[Freeipa-users] F20 Problem upgrading to 4.1

Martin Basti mbasti at redhat.com
Mon Oct 27 19:09:24 UTC 2014


On 27/10/14 19:57, John Obaterspok wrote:
> Hello Martin,
>
> Still no go.
>
> I installed the softhsm-devel package (that only contains header 
> files), removed the token directory, reinstalled the bind & 
> bind-pkcs11, did ipa-dns-install that completed ok (I guess):
>
> To accept the default shown in brackets, press the Enter key.
>
> Existing BIND configuration detected, overwrite? [no]: yes
> Directory Manager password:
>
> # ipa-upgradeconfig
> [Verifying that root certificate is published]
> *Failed to backup CS.cfg: no magic attribute 'dogtag'*
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Removing self-signed CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Enabling serial autoincrement in DNS]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Masking named]
> Changes to named.conf have been made, restart named
> *Failed to restart named: Command ''/bin/systemctl' 'restart' 
> 'named-pkcs11.service'' returned non-zero exit status 1*
> [Verifying that CA service certificate profile is updated]
> [Update certmonger certificate renewal configuration to version 2]
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> The ipa-upgradeconfig command was successful
>
>
> # systemctl restart named-pkcs11 && journalctl -xn
> 19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to enumerate 
> object store in /var/lib/ipa/dnssec/tokens
> 19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the 
> object store
> 19:38:54 named-pkcs11[838]: initializing DST: PKCS#11 initialization 
> failed
> 19:38:54 named-pkcs11[838]: exiting (due to fatal error)
> 19:38:54 systemd[1]: named-pkcs11.service: control process exited, 
> code=exited status=1
> 19:38:54 systemd[1]: Failed to start Berkeley Internet Name Domain 
> (DNS) with native PKCS#11.
>
>
> It seems the problem is now there are no tokens:
> # ll /var/lib/ipa/dnssec/
> total 4.0K
> -rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin

This is interesting; ipa-dns-install should detect a missing directory and 
create a new one.
Could you send me the tail of /var/log/ipaserver-install.log, where the DNS 
debug lines are?

Martin^2
>
> Any ideas?
>
> -- john
>
> 2014-10-27 19:05 GMT+01:00 Martin Basti <mbasti at redhat.com 
> <mailto:mbasti at redhat.com>>:
>
>     On 27/10/14 18:53, John Obaterspok wrote:
>>
>>
>>     2014-10-27 12:19 GMT+01:00 Martin Basti <mbasti at redhat.com
>>     <mailto:mbasti at redhat.com>>:
>>
>>         On 26/10/14 21:39, John Obaterspok wrote:
>>>         Hi,
>>>
>>>         I enabled mkosek-freeipa repo for F20 and updated
>>>         freeipa-server from 3.3.5 to 4.1. The yum update reported
>>>         just a single error:
>>>
>>>         Could not load host key: /etc/ssh/ssh_host_dsa_key
>>>
>>>         After reboot I had 3 services that failed to start:
>>>         ipa, kadmin, named-pkcs11
>>>
>>>         Doing "strace -f named-pkcs11 -u named -f -g" I can see:
>>>            "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
>>>            initializing DST: PKCS#11 initialization failed
>>>            exiting (due to fatal error)
>>>
>>>
>>>         For kadmin the error is due to not being able to connect to
>>>         sldap
>>>
>>>         I noticed that softhsm2-util --show-slots reported "ERROR:
>>>         Could not initialize the library." But that seemed to be
>>>         because   wasn't part of the update. After that I could show
>>>         the default slot and then I manually called following (as root):
>>>
>>>         "/usr/bin/softhsm2-util --init-token --slot 0 --label
>>>         ipaDNSSEC --pin XXXXXXXX --so-pin XXXXXXXX"
>>>
>>>         But the problems won't go away. Any clues?
>>>
>>>         -- john
>>>
>>>
>>>
>>>
>>         Hello,
>>
>>         1)
>>         can you share your /var/log/ipaupgrade.log ?
>>
>>
>>     Unfortunately I removed the original ipaupgrade.log file when I
>>     did a retry to install freeipa-server. The current ipaupgrade.log
>>     has two errors:
>>     First)
>>
>>     2014-10-26T12:45:15Z DEBUG Live 1, updated 1
>>     2014-10-26T12:45:15Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
>>     {'desc': 'Operations error'}
>>     2014-10-26T12:45:15Z ERROR Update failed: Operations error:
>>     2014-10-26T12:45:15Z INFO Updating existing entry: cn=MemberOf
>>     Plugin,cn=plugins,cn=config
>>     2014-10-26T12:45:15Z DEBUG
>>     ---------------------------------------------
>     Is there some information about the entry which is updated above?
>
>>
>>     Second) It complains about not being able to start named-pkcs11
>>     service.
>>
>>         2)
>>         your issue with softhsm can be caused by a missing environment
>>         variable
>>         IPA internally uses
>>
>>         SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>>         please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
>>         softhsm2-util --show-slots, and let me know if it works
>>
>>         same with named-pkcs11,
>>
>>
>>     The file timestamps for softhsm_pin & tokens match the time I did the
>>     original update
>>
>>     # ll /var/lib/ipa/dnssec/
>>     -rwxrwx---. 1 ods named   30 Oct 26 10:35 softhsm_pin
>>     drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens
>>
>>     # ll /var/lib/ipa/dnssec/tokens/
>>     total 0
>>
>>     # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
>>     --show-slots
>>     Available slots:
>>     Slot 0
>>         Slot info:
>>             Description:      SoftHSM slot 0
>>             Manufacturer ID:  SoftHSM project
>>             Hardware version: 2.0
>>             Firmware version: 2.0
>>             Token present:    yes
>>         Token info:
>>             Manufacturer ID:  SoftHSM project
>>             Model:            SoftHSM v2
>>             Hardware version: 2.0
>>             Firmware version: 2.0
>>             Serial number:
>>             Initialized:      no
>>             User PIN init.:   no
>>             Label:
>     Slot was not initialized by IPA
>>
>>         3)
>>         can you share journalctl -u named-pkcs11 output?
>>
>>
>>     10:35:48 systemd[1]: named-pkcs11.service: control process
>>     exited, code=exited status=1
>>     10:35:48 systemd[1]: Failed to start Berkeley Internet Name
>>     Domain (DNS) with native PKCS#11.
>>     10:35:48 systemd[1]: Unit named-pkcs11.service entered failed state.
>>     10:35:48 systemd[1]: Stopped Berkeley Internet Name Domain (DNS)
>>     with native PKCS#11.
>>     -- Reboot --
>>     10:58:05 named-pkcs11[1496]: initializing DST: no PKCS#11 provider
>>     10:58:05 named-pkcs11[1496]: exiting (due to fatal error)
>>     10:58:05 systemd[1]: named-pkcs11.service: control process
>>     exited, code=exited status=1
>>     10:58:05 systemd[1]: Failed to start Berkeley Internet Name
>>     Domain (DNS) with native PKCS#11.
>>     10:58:05 systemd[1]: Unit named-pkcs11.service entered failed state.
>>     10:58:05 systemd[1]: Stopped Berkeley Internet Name Domain (DNS)
>>     with native PKCS#11.
>>
>>     ... After some fiddling a restart says this:
>>
>>     19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:
>>     19:26:21 named-pkcs11[8807]: RUNTIME_CHECK(pk11_get_session(ctx,
>>     OP_DIGEST, isc_boolean_true, isc_boolean_false, isc_bo
>>     19:26:21 named-pkcs11[8807]: exiting (due to fatal error in library)
>>     19:26:21 systemd[1]: named-pkcs11.service: control process
>>     exited, code=exited status=1
>>     19:26:21 systemd[1]: Failed to start Berkeley Internet Name
>>     Domain (DNS) with native PKCS#11.
>>     19:26:21 systemd[1]: Unit named-pkcs11.service entered failed state.
>>
>>         4)
>>         I'm not aware that we need krb5-libs/openssl. I was
>>         getting this error if the tokens directory doesn't exist, but IPA
>>         uses its own configuration (see 2), not the default.
>>
>>
>>      ok
>
>     I took a deeper look, and I found some packaging errors with
>     softhsm there.
>     You were right about the missing dependency.
>
>     Please install softhsm-devel package, remove
>     /var/lib/ipa/dnssec/tokens directory, then reinstall DNS,
>     ipa-dns-install (requires running directory server)
>
>     Or if you have snapshot, install softhsm-devel before upgrading ipa
>
>     HTH
>     Martin^2
>
>     -- 
>     Martin Basti
>
>


-- 
Martin Basti
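An added diagnostic, not part of this thread or of FreeIPA, that checks the two states the thread exposes (a missing or empty /var/lib/ipa/dnssec/tokens directory, and a SoftHSM slot that was never initialized) under the SOFTHSM2_CONF path IPA uses rather than the default one. The path variables and the two sample --show-slots dumps are assumptions constructed from the thread's output:

```shell
#!/bin/sh
# Added diagnostic (not from the thread or the FreeIPA project). Paths below
# are the ones named in the thread and are assumptions, overridable via env.
IPA_SOFTHSM_CONF="${IPA_SOFTHSM_CONF:-/etc/ipa/dnssec/softhsm2.conf}"
IPA_TOKEN_DIR="${IPA_TOKEN_DIR:-/var/lib/ipa/dnssec/tokens}"

# 0 = directory exists and holds token objects, 1 = missing, 2 = empty.
# The empty case is what named-pkcs11 logged as "Failed to enumerate object
# store"; ownership should be ods:named as in the thread's directory listing.
check_token_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "token dir missing: $dir"; return 1; }
    [ -n "$(ls -A "$dir" 2>/dev/null)" ] || { echo "token dir empty: $dir"; return 2; }
    echo "token dir ok: $dir"
}

# Reads "softhsm2-util --show-slots" output on stdin; exits 0 only if some
# slot holds an initialized token carrying the wanted label (ipaDNSSEC).
token_initialized() {
    awk -v want="${1:-ipaDNSSEC}" '
        $1 == "Slot" && $2 ~ /^[0-9]+$/ { init = ""; label = "" }
        $1 == "Initialized:" { init = $2 }
        $1 == "Label:"       { label = $2
                               if (init == "yes" && label == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live check against the real tool, with the environment IPA itself uses
# (a bare softhsm2-util call would look at the default SoftHSM config).
run_live_check() {
    check_token_dir "$IPA_TOKEN_DIR"
    SOFTHSM2_CONF="$IPA_SOFTHSM_CONF" softhsm2-util --show-slots \
        | token_initialized ipaDNSSEC && echo "ipaDNSSEC token initialized" \
        || echo "ipaDNSSEC token NOT initialized under $IPA_SOFTHSM_CONF"
}

# Constructed samples mirroring the thread's output (uninitialized vs. good).
SAMPLE_UNINIT='Available slots:
Slot 0
    Token info:
        Initialized:      no
        User PIN init.:   no
        Label:'
SAMPLE_OK='Available slots:
Slot 0
    Token info:
        Initialized:      yes
        User PIN init.:   yes
        Label:            ipaDNSSEC'

if [ "${1-}" = "--live" ]; then run_live_check; fi
```

Run it with `--live` on the IPA server to query the real token; without arguments it only defines the checks.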
