[Freeipa-users] Issue upgrading freeipa to ipa-server-4.4.0-14.el7.centos.4.x86_64

freeipa at netnerdz.se freeipa at netnerdz.se
Wed Mar 8 17:06:37 UTC 2017


Hi all!

I'm trying to upgrade my ipa-server to the version in subject and 
hitting some bug that seems similar to
https://bugzilla.redhat.com/show_bug.cgi?id=1404910

The yum upgrade process took a bit longer than expected, so I Ctrl+C'd it 
and executed the command ipa-server-upgrade.

The error message from ipa-server-upgrade is:
8<---
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run 
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
OSError: [Errno 2] No such file or directory: 
'/etc/pki/pki-tomcat/dogtag.keytab'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for 
more information
[root at o-ipa01-r ~]#
8<---


The lines that indicate an error in the /var/log/ipaupgrade.log file are:
8<---
2017-03-07T23:05:38Z DEBUG stdout=Authenticating as principal 
root/admin at NETNERDZ.SE with password.

2017-03-07T23:05:38Z DEBUG stderr=WARNING: no policy specified for 
dogtag/o-ipa01-r.ovirt.netnerdz.se at NETNERDZ.SE; defaulting to no policy
add_principal: Principal or policy already exists while creating 
"dogtag/o-ipa01-r.ovirt.netnerdz.se at NETNERDZ.SE".

2017-03-07T23:05:38Z INFO Retrieving keytab
2017-03-07T23:05:38Z DEBUG Starting external process
2017-03-07T23:05:38Z DEBUG args=kadmin.local -q ktadd -k 
/etc/pki/pki-tomcat/dogtag.keytab 
dogtag/o-ipa01-r.ovirt.netnerdz.se at NETNERDZ.SE -x 
ipa-setup-override-restrictions
2017-03-07T23:05:48Z DEBUG Process finished, return code=0
2017-03-07T23:05:48Z DEBUG stdout=Authenticating as principal 
root/admin at NETNERDZ.SE with password.

2017-03-07T23:05:48Z DEBUG stderr=kadmin.local: Server error while 
changing dogtag/o-ipa01-r.ovirt.netnerdz.se at NETNERDZ.SE's key

2017-03-07T23:05:48Z ERROR IPA server upgrade failed: Inspect 
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-03-07T23:05:48Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in 
execute
     return_value = self.run()
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", 
line 46, in run
     server.upgrade()
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1863, in upgrade
     upgrade_configuration()
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1796, in upgrade_configuration
     ca.setup_lightweight_ca_key_retrieval()
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 
1400, in setup_lightweight_ca_key_retrieval
     self.__setup_lightweight_ca_key_retrieval_kerberos()
   File 
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 
1431, in __setup_lightweight_ca_key_retrieval_kerberos
     os.chmod(keytab, 0o600)

2017-03-07T23:05:48Z DEBUG The ipa-server-upgrade command failed, 
exception: OSError: [Errno 2] No such file or directory: 
'/etc/pki/pki-tomcat/dogtag.keytab'
2017-03-07T23:05:48Z ERROR Unexpected error - see 
/var/log/ipaupgrade.log for details:
OSError: [Errno 2] No such file or directory: 
'/etc/pki/pki-tomcat/dogtag.keytab'
2017-03-07T23:05:48Z ERROR The ipa-server-upgrade command failed. See 
/var/log/ipaupgrade.log for more information
8<---


Here's the output from the ipa-server-upgrade command:
[root at o-ipa01-r ~]# ipa-server-upgrade
Upgrading IPA:
   [1/8]: saving configuration
   [2/8]: disabling listeners
   [3/8]: enabling DS global lock
   [4/8]: starting directory server
   [5/8]: updating schema

   [6/8]: upgrading server
   [7/8]: stopping directory server
   [8/8]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-NETNERDZ-SE/certmap.conf is now managed by IPA. It 
will be overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Checking global forwarding policy in named.conf to avoid conflicts with 
automatic empty zones]
Changes to named.conf have been made, restart named
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run 
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
OSError: [Errno 2] No such file or directory: 
'/etc/pki/pki-tomcat/dogtag.keytab'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for 
more information
[root at o-ipa01-r ~]#

Everything seems to be working as normal, but this error message worries 
me a bit since this is my only ipa server (setting up a secondary master 
has been on my todo list).
Can you help me troubleshoot this?
Or should I just set up a replica and propagate it to primary node for 
all clients and then reinstall the one that has the problem?

Thank you in advance!
//Robert
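
Added example (not part of the original post, and not FreeIPA code): in the log excerpt above, `kadmin.local ... ktadd` finishes with return code 0 while its stderr reports a server error, and the later `os.chmod` then fails because the keytab file does not exist. The script below pairs each external command in an ipaupgrade.log with its return code and stderr to surface that pattern; the function names and the `SUSPECT` keyword heuristic are assumptions of this example.

```python
import re

# Sample input: lines copied from the log excerpt in the post, with the mail
# wrapping rejoined (the list archive's " at " address form is kept as is).
SAMPLE_LOG = """\
2017-03-07T23:05:38Z INFO Retrieving keytab
2017-03-07T23:05:38Z DEBUG Starting external process
2017-03-07T23:05:38Z DEBUG args=kadmin.local -q ktadd -k /etc/pki/pki-tomcat/dogtag.keytab dogtag/o-ipa01-r.ovirt.netnerdz.se at NETNERDZ.SE -x ipa-setup-override-restrictions
2017-03-07T23:05:48Z DEBUG Process finished, return code=0
2017-03-07T23:05:48Z DEBUG stdout=Authenticating as principal root/admin at NETNERDZ.SE with password.

2017-03-07T23:05:48Z DEBUG stderr=kadmin.local: Server error while changing dogtag/o-ipa01-r.ovirt.netnerdz.se at NETNERDZ.SE's key

2017-03-07T23:05:48Z DEBUG The ipa-server-upgrade command failed, exception: OSError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/dogtag.keytab'
"""

ENTRY = re.compile(r"^(\d{4}-\d\d-\d\dT[\d:]+Z) (DEBUG|INFO|WARNING|ERROR) (.*)$")
# Heuristic (assumption of this example): stderr wording that signals a failure.
SUSPECT = re.compile(r"\b(error|failed|cannot|denied)\b", re.I)

def parse_entries(text):
    """Group lines into [time, level, message]; untimestamped lines continue an entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2), m.group(3)])
        elif entries and line.strip():
            entries[-1][2] += "\n" + line
    return entries

def external_commands(entries):
    """Pair each 'args=' entry with the return code and stderr logged after it."""
    cmds = []
    for ts, _level, msg in entries:
        if msg.startswith("args="):
            cmds.append({"time": ts, "args": msg[5:], "rc": None, "stderr": ""})
        elif cmds and (m := re.match(r"Process finished, return code=(-?\d+)", msg)):
            cmds[-1]["rc"] = int(m.group(1))
        elif cmds and msg.startswith("stderr="):
            cmds[-1]["stderr"] = msg[7:].strip()
    return cmds

def silent_failures(text):
    """Commands that exited 0 although their stderr reports a failure."""
    return [c for c in external_commands(parse_entries(text))
            if c["rc"] == 0 and SUSPECT.search(c["stderr"])]

if __name__ == "__main__":
    for c in silent_failures(SAMPLE_LOG):
        print(c["time"], "rc=0 but stderr:", c["stderr"], "| cmd:", c["args"])
```
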



