[Freeipa-users] dns stops working after upgrade

Rob Verduijn rob.verduijn at gmail.com
Tue Oct 28 15:10:45 UTC 2014


Hello all,

I've been digging into my problem of being unable to update from 3.3.5 to
4.1

First I add the repo from copr

Then I used to update it by issuing 'yum update', which resulted in an
update in which my local dns zone entries no longer resolved.

So I tried the instructions mentioned on the site:
yum update freeipa-server
And this failed with a conflict in

bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
bind-utils-32:9.9.4-15.P2.fc20.x86_64

I noticed the new bind comes from the copr repo and the old bind utils from
fedora.

So I first ran 'yum update bind-utils -y'.
Then I ran 'yum update freeipa-server'
and saw it fail with errors about softhsm.

I remembered reading about package errors with softhsm and installed the
softhsm-devel package first.

So I reverted the freeipa kvm snapshot back to 3.3.5 and tried again:
yum update bind-utils -y ;  yum install softhsm-devel -y ; yum update freeipa-server -y

However, when restarting named-pkcs11 I can see in the system log that it
has 0 zones loaded:

Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)

It claims 0 zones loaded, but I can see my forward and reverse zones in ipa.

What could cause it not to load the zones that I defined in ipa?
Rob


2014-10-27 23:05 GMT+01:00 Rob Verduijn <rob.verduijn at gmail.com>:

> Sorry for the xml formatting, I didn't realize it would mess up some mail
> clients.
>
> The last bit of the message again
>
> ipa-upgradeconfig gives the following:
> [Verifying that root certificate is published]
> Failed to backup CS.cfg: no magic attribute 'dogtag'
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Removing self-signed CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> [Ensuring minimal number of connections]
> [Enabling serial autoincrement in DNS]
> [Updating GSSAPI configuration in DNS]
> [Updating pid-file configuration in DNS]
> [Masking named]
> Changes to named.conf have been made, restart named
> [Verifying that CA service certificate profile is updated]
> [Update certmonger certificate renewal configuration to version 2]
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> The ipa-upgradeconfig command was successful
>
> Any ideas ?
> I'm rather stuck now.
> Rob
>
> 2014-10-27 22:59 GMT+01:00 Rob Verduijn <rob.verduijn at gmail.com>:
>
>> Hello,
>>
>> I'm rather at a loss here.
>> Everything seems to be running:
>> ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> ipa_memcached Service: RUNNING
>> httpd Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>> but the upgrade log is flooded with this error:
>> 2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
>> 2014-10-27T21:52:11Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
>> 2014-10-27T21:52:11Z DEBUG request body ''
>> 2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
>> 2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
>> 2014-10-27T21:52:12Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
>> 2014-10-27T21:52:12Z DEBUG request body ''
>>
>> I've tried the url and it works fine.
>> https://freeipa.x.x/ca/admin/ca/getStatus
>> it gives the following xml:
>> <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.2.0-3.fc20</Version></XMLResponse>
>>
>> After I run ipa-upgradeconfig it complains about a missing magic dog tag
>> attribute:
>> ipa-upgradeconfig
>> [Verifying that root certificate is published]
>> Failed to backup CS.cfg: no magic attribute 'dogtag'
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fixing trust flags in /etc/httpd/alias]
>> Trust flags already processed
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Removing self-signed CA]
>> [Checking for deprecated KDC configuration files]
>> [Checking for deprecated backups of Samba configuration files]
>> [Setting up Firefox extension]
>> [Add missing CA DNS records]
>> IPA CA DNS records already processed
>> [Removing deprecated DNS configuration options]
>> [Ensuring minimal number of connections]
>> [Enabling serial autoincrement in DNS]
>> [Updating GSSAPI configuration in DNS]
>> [Updating pid-file configuration in DNS]
>> [Masking named]
>> Changes to named.conf have been made, restart named
>> [Verifying that CA service certificate profile is updated]
>> [Update certmonger certificate renewal configuration to version 2]
>> [Enable PKIX certificate path discovery and validation]
>> PKIX already enabled
>> The ipa-upgradeconfig command was successful
>>
>> But my local dns zone no longer resolves :(
>>
>> reverting back to the 3.3 snapshot again :(
>>
>> Please help
>> Rob
>>
>> 2014-10-26 21:38 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>
>>> Rob Verduijn wrote:
>>> > hmmmm....
>>> >
>>> > after some more digging (monitoring the upgrade more closely)
>>> > I saw that the upgrade kept waiting for the ca to start, which it did
>>> > not do,
>>> > and after 5 minutes the upgrade gave up with the following errors in
>>> the
>>> > ipaupgrade log:
>>> >
>>> > at 85% it says :
>>> > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache
>>> > url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket
>>> > conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
>>> > 2014-10-26T15:04:35Z DEBUG Starting external process
>>> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
>>> > '/etc/httpd/alias' '-L'
>>> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>>> > 2014-10-26T15:04:35Z DEBUG stdout=
>>> > Certificate Nickname                                         Trust
>>> > Attributes
>>> >
>>> >  SSL,S/MIME,JAR/XPI
>>> >
>>> > Signing-Cert                                                 u,u,u
>>> > XXXX.XXXX IPA CA                                           CT,C,C
>>> > ipaCert                                                      u,u,u
>>> > Server-Cert                                                  u,u,u
>>> >
>>> > 2014-10-26T15:04:35Z DEBUG stderr=
>>> > 2014-10-26T15:04:35Z DEBUG Starting external process
>>> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
>>> > '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
>>> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>>> > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
>>> > < certificate-removed >
>>> > -----END CERTIFICATE-----
>>> > 2014-10-26T15:04:35Z DEBUG stderr=
>>> > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to
>>> > 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\
>>>
>>> This has nothing to do with the CA, the LDAP server didn't come up. I'd
>>> start with those logs or look earlier in ipaupgrade.log
>>>
>>> The CA requires 389-ds to be running so if it isn't up, then it will
>>> fail to start too.
>>>
>>> rob
>>>
>>>
>>
>
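The named-pkcs11 startup lines quoted at the top of this thread carry the decisive signal: named itself is "running" and "all zones loaded", but the LDAP instance summary says 0 zones defined, so the IPA-managed zones were never seen. The following is an added example, not code from the thread or from the FreeIPA project: a small log check that parses such journal lines, compares them with the zones an administrator expects IPA to serve, and reports the mismatch. The sample log text is constructed in the shape of the quoted lines, the "healthy" sample and the zone names `example.test` and `1.168.192.in-addr.arpa` are assumptions for illustration, and the regular expressions only match the two message shapes visible in the thread.

```python
"""Check named-pkcs11 startup output for IPA zones that did not load from LDAP.

Added example (not from the thread or the FreeIPA project). The journal lines
below are constructed to mirror the shape of the ones quoted in the thread.
"""
import re

# Constructed sample: the failure case (0 zones from LDAP).
SAMPLE_LOG = """\
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
"""

# Constructed sample of what a healthy start is assumed to look like: the IPA
# zones appear as ordinary "zone X/IN: loaded serial N" lines and the LDAP
# summary counts them. Zone names are placeholders.
HEALTHY_LOG = """\
Oct 28 15:40:02 freeipa.x.x named-pkcs11[3101]: zone localhost/IN: loaded serial 0
Oct 28 15:40:02 freeipa.x.x named-pkcs11[3101]: zone example.test/IN: loaded serial 1414510802
Oct 28 15:40:02 freeipa.x.x named-pkcs11[3101]: zone 1.168.192.in-addr.arpa/IN: loaded serial 1414510802
Oct 28 15:40:02 freeipa.x.x named-pkcs11[3101]: all zones loaded
Oct 28 15:40:02 freeipa.x.x named-pkcs11[3101]: running
Oct 28 15:40:02 freeipa.x.x named-pkcs11[3101]: 2 zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 0 failed to load)
"""

# Per-zone load line: "zone <name>/IN: loaded serial <n>" (named or named-pkcs11).
ZONE_RE = re.compile(r"named(?:-pkcs11)?\[\d+\]: zone (?P<zone>[^\s/]+)/IN: loaded serial (?P<serial>\d+)")
# bind-dyndb-ldap summary line, exactly as quoted in the thread.
LDAP_RE = re.compile(
    r"named(?:-pkcs11)?\[\d+\]: (?P<loaded>\d+) zones from LDAP instance '(?P<inst>[^']+)' loaded "
    r"\((?P<defined>\d+) zones defined, (?P<inactive>\d+) inactive, (?P<failed>\d+) failed to load\)"
)


def parse_named_log(text):
    """Return (zones, ldap): zones maps zone name -> serial; ldap holds the summary counters or None."""
    zones = {}
    ldap = None
    for line in text.splitlines():
        m = ZONE_RE.search(line)
        if m:
            zones[m.group("zone")] = int(m.group("serial"))
            continue
        m = LDAP_RE.search(line)
        if m:
            ldap = {k: (v if k == "inst" else int(v)) for k, v in m.groupdict().items()}
    return zones, ldap


def check_ipa_zones(text, expected_zones):
    """Compare what named reported with the zones the administrator expects IPA to serve.

    Returns a list of human-readable findings; an empty list means nothing looks wrong.
    """
    zones, ldap = parse_named_log(text)
    findings = []
    if ldap is None:
        findings.append("no 'zones from LDAP instance' summary line: the LDAP backend did not report at all")
        return findings
    if ldap["failed"]:
        findings.append(f"{ldap['failed']} LDAP zone(s) failed to load; look for earlier named errors")
    if ldap["defined"] == 0 and expected_zones:
        # This is the case in the thread: named is up, but from its point of view IPA defines no zones.
        findings.append(
            f"LDAP instance '{ldap['inst']}' defines 0 zones but {len(expected_zones)} expected: "
            "named is not seeing the zones stored in IPA; check its LDAP connection settings "
            "in named.conf and the directory server logs"
        )
    elif ldap["loaded"] < len(expected_zones):
        findings.append(f"only {ldap['loaded']} of {len(expected_zones)} expected zones loaded from LDAP")
    missing = sorted(z for z in expected_zones if z not in zones)
    if missing:
        findings.append("expected zone(s) not reported as loaded: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    expected = {"example.test", "1.168.192.in-addr.arpa"}  # placeholder zone names
    for label, log in (("failing", SAMPLE_LOG), ("healthy", HEALTHY_LOG)):
        print(f"== {label} ==")
        for finding in check_ipa_zones(log, expected) or ["no findings"]:
            print(" -", finding)
```

Run it against `journalctl -u named-pkcs11` output (or the relevant part of /var/log/messages) and the zone list from `ipa dnszone-find`; the check deliberately keys on the summary counters, because "all zones loaded" and "running" are true even when only the built-in localhost zones were loaded.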