ipa-server-upgrade failed on a replica which does not have CA installed. It seems that failure is related to latest changes to CA.
# ipa-server-upgrade WARNING: yacc table file version is out of date session memcached servers not running Upgrading IPA: [1/10]: stopping directory server [2/10]: saving configuration [3/10]: disabling listeners [4/10]: enabling DS global lock [5/10]: starting directory server [6/10]: updating schema [7/10]: upgrading server Update failed: Type or value exists: [8/10]: stopping directory server [9/10]: restoring configuration [10/10]: starting directory server Done. Update complete Upgrading IPA services Upgrading the configuration of the IPA services [Verifying that root certificate is published] Missing Certification Authority file. You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt Failed to backup CS.cfg: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg' [Migrate CRL publish directory] CA is not configured /etc/dirsrv/slapd-DOM-058-082-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made. [Verifying that CA proxy configuration is correct] CA is not configured IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: CalledProcessError: Command '/bin/systemctl start pki-tomcatd@pki-tomcat.service' returned non-zero exit status 1 The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Debug log contains following line:
2016-06-15T10:35:38Z DEBUG The ipa-server-upgrade command failed, exception: CalledProcessError: Command '/bin/systemctl start pki-tomcatd@pki-tomcat.service' returned non-zero exit status 1
cn=masters sub-tree does not contain CA entry for affected server. I guess that upgrade should not attempt to start non-existing CA service :-)
cn=masters
CA
attachment ipaupgrade.log.bz2
Obvious blocker for 4.4.
master:
Regression caused by commit in 4.3.2 (#5868), moving this ticket to 4.3.2
ipa-4-3:
Metadata Update from @pspacek: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.3.2
Login to comment on this ticket.