#5958 Upgrade is broken on servers without CA
Closed: Fixed None Opened 7 years ago by pspacek.

ipa-server-upgrade failed on a replica which does not have a CA installed. It seems that the failure is related to the latest changes to the CA.

# ipa-server-upgrade
WARNING: yacc table file version is out of date
session memcached servers not running
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
Update failed: Type or value exists: 
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
Missing Certification Authority file.
You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt
Failed to backup CS.cfg: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
[Migrate CRL publish directory]
CA is not configured
/etc/dirsrv/slapd-DOM-058-082-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
CA is not configured
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start pki-tomcatd@pki-tomcat.service' returned non-zero exit status 1
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

The debug log contains the following line:

2016-06-15T10:35:38Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: Command '/bin/systemctl start pki-tomcatd@pki-tomcat.service' returned non-zero exit status 1

The cn=masters sub-tree does not contain a CA entry for the affected server. I guess that the upgrade should not attempt to start a non-existing CA service :-)


Obvious blocker for 4.4.
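As an added illustration of the fix this ticket asks for (example code, not FreeIPA's own upgrade code), the guard below lets an upgrade step start pki-tomcatd only on hosts where a CA is actually configured. It requires two signals before attempting the start: a CA role for this host under cn=masters and the CS.cfg file whose absence is reported in the log above. The cn=masters entries are modelled as a simplified list of dicts and the service starter is an injectable callback; both are assumptions made for this example.

```python
"""Guard an upgrade sub-step so it starts the CA service only on servers
that have a CA.  Added example for this ticket, not FreeIPA project code;
the entry shape for cn=masters and the starter callback are stand-ins."""
import os
import subprocess
import tempfile
from typing import Callable, Iterable, List, Optional

# Path quoted in the ticket's "Failed to backup CS.cfg" message; its
# presence is one signal that the CA subsystem is installed on this host.
CS_CFG = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
START_CMD = ["/bin/systemctl", "start", "pki-tomcatd@pki-tomcat.service"]


def ca_is_configured(masters_entries: Iterable[dict], fqdn: str,
                     cs_cfg_path: str = CS_CFG) -> bool:
    """True only if this host has a CA role under cn=masters AND CS.cfg
    exists on disk.  Requiring both means a stale LDAP entry or a leftover
    file alone is not enough to trigger a service start."""
    has_ca_role = any(
        entry.get("cn") == fqdn and "CA" in entry.get("services", ())
        for entry in masters_entries)          # simplified entry shape
    return has_ca_role and os.path.exists(cs_cfg_path)


def start_ca_if_configured(masters_entries: Iterable[dict], fqdn: str,
                           cs_cfg_path: str = CS_CFG,
                           starter: Optional[Callable[[List[str]], None]] = None
                           ) -> str:
    """Upgrade sub-step.  Returns 'skipped' when no CA is configured and
    'started' otherwise.  A genuine start failure still surfaces as
    CalledProcessError, but now only on hosts that are supposed to run a CA."""
    if not ca_is_configured(masters_entries, fqdn, cs_cfg_path):
        return "skipped"
    if starter is None:
        starter = lambda cmd: subprocess.run(cmd, check=True)
    starter(START_CMD)
    return "started"


def demo() -> tuple:
    """Run the guard against constructed data: a CA-less replica, a CA host
    with CS.cfg missing, and a CA host with CS.cfg present.  Uses a temp
    directory instead of the real path and records commands instead of
    running systemctl."""
    masters = [                                # constructed sample entries
        {"cn": "ca1.example.test", "services": ["CA", "DNS"]},
        {"cn": "replica.example.test", "services": ["DNS"]},
    ]
    calls: List[List[str]] = []
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "CS.cfg")
        r_replica = start_ca_if_configured(masters, "replica.example.test",
                                           cfg, calls.append)
        r_no_cfg = start_ca_if_configured(masters, "ca1.example.test",
                                          cfg, calls.append)
        open(cfg, "w").close()                 # now the CA looks installed
        r_ca = start_ca_if_configured(masters, "ca1.example.test",
                                      cfg, calls.append)
    return r_replica, r_no_cfg, r_ca, len(calls)


if __name__ == "__main__":
    print(demo())
```

With the guard in place, a CA-less replica reports "skipped" and never invokes systemctl, which is exactly the failure path in the log above that the ticket wants removed.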

master:

  • 01795fc upgrade: do not try to start CA if not configured

Regression caused by commit in 4.3.2 (#5868), moving this ticket to 4.3.2

ipa-4-3:

  • 7514b8b upgrade: do not try to start CA if not configured

Metadata Update from @pspacek:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.3.2

7 years ago
