Hi Florence,
Thanks for the reply.
However, do you mean that I need to create a new repo file for Version 4.6
and try the Upgrade? Or do you mean that I need to remove the current
installation and go for a fresh install?
Regards,
Alka Murali
On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
On 09/28/2017 04:12 AM, Alka Murali wrote:
> Hi Florence,
>
> Thanks for the email. As you have mentioned, I tried updating the
> corresponding python files under IPA Server and tried for the Upgrade.
>
Hi,
do you mean that you manually edited the python files? In this case it is
likely that some files were forgotten. The patch for 4-5 branch is
https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044 but
may depend on other commits applied on the branch between the 4.5.3 release
and the patch.
For consistency, I'd rather recommend upgrading the packages to 4.6
(available in the copr repo @freeipa/freeipa-4-6 for Fedora 26 and
Fedora 27).
Flo
> However, I was getting the error below:
>
> -----
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>     server.upgrade()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
>     upgrade_configuration()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1788, in upgrade_configuration
>     certificate_renewal_update(ca, ds, http),
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 966, in certificate_renewal_update
>     'cert-nickname': ds.get_server_cert_nickname(serverid),
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: AttributeError: 'DsInstance' object has no attribute 'get_server_cert_nickname'
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details:
> AttributeError: 'DsInstance' object has no attribute 'get_server_cert_nickname'
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>
> ------
>
> So do I need to define "get_server_cert_nickname" in certs.py script too?
>
>
> Awaiting your reply.
>
>
> Thanks and Regards,
>
> Alka Murali
>
>
> On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
>
> On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:
>
> Hello,
>
> Currently my server is running on IPA Server Version 4.4. I have
> tried to upgrade the Version to 4.5 using the ipa-server-upgrade
> command and ended up with the following error:
>
>
> --------
>
> 2017-09-26T02:27:32Z DEBUG stderr=
> 2017-09-26T02:27:50Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> 2017-09-26T02:27:53Z DEBUG Starting external process
> 2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
> 2017-09-26T02:27:56Z DEBUG Process finished, return code=255
> 2017-09-26T02:27:56Z DEBUG stdout=
> 2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert: Server-Cert
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> 2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>
> 2017-09-26T02:27:56Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>     server.upgrade()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
>     upgrade_configuration()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1788, in upgrade_configuration
>     certificate_renewal_update(ca, ds, http),
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1018, in certificate_renewal_update
>     ds.start_tracking_certificates(serverid)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1046, in start_tracking_certificates
>     'restart_dirsrv %s' % serverid)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 362, in track_server_cert
>     cert_obj = x509.load_certificate(cert)
>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in load_certificate
>     return cryptography.x509.load_der_x509_certificate(data, default_backend())
>   File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py", line 47, in load_der_x509_certificate
>     return backend.load_der_x509_certificate(data)
>   File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 350, in load_der_x509_certificate
>     return b.load_der_x509_certificate(data)
>   File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1185, in load_der_x509_certificate
>     raise ValueError("Unable to load certificate")
>
>
> 2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command failed, exception: ValueError: Unable to load certificate
> 2017-09-26T02:27:56Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
> ValueError: Unable to load certificate
> 2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>
> -------
>
> I am using a third-party signed certificate along with my
> IPA-CA. Is it an issue with my current CA? I can see that while
> fetching the certificate, the name is given as "Server-cert"
> instead of the exact CA name.
>
>
> -- Regards,
> Alka Murali
>
>
> Hi,
>
> you are probably hitting issue 7141 [1]. The upgrade is trying to
> track the HTTPd/LDAP server certificates but shouldn't if they were
> issued by an external CA.
>
> The fix is available in FreeIPA 4.6.1 [2]
>
> HTH,
> Flo
>
> [1] https://pagure.io/freeipa/issue/7141
> [2] http://www.freeipa.org/page/Releases/4.6.1
>
>
>
>
> --
> Regards,
> Alka Murali
>