<div dir="ltr">Hello,
<div><br></div>
<div>I'm rather at a loss here.</div>
<div>Everything seems to be running:</div>
<div>
<div>ipactl status</div>
<div>Directory Service: RUNNING</div>
<div>krb5kdc Service: RUNNING</div>
<div>kadmin Service: RUNNING</div>
<div>named Service: RUNNING</div>
<div>ipa_memcached Service: RUNNING</div>
<div>httpd Service: RUNNING</div>
<div>pki-tomcatd Service: RUNNING</div>
<div>ipa-otpd Service: RUNNING</div>
<div>ipa-dnskeysyncd Service: RUNNING</div>
<div>ipa: INFO: The ipactl command was successful</div>
</div>
<div><br></div>
<div>But the upgrade log is flooded with this error:</div>
<div>
<div>2014-10-27T21:52:10Z DEBUG Waiting for CA to start...</div>
<div>2014-10-27T21:52:11Z DEBUG request '<a href="https://freeipa.x.x:443/ca/admin/ca/getStatus">https://freeipa.x.x:443/ca/admin/ca/getStatus</a>'</div>
<div>2014-10-27T21:52:11Z DEBUG request body ''</div>
<div>2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted</div>
<div>2014-10-27T21:52:11Z DEBUG Waiting for CA to start...</div>
<div>2014-10-27T21:52:12Z DEBUG request '<a href="https://freeipa.x.x:443/ca/admin/ca/getStatus">https://freeipa.x.x:443/ca/admin/ca/getStatus</a>'</div>
<div>2014-10-27T21:52:12Z DEBUG request body ''</div>
<div><br></div>
<div>I've tried the URL and it works fine.</div>
<div><a href="https://freeipa.x.x/ca/admin/ca/getStatus">https://freeipa.x.x/ca/admin/ca/getStatus</a><br></div>
</div>
<div>It gives the following XML:<br></div>
<div>
<div>&lt;?xml version="1.0" encoding="UTF-8" standalone="no"?&gt;&lt;XMLResponse&gt;&lt;State&gt;1&lt;/State&gt;&lt;Type&gt;CA&lt;/Type&gt;&lt;Status&gt;running&lt;/Status&gt;&lt;Version&gt;10.2.0-3.fc20&lt;/Version&gt;&lt;/XMLResponse&gt;</div>
<div><br></div>
<div>After I run ipa-upgradeconfig it complains about a missing magic dog tag attribute:</div>
<div>ipa-upgradeconfig</div>
<div>[Verifying that root certificate is published]</div>
<div>Failed to backup CS.cfg: no magic attribute 'dogtag'</div>
<div>[Migrate CRL publish directory]</div>
<div>CRL tree already moved</div>
<div>[Verifying that CA proxy configuration is correct]</div>
<div>[Verifying that KDC configuration is using ipa-kdb backend]</div>
<div>[Fixing trust flags in /etc/httpd/alias]</div>
<div>Trust flags already processed</div>
<div>[Fix DS schema file syntax]</div>
<div>Syntax already fixed</div>
<div>[Removing RA cert from DS NSS database]</div>
<div>RA cert already removed</div>
<div>[Removing self-signed CA]</div>
<div>[Checking for deprecated KDC configuration files]</div>
<div>[Checking for deprecated backups of Samba configuration files]</div>
<div>[Setting up Firefox extension]</div>
<div>[Add missing CA DNS records]</div>
<div>IPA CA DNS records already processed</div>
<div>[Removing deprecated DNS configuration options]</div>
<div>[Ensuring minimal number of connections]</div>
<div>[Enabling serial autoincrement in DNS]</div>
<div>[Updating GSSAPI configuration in DNS]</div>
<div>[Updating pid-file configuration in DNS]</div>
<div>[Masking named]</div>
<div>Changes to named.conf have been made, restart named</div>
<div>[Verifying that CA service certificate profile is updated]</div>
<div>[Update certmonger certificate renewal configuration to version 2]</div>
<div>[Enable PKIX certificate path discovery and validation]</div>
<div>PKIX already enabled</div>
<div>The ipa-upgradeconfig command was successful</div>
<div><br></div>
<div>But my local DNS zone no longer resolves :(</div>
<div><br></div>
<div>Reverting back to the 3.3 snapshot again :(</div>
<div><br></div>
<div>Please help<br>Rob</div>
</div></div><div class="gmail_extra"><br><div 
class="gmail_quote">2014-10-26 21:38 GMT+01:00 Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">Rob Verduijn wrote:<br>
> hmmmm....<br>
><br>
> after some more digging (monitoring the upgrade more closely.)<br>
> I saw that the upgrade kept waiting for the ca to start, which it did<br>
> not do.<br>
> and after 5 minutes the upgrade gave up with the following errors in the<br>
> ipaupgrade log :<br>
><br>
> at 85% it says :<br>
> 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache<br>
> url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket<br>
> conn=&lt;ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0&gt;<br>
> 2014-10-26T15:04:35Z DEBUG Starting external process<br>
> 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'<br>
> '/etc/httpd/alias' '-L'<br>
> 2014-10-26T15:04:35Z DEBUG Process finished, return code=0<br>
> 2014-10-26T15:04:35Z DEBUG stdout=<br>
> Certificate Nickname                                         Trust<br>
> Attributes<br>
><br>
>  SSL,S/MIME,JAR/XPI<br>
><br>
> Signing-Cert                                                 u,u,u<br>
> XXXX.XXXX IPA CA                                           CT,C,C<br>
> ipaCert                                                      u,u,u<br>
> Server-Cert                                                  u,u,u<br>
><br>
> 2014-10-26T15:04:35Z DEBUG stderr=<br>
> 2014-10-26T15:04:35Z DEBUG Starting external process<br>
> 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'<br>
> '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'<br>
> 2014-10-26T15:04:35Z DEBUG Process finished, return code=0<br>
> 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----<br>
> < certificate-removed ><br>
> -----END CERTIFICATE-----<br>
> 2014-10-26T15:04:35Z DEBUG stderr=<br>
> 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to<br>
</div></div>> 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\<br>
<br>
This has nothing to do with the CA, the LDAP server didn't come up. I'd<br>
start with those logs or look earlier in ipaupgrade.log<br>
<br>
The CA requires 389-ds to be running so if it isn't up, then it will<br>
fail to start too.<br>
<span class="HOEnZb"><font color="#888888"><br>
rob<br>
<br>
</font></span></blockquote></div><br></div>
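Added example (not part of the original messages and not FreeIPA code): the reply's advice to look earlier in ipaupgrade.log, written as a small Python triage that counts the "Waiting for CA to start" polls, collects the reported CA status values, finds the first ERROR line, and flags an ldapi connection failure. The function names are hypothetical, and the sample log is constructed by combining lines quoted from both messages in this thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: log lines and getStatus XML as quoted in the thread.
SAMPLE_LOG = """\
2014-10-26T15:04:35Z DEBUG Process finished, return code=0
2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':
2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
"""
SAMPLE_XML = (b'<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
              b'<XMLResponse><State>1</State><Type>CA</Type>'
              b'<Status>running</Status><Version>10.2.0-3.fc20</Version>'
              b'</XMLResponse>')

LINE = re.compile(r"^(\S+Z) (DEBUG|INFO|WARNING|ERROR|CRITICAL) (.*)$")
STATUS_PREFIX = "The CA status is: "

def triage(log_text):
    """Summarise CA start polling and ERROR lines in ipaupgrade.log text."""
    polls, statuses, errors = 0, [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # continuation lines (certutil output, PEM) carry no level
        ts, level, msg = m.groups()
        if msg.startswith("Waiting for CA to start"):
            polls += 1
        elif msg.startswith(STATUS_PREFIX):
            statuses.append(msg[len(STATUS_PREFIX):])
        elif level in ("ERROR", "CRITICAL"):
            errors.append((ts, msg))
    # A failed ldapi connection means the directory server is the place to look.
    ldap_down = any("cannot connect to" in e and "ldapi://" in e for _, e in errors)
    return {
        "ca_polls": polls,
        "ca_statuses": sorted(set(statuses)),
        "first_error": errors[0] if errors else None,
        "ldap_unreachable": ldap_down,
    }

def ca_status(xml_bytes):
    """Return the <Status> text of a getStatus XMLResponse, or None."""
    root = ET.fromstring(xml_bytes)
    return root.findtext("Status") if root.tag == "XMLResponse" else None

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(ca_status(SAMPLE_XML))
```
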