#7141 Updating from RHEL 7.3 fails with Server-Cert not found (ipa-server-upgrade)
Closed: fixed 3 years ago Opened 3 years ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1484428

Description of problem:
After upgrading top IPA Server 4.5, running ipa-server-upgrade fails with;
2017-08-22T15:37:42Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-XX -L -n
Server-Cert -a -f /etc/dirsrv/slapd-XX/pwdfile.txt
2017-08-22T15:37:42Z DEBUG Process finished, return code=255
2017-08-22T15:37:42Z DEBUG stdout=
2017-08-22T15:37:42Z DEBUG stderr=certutil: Could not find cert: Server-Cert

Here's a dump of what's in the certificates:
certutil -L -d /etc/dirsrv/slapd-XX
Certificate Nickname                                         Trust Attributes

XX IPA CA                                          CT,C,C
digicertRoot                                                 CT,,
digicert                                                     CT,,
CN=XX,O=Red Hat Inc.,L=Raleigh,ST=North
Carolina,C=US,postalCode=27601,STREET=100 East Davie St.,serialNumber=XX,incorp
Organization u,u,u

The last certificate is the Server-Cert with a different name. Renaming it
makes dirsrv@.service fail on start.

kinit works. Logging in from the web does not.

Version-Release number of selected component (if applicable):

How reproducible:
I'm only done an upgrade once. Not sure.

Steps to Reproduce:
yum update on a server running 7.3 with ipa-server which has a signed cert from
a 3rd party CA.

Actual results:

Expected results:
Upgrade succeeds.

Additional info:

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1484428

3 years ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

3 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1045

3 years ago

Metadata Update from @pvoborni:
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.5.4 (was: 0.0 NEEDS_TRIAGE)
- Issue tagged with: regression

3 years ago

Related issue for dealing with the case when HTTP/DS service cert is issued by
an IPA lightweight CA: https://pagure.io/freeipa/issue/7160


  • 87540fe Fix ipa-server-upgrade with server cert tracking


  • 5285387 Backport 4-5: Fix ipa-server-upgrade with server cert tracking


  • 726a8b2 Fix ipa-server-upgrade with server cert tracking

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Login to comment on this ticket.