#5868 Upgrader sometimes returns PR_ADDRESS_NOT_SUPPORTED_ERROR from dogtag upgrade
Closed: Fixed None Opened 7 years ago by mbasti.

This is not always reproducible.

I suspect that CA has not been running.

ipupgrade.log

2016-05-03T10:16:56Z DEBUG request GET https://vm-058-192.abc.idm.lab.eng.brq.redhat.com:8443/ca/rest/account/login
2016-05-03T10:16:56Z DEBUG request body ''
2016-05-03T10:16:56Z DEBUG NSSConnection init vm-058-192.abc.idm.lab.eng.brq.redhat.com
2016-05-03T10:16:56Z DEBUG Connecting: 10.34.58.192:0
2016-05-03T10:16:56Z DEBUG Could not connect socket to 10.34.58.192:8443, error: (PR_CONNECT_RESET_ERROR) TCP connection reset by peer.
2016-05-03T10:16:56Z DEBUG Try to continue with next family...
2016-05-03T10:16:56Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-05-03T10:16:56Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1724, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1657, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 339, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1719, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1725, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 2037, in __enter__
    method='GET'
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 156, in https_request
    method=method, headers=headers)
  File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 207, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))

2016-05-03T10:16:56Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://vm-058-192.abc.idm.lab.eng.brq.redhat.com:8443/ca/rest/account/login': Could not connect to vm-058-192.abc.idm.lab.eng.brq.redhat.com using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.
2016-05-03T10:16:56Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'https://vm-058-192.abc.idm.lab.eng.brq.redhat.com:8443/ca/rest/account/login': Could not connect to vm-058-192.abc.idm.lab.eng.brq.redhat.com using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.

What may mean that according the pki debug log, CA has not been running

[03/May/2016:12:14:28][CertStatusUpdateTask]: updateCertStatus done
[03/May/2016:12:14:30][Timer-0]: In LdapBoundConnFactory::getConn()
[03/May/2016:12:14:30][Timer-0]: masterConn is connected: true
[03/May/2016:12:14:30][Timer-0]: getConn: conn is connected true
[03/May/2016:12:14:30][Timer-0]: getConn: mNumConns now 2
[03/May/2016:12:14:30][Timer-0]: SecurityDomainSessionTable: getSessionIds():  no sessions have been created
[03/May/2016:12:14:30][Timer-0]: returnConn: mNumConns now 3

<<=== HERE upgrade tried to contact the CA, but here is no record in log ===>>

[03/May/2016:12:17:21][localhost-startStop-1]: ============================================
[03/May/2016:12:17:21][localhost-startStop-1]: =====  DEBUG SUBSYSTEM INITIALIZED   =======
[03/May/2016:12:17:21][localhost-startStop-1]: ============================================
[03/May/2016:12:17:21][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[03/May/2016:12:17:21][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[03/May/2016:12:17:21][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[03/May/2016:12:17:21][localhost-startStop-1]: CMSEngine: done init id=debug

Always reproducible by 'dnf reinstall freeipa-*'

The reason is that upgrade did not start CA server if CA server is turned off.

Steps to reproduce:

  1. systemctl stop pkitomcatd@pki-tomcatd
  2. ipa-server-upgrade

In fact CA was started but not fully operational, fix is to always call ca.start() which will wait until CA is operational.

master:

ipa-4-3:

Metadata Update from @mbasti:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.3.2

7 years ago

Login to comment on this ticket.

Metadata