#7409 Upgrade fails in CAless installation due to missing CA
Closed: fixed 6 years ago Opened 6 years ago by rcritten.

Issue

I installed IPA as a CA-less master on Fedora 27 using freeipa 4.6.1-3.

# ipa-server-install -a password -p password --dirsrv-cert-file=/tmp/server.p12 --http-cert-file=/tmp/server.p12 --dirsrv-pin=password --http-pin=password -r EXAMPLE.COM -U --no-pkinit --ca-cert-file=/tmp/ca-chain.cert.pem

I tried to upgrade to master and it failed trying to back up the CA configuration:

2018-02-14T15:48:19Z INFO [Verifying that root certificate is published]
2018-02-14T15:48:19Z DEBUG Certificate file exists
2018-02-14T15:48:19Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-02-14T15:48:19Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-02-14T15:48:19Z DEBUG Trying to find certificate subject base in sysupgrade
2018-02-14T15:48:19Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-02-14T15:48:19Z DEBUG Found certificate subject base in sysupgrade: O=EXAMPLE.COM
2018-02-14T15:48:19Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-02-14T15:48:19Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2018-02-14T15:48:19Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-02-14T15:48:19Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-02-14T15:48:19Z DEBUG request POST http://ipa.example.com:8080/ca/admin/ca/getStatus
2018-02-14T15:48:19Z DEBUG request body ''
2018-02-14T15:48:19Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 220, in _httplib_request
    conn.request(method, uri, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1239, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1285, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 964, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 936, in connect
    (self.host,self.port), self.timeout, self.source_address)
  File "/usr/lib64/python3.6/socket.py", line 724, in create_connection
    raise err
  File "/usr/lib64/python3.6/socket.py", line 713, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
2018-02-14T15:48:19Z DEBUG Failed to check CA status: cannot connect to 'http://ipa.example.com:8080/ca/admin/ca/getStatus': [Errno 111] Connection refused
2018-02-14T15:48:19Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2018-02-14T15:48:19Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2018-02-14T15:48:19Z DEBUG Ensuring that service pki-tomcatd@pki-tomcat is not running while the next set of commands is being executed.
2018-02-14T15:48:19Z DEBUG Starting external process
2018-02-14T15:48:19Z DEBUG args=/bin/systemctl is-active pki-tomcatd@pki-tomcat.service
2018-02-14T15:48:19Z DEBUG Process finished, return code=3
2018-02-14T15:48:19Z DEBUG stdout=inactive

2018-02-14T15:48:19Z DEBUG stderr=
2018-02-14T15:48:19Z DEBUG Service pki-tomcatd@pki-tomcat is not running, continue.
2018-02-14T15:48:19Z DEBUG Starting external process
2018-02-14T15:48:19Z DEBUG args=/bin/systemctl is-active pki-tomcatd@pki-tomcat.service
2018-02-14T15:48:19Z DEBUG Process finished, return code=3
2018-02-14T15:48:19Z DEBUG stdout=inactive

2018-02-14T15:48:19Z DEBUG stderr=
2018-02-14T15:48:19Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2018-02-14T15:48:19Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 174, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 50, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1945, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1634, in upgrade_configuration
    ca.backup_config()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/dogtaginstance.py", line 476, in backup_config
    shutil.copy(path, path + '.ipabkp')
  File "/usr/lib64/python3.6/shutil.py", line 241, in copy
    copyfile(src, dst, follow_symlinks=follow_symlinks)
  File "/usr/lib64/python3.6/shutil.py", line 120, in copyfile
    with open(src, 'rb') as fsrc:

2018-02-14T15:48:19Z DEBUG The ipa-server-upgrade command failed, exception: FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
2018-02-14T15:48:19Z ERROR [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
2018-02-14T15:48:19Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

It doesn't detect that there is no CA available and skip the CA routines.
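The failure mode and the shape of the fix, as an added illustration that is not FreeIPA's own code: an upgrade step copies CS.cfg unconditionally, so on a CA-less master it dies with FileNotFoundError, whereas a guarded variant consults recorded install state and skips the CA step. The `ca_is_configured` helper, the state dictionary and the temporary instance directory are hypothetical stand-ins for the installer's own sysrestore state and /var/lib/pki/pki-tomcat.

```python
import os
import shutil
import tempfile

# Relative location of the Dogtag CA config inside the instance (from the traceback above).
CS_CFG_REL = os.path.join("conf", "ca", "CS.cfg")


class UpgradeError(Exception):
    """Raised when recorded install state and the filesystem disagree."""


def ca_is_configured(sysrestore_state):
    # Hypothetical stand-in for the installer's recorded "is the CA configured?" state.
    return sysrestore_state.get("ca", {}).get("configured", False)


def backup_config_unguarded(instance_root):
    """'Before' behaviour: copy CS.cfg unconditionally, as the failing upgrade did."""
    path = os.path.join(instance_root, CS_CFG_REL)
    shutil.copy(path, path + ".ipabkp")  # FileNotFoundError on a CA-less master
    return path + ".ipabkp"


def backup_config_guarded(instance_root, sysrestore_state):
    """'After' behaviour: skip the CA step entirely when no CA is configured."""
    if not ca_is_configured(sysrestore_state):
        return None  # nothing to back up; the upgrade continues
    path = os.path.join(instance_root, CS_CFG_REL)
    if not os.path.isfile(path):
        # State says a CA exists but its config is gone: surface a clear error
        raise UpgradeError("CA is configured but %s is missing" % path)
    shutil.copy(path, path + ".ipabkp")
    return path + ".ipabkp"


def simulate(ca_installed):
    """Run both variants on a constructed temp instance; returns (unguarded, guarded)."""
    with tempfile.TemporaryDirectory() as root:
        state = {"ca": {"configured": ca_installed}}
        cfg = os.path.join(root, CS_CFG_REL)
        if ca_installed:
            os.makedirs(os.path.dirname(cfg))
            with open(cfg, "w") as f:
                f.write("# constructed CS.cfg\n")
        results = []
        for fn, args in ((backup_config_unguarded, (root,)),
                         (backup_config_guarded, (root, state))):
            try:
                results.append("ok" if fn(*args) else "skipped")
            except (FileNotFoundError, UpgradeError) as exc:
                results.append(type(exc).__name__)
        return tuple(results)
```

`simulate(False)` reproduces the ticket (the unguarded copy fails, the guarded one is skipped), while `simulate(True)` shows both variants backing up the file on a host with a CA.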


You installed ipa-server then replica without CA.
Then tried upgrading replica to master and got issues?

No. Installed standalone IPA master as CA-less.

Update the packages. ipa-server-upgrade fails because it tries to do CA upgrades.

This was discovered while testing the mod_nss -> mod_ssl switch. On Fedora 27 I installed using freeipa-server-4.6.1-3 and upgraded using the locally built packages with the patches.

cannot repro on rhel-7.4
ipa-server-4.5.0-22.el7_4.x86_64
After ipa-server-install (without CA), ipa-server-upgrade ran successfully.

First step is to identify which releases this affects. It appears that the 4.5 branch is ok so start with 4.6.

A new upgrade test will be needed to confirm that this doesn't regress.

Metadata Update from @rcritten:
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.6.4

6 years ago

Metadata Update from @rcritten:
- Issue assigned to rcritten

6 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1550555

6 years ago

master:

  • 95a45a2 Don't try to backup CS.cfg during upgrade if CA is not configured

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

ipa-4-6:

  • f24a3ae Don't try to backup CS.cfg during upgrade if CA is not configured

As we need to backport to 4.5, see BZ 1577805, setting the milestone to 4.5.5

Metadata Update from @frenaud:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.6.4)

5 years ago

ipa-4-5:

  • 035f1cb Don't try to backup CS.cfg during upgrade if CA is not configured
