<div dir="ltr">sorry for the xml formatting didn't realize it would mess up some mail clients<div><br></div><div>The last bit of the message again</div><div><br></div><div><div> ipa-upgradeconfig gives the following :</div><div>[Verifying that root certificate is published]<br></div><div>Failed to backup CS.cfg: no magic attribute 'dogtag'</div><div>[Migrate CRL publish directory]</div><div>CRL tree already moved</div><div>[Verifying that CA proxy configuration is correct]</div><div>[Verifying that KDC configuration is using ipa-kdb backend]</div><div>[Fixing trust flags in /etc/httpd/alias]</div><div>Trust flags already processed</div><div>[Fix DS schema file syntax]</div><div>Syntax already fixed</div><div>[Removing RA cert from DS NSS database]</div><div>RA cert already removed</div><div>[Removing self-signed CA]</div><div>[Checking for deprecated KDC configuration files]</div><div>[Checking for deprecated backups of Samba configuration files]</div><div>[Setting up Firefox extension]</div><div>[Add missing CA DNS records]</div><div>IPA CA DNS records already processed</div><div>[Removing deprecated DNS configuration options]</div><div>[Ensuring minimal number of connections]</div><div>[Enabling serial autoincrement in DNS]</div><div>[Updating GSSAPI configuration in DNS]</div><div>[Updating pid-file configuration in DNS]</div><div>[Masking named]</div><div>Changes to named.conf have been made, restart named</div><div>[Verifying that CA service certificate profile is updated]</div><div>[Update certmonger certificate renewal configuration to version 2]</div><div>[Enable PKIX certificate path discovery and validation]</div><div>PKIX already enabled</div><div>The ipa-upgradeconfig command was successful</div></div><div><br></div><div>Any ideas ?</div><div>I'm rather stuck now.</div><div>Rob</div></div><div class="gmail_extra"><br><div class="gmail_quote">2014-10-27 22:59 GMT+01:00 Rob Verduijn <span dir="ltr"><<a href="mailto:rob.verduijn@gmail.com" target="_blank">rob.verduijn@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>I'm rather at a loss here.</div><div>Everything seems to be running</div><div><div> ipactl status</div><div>Directory Service: RUNNING</div><div>krb5kdc Service: RUNNING</div><div>kadmin Service: RUNNING</div><div>named Service: RUNNING</div><div>ipa_memcached Service: RUNNING</div><div>httpd Service: RUNNING</div><div>pki-tomcatd Service: RUNNING</div><div>ipa-otpd Service: RUNNING</div><div>ipa-dnskeysyncd Service: RUNNING</div><div>ipa: INFO: The ipactl command was successful</div></div><div><br></div><div>but the upgrade log is flooded with this error :</div><div><div>2014-10-27T21:52:10Z DEBUG Waiting for CA to start...</div><div>2014-10-27T21:52:11Z DEBUG request '<a href="https://freeipa.x.x:443/ca/admin/ca/getStatus" target="_blank">https://freeipa.x.x:443/ca/admin/ca/getStatus</a>'</div><div>2014-10-27T21:52:11Z DEBUG request body ''</div><div>2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted</div><div>2014-10-27T21:52:11Z DEBUG Waiting for CA to start...</div><div>2014-10-27T21:52:12Z DEBUG request '<a href="https://freeipa.x.x:443/ca/admin/ca/getStatus" target="_blank">https://freeipa.x.x:443/ca/admin/ca/getStatus</a>'</div><div>2014-10-27T21:52:12Z DEBUG request body ''</div><div><br></div><div>I've tried the url and it works fine.</div><div><a href="https://freeipa.x.x/ca/admin/ca/getStatus" target="_blank">https://freeipa.x.x/ca/admin/ca/getStatus</a><br></div></div><div>it gives the following xml:<br></div><div><table><tbody><tr><td value="1"></td><td><span><?xml version="1.0" encoding="UTF-8" standalone="no"?