This is not always reproducible.
I suspect that CA has not been running.
ipaupgrade.log:
2016-05-03T10:16:56Z DEBUG request GET https://vm-058-192.abc.idm.lab.eng.brq.redhat.com:8443/ca/rest/account/login
2016-05-03T10:16:56Z DEBUG request body ''
2016-05-03T10:16:56Z DEBUG NSSConnection init vm-058-192.abc.idm.lab.eng.brq.redhat.com
2016-05-03T10:16:56Z DEBUG Connecting: 10.34.58.192:0
2016-05-03T10:16:56Z DEBUG Could not connect socket to 10.34.58.192:8443, error: (PR_CONNECT_RESET_ERROR) TCP connection reset by peer.
2016-05-03T10:16:56Z DEBUG Try to continue with next family...
2016-05-03T10:16:56Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-05-03T10:16:56Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1724, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1657, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 339, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1719, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1725, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 2037, in __enter__
    method='GET'
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 156, in https_request
    method=method, headers=headers)
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 207, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))

2016-05-03T10:16:56Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://vm-058-192.abc.idm.lab.eng.brq.redhat.com:8443/ca/rest/account/login': Could not connect to vm-058-192.abc.idm.lab.eng.brq.redhat.com using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.
2016-05-03T10:16:56Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://vm-058-192.abc.idm.lab.eng.brq.redhat.com:8443/ca/rest/account/login': Could not connect to vm-058-192.abc.idm.lab.eng.brq.redhat.com using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.
Which may mean that, according to the pki debug log, the CA has not been running:
[03/May/2016:12:14:28][CertStatusUpdateTask]: updateCertStatus done
[03/May/2016:12:14:30][Timer-0]: In LdapBoundConnFactory::getConn()
[03/May/2016:12:14:30][Timer-0]: masterConn is connected: true
[03/May/2016:12:14:30][Timer-0]: getConn: conn is connected true
[03/May/2016:12:14:30][Timer-0]: getConn: mNumConns now 2
[03/May/2016:12:14:30][Timer-0]: SecurityDomainSessionTable: getSessionIds(): no sessions have been created
[03/May/2016:12:14:30][Timer-0]: returnConn: mNumConns now 3
<<=== HERE upgrade tried to contact the CA, but there is no record in the log ===>>
[03/May/2016:12:17:21][localhost-startStop-1]: ============================================
[03/May/2016:12:17:21][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[03/May/2016:12:17:21][localhost-startStop-1]: ============================================
[03/May/2016:12:17:21][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[03/May/2016:12:17:21][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[03/May/2016:12:17:21][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[03/May/2016:12:17:21][localhost-startStop-1]: CMSEngine: done init id=debug
Always reproducible by 'dnf reinstall freeipa-*'
The reason is that the upgrade did not start the CA server if the CA server is turned off.
Steps to reproduce:
In fact, the CA was started but not fully operational; the fix is to always call ca.start(), which will wait until the CA is operational.
master:
ipa-4-3:
Metadata Update from @mbasti: - Issue assigned to mbasti - Issue set to the milestone: FreeIPA 4.3.2
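The correlation made by hand in this ticket (a failed connect in ipaupgrade.log falling inside a silent stretch of the pki debug log) can be scripted. This is an added example, not part of the ticket or of FreeIPA; the function names are hypothetical, the sample lines are shortened from the logs quoted above, and the pki debug log is assumed to be written in local time at UTC+2.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines, shortened from the two logs quoted in this ticket.
UPGRADE_LOG = """\
2016-05-03T10:16:56Z DEBUG Connecting: 10.34.58.192:0
2016-05-03T10:16:56Z DEBUG Could not connect socket to 10.34.58.192:8443, error: (PR_CONNECT_RESET_ERROR) TCP connection reset by peer.
2016-05-03T10:16:56Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
"""
PKI_DEBUG_LOG = """\
[03/May/2016:12:14:28][CertStatusUpdateTask]: updateCertStatus done
[03/May/2016:12:14:30][Timer-0]: returnConn: mNumConns now 3
[03/May/2016:12:17:21][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[03/May/2016:12:17:21][localhost-startStop-1]: CMSEngine: done init id=debug
"""

UPGRADE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z \w+ Could not connect socket to (\S+),")
PKI_RE = re.compile(r"^\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d)\]")

def connect_failures(text):
    """Yield (utc_time, endpoint) for each failed socket connect in ipaupgrade.log."""
    for line in text.splitlines():
        m = UPGRADE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            yield ts.replace(tzinfo=timezone.utc), m.group(2)

def pki_times(text, utc_offset_hours):
    """Return pki debug-log timestamps converted from local time to UTC."""
    tz = timezone(timedelta(hours=utc_offset_hours))  # assumption: fixed local offset
    out = []
    for line in text.splitlines():
        m = PKI_RE.match(line)
        if m:
            local = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            out.append(local.replace(tzinfo=tz).astimezone(timezone.utc))
    return out

def failures_in_silence(upgrade_text, pki_text, utc_offset_hours, min_gap=60):
    """Report connect failures that fall inside a silent gap of the CA debug log."""
    times = sorted(pki_times(pki_text, utc_offset_hours))
    hits = []
    for when, endpoint in connect_failures(upgrade_text):
        for before, after in zip(times, times[1:]):
            gap = (after - before).total_seconds()
            if before < when < after and gap >= min_gap:
                hits.append((endpoint, when, int(gap)))
    return hits
```

With `utc_offset_hours=2` the sample yields one hit: the reset connection to port 8443 lands in a 171-second gap that ends with the CA's "DEBUG SUBSYSTEM INITIALIZED" banner.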