[Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches

Martin Basti mbasti at redhat.com
Mon Jun 1 07:52:24 UTC 2015


On 29/05/15 18:57, Thomas Sailer wrote:
> Hello everyone.
>
> I upgraded a freeipa server from fedora 20 to fedora 22. It mostly 
> worked ok, but there are a few issues:
>
> - pki-tomcat didn't start after the upgrade, and that in turn made 
> ipa-upgradeconfig fail, because /var/lib/pki/pki-tomcat/conf/ca/CS.cfg 
> had the wrong owner (root).
>
> - ipa-ldap-updater stumbles over two problems:
>   - Pre schema upgrade failed
>   - when trying to modify cn=encryption,cn=config, it stumbles over 
> allowWeakCipher not allowed
>
> Does anyone know how to fix this? Is the pre schema upgrade failure 
> spurious? What bits am I missing about the allowWeakCipher issue?
>
> Thomas
>
>
>
> 2015-05-28T13:04:55Z DEBUG   [4/10]: starting directory server
> 2015-05-28T13:04:55Z DEBUG Starting external process
> 2015-05-28T13:04:55Z DEBUG args='/bin/systemctl' 'start' 
> 'dirsrv@XXXXX-COM.service'
> 2015-05-28T13:04:55Z DEBUG Process finished, return code=0
> 2015-05-28T13:04:55Z DEBUG stdout=
> 2015-05-28T13:04:55Z DEBUG stderr=Running in chroot, ignoring request.
>
> 2015-05-28T13:04:55Z DEBUG   duration: 0 seconds
> 2015-05-28T13:04:55Z DEBUG   [5/10]: preparing server upgrade
> 2015-05-28T13:05:36Z ERROR Pre schema upgrade failed with [Errno 2] No 
> such file or directory
> 2015-05-28T13:05:36Z DEBUG Traceback (most recent call last):
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", 
> line 128, in __pre_schema_upgrade
>     ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, 
> live_run=self.live_run, plugins=True)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
> line 220, in __init__
>     self.create_connection()
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
> line 783, in create_connection
>     dm_password=self.dm_password, pw_name=self.pw_name)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
> line 65, in connect
>     conn.do_external_bind(pw_name)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
> 1761, in do_external_bind
>     self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
> 1747, in __bind_with_wait
>     self.__wait_for_connection(timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
> 1733, in __wait_for_connection
>     wait_for_open_socket(lurl.hostport, timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 
> 1183, in wait_for_open_socket
>     raise e
> error: [Errno 2] No such file or directory
>
> 2015-05-28T13:05:36Z DEBUG   duration: 40 seconds
> 2015-05-28T13:05:36Z DEBUG   [6/10]: updating schema
> 2015-05-28T13:05:46Z DEBUG Traceback (most recent call last):
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
> 388, in start_creation
>     run_step(full_msg, method)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
> 378, in run_step
>     method()
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", 
> line 145, in __update_schema
>     dm_password='', ldapi=True, live_run=self.live_run) or self.modified
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", 
> line 112, in update_schema
>     fqdn=installutils.get_fqdn())
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
> line 65, in connect
>     conn.do_external_bind(pw_name)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
> 1761, in do_external_bind
>     self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
> 1747, in __bind_with_wait
>     self.__wait_for_connection(timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
> 1733, in __wait_for_connection
>     wait_for_open_socket(lurl.hostport, timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 
> 1183, in wait_for_open_socket
>     raise e
> error: [Errno 2] No such file or directory
>
> 2015-05-28T13:05:46Z DEBUG   [error] error: [Errno 2] No such file or 
> directory
> 2015-05-28T13:05:46Z DEBUG   [cleanup]: stopping directory server
> 2015-05-28T13:05:46Z DEBUG Starting external process
> 2015-05-28T13:05:46Z DEBUG args='/bin/systemctl' 'stop' 
> 'dirsrv@XXXXX-COM.service'
> 2015-05-28T13:05:46Z DEBUG Process finished, return code=0
> 2015-05-28T13:05:46Z DEBUG stdout=
> 2015-05-28T13:05:46Z DEBUG stderr=Running in chroot, ignoring request.
>
> 2015-05-28T13:05:46Z DEBUG   duration: 0 seconds
> 2015-05-28T13:05:46Z DEBUG   [cleanup]: restoring configuration
> 2015-05-28T13:05:46Z DEBUG Saving StateFile to 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-05-28T13:05:46Z DEBUG Saving StateFile to 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-05-28T13:05:46Z DEBUG   duration: 0 seconds
> 2015-05-28T13:05:46Z DEBUG   File 
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, 
> in execute
>     return_value = self.run()
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", 
> line 144, in run
>     upgrade.create_instance()
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", 
> line 93, in create_instance
>     show_service_name=False)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
> 388, in start_creation
>     run_step(full_msg, method)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
> 378, in run_step
>     method()
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", 
> line 145, in __update_schema
>     dm_password='', ldapi=True, live_run=self.live_run) or self.modified
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", 
> line 112, in update_schema
>     fqdn=installutils.get_fqdn())
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
> line 65, in connect
>     conn.do_external_bind(pw_name)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
> 1761, in do_external_bind
>     self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
> 1747, in __bind_with_wait
>     self.__wait_for_connection(timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
> 1733, in __wait_for_connection
>     wait_for_open_socket(lurl.hostport, timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 
> 1183, in wait_for_open_socket
>     raise e
>
> 2015-05-28T13:05:46Z DEBUG The ipa-ldap-updater command failed, 
> exception: error: [Errno 2] No such file or directory
> 2015-05-28T13:05:46Z ERROR [Errno 2] No such file or directory
> 2015-05-28T13:05:47Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked 
> with options: {'debug': False, 'quiet': True}
> 2015-05-28T13:05:47Z DEBUG IPA version 4.1.4-2.fc22
> 2015-05-28T13:05:47Z DEBUG Loading Index file from 
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2015-05-28T13:05:47Z DEBUG Starting external process
> 2015-05-28T13:05:47Z DEBUG args='klist' '-V'
> 2015-05-28T13:05:47Z DEBUG Process finished, return code=0
> 2015-05-28T13:05:47Z DEBUG stdout=Kerberos 5 version 1.13.1
>
> 2015-05-28T13:05:47Z DEBUG stderr=
>
>
>
>
> 2015-05-28T17:11:53Z INFO Updating existing entry: 
> cn=encryption,cn=config
> 2015-05-28T17:11:53Z DEBUG ---------------------------------------------
> 2015-05-28T17:11:53Z DEBUG Initial value
> 2015-05-28T17:11:53Z DEBUG dn: cn=encryption,cn=config
> 2015-05-28T17:11:53Z DEBUG nsSSL3:
> 2015-05-28T17:11:53Z DEBUG     off
> 2015-05-28T17:11:53Z DEBUG nsSSL2:
> 2015-05-28T17:11:53Z DEBUG     off
> 2015-05-28T17:11:53Z DEBUG cn:
> 2015-05-28T17:11:53Z DEBUG     encryption
> 2015-05-28T17:11:53Z DEBUG objectClass:
> 2015-05-28T17:11:53Z DEBUG     top
> 2015-05-28T17:11:53Z DEBUG     nsEncryptionConfig
> 2015-05-28T17:11:53Z DEBUG sslVersionMax:
> 2015-05-28T17:11:53Z DEBUG     TLS1.2
> 2015-05-28T17:11:53Z DEBUG nsSSLSessionTimeout:
> 2015-05-28T17:11:53Z DEBUG     0
> 2015-05-28T17:11:53Z DEBUG sslVersionMin:
> 2015-05-28T17:11:53Z DEBUG     TLS1.0
> 2015-05-28T17:11:53Z DEBUG nsSSLSupportedCiphers:
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDH_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
> 2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_RC4_128_SHA::RC4::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5::RC2::MD5::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_NULL_SHA::NULL::SHA1::0
> 2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_NULL_SHA::NULL::SHA1::0
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_NULL_SHA::NULL::SHA1::0
> 2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_NULL_SHA256::NULL::SHA256::0
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA::AES::SHA1::128
> 2015-05-28T17:11:53Z DEBUG     TLS_RSA_WITH_NULL_MD5::NULL::MD5::0
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA::DES::SHA1::64
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA::RC4::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG 
> SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192
> 2015-05-28T17:11:53Z DEBUG 
> SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG SSL_CK_RC2_128_CBC_WITH_MD5::RC2::MD5::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG SSL_CK_RC4_128_WITH_MD5::RC4::MD5::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
> 2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
> 2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
> 2015-05-28T17:11:53Z DEBUG TLS_ECDH_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
> 2015-05-28T17:11:53Z DEBUG SSL_CK_DES_64_CBC_WITH_MD5::DES::MD5::64
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_EXPORT_WITH_RC4_40_MD5::RC4::MD5::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
> 2015-05-28T17:11:53Z DEBUG 
> SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5::RC2::MD5::128
> 2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_DES_CBC_SHA::DES::SHA1::64
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA::AES::SHA1::256
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_SEED_CBC_SHA::SEED::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
> 2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
> 2015-05-28T17:11:53Z DEBUG 
> SSL_CK_RC4_128_EXPORT40_WITH_MD5::RC4::MD5::128
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
> 2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
> 2015-05-28T17:11:53Z DEBUG nsSSLClientAuth:
> 2015-05-28T17:11:53Z DEBUG     allowed
> 2015-05-28T17:11:53Z DEBUG nssslenabledciphers:
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
> 2015-05-28T17:11:53Z DEBUG 
> SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG nsTLS1:
> 2015-05-28T17:11:53Z DEBUG     on
> 2015-05-28T17:11:53Z DEBUG nsSSL3Ciphers:
> 2015-05-28T17:11:53Z DEBUG 
> -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
> 2015-05-28T17:11:53Z DEBUG only: set nsSSL3Ciphers to '+all', current 
> value 
> ['-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha']
> 2015-05-28T17:11:53Z DEBUG only: updated value ['+all']
> 2015-05-28T17:11:53Z DEBUG addifnew: 'off' to allowWeakCipher, current 
> value []
> 2015-05-28T17:11:53Z DEBUG addifnew: set allowWeakCipher to ['off']
> 2015-05-28T17:11:53Z DEBUG ---------------------------------------------
> 2015-05-28T17:11:53Z DEBUG Final value after applying updates
> 2015-05-28T17:11:53Z DEBUG dn: cn=encryption,cn=config
> 2015-05-28T17:11:53Z DEBUG nsSSL3:
> 2015-05-28T17:11:53Z DEBUG     off
> 2015-05-28T17:11:53Z DEBUG nsSSL2:
> 2015-05-28T17:11:53Z DEBUG     off
> 2015-05-28T17:11:53Z DEBUG cn:
> 2015-05-28T17:11:53Z DEBUG     encryption
> 2015-05-28T17:11:53Z DEBUG objectClass:
> 2015-05-28T17:11:53Z DEBUG     top
> 2015-05-28T17:11:53Z DEBUG     nsEncryptionConfig
> 2015-05-28T17:11:53Z DEBUG sslVersionMax:
> 2015-05-28T17:11:53Z DEBUG     TLS1.2
> 2015-05-28T17:11:53Z DEBUG nsSSLSessionTimeout:
> 2015-05-28T17:11:53Z DEBUG     0
> 2015-05-28T17:11:53Z DEBUG sslVersionMin:
> 2015-05-28T17:11:53Z DEBUG     TLS1.0
> 2015-05-28T17:11:53Z DEBUG nsSSLSupportedCiphers:
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDH_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
> 2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_RC4_128_SHA::RC4::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5::RC2::MD5::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_ECDSA_WITH_RC4_128_SHA::RC4::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_NULL_SHA::NULL::SHA1::0
> 2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_NULL_SHA::NULL::SHA1::0
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_NULL_SHA::NULL::SHA1::0
> 2015-05-28T17:11:53Z DEBUG TLS_ECDH_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_NULL_SHA256::NULL::SHA256::0
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA::AES::SHA1::128
> 2015-05-28T17:11:53Z DEBUG     TLS_RSA_WITH_NULL_MD5::NULL::MD5::0
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA::DES::SHA1::64
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA::RC4::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG 
> SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192
> 2015-05-28T17:11:53Z DEBUG 
> SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG SSL_CK_RC2_128_CBC_WITH_MD5::RC2::MD5::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG SSL_CK_RC4_128_WITH_MD5::RC4::MD5::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
> 2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
> 2015-05-28T17:11:53Z DEBUG TLS_DHE_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
> 2015-05-28T17:11:53Z DEBUG TLS_ECDH_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
> 2015-05-28T17:11:53Z DEBUG SSL_CK_DES_64_CBC_WITH_MD5::DES::MD5::64
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_EXPORT_WITH_RC4_40_MD5::RC4::MD5::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_WITH_AES_256_CBC_SHA256::AES::SHA256::256
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA::CAMELLIA::SHA1::256
> 2015-05-28T17:11:53Z DEBUG 
> SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5::RC2::MD5::128
> 2015-05-28T17:11:53Z DEBUG TLS_DHE_DSS_WITH_DES_CBC_SHA::DES::SHA1::64
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA::CAMELLIA::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_WITH_AES_128_CBC_SHA256::AES::SHA256::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA::AES::SHA1::256
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_128_CBC_SHA::AES::SHA1::128
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_SEED_CBC_SHA::SEED::SHA1::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
> 2015-05-28T17:11:53Z DEBUG 
> TLS_RSA_WITH_AES_128_GCM_SHA256::AES-GCM::AEAD::128
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_AES_256_CBC_SHA::AES::SHA1::256
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
> 2015-05-28T17:11:53Z DEBUG TLS_ECDHE_ECDSA_WITH_NULL_SHA::NULL::SHA1::0
> 2015-05-28T17:11:53Z DEBUG 
> SSL_CK_RC4_128_EXPORT40_WITH_MD5::RC4::MD5::128
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
> 2015-05-28T17:11:53Z DEBUG TLS_ECDHE_RSA_WITH_RC4_128_SHA::RC4::SHA1::128
> 2015-05-28T17:11:53Z DEBUG nsSSLClientAuth:
> 2015-05-28T17:11:53Z DEBUG     allowed
> 2015-05-28T17:11:53Z DEBUG nssslenabledciphers:
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG SSL_RSA_FIPS_WITH_DES_CBC_SHA::DES::SHA1::64
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_DES_CBC_SHA::DES::SHA1::64
> 2015-05-28T17:11:53Z DEBUG TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
> 2015-05-28T17:11:53Z DEBUG 
> SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA::3DES::SHA1::192
> 2015-05-28T17:11:53Z DEBUG nsTLS1:
> 2015-05-28T17:11:53Z DEBUG     on
> 2015-05-28T17:11:53Z DEBUG allowWeakCipher:
> 2015-05-28T17:11:53Z DEBUG     off
> 2015-05-28T17:11:53Z DEBUG nsSSL3Ciphers:
> 2015-05-28T17:11:53Z DEBUG     +all
> 2015-05-28T17:11:53Z DEBUG [(2, u'allowWeakCipher', ['off']), (0, 
> u'nsSSL3Ciphers', ['+all']), (1, u'nsSSL3Ciphers', 
> ['-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha'])]
> 2015-05-28T17:11:53Z DEBUG Live 1, updated 1
> 2015-05-28T17:11:53Z DEBUG   File 
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, 
> in execute
>     return_value = self.run()
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", 
> line 213, in run
>     modified = ld.update(self.files, ordered=True) or modified
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
> line 854, in update
>     self._run_updates(all_updates)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
> line 799, in _run_updates
>     self._update_record(update)
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", 
> line 720, in _update_record
>     self.conn.update_entry(entry)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
> 1628, in update_entry
>     self.conn.modify_s(entry.dn, modlist)
>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>     self.gen.throw(type, value, traceback)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 
> 1191, in error_handler
>     raise errors.ObjectclassViolation(info=info)
>
> 2015-05-28T17:11:53Z DEBUG The ipa-ldap-updater command failed, 
> exception: ObjectclassViolation: attribute "allowWeakCipher" not allowed
> 2015-05-28T17:11:53Z ERROR Unexpected error - see 
> /var/log/ipaupgrade.log for details:
> ObjectclassViolation: attribute "allowWeakCipher" not allowed
> 2015-05-29T12:46:04Z DEBUG Logging to /var/log/ipaupgrade.log
>

Hello,

1)
Actually, you have more errors there.

This causes neither the pre-schema upgrade nor the schema upgrade to be executed:

error: [Errno 2] No such file or directory

Could DS in a chroot be the cause, so that ipa-ldap-updater --upgrade 
cannot locate the DS socket?
2015-05-28T13:04:55Z DEBUG stderr=Running in chroot, ignoring request.

2)
Allow weak ciphers.
Can you check the objectclass definitions in /etc/dirsrv/slapd-XXXXX-COM/schema?
# grep 'allowWeakCipher' *

If you find more than one objectclass definition, please remove the old 
one from the ldif files and restart DS. (Probably the old one will be in 
99user.ldif.)


Martin


-- 
Martin Basti
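
The schema check suggested in the reply above, as an added example (not part of the original thread and not FreeIPA code): it unfolds LDIF continuation lines, which can split an attribute name so that a plain grep misses it, and reports every file that defines nsEncryptionConfig and whether that definition permits allowWeakCipher. The file name 50constructed.ldif, the OID and the schema contents are constructed sample data.

```python
import os
import re
import tempfile

NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(([^)]*)\))", re.I)
ATTRS_RE = re.compile(r"\b(?:MUST|MAY)\s+(?:\(([^)]*)\)|([\w;.-]+))", re.I)

# Constructed sample: a newer definition, folded so that the attribute
# name is split across two physical lines.
SAMPLE_SHIPPED = (
    "dn: cn=schema\n"
    "objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'nsEncryptionConfig'\n"
    "  DESC 'constructed sample' SUP top MUST ( cn ) MAY ( nsSSL2 $ nsSSL3\n"
    "  $ nsTLS1 $ nsSSL3Ciphers $ allowWeak\n"
    " Cipher ) X-ORIGIN 'constructed' )\n"
)
# Constructed sample: an older copy of the same objectclass in 99user.ldif.
SAMPLE_99USER = (
    "dn: cn=schema\n"
    "objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'nsEncryptionConfig' SUP top"
    " MUST ( cn ) MAY ( nsSSL2 $ nsSSL3 $ nsTLS1 $ nsSSL3Ciphers )"
    " X-ORIGIN 'user defined' )\n"
)


def unfold_ldif(text):
    """Join continuation lines: a line starting with one space continues
    the previous line, and that single space is dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def names_of(definition):
    """Lower-cased names from NAME 'x' or NAME ( 'x' 'y' )."""
    match = NAME_RE.search(definition)
    if not match:
        return set()
    if match.group(1):
        return {match.group(1).lower()}
    return {n.lower() for n in re.findall(r"'([^']+)'", match.group(2))}


def allowed_attributes(definition):
    """Lower-cased attribute names from the MUST and MAY clauses."""
    # Blank out quoted strings so DESC text cannot be taken for a clause.
    bare = re.sub(r"'[^']*'", "''", definition)
    attrs = set()
    for group, single in ATTRS_RE.findall(bare):
        for name in (group or single).split("$"):
            if name.strip():
                attrs.add(name.strip().lower())
    return attrs


def check_schema_dir(schema_dir, objectclass, attribute):
    """List each definition of objectclass and whether it allows attribute."""
    definitions = []
    for fname in sorted(os.listdir(schema_dir)):
        if not fname.endswith(".ldif"):
            continue
        with open(os.path.join(schema_dir, fname)) as fh:
            for line in unfold_ldif(fh.read()):
                if not line.lower().startswith("objectclasses:"):
                    continue
                if objectclass.lower() in names_of(line):
                    allows = attribute.lower() in allowed_attributes(line)
                    definitions.append((fname, allows))
    return {
        "definitions": definitions,
        "duplicate": len(definitions) > 1,
        "lacking_attribute": [f for f, ok in definitions if not ok],
    }


def demo():
    """Run the check over a temporary directory holding the samples."""
    with tempfile.TemporaryDirectory() as schema_dir:
        for fname, body in (("50constructed.ldif", SAMPLE_SHIPPED),
                            ("99user.ldif", SAMPLE_99USER)):
            with open(os.path.join(schema_dir, fname), "w") as fh:
                fh.write(body)
        return check_schema_dir(schema_dir, "nsEncryptionConfig",
                                "allowWeakCipher")


if __name__ == "__main__":
    print(demo())
```

On a real server, point `check_schema_dir` at the instance schema directory named in the reply and work on a backup copy of any ldif file before editing it.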