></span><span><XMLResponse></span><span><State></span>1<span></State></span><span><Type></span>CA<span></Type></span><span><Status></span>running<span></Status></span><span><Version></span>10.2.0-3.fc20<span></Version></span><span></XMLResponse><br><br>After I run ipa-upgradeconfig it complains about a missing magic dog tag attribute<br></span></td><td>ipa-upgradeconfig </td><td>[Verifying that root certificate is published]</td><td>Failed to backup CS.cfg: no magic attribute 'dogtag'</td><td>[Migrate CRL publish directory]</td><td>CRL tree already moved</td><td>[Verifying that CA proxy configuration is correct]</td><td>[Verifying that KDC configuration is using ipa-kdb backend]</td><td>[Fixing trust flags in /etc/httpd/alias]</td><td>Trust flags already processed</td><td>[Fix DS schema file syntax]</td><td>Syntax already fixed</td><td>[Removing RA cert from DS NSS database]</td><td>RA cert already removed</td><td>[Removing self-signed CA]</td><td>[Checking for deprecated KDC configuration files]</td><td>[Checking for deprecated backups of Samba configuration files]</td><td>[Setting up Firefox extension]</td><td>[Add missing CA DNS records]</td><td>IPA CA DNS records already processed</td><td>[Removing deprecated DNS configuration options]</td><td>[Ensuring minimal number of connections]</td><td>[Enabling serial autoincrement in DNS]</td><td>[Updating GSSAPI configuration in DNS]</td><td>[Updating pid-file configuration in DNS]</td><td>[Masking named]</td><td>Changes to named.conf have been made, restart named</td><td>[Verifying that CA service certificate profile is updated]</td><td>[Update certmonger certificate renewal configuration to version 2]</td><td>[Enable PKIX certificate path discovery and validation]</td><td>PKIX already enabled</td><td>The ipa-upgradeconfig command was successful<br><br>But my local dns zone does no longer resolve :(<br><br>reverting back to the 3.3 snapshot again :(<br><br>Please help<span class="HOEnZb"><font color="#888888"><br>Rob</font></span></td></tr></tbody></table></div></div><div class="gmail_extra"><br><div class="gmail_quote"><span class="">2014-10-26 21:38 GMT+01:00 Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>:<br></span><div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Rob Verduijn wrote:<br> > hmmmm....<br> ><br> > after some more digging (monitoring the upgrade more closely.)<br> > I saw that the upgrade kept waiting for the ca to start, which it did<br> > not do.<br> > and after 5 minutes the upgrade gave up with the following errors in the<br> > ipaupgrade log :<br> ><br> > at 85% it says :<br> > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache<br> > url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket<br> > conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0><br> > 2014-10-26T15:04:35Z DEBUG Starting external process<br> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'<br> > '/etc/httpd/alias' '-L'<br> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0<br> > 2014-10-26T15:04:35Z DEBUG stdout=<br> > Certificate Nickname Trust<br> > Attributes<br> ><br> > SSL,S/MIME,JAR/XPI<br> ><br> > Signing-Cert u,u,u<br> > XXXX.XXXX IPA CA CT,C,C<br> > ipaCert u,u,u<br> > Server-Cert u,u,u<br> ><br> > 2014-10-26T15:04:35Z DEBUG stderr=<br> > 2014-10-26T15:04:35Z DEBUG Starting external process<br> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'<br> > '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'<br> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0<br> > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----<br> > < certificate-removed ><br> > -----END CERTIFICATE-----<br> > 2014-10-26T15:04:35Z DEBUG stderr=<br> > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to<br> </div></div>> 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\<br> <br> This has nothing to do with the CA, the LDAP server didn't come up. I'd<br> start with those logs or look earlier in ipaupgrade.log<br> <br> The CA requires 389-ds to be running so if it isn't up, then it will<br> fail to start too.<br> <span><font color="#888888"><br> rob<br> <br> </font></span></blockquote></div></div></div><br></div> </blockquote></div><br></div>