[Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

Matt . yamakasi.014 at gmail.com
Tue Oct 18 08:06:06 UTC 2016


Hi Martin,

Indeed strange, as another master where I did the upgrade went fine.

It is/was a master with CA and Externally Signed CA, which was
perfectly synced to the other master.

I finally uninstalled the ipa server and did a new replica install on
it with dns and CA and all went smooth and fine. I also had some weird
DNS error and bind didn't want to start anymore because of expecting a
; I thought this had something to do with a forwarder which wasn't.

For now I'm good, but do you want extra info?

Thanks,

Matt

2016-10-18 7:49 GMT+02:00 Martin Babinsky <mbabinsk at redhat.com>:
> On 10/18/2016 12:30 AM, Matt . wrote:
>>
>> Hi Guys,
>>
>> I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24
>>
>> I already checked some info and:
>>
>> ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>>
>> Gives me TU instead of MII as expected.
>>
>> Any further suggestions?
>>
>> Thanks,
>>
>> Matt
>>
>>
>> 2016-10-17T22:19:10Z DEBUG Starting external process
>> 2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
>> 2016-10-17T22:19:10Z DEBUG Process finished, return code=255
>> 2016-10-17T22:19:10Z DEBUG stdout=
>> 2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert:
>> Server-Cert
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>> 2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2016-10-17T22:19:11Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
>> in execute
>>     return_value = self.run()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 46, in run
>>     server.upgrade()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1867, in upgrade
>>     upgrade_configuration()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1770, in upgrade_configuration
>>     certificate_renewal_update(ca, ds, http),
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1027, in certificate_renewal_update
>>     ds.start_tracking_certificates(serverid)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>> line 996, in start_tracking_certificates
>>     'restart_dirsrv %s' % serverid)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 307, in track_server_cert
>>     nsscert = x509.load_certificate(cert, dbdir=self.secdir)
>>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in
>> load_certificate
>>     return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin
>>
>>
>> 016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed,
>> exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE)
>> security library failure.
>> 2016-10-17T22:19:11Z ERROR Unexpected error - see
>> /var/log/ipaupgrade.log for details:
>> NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>> 2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See
>> /var/log/ipaupgrade.log for more information
>>
>
> Hmmm strange,
>
> looks like your DS certificate got lost or has some strange nickname in your
> directory server's NSS database.
>
> Is this CA-less install, externally signed CA or 'self-signed' CA? Master or
> replica?
>
> --
> Martin^3 Babinsky

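A check for the symptom reported in this thread (the ldapsearch value starting with TU instead of MII), added here as an example and not taken from the thread or from FreeIPA's code. It assumes the certificate sits in the `cACertificate;binary` attribute and looks only at the leading bytes; the sample values are constructed, not real certificates.

```python
import base64
import binascii

ATTR = "cACertificate;binary"  # assumption: attribute holding the cert in cn=CAcert


def ldif_b64_values(ldif, attr=ATTR):
    """Return base64 values ('attr:: ...') from LDIF text, unfolding continuations."""
    values, current = [], None
    for line in ldif.splitlines():
        if line.startswith(" ") and current is not None:
            current += line[1:]      # LDIF folds long lines with one leading space
            continue
        if current is not None:
            values.append(current)
            current = None
        if line.lower().startswith(attr.lower() + "::"):
            current = line.split("::", 1)[1].strip()
    if current is not None:
        values.append(current)
    return values


def classify(b64_value):
    """Say what is actually stored behind one base64 LDIF value."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    if raw[:2] == b"\x30\x82":       # DER SEQUENCE header; its base64 starts "MII"
        return "der"
    if raw.startswith(b"-----BEGIN"):
        return "pem-text"
    try:                             # are the stored bytes themselves base64 text?
        inner = base64.b64decode(raw.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "double-encoded" if inner[:2] == b"\x30\x82" else "unknown"


# Constructed sample: a fake DER header plus filler bytes, not a real certificate.
FAKE_DER = b"\x30\x82\x03\x10" + bytes(range(60))
GOOD = base64.b64encode(FAKE_DER).decode()      # begins "MII"
BAD = base64.b64encode(GOOD.encode()).decode()  # base64 text stored as binary: "TU"


def sample_ldif(value):
    folded = "\n ".join(value[i:i + 60] for i in range(0, len(value), 60))
    return "dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test\n%s:: %s\ncn: CAcert\n" % (ATTR, folded)
```

Feed it the output of the ldapsearch command quoted above; a `double-encoded` result means the entry holds the base64 text of the certificate rather than its DER bytes.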