> [Verifying that root certificate is published]
> Failed to backup CS.cfg: no magic attribute 'dogtag'
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Removing self-signed CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Enabling serial autoincrement in DNS]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Masking named]
> Changes to named.conf have been made, restart named
> [Verifying that CA service certificate profile is updated]
> [Update certmonger certificate renewal configuration to version 2]
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> The ipa-upgradeconfig command was successful
>
> Any ideas ?
> I'm rather stuck now.
> Rob
>
> 2014-10-27 22:59 GMT+01:00 Rob Verduijn <[email protected]>:
>
>> Hello,
>>
>> I'm rather at a loss here.
>> Everything seems to be running
>> ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> ipa_memcached Service: RUNNING
>> httpd Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>> but the upgrade log is flooded with this error :
>> 2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
>> 2014-10-27T21:52:11Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
>> 2014-10-27T21:52:11Z DEBUG request body ''
>> 2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
>> 2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
>> 2014-10-27T21:52:12Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
>> 2014-10-27T21:52:12Z DEBUG request body ''
>>
>> I've tried the url and it works fine.
>> https://freeipa.x.x/ca/admin/ca/getStatus
>> it gives the following xml:
>> <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.2.0-3.fc20</Version></XMLResponse>
>>
>> After I run ipa-upgradeconfig it complains about a missing magic dog tag
>> attribute
>> ipa-upgradeconfig
>> [Verifying that root certificate is published]
>> Failed to backup CS.cfg: no magic attribute 'dogtag'
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fixing trust flags in /etc/httpd/alias]
>> Trust flags already processed
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Removing self-signed CA]
>> [Checking for deprecated KDC configuration files]
>> [Checking for deprecated backups of Samba configuration files]
>> [Setting up Firefox extension]
>> [Add missing CA DNS records]
>> IPA CA DNS records already processed
>> [Removing deprecated DNS configuration options]
>> [Ensuring minimal number of connections]
>> [Enabling serial autoincrement in DNS]
>> [Updating GSSAPI configuration in DNS]
>> [Updating pid-file configuration in DNS]
>> [Masking named]
>> Changes to named.conf have been made, restart named
>> [Verifying that CA service certificate profile is updated]
>> [Update certmonger certificate renewal configuration to version 2]
>> [Enable PKIX certificate path discovery and validation]
>> PKIX already enabled
>> The ipa-upgradeconfig command was successful
>>
>> But my local dns zone does no longer resolve :(
>>
>> reverting back to the 3.3 snapshot again :(
>>
>> Please help
>> Rob
>>
>> 2014-10-26 21:38 GMT+01:00 Rob Crittenden <[email protected]>:
>>
>>> Rob Verduijn wrote:
>>> > hmmmm....
>>> >
>>> > after some more digging (monitoring the upgrade more closely.)
>>> > I saw that the upgrade kept waiting for the ca to start, which it did
>>> > not do.
>>> > and after 5 minutes the upgrade gave up with the following errors in the
>>> > ipaupgrade log :
>>> >
>>> > at 85% it says :
>>> > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
>>> > 2014-10-26T15:04:35Z DEBUG Starting external process
>>> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L'
>>> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>>> > 2014-10-26T15:04:35Z DEBUG stdout=
>>> > Certificate Nickname                                         Trust Attributes
>>> >                                                              SSL,S/MIME,JAR/XPI
>>> >
>>> > Signing-Cert                                                 u,u,u
>>> > XXXX.XXXX IPA CA                                             CT,C,C
>>> > ipaCert                                                      u,u,u
>>> > Server-Cert                                                  u,u,u
>>> >
>>> > 2014-10-26T15:04:35Z DEBUG stderr=
>>> > 2014-10-26T15:04:35Z DEBUG Starting external process
>>> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
>>> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>>> > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
>>> > < certificate-removed >
>>> > -----END CERTIFICATE-----
>>> > 2014-10-26T15:04:35Z DEBUG stderr=
>>> > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\
>>>
>>> This has nothing to do with the CA, the LDAP server didn't come up. I'd
>>> start with those logs or look earlier in ipaupgrade.log
>>>
>>> The CA requires 389-ds to be running so if it isn't up, then it will
>>> fail to start too.
>>>
>>> rob
>>>
>>
>
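The symptom at the top of the thread (named-pkcs11 reporting "0 zones from LDAP instance 'ipa' loaded (0 zones defined, ...)" while the zones are visible in IPA) is one I would script a check for rather than eyeball in the journal. The script below is an added example and is not code from the thread or from the FreeIPA project. It parses the bind-dyndb-ldap summary line out of named-pkcs11 log text and classifies it, and it pulls the base DN out of the `dynamic-db "ipa"` block of named.conf, so the subtree named is actually searching can be compared with the zones IPA shows. The log lines and the named.conf fragment are constructed samples (placeholder domain example.test, not the poster's), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA. Parses the summary line
# bind-dyndb-ldap logs through named-pkcs11 and the dynamic-db "ipa" block of
# named.conf. Samples below are constructed; function names are assumptions.

# Read named-pkcs11 log text on stdin, print "loaded defined inactive failed"
# taken from the last bind-dyndb-ldap summary line (prints nothing if absent).
ldap_zone_counts() {
    sed -n "s/.*[^0-9]\([0-9][0-9]*\) zones from LDAP instance '[^']*' loaded (\([0-9][0-9]*\) zones defined, \([0-9][0-9]*\) inactive, \([0-9][0-9]*\) failed to load).*/\1 \2 \3 \4/p" |
        tail -n 1
}

# Classify the counts. Exit 0 when zones loaded, 1 when LDAP yielded no zone
# definitions at all (the thread's case), 2 when some zone failed to load,
# 3 when no summary line exists (the LDAP backend never reported at all).
classify_ldap_zones() {
    counts=$(ldap_zone_counts)
    if [ -z "$counts" ]; then
        echo "NO_SUMMARY"
        return 3
    fi
    set -- $counts
    loaded=$1 defined=$2 inactive=$3 failed=$4
    if [ "$failed" -gt 0 ]; then
        echo "FAILED:$failed"
        return 2
    fi
    if [ "$defined" -eq 0 ]; then
        echo "NO_ZONES_DEFINED"
        return 1
    fi
    echo "OK:$loaded/$defined"
    return 0
}

# Read named.conf on stdin, print the base DN passed to the dynamic-db "ipa"
# block, i.e. the subtree bind-dyndb-ldap searches for idnsZone entries.
dyndb_base_dn() {
    sed -n '/^[[:space:]]*dynamic-db "ipa"/,/^[[:space:]]*};/s/^[[:space:]]*arg "base \(.*\)";.*/\1/p'
}

# Constructed sample modelled on the journal excerpt quoted in the thread.
sample_log_zero() {
    cat <<'EOF'
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
EOF
}

# Constructed sample of a healthy restart with one forward and one reverse zone.
sample_log_ok() {
    cat <<'EOF'
Oct 28 15:40:02 freeipa.x.x named-pkcs11[3101]: all zones loaded
Oct 28 15:40:02 freeipa.x.x named-pkcs11[3101]: 2 zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 0 failed to load)
EOF
}

# Constructed sample of the dynamic-db block FreeIPA writes into named.conf;
# the DN, socket and host are placeholders, not the poster's values.
sample_named_conf() {
    cat <<'EOF'
options {
        directory "/var/named";
};
dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket";
        arg "base cn=dns, dc=example,dc=test";
        arg "server_id freeipa.example.test";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/freeipa.example.test";
};
EOF
}

# Stand-alone demonstration over the constructed samples; the exit status is
# printed rather than propagated so a "bad" sample does not abort the script.
demo() {
    for f in sample_log_zero sample_log_ok; do
        result=$($f | classify_ldap_zones) && rc=0 || rc=$?
        printf '%s -> %s (exit %s)\n' "$f" "$result" "$rc"
    done
    printf 'named.conf base DN -> %s\n' "$(sample_named_conf | dyndb_base_dn)"
}
demo
```

On the server itself, feed real data instead of the samples: `journalctl -u named-pkcs11 -b | classify_ldap_zones` and `dyndb_base_dn < /etc/named.conf`. With the base DN in hand, `ldapsearch -Y GSSAPI -b "<base>" '(objectClass=idnsZone)' idnsName idnsZoneActive` (run with a valid Kerberos ticket) lists what bind-dyndb-ldap should have found under that subtree, which is the comparison the thread's question calls for. The exact layout of the `dynamic-db "ipa"` block is an assumption about the named.conf FreeIPA of that era wrote; adjust the pattern in `dyndb_base_dn` if the installed file differs.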
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
