[Freeipa-users] dns stops working after upgrade

Rob Verduijn rob.verduijn at gmail.com
Sun Oct 26 15:24:02 UTC 2014


After some more digging (monitoring the upgrade more closely),
I saw that the upgrade kept waiting for the CA to start, which it did not,
and after 5 minutes the upgrade gave up with the following errors in the
ipaupgrade log:

At 85% it says:
2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
2014-10-26T15:04:35Z DEBUG Starting external process
2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias'
2014-10-26T15:04:35Z DEBUG Process finished, return code=0
2014-10-26T15:04:35Z DEBUG stdout=
Certificate Nickname                                         Trust


Signing-Cert                                                 u,u,u
XXXX.XXXX IPA CA                                           CT,C,C
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u

2014-10-26T15:04:35Z DEBUG stderr=
2014-10-26T15:04:35Z DEBUG Starting external process
2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias'
'-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
2014-10-26T15:04:35Z DEBUG Process finished, return code=0
2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
< certificate-removed >
2014-10-26T15:04:35Z DEBUG stderr=
2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to
2014-10-26T15:04:36Z DEBUG Traceback (most recent call last):
line 152, in __upgrade
    self.modified = (ld.update(self.files, ordered=True) or
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 874, in update
    updates = api.Backend.updateclient.update(POST_UPDATE,
self.dm_password, self.ldapi, self.live_run)
line 131, in update
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 889, in update_from_dict
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 799, in _run_updates
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 661, in _update_record
    e = self._get_entry(new_entry.dn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
line 544, in _get_entry
    return self.conn.get_entries(dn, scope, searchfilter, sattrs)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1421,
in get_entries
    base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1527,
in find_entries
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1206,
in error_handler
NetworkError: cannot connect to

And in the end it says:

2014-10-26T14:46:13Z DEBUG The CA status is: check interrupted
2014-10-26T14:46:13Z DEBUG Waiting for CA to start...
2014-10-26T14:46:14Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
646, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-upgradeconfig", line 1457, in main

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 282, in restart
    self.service.restart(instance_name, capture_output=capture_output,

  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py",
line 209, in restart

  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py",
line 197, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)

2014-10-26T14:46:14Z DEBUG The ipa-upgradeconfig command failed, exception:
RuntimeError: CA did not start in 300.0s

I guess it's something with the update for the CA certificate server that

Any clues on how to proceed?


2014-10-26 11:39 GMT+01:00 John Obaterspok <john.obaterspok at gmail.com>:

> Hello Rob,
> Did systemd report any failed services? (systemctl --failed)
> -- john
> 2014-10-25 16:40 GMT+02:00 Rob Verduijn <rob.verduijn at gmail.com>:
>> Hello all,
>> I'm running freeipa 3.3.0 on fedora 20 x86_64 and it is set up as my main
>> dns server.
>> I've tried the upgrade to 4.1 using the copr repository.
>> I performed the following steps:
>> 1 apply latest fedora updates
>> 2 shutdown system
>> 3 create a snapshot from the freeipa vm as a backup (which is why I'm
>> back at 3.3)
>> 4 added the copr repo to my repositories
>> 5 issue 'yum update' and grab a coffee
>> 6 see the update complete and start to check if everything still works.
>> All authentication seems to work fine, however all my local dns entries no
>> longer work.
>> All internet dns queries work fine, just not my own entries.
>> They are all still there.
>> So I shut down my freeipa vm and reverted the snapshot, everything is back
>> up and running again with 3.3.0
>> I've dug through my logs but see no errors whatsoever.
>> Did I miss something that needs to be done when doing an upgrade?
>> Rob