Bug 1181767
| Summary: | ipa-upgradeconfig fails in CA-less installs | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Cholasta <jcholast> | 
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | 
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> | 
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 | CC: | dpal, jcholast, mkosek, rcritten, spoore, tlavigne | 
| Target Milestone: | rc | Keywords: | Regression | 
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.1.0-16.el7 | Doc Type: | Bug Fix | 
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-03-05 10:19:23 UTC | Type: | --- | 
| Regression: | --- | Mount Type: | --- | 
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||

Description: Jan Cholasta, 2015-01-13 17:22:55 UTC

Please add steps to verify

1. install CA-less IPA server
2. run ipa-upgradeconfig on the server

Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/5bf1c9a6f7d734c296c8eb987cfc4f7e2a345130
ipa-4-1: https://fedorahosted.org/freeipa/changeset/065e2bbc9f2260d8c60c55f92a386513727576da

This appears as if the CA checks are fixed but, I'm seeing another error now:
[root@rhel7-1 ~]# ipa-upgradeconfig 
[Verifying that root certificate is published]
Failed to backup CS.cfg: 'pki-cad'
[Migrate CRL publish directory]
CA is not configured
[Verifying that CA proxy configuration is correct]
CA is not configured
[Verifying that KDC configuration is using ipa-kdb backend]
Unexpected error
DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name org.fedorahosted.certmonger was not provided by any .service files
From ipaupgrade.log:
2015-01-20T01:59:25Z INFO [Verifying that root certificate is published]
2015-01-20T01:59:25Z DEBUG Certificate file exists
2015-01-20T01:59:25Z DEBUG Trying to find certificate subject base in sysupgrade
2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2015-01-20T01:59:25Z DEBUG Found certificate subject base in sysupgrade: O=EXAMPLE.TEST
2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z WARNING Failed to backup CS.cfg: 'pki-cad'
2015-01-20T01:59:25Z DEBUG Ensuring that service pki-cad@pki-ca is not running while the next set of commands is being executed.
2015-01-20T01:59:25Z DEBUG Starting external process
2015-01-20T01:59:25Z DEBUG args='/bin/systemctl' 'is-active' 'pki-cad'
2015-01-20T01:59:25Z DEBUG Process finished, return code=3
2015-01-20T01:59:25Z DEBUG stdout=unknown
2015-01-20T01:59:25Z DEBUG stderr=
2015-01-20T01:59:25Z DEBUG Service pki-cad@pki-ca is not running, continue.
2015-01-20T01:59:25Z INFO [Migrate CRL publish directory]
2015-01-20T01:59:25Z INFO CA is not configured
2015-01-20T01:59:25Z INFO [Verifying that CA proxy configuration is correct]
2015-01-20T01:59:25Z INFO CA is not configured
2015-01-20T01:59:25Z INFO [Verifying that KDC configuration is using ipa-kdb backend]
2015-01-20T01:59:25Z DEBUG dbmodules already updated in /etc/krb5.conf
2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG Starting external process
2015-01-20T01:59:25Z DEBUG args='/usr/sbin/selinuxenabled'
2015-01-20T01:59:25Z DEBUG Process finished, return code=0
2015-01-20T01:59:25Z DEBUG stdout=
2015-01-20T01:59:25Z DEBUG stderr=
2015-01-20T01:59:25Z DEBUG Starting external process
2015-01-20T01:59:25Z DEBUG args='/usr/sbin/getsebool' 'httpd_can_network_connect'
2015-01-20T01:59:25Z DEBUG Process finished, return code=0
2015-01-20T01:59:25Z DEBUG stdout=httpd_can_network_connect --> on
2015-01-20T01:59:25Z DEBUG stderr=
2015-01-20T01:59:25Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG Starting external process
2015-01-20T01:59:25Z DEBUG args='/usr/sbin/getsebool' 'httpd_manage_ipa'
2015-01-20T01:59:25Z DEBUG Process finished, return code=0
2015-01-20T01:59:25Z DEBUG stdout=httpd_manage_ipa --> on
2015-01-20T01:59:25Z DEBUG stderr=
2015-01-20T01:59:25Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-upgradeconfig", line 1392, in main
    http.configure_certmonger_renewal_guard()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 233, in configure_certmonger_renewal_guard
    '/org/fedorahosted/certmonger')
  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 241, in get_object
    follow_name_owner_changes=follow_name_owner_changes)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 248, in __init__
    self._named_service = conn.activate_name_owner(bus_name)
  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 180, in activate_name_owner
    self.start_service_by_name(bus_name)
  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 278, in start_service_by_name
    'su', (bus_name, flags)))
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
So, is this failure a bug in the fix or a new bug?
The code where the exception occurs was introduced in the fix for bug 1173207. Anyway this shouldn't happen, do you have certmonger installed?

It turns out that D-Bus can't find certmonger if it is not running, even if it is installed. I will prepare a patch for this.

Problem described in Comment 7 fixed upstream
master: https://fedorahosted.org/freeipa/changeset/82ab0eabf8b963023611ceb42f87244f40651c05
ipa-4-1: https://fedorahosted.org/freeipa/changeset/f204b28da316f60d85c6a6a0578e78ac74397fac

adding Regression keyword here as this could affect upgrades.

Verified.

Version ::

ipa-server-4.1.0-16.el7.x86_64

Results ::

Installed CA-less IPA Server. Then:

[root@rhel7-1 ~]# ipa-upgradeconfig
[Verifying that root certificate is published]
Failed to backup CS.cfg: 'pki-cad'
[Migrate CRL publish directory]
CA is not configured
[Verifying that CA proxy configuration is correct]
CA is not configured
[Verifying that KDC configuration is using ipa-kdb backend]
[Updating mod_nss protocol versions]
[Fixing trust flags in /etc/httpd/alias]
CA is not enabled
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
Object-signing certificate was not found. Creating unsigned Firefox configuration extension.
[Add missing CA DNS records]
DNS is not configured
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Enabling "dnssec-enable" configuration in DNS]
[Setting "bindkeys-file" option in named.conf]
[Including named root key in named.conf]
Changes to named.conf have been made, restart named
[Verifying that CA service certificate profile is updated]
CA is not configured
[Update certmonger certificate renewal configuration to version 3]
CA is not configured
[Enable PKIX certificate path discovery and validation]
CA is not configured
The ipa-upgradeconfig command was successful

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
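
The failed run's console output stops right after the KDC step header, while the traceback points at `configure_certmonger_renewal_guard`. The following log triage script is an added example, not part of the original report or of FreeIPA. It reports both so the two are not confused. The `triage` function and its regexes are hypothetical, and the sample is constructed from lines quoted in this report.

```python
import re

# Constructed sample: lines copied from the ipaupgrade.log excerpt in this report,
# with the exception text from the console output appended as the final line.
SAMPLE_LOG = """\
2015-01-20T01:59:25Z INFO [Verifying that root certificate is published]
2015-01-20T01:59:25Z WARNING Failed to backup CS.cfg: 'pki-cad'
2015-01-20T01:59:25Z INFO [Migrate CRL publish directory]
2015-01-20T01:59:25Z INFO [Verifying that KDC configuration is using ipa-kdb backend]
2015-01-20T01:59:25Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-upgradeconfig", line 1392, in main
    http.configure_certmonger_renewal_guard()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 233, in configure_certmonger_renewal_guard
    '/org/fedorahosted/certmonger')
  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 241, in get_object
    follow_name_owner_changes=follow_name_owner_changes)
DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name org.fedorahosted.certmonger was not provided by any .service files
"""

STEP = re.compile(r"^\S+Z INFO \[(.+)\]$")
WARN = re.compile(r"^\S+Z WARNING (.+)$")
FRAME = re.compile(r'File "([^"]+)", line (\d+), in (\w+)')
ERROR = re.compile(r"^(\w+(?:Exception|Error)): (.+)$")


def triage(log_text):
    """Summarise one upgrade run: last step header, warnings, failing IPA frame."""
    result = {"last_step": None, "warnings": [], "ipa_frame": None, "error": None}
    for line in log_text.splitlines():
        if m := STEP.match(line):
            result["last_step"] = m.group(1)
        elif m := WARN.match(line):
            result["warnings"].append(m.group(1))
        elif m := FRAME.search(line):
            path, lineno, func = m.group(1), int(m.group(2)), m.group(3)
            # Keep the deepest frame in IPA's own code, not in library code.
            if "/ipaserver/" in path or path.endswith("ipa-upgradeconfig"):
                result["ipa_frame"] = (path, lineno, func)
        elif m := ERROR.match(line):
            result["error"] = (m.group(1), m.group(2))
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
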