[Freeipa-users] My IPA installation doesn't work after upgrade

Morgan Marodin morgan at marodin.it
Thu Nov 17 11:09:13 UTC 2016


Hello.

This morning I've tried to upgrade my IPA server, but the upgrade failed,
and now the service doesn't start! :(

If I try to launch the upgrade manually this is the output:

[root@mlv-ipa01 download]# ipa-server-upgrade
Upgrading IPA:
  [1/8]: saving configuration
  [2/8]: disabling listeners
  [3/8]: enabling DS global lock
  [4/8]: starting directory server
  [5/8]: updating schema
  [6/8]: upgrading server
  [7/8]: stopping directory server
  [8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start httpd.service' returned non-zero exit status 1
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

These are error logs of Apache:


[Thu Nov 17 11:48:45.498510 2016] [suexec:notice] [pid 5664] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Nov 17 11:48:45.499220 2016] [:warn] [pid 5664] NSSSessionCacheTimeout is deprecated. Ignoring.
[Thu Nov 17 11:48:45.830910 2016] [:error] [pid 5664] Certificate not found: 'Server-Cert'

The problem seems to be the *Server-Cert* that could not be found.
But if I try to execute the certutil command manually I can see it:

[root@mlv-ipa01 log]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
IPA.MYDOMAIN.COM IPA CA                                      CT,C,C

Could you help me?
What could I try to do to restart my service?

Thanks, Morgan