<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>That's weird because the code is checking if a permission exists
before it tries to add a new one</p>
<p>Can you try to remove '<span style="color:#1F497D">System: Modify
Certificate Profile' manually from LDAP and re-run
ipa-server-upgrade?<br>
</span></p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 11.10.2016 15:53, John Popowitch
wrote:<br>
</div>
<blockquote
cite="mid:8A55E6003C19B34498C07A259B643BA90108586A@mbx032-e1-va-6.exch032.serverpod.net"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG Updating managed permission: System: Modify
Certificate Profile<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG Destroyed connection context.ldap2_82077392<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
ERROR Upgrade failed with This entry already exists<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG Traceback (most recent call last):<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
line 306, in __upgrade<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">
self.modified = (ld.update(self.files) or self.modified)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 905, in update<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">
self._run_updates(all_updates)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 877, in _run_updates<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">
self._run_update_plugin(update['plugin'])<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 852, in _run_update_plugin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> restart_ds,
updates = self.api.Updater[plugin_name]()<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
1400, in __call__<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> return
self.execute(**options)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py",
line 433, in execute<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">
anonymous_read_aci)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/update_managed_permissions.py",
line 529, in update_permission<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">
ldap.add_entry(entry)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
line 1428, in add_entry<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">
self.conn.add_s(str(entry.dn), attrs.items())<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib64/python2.7/contextlib.py", line 35, in __exit__<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">
self.gen.throw(type, value, traceback)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
line 938, in error_handler<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> raise
errors.DuplicateEntry()<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">DuplicateEntry:
This entry already exists<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG Traceback (most recent call last):<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 418, in start_creation<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">
run_step(full_msg, method)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 408, in run_step<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> method()<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
line 314, in __upgrade<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> raise
RuntimeError(e)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">RuntimeError:
This entry already exists<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG [error] RuntimeError: This entry already exists<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG [cleanup]: stopping directory server<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG Starting external process<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:38Z
DEBUG args='/bin/systemctl' 'stop'
'<a class="moz-txt-link-abbreviated" href="mailto:dirsrv@AWS-CAPPEX-COM.service">dirsrv@AWS-CAPPEX-COM.service</a>'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Process finished, return code=0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG stdout=<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG stderr=<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG duration: 1 seconds<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG [cleanup]: restoring configuration<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG duration: 0 seconds<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade
manually.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py",
line 171, in execute<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">
return_value = self.run()<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 50, in run<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> raise
admintool.ScriptError(str(e))<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
DEBUG The ipa-server-upgrade command failed, exception:
ScriptError: ('IPA upgrade failed.', 1)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">2016-10-10T19:51:40Z
ERROR ('IPA upgrade failed.', 1)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Martin Basti [<a class="moz-txt-link-freetext" href="mailto:mbasti@redhat.com">mailto:mbasti@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, October 11, 2016 1:53 AM<br>
<b>To:</b> John Popowitch; <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] FreeIPA v4.2 stopped
working, wants me to run ipa-server-upgrade, but has
errors<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 10.10.2016 23:30, John Popowitch
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hello FreeIPA community.<o:p></o:p></p>
<p class="MsoNormal">I've inherited a group of three FreeIPA
v4.2 servers on CentOS 7.2.<o:p></o:p></p>
<p class="MsoNormal">I had to reboot one of the servers and
now IPA won't run saying, "Upgrade required: please run
ipa-server-upgrade command."<o:p></o:p></p>
<p class="MsoNormal">But when I run ipa-server-upgrade I get
an error:<o:p></o:p></p>
<p class="MsoNormal">ipa: ERROR: Upgrade failed with This
entry already exists<o:p></o:p></p>
<p class="MsoNormal">When I run it in debug mode the last
action before the error is:<o:p></o:p></p>
<p class="MsoNormal">ipa.ipaserver.install.plugins.update_managed_permissions.update_managed_permissions:
DEBUG: Updating managed permission: System: Modify
Certificate Profile<o:p></o:p></p>
<p class="MsoNormal">It appears that several of the other
managed permissions are processed successfully.<o:p></o:p></p>
<p class="MsoNormal">When I look in the UI on one of the other
servers it appears that this permission exists under IPA
Server -> Role Based Access Control -> Permissions.<o:p></o:p></p>
<p class="MsoNormal">I'm not familiar with FreeIPA so any help
would be greatly appreciated.<o:p></o:p></p>
<p class="MsoNormal">Thanks in advance.<o:p></o:p></p>
<p class="MsoNormal">-John<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><br>
<br>
<o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><br>
Hello,<br>
<br>
can you post the related part of ipaupgrade.log here?<br>
<br>
Martin<o:p></o:p></span></p>
</div>
</blockquote>
<br>
</body>
</html>