Hi Florence,

Thanks for the email. As you have mentioned, I tried updating the corresponding python files under IPA Server and tried for the Upgrade. However I was getting the error below:

-----

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute

    return_value = self.run()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run

    server.upgrade()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade

    upgrade_configuration()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1788, in upgrade_configuration

    certificate_renewal_update(ca, ds, http),

  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 966, in certificate_renewal_update

    'cert-nickname': ds.get_server_cert_nickname(serverid),


ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: AttributeError: 'DsInstance' object has no attribute 'get_server_cert_nickname'

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details:

AttributeError: 'DsInstance' object has no attribute 'get_server_cert_nickname'

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

------

So do I need to define "get_server_cert_nickname"  in certs.py script too.


Awaiting your reply.


Thanks and Regards,

Alka Murali


On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud <flo@redhat.com> wrote:
On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
Hello,

Currently my server is running on IPA Server Version 4.4. I have tried to upgrade the Version to 4.5 using the ipa-server-upgrade command and got ended with the following error:


--------

2017-09-26T02:27:32Z DEBUG stderr=

2017-09-26T02:27:50Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'

2017-09-26T02:27:53Z DEBUG Starting external process

2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt

2017-09-26T02:27:56Z DEBUG Process finished, return code=255

2017-09-26T02:27:56Z DEBUG stdout=

2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert: Server-Cert

: PR_FILE_NOT_FOUND_ERROR: File not found


2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.

2017-09-26T02:27:56Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute

return_value = self.run()

File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run

server.upgrade()

File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade

upgrade_configuration()

File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1788, in upgrade_configuration

certificate_renewal_update(ca, ds, http),

File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1018, in certificate_renewal_update

ds.start_tracking_certificates(serverid)

File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1046, in start_tracking_certificates

'restart_dirsrv %s' % serverid)

File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 362, in track_server_cert

cert_obj = x509.load_certificate(cert)

File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in load_certificate

return cryptography.x509.load_der_x509_certificate(data, default_backend())

File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py", line 47, in load_der_x509_certificate

return backend.load_der_x509_certificate(data)

File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 350, in load_der_x509_certificate

return b.load_der_x509_certificate(data)

File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1185, in load_der_x509_certificate

raise ValueError("Unable to load certificate")


2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command failed, exception: ValueError: Unable to load certificate

2017-09-26T02:27:56Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:

ValueError: Unable to load certificate

2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

-------

I am using a third party signed certificate along with my IPA-CA. Is it an issue with my current CA. I can see that while fetching for the certificate, the name given to be "Server-cert" instead of the exact CA name.


--
Regards,
Alka Murali


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

Hi,

you are probably hitting issue 7141 [1]. The upgrade is trying to track the HTTPd/LDAP server certificates but shouldn't if they were issued by an external CA.

The fix is available in FreeIPA 4.6.1 [2]

HTH,
Flo

[1] https://pagure.io/freeipa/issue/7141
[2] http://www.freeipa.org/page/Releases/4.6.1



--
Regards,
Alka Murali