[Freeipa-users] dns stops working after upgrade

Rob Crittenden rcritten at redhat.com
Sun Oct 26 20:38:10 UTC 2014


Rob Verduijn wrote:
> hmmmm....
> 
> After some more digging (monitoring the upgrade more closely),
> I saw that the upgrade kept waiting for the CA to start, which it did
> not do.
> After 5 minutes the upgrade gave up with the following errors in the
> ipaupgrade log:
> 
> At 85% it says:
> 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
> 2014-10-26T15:04:35Z DEBUG Starting external process
> 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
> '/etc/httpd/alias' '-L'
> 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
> 2014-10-26T15:04:35Z DEBUG stdout=
> Certificate Nickname                                         Trust
> Attributes
>                                                            
>  SSL,S/MIME,JAR/XPI
> 
> Signing-Cert                                                 u,u,u
> XXXX.XXXX IPA CA                                           CT,C,C
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> 
> 2014-10-26T15:04:35Z DEBUG stderr=
> 2014-10-26T15:04:35Z DEBUG Starting external process
> 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
> '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
> 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
> 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
> < certificate-removed >
> -----END CERTIFICATE-----
> 2014-10-26T15:04:35Z DEBUG stderr=
> 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to
> 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\

This has nothing to do with the CA; the LDAP server didn't come up. I'd
start with those logs or look earlier in ipaupgrade.log.

The CA requires 389-ds to be running so if it isn't up, then it will
fail to start too.

rob
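
An added example, not part of the original thread: one way to follow the advice to look earlier in ipaupgrade.log is to group the log into records and pull out what preceded the first ERROR, plus any external command that exited non-zero. The record layout is taken from the quoted excerpt; the sample log, the realm name and the systemctl command in it are constructed for illustration.

```python
import re

# Record header as it appears in the quoted excerpt: "<UTC timestamp> <LEVEL> <message>"
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ([A-Z]+) (.*)$")
RETCODE = re.compile(r"^Process finished, return code=(-?\d+)")

def parse_records(text):
    """Group lines into (timestamp, level, message) records. Lines without a
    header (wrapped arguments, command output) continue the previous record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append(list(m.groups()))
        elif records:
            records[-1][2] += "\n" + line
    return [tuple(r) for r in records]

def first_error_with_context(text, before=3):
    """Return (preceding records, first ERROR/CRITICAL record), or (all, None)."""
    records = parse_records(text)
    for i, rec in enumerate(records):
        if rec[1] in ("ERROR", "CRITICAL"):
            return records[max(0, i - before):i], rec
    return records, None

def failed_commands(text):
    """Return (args, return code) for each external process that exited non-zero."""
    failed, last_args = [], None
    for _, _, msg in parse_records(text):
        if msg.startswith("args="):
            last_args = msg[len("args="):].replace("\n", " ")
        else:
            m = RETCODE.match(msg)
            if m and int(m.group(1)) != 0:
                failed.append((last_args, int(m.group(1))))
    return failed

# Constructed sample in the same layout; realm, command and messages are made up.
SAMPLE = """\
2014-01-01T10:00:00Z DEBUG Starting external process
2014-01-01T10:00:00Z DEBUG args='/bin/systemctl' 'start'
'dirsrv@EXAMPLE-TEST.service'
2014-01-01T10:00:05Z DEBUG Process finished, return code=1
2014-01-01T10:00:05Z DEBUG stdout=
2014-01-01T10:00:05Z DEBUG stderr=Job for dirsrv@EXAMPLE-TEST.service failed.
2014-01-01T10:05:05Z ERROR Upgrade failed with cannot connect to
'ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket'
"""
```

On a real server, read the upgrade log into a string and pass it to the same functions in place of `SAMPLE`.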



