Bug 1181767
Summary: | ipa-upgradeconfig fails in CA-less installs | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Cholasta <jcholast> |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | medium | ||
Version: | 7.0 | CC: | dpal, jcholast, mkosek, rcritten, spoore, tlavigne |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-4.1.0-16.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-03-05 10:19:23 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jan Cholasta
2015-01-13 17:22:55 UTC
Please add steps to verify 1. install CA-less IPA server 2. run ipa-upgradeconfig on the server Fixed upstream master: https://fedorahosted.org/freeipa/changeset/5bf1c9a6f7d734c296c8eb987cfc4f7e2a345130 ipa-4-1: https://fedorahosted.org/freeipa/changeset/065e2bbc9f2260d8c60c55f92a386513727576da This appears as if the CA checks are fixed but, I'm seeing another error now: [root@rhel7-1 ~]# ipa-upgradeconfig [Verifying that root certificate is published] Failed to backup CS.cfg: 'pki-cad' [Migrate CRL publish directory] CA is not configured [Verifying that CA proxy configuration is correct] CA is not configured [Verifying that KDC configuration is using ipa-kdb backend] Unexpected error DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name org.fedorahosted.certmonger was not provided by any .service files From ipaupgrade.log: 2015-01-20T01:59:25Z INFO [Verifying that root certificate is published] 2015-01-20T01:59:25Z DEBUG Certificate file exists 2015-01-20T01:59:25Z DEBUG Trying to find certificate subject base in sysupgrade 2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' 2015-01-20T01:59:25Z DEBUG Found certificate subject base in sysupgrade: O=EXAMPLE.TEST 2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2015-01-20T01:59:25Z WARNING Failed to backup CS.cfg: 'pki-cad' 2015-01-20T01:59:25Z DEBUG Ensuring that service pki-cad@pki-ca is not running while the next set of commands is being executed. 2015-01-20T01:59:25Z DEBUG Starting external process 2015-01-20T01:59:25Z DEBUG args='/bin/systemctl' 'is-active' 'pki-cad' 2015-01-20T01:59:25Z DEBUG Process finished, return code=3 2015-01-20T01:59:25Z DEBUG stdout=unknown 2015-01-20T01:59:25Z DEBUG stderr= 2015-01-20T01:59:25Z DEBUG Service pki-cad@pki-ca is not running, continue. 2015-01-20T01:59:25Z INFO [Migrate CRL publish directory] 2015-01-20T01:59:25Z INFO CA is not configured 2015-01-20T01:59:25Z INFO [Verifying that CA proxy configuration is correct] 2015-01-20T01:59:25Z INFO CA is not configured 2015-01-20T01:59:25Z INFO [Verifying that KDC configuration is using ipa-kdb backend] 2015-01-20T01:59:25Z DEBUG dbmodules already updated in /etc/krb5.conf 2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2015-01-20T01:59:25Z DEBUG Starting external process 2015-01-20T01:59:25Z DEBUG args='/usr/sbin/selinuxenabled' 2015-01-20T01:59:25Z DEBUG Process finished, return code=0 2015-01-20T01:59:25Z DEBUG stdout= 2015-01-20T01:59:25Z DEBUG stderr= 2015-01-20T01:59:25Z DEBUG Starting external process 2015-01-20T01:59:25Z DEBUG args='/usr/sbin/getsebool' 'httpd_can_network_connect' 2015-01-20T01:59:25Z DEBUG Process finished, return code=0 2015-01-20T01:59:25Z DEBUG stdout=httpd_can_network_connect --> on 2015-01-20T01:59:25Z DEBUG stderr= 2015-01-20T01:59:25Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2015-01-20T01:59:25Z DEBUG Starting external process 2015-01-20T01:59:25Z DEBUG args='/usr/sbin/getsebool' 'httpd_manage_ipa' 2015-01-20T01:59:25Z DEBUG Process finished, return code=0 2015-01-20T01:59:25Z DEBUG stdout=httpd_manage_ipa --> on 2015-01-20T01:59:25Z DEBUG stderr= 2015-01-20T01:59:25Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2015-01-20T01:59:25Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2015-01-20T01:59:25Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script return_value = main_function() File "/usr/sbin/ipa-upgradeconfig", line 1392, in main http.configure_certmonger_renewal_guard() File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 233, in configure_certmonger_renewal_guard '/org/fedorahosted/certmonger') File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 241, in get_object follow_name_owner_changes=follow_name_owner_changes) File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 248, in __init__ self._named_service = conn.activate_name_owner(bus_name) File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 180, in activate_name_owner self.start_service_by_name(bus_name) File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 278, in start_service_by_name 'su', (bus_name, flags))) File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking message, timeout) So, is this failure a bug in the fix or a new bug? The code where the exception occurs was introduced in the fix for bug 1173207. Anyway this shouldn't happen, do you have certmonger installed? It turns out that D-Bus can't find certmonger if it is not running, even if it is installed. I will prepare a patch for this. Problem described in Comment 7 fixed upstream master: https://fedorahosted.org/freeipa/changeset/82ab0eabf8b963023611ceb42f87244f40651c05 ipa-4-1: https://fedorahosted.org/freeipa/changeset/f204b28da316f60d85c6a6a0578e78ac74397fac adding Regression keyword here as this could affect upgrades. Verified. Version :: ipa-server-4.1.0-16.el7.x86_64 Results :: Installed CA-less IPA Server. Then: [root@rhel7-1 ~]# ipa-upgradeconfig [Verifying that root certificate is published] Failed to backup CS.cfg: 'pki-cad' [Migrate CRL publish directory] CA is not configured [Verifying that CA proxy configuration is correct] CA is not configured [Verifying that KDC configuration is using ipa-kdb backend] [Updating mod_nss protocol versions] [Fixing trust flags in /etc/httpd/alias] CA is not enabled [Fix DS schema file syntax] [Removing RA cert from DS NSS database] [Removing self-signed CA] [Checking for deprecated KDC configuration files] [Checking for deprecated backups of Samba configuration files] [Setting up Firefox extension] Object-signing certificate was not found. Creating unsigned Firefox configuration extension. [Add missing CA DNS records] DNS is not configured [Removing deprecated DNS configuration options] [Ensuring minimal number of connections] [Enabling serial autoincrement in DNS] [Updating GSSAPI configuration in DNS] [Updating pid-file configuration in DNS] [Enabling "dnssec-enable" configuration in DNS] [Setting "bindkeys-file" option in named.conf] [Including named root key in named.conf] Changes to named.conf have been made, restart named [Verifying that CA service certificate profile is updated] CA is not configured [Update certmonger certificate renewal configuration to version 3] CA is not configured [Enable PKIX certificate path discovery and validation] CA is not configured The ipa-upgradeconfig command was successful Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html |