Rob Verduijn wrote:
> Ok after some more digging :
>
> I found some warnings (see below)
>
> Is any of these the cause for the error ?
>
> Rob
>
> <snip>
> <snip>
> <snip>
> 2014-10-27T13:56:28Z INFO Updating existing entry: cn=ipaConfig,cn=etc,dc=XXXXX,dc=XXXXX
> <snip>
> 2014-10-27T13:56:28Z WARNING remove: 'AllowLMhash' not in ipaConfigString
> <snip>

AFAICT these are all normal. It basically means the LDAP data is already in the state we want.

> and then we get to the traceback:
> 2014-10-27T13:56:34Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd-XXXXX-XXXXX.socket':
> 2014-10-27T13:56:34Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 152, in __upgrade
>     self.modified = (ld.update(self.files, ordered=True) or
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 874, in update
>     updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password, self.ldapi, self.live_run)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 131, in update
>     ld.update_from_dict(updates)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 889, in update_from_dict
>     self._run_updates(updates)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 799, in _run_updates
>     self._update_record(update)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 661, in _update_record
>     e = self._get_entry(new_entry.dn)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 544, in _get_entry
>     return self.conn.get_entries(dn, scope, searchfilter, sattrs)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1421, in get_entries
>     base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1527, in find_entries
>     break
>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>     self.gen.throw(type, value, traceback)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1206, in error_handler
>     error=info)
> NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-XXXXX-XXXXX.socket':

I'd poke around more in the ipaupgrade.log to see if you can find a failed dirsrv restart. Looking at the 389-ds logs might be handy too, and I'd check (dmesg, for example) to see if it core dumped.

rob

>
> 2014-10-26 21:38 GMT+01:00 Rob Crittenden <[email protected] <mailto:[email protected]>>:
>
> Rob Verduijn wrote:
> > hmmmm....
> >
> > after some more digging (monitoring the upgrade more closely.)
> > I saw that the upgrade kept waiting for the ca to start, which it did not do.
> > and after 5 minutes the upgrade gave up with the following errors in the ipaupgrade log :
> >
> > at 85% it says :
> > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
> > 2014-10-26T15:04:35Z DEBUG Starting external process
> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L'
> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
> > 2014-10-26T15:04:35Z DEBUG stdout=
> > Certificate Nickname                                         Trust Attributes
> >                                                              SSL,S/MIME,JAR/XPI
> >
> > Signing-Cert                                                 u,u,u
> > XXXX.XXXX IPA CA                                             CT,C,C
> > ipaCert                                                      u,u,u
> > Server-Cert                                                  u,u,u
> >
> > 2014-10-26T15:04:35Z DEBUG stderr=
> > 2014-10-26T15:04:35Z DEBUG Starting external process
> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
> > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
> > < certificate-removed >
> > -----END CERTIFICATE-----
> > 2014-10-26T15:04:35Z DEBUG stderr=
> > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\
>
> This has nothing to do with the CA, the LDAP server didn't come up. I'd start with those logs or look earlier in ipaupgrade.log
>
> The CA requires 389-ds to be running so if it isn't up, then it will fail to start too.
>
> rob
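
The advice above to look earlier in ipaupgrade.log for a failed dirsrv restart can be scripted. This is an added example, not part of the original thread and not FreeIPA code: it pairs each "args=" record with the "Process finished, return code=" record that follows it and reports non-zero exits alongside ERROR records. The function name triage, the systemctl line and the EXAMPLE-TEST instance name are assumptions, and the sample log is constructed.

```python
import re

# Record shape seen in the ipaupgrade.log excerpts quoted in this thread.
RECORD = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (DEBUG|INFO|WARNING|ERROR|CRITICAL) (.*)$")
RC_PREFIX = "Process finished, return code="

def triage(lines):
    """Return (failed, errors) for an iterable of ipaupgrade.log lines.

    failed: (timestamp, args, return_code) per external process that exited non-zero
    errors: (timestamp, message) per ERROR or CRITICAL record
    """
    failed, errors, last_args = [], [], None
    for raw in lines:
        m = RECORD.match(raw.rstrip("\n"))
        if not m:
            continue  # continuation line: traceback frame or command output
        ts, level, msg = m.groups()
        if msg.startswith("args="):
            last_args = msg[len("args="):]
        elif msg.startswith(RC_PREFIX):
            rc = int(msg[len(RC_PREFIX):])
            if rc != 0:
                failed.append((ts, last_args, rc))
            last_args = None
        if level in ("ERROR", "CRITICAL"):
            errors.append((ts, msg))
    return failed, errors

# Constructed sample, not taken from the poster's log. The systemctl line and
# the EXAMPLE-TEST instance name are assumptions made for illustration.
SAMPLE = """\
2014-10-26T15:04:30Z DEBUG Starting external process
2014-10-26T15:04:30Z DEBUG args='/bin/systemctl' 'restart' 'dirsrv@EXAMPLE-TEST.service'
2014-10-26T15:04:32Z DEBUG Process finished, return code=1
2014-10-26T15:04:35Z DEBUG Starting external process
2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L'
2014-10-26T15:04:35Z DEBUG Process finished, return code=0
2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket':
2014-10-26T15:04:36Z DEBUG Traceback (most recent call last):
  File "ldapupdate.py", line 874, in update
""".splitlines()

if __name__ == "__main__":
    failed, errors = triage(SAMPLE)
    for ts, args, rc in failed:
        print("non-zero exit %d at %s: %s" % (rc, ts, args))
    for ts, msg in errors:
        print("error at %s: %s" % (ts, msg))
```

To run it against a real log, pass an open file object to triage() in place of SAMPLE.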
