Hi Florence, Thanks for the reply.
However do you mean that I need to create a new repo file for Version 4.6 and try the Upgrade? Or do you mean that I need to remove the current installation and go for a fresh install? Regards, Alka Murali On Thu, Sep 28, 2017 at 3:43 PM, Florence Blanc-Renaud <[email protected]> wrote: > On 09/28/2017 04:12 AM, Alka Murali wrote: > >> Hi Florence, >> >> Thanks for the email. As you have mentioned, I tried updating the >> corresponding python files under IPA Server and tried for the Upgrade. >> > Hi, > > do you mean that you manually edited the python files? In this case it is > likely that some files were forgotten. The patch for 4-5 branch is > https://pagure.io/freeipa/c/52853875e298e38a1e5a9a56c02aac9e30916044 but > may depend on other commits applied on the branch between the 4.5.3 release > and the patch. > > For consistency, I'd rather recommend to upgrade the packages to 4.6 > (available in the copr repo @freeipa/freeipa-4-6 for fedora 26 and > fedora27). > > Flo > > However I was getting the error below: >> >> ----- >> >> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in >> execute >> >> return_value = self.run() >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", >> line 46, in run >> >> server.upgrade() >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", >> line 1913, in upgrade >> >> upgrade_configuration() >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", >> line 1788, in upgrade_configuration >> >> certificate_renewal_update(ca, ds, http), >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", >> line 966, in certificate_renewal_update >> >> 'cert-nickname': ds.get_server_cert_nickname(serverid), >> >> >> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The >> ipa-server-upgrade command failed, exception: AttributeError: 'DsInstance' >> object has no attribute 'get_server_cert_nickname' >> >> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: >> Unexpected error - see /var/log/ipaupgrade.log for details: >> >> AttributeError: 'DsInstance' object has no attribute >> 'get_server_cert_nickname' >> >> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The >> ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more >> information >> >> ------ >> >> So do I need to define "get_server_cert_nickname" in certs.py script too. >> >> >> Awaiting your reply. >> >> >> Thanks and Regards, >> >> Alka Murali >> >> >> On Tue, Sep 26, 2017 at 5:01 PM, Florence Blanc-Renaud <[email protected] >> <mailto:[email protected]>> wrote: >> >> On 09/26/2017 05:18 AM, Alka Murali via FreeIPA-users wrote: >> >> Hello, >> >> Currently my server is running on IPA Server Version 4.4. I have >> tried to upgrade the Version to 4.5 using the ipa-server-upgrade >> command and got ended with the following error: >> >> >> -------- >> >> 2017-09-26T02:27:32Z DEBUG stderr= >> >> 2017-09-26T02:27:50Z DEBUG Loading Index file from >> '/var/lib/ipa/sysrestore/sysrestore.index' >> >> 2017-09-26T02:27:53Z DEBUG Starting external process >> >> 2017-09-26T02:27:53Z DEBUG args=/usr/bin/certutil -d >> /etc/dirsrv/slapd-LGA-NET-SG -L -n Server-Cert -a -f >> /etc/dirsrv/slapd-LGA-NET-SG/pwdfile.txt >> >> 2017-09-26T02:27:56Z DEBUG Process finished, return code=255 >> >> 2017-09-26T02:27:56Z DEBUG stdout= >> >> 2017-09-26T02:27:56Z DEBUG stderr=certutil: Could not find cert: >> Server-Cert >> >> : PR_FILE_NOT_FOUND_ERROR: File not found >> >> >> 2017-09-26T02:27:56Z ERROR IPA server upgrade failed: Inspect >> /var/log/ipaupgrade.log and run command ipa-server-upgrade >> manually. >> >> 2017-09-26T02:27:56Z DEBUG File >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line >> 172, in execute >> >> return_value = self.run() >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ >> server_upgrade.py", >> line 46, in run >> >> server.upgrade() >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/ >> upgrade.py", >> line 1913, in upgrade >> >> upgrade_configuration() >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/ >> upgrade.py", >> line 1788, in upgrade_configuration >> >> certificate_renewal_update(ca, ds, http), >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/server/ >> upgrade.py", >> line 1018, in certificate_renewal_update >> >> ds.start_tracking_certificates(serverid) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstan >> ce.py", >> line 1046, in start_tracking_certificates >> >> 'restart_dirsrv %s' % serverid) >> >> File >> "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", >> line 362, in track_server_cert >> >> cert_obj = x509.load_certificate(cert) >> >> File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line >> 119, in load_certificate >> >> return cryptography.x509.load_der_x509_certificate(data, >> default_backend()) >> >> File >> "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py", >> line 47, in load_der_x509_certificate >> >> return backend.load_der_x509_certificate(data) >> >> File >> "/usr/lib64/python2.7/site-packages/cryptography/hazmat/back >> ends/multibackend.py", >> line 350, in load_der_x509_certificate >> >> return b.load_der_x509_certificate(data) >> >> File >> "/usr/lib64/python2.7/site-packages/cryptography/hazmat/back >> ends/openssl/backend.py", >> line 1185, in load_der_x509_certificate >> >> raise ValueError("Unable to load certificate") >> >> >> 2017-09-26T02:27:56Z DEBUG The ipa-server-upgrade command >> failed, exception: ValueError: Unable to load certificate >> >> 2017-09-26T02:27:56Z ERROR Unexpected error - see >> /var/log/ipaupgrade.log for details: >> >> ValueError: Unable to load certificate >> >> 2017-09-26T02:27:56Z ERROR The ipa-server-upgrade command >> failed. See /var/log/ipaupgrade.log for more information >> >> ------- >> >> I am using a third party signed certificate along with my >> IPA-CA. Is it an issue with my current CA. I can see that while >> fetching for the certificate, the name given to be "Server-cert" >> instead of the exact CA name. >> >> >> -- Regards, >> Alka Murali >> >> >> _______________________________________________ >> FreeIPA-users mailing list -- >> [email protected] >> <mailto:[email protected]> >> To unsubscribe send an email to >> [email protected] >> <mailto:[email protected]> >> >> Hi, >> >> you are probably hitting issue 7141 [1]. The upgrade is trying to >> track the HTTPd/LDAP server certificates but shouldn't if they were >> issued by an external CA. >> >> The fix is available in FreeIPA 4.6.1 [2] >> >> HTH, >> Flo >> >> [1] https://pagure.io/freeipa/issue/7141 >> <https://pagure.io/freeipa/issue/7141> >> [2] http://www.freeipa.org/page/Releases/4.6.1 >> <http://www.freeipa.org/page/Releases/4.6.1> >> >> >> >> >> -- >> Regards, >> Alka Murali >> > > -- Regards, Alka Murali
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
