#7125 ipa-server-upgrade failes with "This entry already exists"
Closed: fixed 4 years ago Opened 4 years ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1480102

Description of problem:

ipa-server-upgrade fails with:

===========================================================
ipa: DEBUG: stderr=
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection
context.ldap2_100258128
ipa: ERROR: Upgrade failed with This entry already exists
ipa: DEBUG: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
line 220, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
911, in update
    self._run_updates(all_updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
883, in _run_updates
    self._run_update_plugin(update['plugin'])
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line
859, in _run_update_plugin
    restart_ds, updates = self.api.Updater[plugin_name]()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1470, in
__call__
    return self.execute(**options)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py",
line 84, in execute
    ldap.update_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1553, in
update_entry
    self.conn.modify_s(str(entry.dn), modlist)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in
error_handler
    raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

ipa: DEBUG: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
line 228, in __upgrade
    raise RuntimeError(e)
RuntimeError: This entry already exists
===========================================================

"plugins.upload_cacrt"


Taking a look at the logs we see operations like these failing by constraint
violation trying to add entries under
"cn=certificates,cn=ipa,cn=etc,dc=rh,dc=ad,dc=example,dc=com"


[09/Aug/2017:09:15:18.481708979 +091800] conn=5 op=352 ADD dn="cn=CN\3DITS-ROOT
-CA,cn=certificates,cn=ipa,cn=etc,dc=rh,dc=ad,dc=example,dc=com"
[09/Aug/2017:09:15:18.482796949 +091800] conn=5 op=352 RESULT err=19 tag=105
nentries=0 etime=0
[09/Aug/2017:09:15:18.614559050 +091800] conn=5 op=353 ADD dn="cn=CN\3D><some
identifier>,cn=certificates,cn=ipa,cn=etc,dc=rh,dc=ad,dc=example,dc=com"
[09/Aug/2017:09:15:18.615085522 +091800] conn=5 op=353 RESULT err=19 tag=105
nentries=0 etime=0
[09/Aug/2017:09:15:18.741092201 +091800] conn=5 op=354 ADD dn="cn=<REALM> IPA
CA,cn=certificates,cn=ipa,cn=etc,dc=rh,dc=ad,dc=example,dc=com"
[09/Aug/2017:09:15:18.741626613 +091800] conn=5 op=354 RESULT err=19 tag=105
nentries=0 etime=0
[09/Aug/2017:09:15:18.742198157 +091800] conn=5 op=355 MOD dn="cn=<REALM> IPA
CA,cn=certificates,cn=ipa,cn=etc,dc=rh,dc=ad,dc=example,dc=com"
[09/Aug/2017:09:15:18.742698466 +091800] conn=5 op=355 RESULT err=19 tag=103
nentries=0 etime=0
[09/Aug/2017:09:15:18.745671297 +091800] conn=5 op=356 UNBIND


Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7.x86_64


How reproducible: very often. I have seen it in two customers. So, I am logging
this bug.

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1480102

4 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1480102

4 years ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

4 years ago

The issue can be reproduced with the following scenario:
- configure ipa server with a custom CA subject (ipa-server-install --subject=...)
- configure a replica
The replica installation creates a duplicate entry in cn=certificates,cn=ipa,cn=etc,$BASEDN while it should not. This happens because
1/ the attribute uniqueness plugin has been configured but DS not restarted => the pugin is not working yet
2/ the replica installation is using the nickname from the local NSS DB /etc/httpd/alias instead of "$DOMAIN IPA CA" when uploading the CA cert

master:

  • 69bda6b Fix ipa-server-upgrade: This entry already exists

ipa-4-5:

  • d9035a0 Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists

Metadata Update from @stlaz:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

master:

  • 0a2b6ca Only restart DS when duplicate cacrt was found

ipa-4-8:

  • be7efc4 Only restart DS when duplicate cacrt was found

master:

  • b606fa6 Duplicate CA CRT: ignore expected cert

ipa-4-8:

  • d7f3928 Duplicate CA CRT: ignore expected cert

Login to comment on this ticket.

Metadata