I installed IPA as a CA-less master on Fedora 27 using freeipa 4.6.1-3.
# ipa-server-install -a password -p password --dirsrv-cert-file=/tmp/server.p12 --http-cert-file=/tmp/server.p12 --dirsrv-pin=password --http-pin=password -r EXAMPLE.COM -U --no-pkinit --ca-cert-file=/tmp/ca-chain.cert.pem
I tried to upgrade to master and it failed trying to back up the CA configuration:
2018-02-14T15:48:19Z INFO [Verifying that root certificate is published]
2018-02-14T15:48:19Z DEBUG Certificate file exists
2018-02-14T15:48:19Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-02-14T15:48:19Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-02-14T15:48:19Z DEBUG Trying to find certificate subject base in sysupgrade
2018-02-14T15:48:19Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-02-14T15:48:19Z DEBUG Found certificate subject base in sysupgrade: O=EXAMPLE.COM
2018-02-14T15:48:19Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-02-14T15:48:19Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-02-14T15:48:19Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-02-14T15:48:19Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-02-14T15:48:19Z DEBUG request POST http://ipa.example.com:8080/ca/admin/ca/getStatus
2018-02-14T15:48:19Z DEBUG request body ''
2018-02-14T15:48:19Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 220, in _httplib_request
    conn.request(method, uri, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1239, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1285, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 964, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 936, in connect
    (self.host,self.port), self.timeout, self.source_address)
  File "/usr/lib64/python3.6/socket.py", line 724, in create_connection
    raise err
  File "/usr/lib64/python3.6/socket.py", line 713, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
2018-02-14T15:48:19Z DEBUG Failed to check CA status: cannot connect to 'http://ipa.example.com:8080/ca/admin/ca/getStatus': [Errno 111] Connection refused
2018-02-14T15:48:19Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-02-14T15:48:19Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-02-14T15:48:19Z DEBUG Ensuring that service pki-tomcatd@pki-tomcat is not running while the next set of commands is being executed.
2018-02-14T15:48:19Z DEBUG Starting external process
2018-02-14T15:48:19Z DEBUG args=/bin/systemctl is-active pki-tomcatd@pki-tomcat.service
2018-02-14T15:48:19Z DEBUG Process finished, return code=3
2018-02-14T15:48:19Z DEBUG stdout=inactive
2018-02-14T15:48:19Z DEBUG stderr=
2018-02-14T15:48:19Z DEBUG Service pki-tomcatd@pki-tomcat is not running, continue.
2018-02-14T15:48:19Z DEBUG Starting external process
2018-02-14T15:48:19Z DEBUG args=/bin/systemctl is-active pki-tomcatd@pki-tomcat.service
2018-02-14T15:48:19Z DEBUG Process finished, return code=3
2018-02-14T15:48:19Z DEBUG stdout=inactive
2018-02-14T15:48:19Z DEBUG stderr=
2018-02-14T15:48:19Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2018-02-14T15:48:19Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1945, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1634, in upgrade_configuration
    ca.backup_config()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 476, in backup_config
    shutil.copy(path, path + '.ipabkp')
  File "/usr/lib64/python3.6/shutil.py", line 241, in copy
    copyfile(src, dst, follow_symlinks=follow_symlinks)
  File "/usr/lib64/python3.6/shutil.py", line 120, in copyfile
    with open(src, 'rb') as fsrc:
2018-02-14T15:48:19Z DEBUG The ipa-server-upgrade command failed, exception: FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
2018-02-14T15:48:19Z ERROR [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
2018-02-14T15:48:19Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
It doesn't detect that there is no CA available and to skip the CA routines.
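As an added illustration (not FreeIPA's own dogtaginstance code), a hypothetical backup routine in the unguarded form that fails the way the log above does, beside a guarded form that skips the CA routines on a CA-less master; the file list, the filesystem probe and the throwaway directory tree are assumptions.

```python
import os
import shutil
import tempfile

# Hypothetical list of CA config files; the real upgrade code backs up
# files under /var/lib/pki/pki-tomcat, including conf/ca/CS.cfg.
CA_CONFIG_FILES = ("conf/ca/CS.cfg", "conf/server.xml")


def backup_config_unguarded(pki_root):
    """Mirror of the failing behaviour from the log: copy each CA config
    file to <path>.ipabkp whether or not a CA was ever installed."""
    for rel in CA_CONFIG_FILES:
        path = os.path.join(pki_root, rel)
        shutil.copy(path, path + ".ipabkp")  # FileNotFoundError on CA-less


def ca_is_configured(pki_root):
    """A CA-less master never lays down CS.cfg, so treat its absence as
    'no CA' (assumption: a real fix would consult installer state)."""
    return os.path.isfile(os.path.join(pki_root, "conf", "ca", "CS.cfg"))


def backup_config_guarded(pki_root):
    """Skip the CA routines when no CA is present and return the list
    of backups written, so callers can verify what happened."""
    if not ca_is_configured(pki_root):
        return []
    written = []
    for rel in CA_CONFIG_FILES:
        path = os.path.join(pki_root, rel)
        if os.path.isfile(path):
            shutil.copy(path, path + ".ipabkp")
            written.append(path + ".ipabkp")
    return written


def demo(with_ca):
    """Build a constructed throwaway pki root, optionally populated with
    sample CA config, and return (backups written, unguarded raised?)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "conf", "ca"))
        if with_ca:
            for rel in CA_CONFIG_FILES:
                with open(os.path.join(root, rel), "w") as fh:
                    fh.write("# constructed sample config\n")
        raised = False
        try:
            backup_config_unguarded(root)
        except FileNotFoundError:
            raised = True
        return len(backup_config_guarded(root)), raised
```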
You installed ipa-server then replica without CA. Then tried upgrading replica to master and got issues?
No. Installed standalone IPA master as CA-less.
Update the packages. ipa-server-upgrade fails because it tries to do CA upgrades.
This was discovered while testing the mod_nss -> mod_ssl switch. On Fedora 27 I installed using freeipa-server-4.6.1-3 and upgraded using the locally built packages with the patches.
Cannot repro on rhel-7.4 ipa-server-4.5.0-22.el7_4.x86_64. After ipa-server-install (without CA), ipa-server-upgrade ran successfully.
First step is to identify which releases this affects. It appears that the 4.5 branch is ok so start with 4.6.
A new upgrade test will be needed to confirm that this doesn't regress.
Metadata Update from @rcritten: - Issue priority set to: critical - Issue set to the milestone: FreeIPA 4.6.4
Metadata Update from @rcritten: - Issue assigned to rcritten
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1550555
Issue linked to Bugzilla: Bug 1550555
master:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-6:
As we need to backport to 4.5, see BZ 1577805, setting the milestone to 4.5.5
Metadata Update from @frenaud: - Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.6.4)
ipa-4-5: