Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1480102
Description of problem: ipa-server-upgrade fails with: =========================================================== ipa: DEBUG: stderr= ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_100258128 ipa: ERROR: Upgrade failed with This entry already exists ipa: DEBUG: Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 220, in __upgrade self.modified = (ld.update(self.files) or self.modified) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 911, in update self._run_updates(all_updates) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 883, in _run_updates self._run_update_plugin(update['plugin']) File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 859, in _run_update_plugin restart_ds, updates = self.api.Updater[plugin_name]() File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1470, in __call__ return self.execute(**options) File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py", line 84, in execute ldap.update_entry(entry) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1553, in update_entry self.conn.modify_s(str(entry.dn), modlist) File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler raise errors.DuplicateEntry() DuplicateEntry: This entry already exists ipa: DEBUG: Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 228, in __upgrade raise RuntimeError(e) RuntimeError: This entry already exists =========================================================== "plugins.upload_cacrt" Taking a look at the logs we see operations like these failing by constraint violation trying to add entries under "cn=certificates,cn=ipa,cn=etc,dc=rh,dc=ad,dc=example,dc=com" [09/Aug/2017:09:15:18.481708979 +091800] conn=5 op=352 ADD dn="cn=CN\3DITS-ROOT -CA,cn=certificates,cn=ipa,cn=etc,dc=rh,dc=ad,dc=example,dc=com" [09/Aug/2017:09:15:18.482796949 +091800] conn=5 op=352 RESULT err=19 tag=105 nentries=0 etime=0 [09/Aug/2017:09:15:18.614559050 +091800] conn=5 op=353 ADD dn="cn=CN\3D><some identifier>,cn=certificates,cn=ipa,cn=etc,dc=rh,dc=ad,dc=example,dc=com" [09/Aug/2017:09:15:18.615085522 +091800] conn=5 op=353 RESULT err=19 tag=105 nentries=0 etime=0 [09/Aug/2017:09:15:18.741092201 +091800] conn=5 op=354 ADD dn="cn=<REALM> IPA CA,cn=certificates,cn=ipa,cn=etc,dc=rh,dc=ad,dc=example,dc=com" [09/Aug/2017:09:15:18.741626613 +091800] conn=5 op=354 RESULT err=19 tag=105 nentries=0 etime=0 [09/Aug/2017:09:15:18.742198157 +091800] conn=5 op=355 MOD dn="cn=<REALM> IPA CA,cn=certificates,cn=ipa,cn=etc,dc=rh,dc=ad,dc=example,dc=com" [09/Aug/2017:09:15:18.742698466 +091800] conn=5 op=355 RESULT err=19 tag=103 nentries=0 etime=0 [09/Aug/2017:09:15:18.745671297 +091800] conn=5 op=356 UNBIND Version-Release number of selected component (if applicable): ipa-server-4.5.0-21.el7.x86_64 How reproducible: very often. I have seen it in two customers. So, I am logging this bug.
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1480102
Metadata Update from @frenaud: - Issue assigned to frenaud
The issue can be reproduced with the following scenario: - configure ipa server with a custom CA subject (ipa-server-install --subject=...) - configure a replica The replica installation creates a duplicate entry in cn=certificates,cn=ipa,cn=etc,$BASEDN while it should not. This happens because 1/ the attribute uniqueness plugin has been configured but DS not restarted => the pugin is not working yet 2/ the replica installation is using the nickname from the local NSS DB /etc/httpd/alias instead of "$DOMAIN IPA CA" when uploading the CA cert
master:
ipa-4-5:
Metadata Update from @stlaz: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-8:
Log in to comment on this ticket.