[Freeipa-users] Upgrade failed -- how to recover?

Bret Wortman bret.wortman at damascusgrp.com
Wed Aug 14 13:25:46 UTC 2013


I believe you. I'm not upset at all that things go sideways every now and
again. I'm surprised it doesn't happen more.

Original failure (or, at least, first occurrence of "ERROR") follows:

2013-08-13T13:56:07Z INFO [Setting up Firefox extension]
2013-08-13T13:56:07Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2013-08-13T13:56:07Z INFO /usr/share/ipa/html/krb.js exists,
skipping install of Firefox extension
2013-08-13T13:56:07Z INFO [Add missing CA DNS records]
2013-08-13T13:56:07Z ERROR Cannot connect to LDAP to add DNS records:
cannot connect to u'ldapi://%2fvar%2frun%2fslapd-SPX-NET.socket': LDAP
Server Down
2013-08-13T13:56:07Z INFO [Enabling persistent search in DNS]
2013-08-13T13:56:07Z DEBUG [Saving StateFile to
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2013-08-13T13:56:07Z DEBUG Persistent search enabled
2013-08-13T13:56:07Z DEBUG Connections set to 4

Then it goes on for a while, leading to:

2013-08-13T13:56:11Z DEBUG Process finished, return code=1
2013-08-13T13:56:11Z DEBUG stdout=Error connecting to DBus.
Please verify that the message bus (D-Bus) service is running.

2013-08-13T13:56:11Z DEBUG stderr=
2013-08-13T13:56:11Z ERROR cretmonger failed to start tracking certificate:
Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n
auditSigningCert cert-pki-ca -c dogtag-ipa-retrieve-agent-submit -B
/usr/lib64/ipa/certmonger/stop_pkicad -C
/usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca" -P
XXXXXXXX -T auditSigningCert cert-pki-ca' returned non-zero exit status 1
2013-08-13T13:56:11Z DEBUG Starting external process
2013-08-13T13:56:11Z DEBUG args=/usr/bin/certutil -L
-d/var/lib/pki-ca/alias -n ocspSigningCert cert-pki-ca
2013-08-13T13:56:11Z DEBUG Process finished, return code=0

Does that help at all? Do you need more?

I'm upgrading a slave today and will try just doing the --upgrade (_if_ the
automatic upgrade has issues again).


*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret


On Wed, Aug 14, 2013 at 9:10 AM, Rob Crittenden <rcritten at redhat.com> wrote:

> Bret Wortman wrote:
>
>> Rob, I got past this, as you indicated, by doing that after first running:
>>
>> # ipa-ldap-updater --ldapi ./schema.update
>>
>> Using a schema.update tip file I found in a note from you after some
>> hard core googling. Should that extra step have been necessary?
>>
>
> No, it shouldn't be necessary. Can you look in /var/log/ipaupgrade.log (likely
> humongous) for the original failure and post that section of the log?
>
> Updating schema is hard. We are actually completely revamping the way we
> handle schema changes between versions which should be a lot more stable.
>
> rob
>
>
>>
>> *Bret Wortman*
>>
>>
>> http://damascusgrp.com/
>> http://about.me/wortmanbret
>>
>>
>> On Tue, Aug 13, 2013 at 3:39 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>     Bret Wortman wrote:
>>
>>         I tried this, but no joy:
>>
>>         # /usr/sbin/ipa-upgradeconfig --debug
>>         :
>>         :
>>         DEBUG: caSignedLogCert.cfg profile validity range is 720
>>         INFO: [Certificate renewal should stop the CA]
>>         ERROR: Unable to find certmonger request ID for auditSigning Cert
>>         INFO: The ipa-upgradeconfig command was successful
>>         #
>>
>>
>>     Run getcert list and sift through the output and see if you have a
>>     request tracking for nickname auditSigningCert cert-pki-ca (or
>>     similar).
>>
>>         But I still can't connect to http://ipamaster/ipa/ui/; I get a
>>         903 error
>>         every time, and /var/log/httpd/error_log shows, in part:
>>
>>         [Tue Aug 13 13:07:20.786566 2013] [:error] [pid 5890] KeyError:
>>         'ipadnszone'
>>         [Tue Aug 13 13:07:20.786717 2013] [:error] [pid 5890] ipa: INFO:
>>         bretw at FOO.NET: json_metadata(None, None,
>>         object=u'all'): KeyError
>>         [Tue Aug 13 13:07:21.001525 2013] [:error] [pid 5890] ipa: INFO:
>>         bretw at FOO.NET: json_metadata(None, None,
>>         command=u'all'): SUCCESS
>>
>>         DNS resolution, authentication and authorization all /appear/ to
>>         be working fine.
>>
>>
>>     The DNS schema was not updated properly. I'd run:
>>
>>     # ipa-ldap-updater --upgrade
>>
>>     rob
>>
>>
>>
>
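Added example, not part of the original thread and not FreeIPA code: one way to pull the "original failure" sections out of a very large /var/log/ipaupgrade.log, as requested above. It assumes the record layout visible in the excerpt (UTC timestamp, level, message, with untimestamped lines continuing the previous record); the function names and the sample are constructed for illustration.

```python
import re
# Record start as seen in the excerpt above: UTC timestamp, level, message.
RECORD_START = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (DEBUG|INFO|WARNING|ERROR|CRITICAL) ?(.*)$")

def parse_records(lines):
    """Group physical lines into log records (assumed layout, see lead-in)."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        m = RECORD_START.match(line)
        if m:
            records.append({"ts": m.group(1), "level": m.group(2), "text": [m.group(3)]})
        elif records:  # wrapped message or captured stdout: continuation line
            records[-1]["text"].append(line)
    return records

def error_sections(records, before=3, after=2):
    """Return (start, end) record ranges around each ERROR, merging overlaps."""
    ranges = []
    for i, rec in enumerate(records):
        if rec["level"] not in ("ERROR", "CRITICAL"):
            continue
        start, end = max(0, i - before), min(len(records), i + after + 1)
        if ranges and start <= ranges[-1][1]:  # overlaps previous section: merge
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((start, end))
    return ranges

def render(records, span):
    return "\n".join(f"{r['ts']} {r['level']} " + "\n".join(r["text"]) for r in records[span[0]:span[1]])

# Constructed sample, modelled on the excerpt in the message above.
SAMPLE = """\
2013-08-13T13:56:07Z INFO [Setting up Firefox extension]
2013-08-13T13:56:07Z DEBUG Loading StateFile from
'/var/lib/ipa/sysrestore/sysrestore.state'
2013-08-13T13:56:07Z INFO [Add missing CA DNS records]
2013-08-13T13:56:07Z ERROR Cannot connect to LDAP to add DNS records:
LDAP Server Down
2013-08-13T13:56:07Z INFO [Enabling persistent search in DNS]
2013-08-13T13:56:07Z DEBUG Persistent search enabled
2013-08-13T13:56:11Z DEBUG stdout=Error connecting to DBus.
2013-08-13T13:56:11Z ERROR certmonger failed to start tracking certificate
""".splitlines()
if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("\n---\n".join(render(recs, s) for s in error_sections(recs, 1, 1)))
```

On a real server, pass the open log file to `parse_records` instead of `SAMPLE`; the first range returned is the earliest failure with its surrounding context.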