[Freeipa-devel] [PATCH] 1098 catch cert-find errors on upgraded servers

Rob Crittenden rcritten at redhat.com
Fri May 3 20:08:11 UTC 2013


Petr Viktorin wrote:
> On 04/29/2013 10:52 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 04/26/2013 09:53 PM, Rob Crittenden wrote:
>>>> A dogtag 9 -> 10 upgraded server doesn't provide the RESTful API so
>>>> therefore the cert-find command doesn't work. Starting with dogtag
>>>> 10.0.2 it is going to send back a 501 (HTTP Not implemented) in this
>>>> case so we at least have something to catch.
>>>>
>>>> This patch catches a 501 and returns a more specific message.
>>>>
>>>> 10.0.2 builds should be available this weekend, or you can pull from
>>>> their devel repo at:
>>>>
>>>> [dogtag-devel]
>>>> name=Dogtag development $releasever - $basearch
>>>> baseurl=http://nkinder.fedorapeople.org/dogtag-devel/fedora/$releasever/$basearch/os/
>>>> enabled=0
>>>> gpgcheck=0
>>>>
>>>
>>> With the new Dogtag, /root/.pki/pki-tomcat/ca_admin_cert.p12 is not
>>> created. Installation of a new server fails on copying that to
>>> /root/ca-agent.p12. Adding Ade to the thread, he should know more.
>>>
>>>
>>> On my instance upgraded from f17 to f18, I get 404 errors, not 501.
>>>
>>> $ rpm -q pki-base
>>> pki-base-10.0.2-1.fc18.noarch
>>> $ ./ipa cert-find
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (Not Found)
>>> $ curl -v http://`hostname`:9180/ca/rest/certs/search
>>> [...]
>>> < HTTP/1.1 404 Not Found
>>> < Server: Apache-Coyote/1.1
>>> < Content-Type: text/html
>>> < Content-Length: 5723
>>> < Date: Sun, 28 Apr 2013 23:08:44 GMT
>>> [...]
>>
>> This is caused by some syntax errors in the dogtag upgrade script. They
>> are working on a respin. See /var/log/pki/pki-server-upgrade-*.log
>>
>> rob
>>
>
> When I used yum upgrade for f17→f18, the pki-server-upgrade scriptlet
> failed; /var/log/pki/pki-server-upgrade-10.0.2.log says:
>
> Upgrading server at Fri May  3 07:37:44 EDT 2013.
> Upgrading from version 10.0.0 to 10.0.1:
> No upgrade scriptlets.
>
> Upgrading from version 10.0.1 to 10.0.2:
> 1. Replace random number generator
> ERROR:
> Failed upgrading Dogtag 9 pki-ca/ca subsystem.
> Upgrade failed in Dogtag 9 pki-ca/ca:
>
> However, after running the script manually, everything is back to
> normal. The patch works fine, it just needs a changelog rebase.
>
> ACK
>

Rebased and pushed to master

rob



