Hi Florence,

Thanks for the reply.

However, do you mean that I need to create a new repo file for Version 4.6 and try the Upgrade? Or do you mean that I need to remove the current installation and go for a fresh install?

Regards,
Alka Murali

On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud <flo@redhat.com> wrote:
On 09/28/2017 04:12 AM, Alka Murali wrote:
Hi Florence,

Thanks for the email. As you have mentioned, I tried updating the corresponding python files under IPA Server and tried for the Upgrade.
Hi,

Do you mean that you manually edited the python files? In this case it is likely that some files were forgotten. The patch for the 4-5 branch is https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044 but may depend on other commits applied on the branch between the 4.5.3 release and the patch.

For consistency, I'd rather recommend upgrading the packages to 4.6 (available in the copr repo @freeipa/freeipa-4-6 for Fedora 26 and Fedora 27).

Flo

However I was getting the error below:

-----

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1788, in upgrade_configuration
    certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 966, in certificate_renewal_update
    'cert-nickname': ds.get_server_cert_nickname(serverid),

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: AttributeError: 'DsInstance' object has no attribute 'get_server_cert_nickname'
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details:
AttributeError: 'DsInstance' object has no attribute 'get_server_cert_nickname'
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

------

So do I need to define "get_server_cert_nickname" in the certs.py script too?


Awaiting your reply.


Thanks and Regards,

Alka Murali


On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud <flo@redhat.com> wrote:

    On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote:

        Hello,

        Currently my server is running on IPA Server Version 4.4. I have
        tried to upgrade the Version to 4.5 using the ipa-server-upgrade
        command and ended up with the following error:


        --------

        2017-09-26T02:27:32Z DEBUG stderr=
        2017-09-26T02:27:50Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
        2017-09-26T02:27:53Z DEBUG Starting external process
        2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
        2017-09-26T02:27:56Z DEBUG Process finished, return code=255
        2017-09-26T02:27:56Z DEBUG stdout=
        2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert: Server-Cert
        : PR_FILE_NOT_FOUND_ERROR: File not found

        2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
        2017-09-26T02:27:56Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
            return_value = self.run()
          File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
            server.upgrade()
          File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
            upgrade_configuration()
          File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1788, in upgrade_configuration
            certificate_renewal_update(ca, ds, http),
          File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1018, in certificate_renewal_update
            ds.start_tracking_certificates(serverid)
          File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1046, in start_tracking_certificates
            'restart_dirsrv %s' % serverid)
          File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 362, in track_server_cert
            cert_obj = x509.load_certificate(cert)
          File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in load_certificate
            return cryptography.x509.load_der_x509_certificate(data, default_backend())
          File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py", line 47, in load_der_x509_certificate
            return backend.load_der_x509_certificate(data)
          File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 350, in load_der_x509_certificate
            return b.load_der_x509_certificate(data)
          File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1185, in load_der_x509_certificate
            raise ValueError("Unable to load certificate")

        2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command failed, exception: ValueError: Unable to load certificate
        2017-09-26T02:27:56Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
        ValueError: Unable to load certificate
        2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

        -------

        I am using a third-party signed certificate along with my
        IPA-CA. Is it an issue with my current CA? I can see that while
        fetching the certificate, the name given is "Server-cert"
        instead of the exact CA name.


        --
        Regards,
        Alka Murali



    Hi,

    You are probably hitting issue 7141 [1]. The upgrade is trying to
    track the HTTPd/LDAP server certificates but shouldn't if they were
    issued by an external CA.

    The fix is available in FreeIPA 4.6.1 [2].

    HTH,
    Flo

    [1] https://pagure.io/freeipa/issue/7141
    [2] http://www.freeipa.org/page/Releases/4.6.1




--
Regards,
Alka Murali
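
Added example (not part of the original thread, and not FreeIPA code): a small triage script that pairs each `certutil -L -n <nickname>` call logged in ipaupgrade.log with its return code, to spot the failed nickname lookup that precedes the "Unable to load certificate" error above. The log layout is assumed from the excerpt quoted in this thread; the last three sample lines, including the `Example-Cert` nickname, are constructed.

```python
import re
import shlex

# First six lines are from the ipaupgrade.log excerpt in this thread (wrapped
# lines rejoined); the last three are constructed to show a successful lookup.
SAMPLE_LOG = """\
2017-09-26T02:27:53Z DEBUG Starting external process
2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt
2017-09-26T02:27:56Z DEBUG Process finished, return code=255
2017-09-26T02:27:56Z DEBUG stdout=
2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
2017-09-26T02:27:57Z DEBUG Starting external process
2017-09-26T02:27:57Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L -n Example-Cert -a
2017-09-26T02:27:58Z DEBUG Process finished, return code=0
"""

# A log entry starts with a UTC timestamp and a level; anything else is a
# continuation line (multi-line stderr or traceback text).
ENTRY = re.compile(r"^\S+Z (?:DEBUG|ERROR) (.*)$")


def _opt(argv, flag):
    """Return the value following `flag` in argv, or None if absent."""
    i = argv.index(flag) if flag in argv else -1
    return argv[i + 1] if 0 <= i < len(argv) - 1 else None


def failed_nickname_lookups(log_text):
    """Return (nss_db, nickname, return_code) for each failed certutil -L -n."""
    failures, pending = [], None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("args="):
            argv = shlex.split(msg[len("args="):])
            is_lookup = bool(argv) and argv[0].endswith("certutil") and "-L" in argv
            nickname = _opt(argv, "-n") if is_lookup else None
            pending = (_opt(argv, "-d"), nickname) if nickname else None
        elif msg.startswith("Process finished, return code=") and pending:
            rc = int(msg.rsplit("=", 1)[1])
            if rc != 0:
                failures.append(pending + (rc,))
            pending = None
    return failures


if __name__ == "__main__":
    for db, nick, rc in failed_nickname_lookups(SAMPLE_LOG):
        print("nickname %r not found in NSS db %s (rc=%d)" % (nick, db, rc))
```

To use it on a real server, pass the contents of /var/log/ipaupgrade.log to failed_nickname_lookups() instead of SAMPLE_LOG.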



