[root@kdc1 ~]# getcert list-cas
CA 'SelfSign':
        is-default: no
        ca-type: INTERNAL:SELF
        next-serial-number: 01
CA 'certmaster':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/local-submit
CA 'IPA':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit

I have no idea what this means though.

> On Mar 4, 2020, at 12:16 PM, Rob Crittenden <[email protected]> wrote:
> 
> David Carter via FreeIPA-users wrote:
>> Freeipa was running fine, then I guess it tried to update and now I have an 
>> unusable system and it's impacting other systems. I've seen this error in a 
>> few online postings but no fix that I can apply.
>> 
>> When I run it manually:
>> 
>> [root@kdc1 log]# ipa-server-upgrade 
>> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>>  [1/11]: stopping directory server
>>  [2/11]: saving configuration
>>  [3/11]: disabling listeners
>>  [4/11]: enabling DS global lock
>>  [5/11]: disabling Schema Compat
>>  [6/11]: starting directory server
>>  [7/11]: updating schema
>>  [8/11]: upgrading server
>>  [9/11]: stopping directory server
>>  [10/11]: restoring configuration
>>  [11/11]: starting directory server
>> Done.
>> Update complete
>> Upgrading IPA services
>> Upgrading the configuration of the IPA services
>> [Verifying that root certificate is published]
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Enable sidgen and extdom plugins by default]
>> [Updating HTTPD service IPA configuration]
>> [Updating HTTPD service IPA WSGI configuration]
>> Nothing to do for configure_httpd_wsgi_conf
>> [Updating mod_nss protocol versions]
>> Protocol versions already updated
>> [Updating mod_nss cipher suite]
>> [Updating mod_nss enabling OCSP]
>> [Fixing trust flags in /etc/httpd/alias]
>> Trust flags already processed
>> [Moving HTTPD service keytab to gssproxy]
>> [Removing self-signed CA]
>> [Removing Dogtag 9 CA]
>> [Checking for deprecated KDC configuration files]
>> [Checking for deprecated backups of Samba configuration files]
>> [Add missing CA DNS records]
>> IPA CA DNS records already processed
>> [Removing deprecated DNS configuration options]
>> DNS is not configured
>> [Ensuring minimal number of connections]
>> DNS is not configured
>> [Updating GSSAPI configuration in DNS]
>> DNS is not configured
>> [Updating pid-file configuration in DNS]
>> DNS is not configured
>> DNS is not configured
>> DNS is not configured
>> DNS is not configured
>> DNS is not configured
>> DNS is not configured
>> DNS is not configured
>> DNS is not configured
>> [Upgrading CA schema]
>> CA schema update complete (no changes)
>> [Verifying that CA audit signing cert has 2 year validity]
>> [Update certmonger certificate renewal configuration]
>> Failed to get request: bus, object_path and dbus_interface must not be None.
>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command 
>> ipa-server-upgrade manually.
>> bus, object_path and dbus_interface must not be None.
>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more 
>> information
>> The tail of the log file (it is very long):
>> 
>> 2020-03-03T03:51:44Z DEBUG stderr=
>> 2020-03-03T03:51:44Z DEBUG Loading Index file from 
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2020-03-03T03:51:44Z DEBUG Starting external process
>> 2020-03-03T03:51:44Z DEBUG args=/usr/bin/certutil -d 
>> dbm:/etc/pki/pki-tomcat/alias -L -f /etc/pki/pki-tomcat/alias/pwdfile.txt
>> 2020-03-03T03:51:44Z DEBUG Process finished, return code=0
>> 2020-03-03T03:51:44Z DEBUG stdout=
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>> 
>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> auditSigningCert cert-pki-ca                                 u,u,Pu
>> Server-Cert cert-pki-ca                                      u,u,u
>> ocspSigningCert cert-pki-ca                                  u,u,u
>> subsystemCert cert-pki-ca                                    u,u,u
>> 
>> 2020-03-03T03:51:44Z DEBUG stderr=
>> 2020-03-03T03:51:44Z ERROR Failed to get request: bus, object_path and 
>> dbus_interface must not be None.
>> 2020-03-03T03:51:44Z ERROR IPA server upgrade failed: Inspect 
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2020-03-03T03:51:44Z DEBUG   File 
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in 
>> execute
>>    return_value = self.run()
>>  File 
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", 
>> line 56, in run
>>    raise admintool.ScriptError(str(e))
>> 
>> 2020-03-03T03:51:44Z DEBUG The ipa-server-upgrade command failed, exception: 
>> ScriptError: bus, object_path and dbus_interface must not be None.
>> 2020-03-03T03:51:44Z ERROR bus, object_path and dbus_interface must not be 
>> None.
>> 2020-03-03T03:51:44Z ERROR The ipa-server-upgrade command failed. See 
>> /var/log/ipaupgrade.log for more information
>> I can run the certutil command separately, so it doesn't seem to be that. I 
>> have no idea what the issue is, where to look, or how I can fix this. 
>> Suggestions?
>> 
>> OS: CentOS 7
>> IPA version: VERSION: 4.6.5, API_VERSION: 2.231
> 
> What is the output of getcert list-cas?
> 
> One or more is missing.
> 
> BTW this terrible error message is fixed upstream and will appear in
> future versions of RHEL 8 with a much better description.
> 
> rob
> 
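
Added example, not part of the original messages and not FreeIPA or certmonger code: a small parser for `getcert list-cas` output that reports which expected certmonger CA entries are absent, tolerating a `helper-location` value wrapped onto a second line by a mail client. The sample is a constructed excerpt of the output format, and the `EXPECTED` names are an assumption to adapt to your deployment; the thread does not state which entry is missing.

```python
import re

# Constructed excerpt in `getcert list-cas` format; the last value is wrapped
# onto its own line the way mail clients often wrap it.
SAMPLE = """\
CA 'SelfSign':
        is-default: no
        ca-type: INTERNAL:SELF
        next-serial-number: 01
CA 'dogtag-ipa-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'IPA':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-server-guard
/usr/libexec/certmonger/ipa-submit
"""

CA_HEADER = re.compile(r"^CA '(?P<name>[^']+)':\s*$")
ATTR = re.compile(r"^\s+(?P<key>[a-z-]+):\s*(?P<value>.*)$")

def parse_list_cas(text):
    """Return {ca_name: {attribute: value}} from `getcert list-cas` output."""
    cas, current, last_key = {}, None, None
    for line in text.splitlines():
        header, attr = CA_HEADER.match(line), ATTR.match(line)
        if header:
            current, last_key = cas.setdefault(header.group("name"), {}), None
        elif attr and current is not None:
            last_key = attr.group("key")
            current[last_key] = attr.group("value").strip()
        elif line.strip() and current is not None and last_key:
            # Not a header or "key: value" line: continuation of a wrapped value.
            current[last_key] += " " + line.strip()
    return cas

def missing_cas(text, expected):
    """Names in `expected` that have no CA entry in the output."""
    return sorted(set(expected) - set(parse_list_cas(text)))

# Assumption for illustration only: CA names this host is expected to have.
EXPECTED = ("IPA", "dogtag-ipa-renew-agent", "dogtag-ipa-ca-renew-agent")

if __name__ == "__main__":
    print("missing certmonger CAs:", missing_cas(SAMPLE, EXPECTED))
```

On a live server, pass the captured output of `getcert list-cas` to `missing_cas()` in place of `SAMPLE`.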

_______________________________________________
FreeIPA-users mailing list -- [email protected]