[Freeipa-users] dns stops working after upgrade

Rob Verduijn rob.verduijn at gmail.com
Mon Oct 27 21:59:11 UTC 2014


I'm rather at a loss here.
Everything seems to be running
 ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

but the upgrade log is flooded with this error:
2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
2014-10-27T21:52:11Z DEBUG request '
2014-10-27T21:52:11Z DEBUG request body ''
2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
2014-10-27T21:52:12Z DEBUG request '
2014-10-27T21:52:12Z DEBUG request body ''

I've tried the URL and it works fine.
It gives the following XML:
<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1

After I run ipa-upgradeconfig it complains about a missing magic dog tag:
ipa-upgradeconfig
[Verifying that root certificate is published]Failed to backup CS.cfg: no magic attribute 'dogtag'
[Migrate CRL publish directory]CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]Trust flags already processed
[Fix DS schema file syntax]Syntax already fixed
[Removing RA cert from DS NSS database]RA cert already
self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]IPA CA DNS records already
deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking
to named.conf have been made, restart named
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]PKIX already enabled
The ipa-upgradeconfig command was successful

But my local dns zone does no longer resolve :(

Reverting back to the 3.3 snapshot again :(

Please help

2014-10-26 21:38 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:

> Rob Verduijn wrote:
> > hmmmm....
> >
> > after some more digging (monitoring the upgrade more closely),
> > I saw that the upgrade kept waiting for the ca to start, which it did
> > not do.
> > and after 5 minutes the upgrade gave up with the following errors in the
> > ipaupgrade log :
> >
> > at 85% it says :
> > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache
> > url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket
> > conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
> > 2014-10-26T15:04:35Z DEBUG Starting external process
> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
> > '/etc/httpd/alias' '-L'
> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
> > 2014-10-26T15:04:35Z DEBUG stdout=
> > Certificate Nickname                                         Trust
> > Attributes
> >
> >
> > Signing-Cert                                                 u,u,u
> > XXXX.XXXX IPA CA                                           CT,C,C
> > ipaCert                                                      u,u,u
> > Server-Cert                                                  u,u,u
> >
> > 2014-10-26T15:04:35Z DEBUG stderr=
> > 2014-10-26T15:04:35Z DEBUG Starting external process
> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
> > '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
> > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
> > < certificate-removed >
> > -----END CERTIFICATE-----
> > 2014-10-26T15:04:35Z DEBUG stderr=
> > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to
> > 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\
> This has nothing to do with the CA, the LDAP server didn't come up. I'd
> start with those logs or look earlier in ipaupgrade.log.
> The CA requires 389-ds to be running so if it isn't up, then it will
> fail to start too.
> rob
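As an added example (not code from this thread or from the FreeIPA project), the following POSIX shell script performs the two checks in the order the reply implies: first whether 389-ds answers on its ldapi socket, and only then whether the Dogtag CA status endpoint reports State 1, so that a CA "check interrupted" is not mistaken for the root cause when LDAP is the layer that is down. The socket path, the getStatus URL (http://localhost:8080/ca/admin/ca/getStatus), the exit codes and the sample XML are assumptions constructed for illustration, not values taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA. Checks the dependency
# chain 389-ds -> Dogtag CA in the order the reply describes.
# Assumed for illustration: socket path, status URL, sample XML, exit codes.

# Extract the numeric <State> value from a Dogtag getStatus XML response.
# Prints the number, or nothing if the body carries no <State> element
# (e.g. an HTML error page from a CA that is not up yet).
ca_state_from_xml() {
    printf '%s' "$1" \
        | sed -n 's/.*<State>\([0-9][0-9]*\)<\/State>.*/\1/p' \
        | head -n 1
}

# Check that 389-ds is reachable on its ldapi socket.
# Exit codes (assumed convention): 0 = LDAP answers, 1 = socket file missing,
# 2 = socket present but no answer to an SASL EXTERNAL base search.
ldapi_check() {
    sock="$1"
    [ -S "$sock" ] || return 1
    # FreeIPA writes the socket path into the URL with '/' encoded as %2f,
    # which is the form seen in ipaupgrade.log.
    url="ldapi://$(printf '%s' "$sock" | sed 's#/#%2f#g')"
    ldapsearch -H "$url" -Y EXTERNAL -s base -b "" >/dev/null 2>&1 || return 2
    return 0
}

# Run the checks in dependency order and say which layer failed.
# Exit codes (assumed convention): 0 = CA up, 1 = LDAP down,
# 2 = CA status request failed, 3 = CA answered but is not in State 1.
diagnose() {
    sock="$1"
    status_url="$2"
    ldapi_check "$sock"
    case $? in
        1) echo "LDAP: socket $sock does not exist; check dirsrv first"; return 1 ;;
        2) echo "LDAP: socket $sock exists but does not answer; check dirsrv errors log"; return 1 ;;
    esac
    body="$(curl -s --max-time 5 "$status_url")" || {
        echo "CA: status request to $status_url failed"
        return 2
    }
    state="$(ca_state_from_xml "$body")"
    if [ "$state" = "1" ]; then
        echo "CA: State 1 reported by $status_url"
        return 0
    fi
    echo "CA: not ready (State='${state:-none}')"
    return 3
}

# Constructed sample, shaped like the XML quoted in the thread; only the
# <State> element is taken from the post, the closing tags are assumed.
SAMPLE_OK='<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State></XMLResponse>'

# Usage on a real server (assumed paths, adjust REALM and host):
#   diagnose /var/run/slapd-EXAMPLE-TEST.socket http://localhost:8080/ca/admin/ca/getStatus
```

Running `diagnose` as root on the IPA server reports the first layer that fails; if it stops at LDAP, the dirsrv errors log for that instance is where to look, exactly as the reply suggests, and the CA messages in ipaupgrade.log are a consequence rather than the cause.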