[Freeipa-users] dns stops working after upgrade

Rob Verduijn rob.verduijn at gmail.com
Mon Oct 27 22:05:20 UTC 2014


Sorry for the XML formatting; I didn't realize it would mess up some mail
clients.

The last bit of the message again:

ipa-upgradeconfig gives the following:
[Verifying that root certificate is published]
Failed to backup CS.cfg: no magic attribute 'dogtag'
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful

Any ideas?
I'm rather stuck now.
Rob

2014-10-27 22:59 GMT+01:00 Rob Verduijn <rob.verduijn at gmail.com>:

> Hello,
>
> I'm rather at a loss here.
> Everything seems to be running:
> ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> but the upgrade log is flooded with this error:
> 2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
> 2014-10-27T21:52:11Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
> 2014-10-27T21:52:11Z DEBUG request body ''
> 2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
> 2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
> 2014-10-27T21:52:12Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
> 2014-10-27T21:52:12Z DEBUG request body ''
>
> I've tried the URL and it works fine:
> https://freeipa.x.x/ca/admin/ca/getStatus
> It gives the following XML:
> <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.2.0-3.fc20</Version></XMLResponse>
>
> After I run ipa-upgradeconfig it complains about a missing magic 'dogtag'
> attribute:
> ipa-upgradeconfig
> [Verifying that root certificate is published]
> Failed to backup CS.cfg: no magic attribute 'dogtag'
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Removing self-signed CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Enabling serial autoincrement in DNS]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Masking named]
> Changes to named.conf have been made, restart named
> [Verifying that CA service certificate profile is updated]
> [Update certmonger certificate renewal configuration to version 2]
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> The ipa-upgradeconfig command was successful
>
> But my local DNS zone no longer resolves :(
>
> Reverting to the 3.3 snapshot again :(
>
> Please help
> Rob
>
> 2014-10-26 21:38 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>
>> Rob Verduijn wrote:
>> > Hmmmm....
>> >
>> > After some more digging (monitoring the upgrade more closely) I saw that
>> > the upgrade kept waiting for the CA to start, which it did not do, and
>> > after 5 minutes the upgrade gave up with the following errors in the
>> > ipaupgrade log:
>> >
>> > At 85% it says:
>> > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
>> > 2014-10-26T15:04:35Z DEBUG Starting external process
>> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L'
>> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>> > 2014-10-26T15:04:35Z DEBUG stdout=
>> > Certificate Nickname                                         Trust Attributes
>> >                                                              SSL,S/MIME,JAR/XPI
>> >
>> > Signing-Cert                                                 u,u,u
>> > XXXX.XXXX IPA CA                                             CT,C,C
>> > ipaCert                                                      u,u,u
>> > Server-Cert                                                  u,u,u
>> >
>> > 2014-10-26T15:04:35Z DEBUG stderr=
>> > 2014-10-26T15:04:35Z DEBUG Starting external process
>> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
>> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>> > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
>> > < certificate-removed >
>> > -----END CERTIFICATE-----
>> > 2014-10-26T15:04:35Z DEBUG stderr=
>> > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\
>>
>> This has nothing to do with the CA, the LDAP server didn't come up. I'd
>> start with those logs or look earlier in ipaupgrade.log
>>
>> The CA requires 389-ds to be running so if it isn't up, then it will
>> fail to start too.
>>
>> rob
>>
>>
>
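The thread narrates two checks that the upgrade does in sequence: it polls the CA's /ca/admin/ca/getStatus endpoint (the XMLResponse body quoted above) and it opens the 389-ds LDAPI socket whose URL appears in the failing log line. Below is an added diagnostic script, written for this editorial note and not FreeIPA's own code, that does both in the order Rob Crittenden recommends: confirm that something is actually accepting connections on the slapd socket first, and only then poll the CA. The only facts it takes from the page are the XMLResponse/Status shape of the getStatus reply and the ldapi:// URL form; SAMPLE_GETSTATUS is that quoted body reassembled into one string, the `fetch` callable, the hypothetical ldapi_socket_accepts/diagnose names and the file name ca_ds_check.py are assumptions, and the script does not attempt to explain the "check interrupted" status seen in the log.

```python
import os
import socket
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: the getStatus body quoted in the thread, as one string.
SAMPLE_GETSTATUS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<XMLResponse><State>1</State><Type>CA</Type><Status>running</Status>'
    '<Version>10.2.0-3.fc20</Version></XMLResponse>'
)


def parse_ca_status(body):
    """Return the <Status> text of a Dogtag getStatus XMLResponse, or None
    when the body is not that document (HTML error page, empty reply, ...)."""
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "XMLResponse":
        return None
    node = root.find("Status")
    if node is None or not node.text:
        return None
    return node.text.strip()


def ldapi_socket_path(ldapi_url):
    """Decode the ldapi:// URL seen in ipaupgrade.log into the filesystem
    path of the 389-ds unix socket (%2f is an escaped '/')."""
    parts = urllib.parse.urlsplit(ldapi_url)
    if parts.scheme != "ldapi":
        raise ValueError("not an ldapi URL: %r" % ldapi_url)
    return urllib.parse.unquote(parts.netloc)


def ldapi_socket_accepts(path, timeout=2.0):
    """True only if a process accepts connections on the socket; a stale
    socket file left behind by a dead slapd gives False, not True."""
    if not os.path.exists(path):
        return False
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)
        return True
    except OSError:
        return False
    finally:
        s.close()


def https_fetch(url, timeout=10):
    """Fetch url and return (http_code, body). A 503 from the httpd proxy
    while pki-tomcatd is still starting is returned rather than raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def wait_for_ca(fetch, timeout=300, interval=1.0,
                sleep=time.sleep, clock=time.monotonic):
    """Poll fetch() until the CA reports 'running' or timeout expires.
    Returns (True, 'running') or (False, last_observation). sleep and
    clock are injectable so the loop can be exercised without waiting."""
    deadline = clock() + timeout
    while True:
        try:
            code, body = fetch()
            if code != 200:
                last = "HTTP %s" % code
            else:
                last = parse_ca_status(body) or "unparsable status body"
        except OSError as e:  # URLError and socket errors are OSErrors
            last = "connect error: %s" % e
        if last == "running":
            return True, last
        if clock() >= deadline:
            return False, last
        sleep(interval)


def diagnose(ldapi_url, fetch, ca_timeout=0):
    """DS first, then CA: the CA cannot come up without 389-ds, so a dead
    DS socket is the finding and the CA status is noise at that point."""
    path = ldapi_socket_path(ldapi_url)
    if not ldapi_socket_accepts(path):
        return "389-ds not accepting connections on %s; fix DS first" % path
    ok, last = wait_for_ca(fetch, timeout=ca_timeout)
    if ok:
        return "389-ds up, CA reports running"
    return "389-ds up, CA not running (last seen: %s)" % last


if __name__ == "__main__":
    # python3 ca_ds_check.py ldapi://%2fvar%2frun%2fslapd-X.socket https://host/ca/admin/ca/getStatus
    ldapi_url, status_url = sys.argv[1], sys.argv[2]
    print(diagnose(ldapi_url, lambda: https_fetch(status_url), ca_timeout=30))
```

Run it on the IPA server itself (the LDAPI socket is local), with the exact ldapi:// URL copied from the failing log line and the getStatus URL the upgrade was polling; the default urllib SSL context must trust the IPA CA for the HTTPS fetch to succeed.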