[Freeipa-users] Issue upgrading freeipa to ipa-server-4.4.0-14.el7.centos.4.x86_64
freeipa at netnerdz.se
Wed Mar 8 17:06:37 UTC 2017
Hi all!
I'm trying to upgrade my ipa-server to the version in the subject and
hitting some bug that seems similar to
https://bugzilla.redhat.com/show_bug.cgi?id=1404910
The yum upgrade process took a bit longer than expected so I ctrl+c'd it
and executed the command ipa-server-upgrade
The error message from ipa-server-upgrade is:
8<---
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
OSError: [Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/dogtag.keytab'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
[root@o-ipa01-r ~]#
8<---
The lines that indicate an error in the /var/log/ipaupgrade.log file are:
8<---
2017-03-07T23:05:38Z DEBUG stdout=Authenticating as principal
root/admin@NETNERDZ.SE with password.
2017-03-07T23:05:38Z DEBUG stderr=WARNING: no policy specified for
dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE; defaulting to no policy
add_principal: Principal or policy already exists while creating
"dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE".
2017-03-07T23:05:38Z INFO Retrieving keytab
2017-03-07T23:05:38Z DEBUG Starting external process
2017-03-07T23:05:38Z DEBUG args=kadmin.local -q ktadd -k
/etc/pki/pki-tomcat/dogtag.keytab
dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE -x
ipa-setup-override-restrictions
2017-03-07T23:05:48Z DEBUG Process finished, return code=0
2017-03-07T23:05:48Z DEBUG stdout=Authenticating as principal
root/admin@NETNERDZ.SE with password.
2017-03-07T23:05:48Z DEBUG stderr=kadmin.local: Server error while
changing dogtag/o-ipa01-r.ovirt.netnerdz.se@NETNERDZ.SE's key
2017-03-07T23:05:48Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-03-07T23:05:48Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 46, in run
server.upgrade()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1863, in upgrade
upgrade_configuration()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1796, in upgrade_configuration
ca.setup_lightweight_ca_key_retrieval()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1400, in setup_lightweight_ca_key_retrieval
self.__setup_lightweight_ca_key_retrieval_kerberos()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1431, in __setup_lightweight_ca_key_retrieval_kerberos
os.chmod(keytab, 0o600)
2017-03-07T23:05:48Z DEBUG The ipa-server-upgrade command failed,
exception: OSError: [Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/dogtag.keytab'
2017-03-07T23:05:48Z ERROR Unexpected error - see
/var/log/ipaupgrade.log for details:
OSError: [Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/dogtag.keytab'
2017-03-07T23:05:48Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information
8<---
Here's the output from the ipa-server-upgrade command:
[root@o-ipa01-r ~]# ipa-server-upgrade
Upgrading IPA:
[1/8]: saving configuration
[2/8]: disabling listeners
[3/8]: enabling DS global lock
[4/8]: starting directory server
[5/8]: updating schema
[6/8]: upgrading server
[7/8]: stopping directory server
[8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-NETNERDZ-SE/certmap.conf is now managed by IPA. It
will be overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with
automatic empty zones]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
OSError: [Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/dogtag.keytab'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
[root@o-ipa01-r ~]#
Everything seems to be working as normal, but this error message worries
me a bit since this is my only ipa server (setting up a secondary master
has been on my todo list).
Can you help me troubleshoot this?
Or should I just set up a replica and propagate it to primary node for
all clients and then reinstall the one that has the problem?
Thank you in advance!
//Robert