[Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

Martin Babinsky mbabinsk at redhat.com
Tue Oct 18 05:49:07 UTC 2016


On 10/18/2016 12:30 AM, Matt . wrote:
> Hi Guys,
>
> I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24
>
> I already checked some info and:
>
> ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>
> Gives me TU instead of MII as expected.
>
> Any further suggestions?
>
> Thanks,
>
> Matt
>
>
> 2016-10-17T22:19:10Z DEBUG Starting external process
> 2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d
> /etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
> 2016-10-17T22:19:10Z DEBUG Process finished, return code=255
> 2016-10-17T22:19:10Z DEBUG stdout=
> 2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert: Server-Cert
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> 2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2016-10-17T22:19:11Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
> in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 46, in run
>     server.upgrade()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1867, in upgrade
>     upgrade_configuration()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1770, in upgrade_configuration
>     certificate_renewal_update(ca, ds, http),
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1027, in certificate_renewal_update
>     ds.start_tracking_certificates(serverid)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
> line 996, in start_tracking_certificates
>     'restart_dirsrv %s' % serverid)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
> line 307, in track_server_cert
>     nsscert = x509.load_certificate(cert, dbdir=self.secdir)
>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in
> load_certificate
>     return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin
>
>
> 016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed,
> exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE)
> security library failure.
> 2016-10-17T22:19:11Z ERROR Unexpected error - see
> /var/log/ipaupgrade.log for details:
> NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> 2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See
> /var/log/ipaupgrade.log for more information
>

Hmmm strange,

looks like your DS certificate got lost or has some strange nickname in 
your directory server's NSS database.

Is this a CA-less install, an externally signed CA or a 'self-signed' CA?
Master or replica?

-- 
Martin^3 Babinsky
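
The "TU instead of MII" observation in the quoted message can be checked mechanically: the base64 of a DER certificate normally begins with "MII", and the base64 of that base64 text begins with "TUlJ". The Python below is an added example, not part of the original thread or of FreeIPA's code; the function names and the sample blob are constructed, and it assumes the input is the base64 text ldapsearch prints after `attr:: `.

```python
import base64
import binascii


def b64_or_none(blob):
    """Strictly base64-decode bytes; return None if blob is not valid base64."""
    try:
        return base64.b64decode(b"".join(blob.split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def is_der_sequence(data):
    """True for an ASN.1 SEQUENCE with a two-byte long-form length that
    matches the blob size (the shape of a typical X.509 certificate)."""
    return (len(data) >= 4 and data[0] == 0x30 and data[1] == 0x82
            and int.from_bytes(data[2:4], "big") == len(data) - 4)


def classify_cert_value(b64_text):
    """Classify the base64 text that ldapsearch prints after 'attr:: '."""
    raw = b64_or_none(b64_text.encode("ascii", "replace"))
    if raw is None:
        return "not-base64"
    if is_der_sequence(raw):
        return "der"                      # value starts with "MII"
    if raw.lstrip().startswith(b"-----BEGIN"):
        return "pem-text"                 # value starts with "LS0t"
    inner = b64_or_none(raw)
    if inner is not None and is_der_sequence(inner):
        return "double-base64"            # value starts with "TUlJ"
    return "unknown"


def constructed_der(body_len=300):
    """Constructed stand-in for a certificate: SEQUENCE header + zero bytes."""
    return b"\x30\x82" + body_len.to_bytes(2, "big") + bytes(body_len)


if __name__ == "__main__":
    once = base64.b64encode(constructed_der()).decode()
    twice = base64.b64encode(once.encode()).decode()
    for value in (once, twice):
        print(value[:4], classify_cert_value(value))
```

A "double-base64" result means the stored value is the text form of the certificate rather than its DER bytes; it does not by itself explain the missing Server-Cert nickname reported by certutil.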



