Bug 1270608
| Summary: | IPA upgrade fails for server with CA cert signed by external CA | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | jcholast, ksiddiqu, lkrispen, lmiksik, mbasti, mkosek, nhosoi, nkinder, pvoborni, rcritten, rmeggins, spoore, tbordaz, vashirov |
| Target Milestone: | rc | Keywords: | TestBlocker |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.2.0-14.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1267782 | Environment: | |
| Last Closed: | 2015-11-19 12:07:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Comment 4
Jan Cholasta
2015-10-12 05:29:51 UTC
Fixed upstream

master: https://fedorahosted.org/freeipa/changeset/275e1482de279081ca90ee2951bf379fbdab887f

ipa-4-2: https://fedorahosted.org/freeipa/changeset/e92da55444d6b35b25246af811d6c30eee39d93b

Verified.

Version ::

    ipa-server.x86_64 3.3.3-28.el7 @beaker-rhel-7.0-server
    Available Packages
    ipa-server.x86_64 4.2.0-14.el7 rhel72

Results ::

During yum update, the errors would appear between cleanup and verification stages. Now I see no errors:

    Cleanup : libgcc-4.8.2-16.el7.x86_64 773/773
    2619 blocks
    rhel-7.2-server/productid | 1.6 kB 00:00:00
    Verifying : libXext-1.3.3-3.el7.x86_64 1/773

And IPA is running after the upgrade:

    [root@rhel7-9 yum.repos.d]# ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    ipa_memcached Service: RUNNING
    httpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful

And just to check, ipa-server-upgrade completes too:

    [root@rhel7-9 yum.repos.d]# ipa-server-upgrade
    Upgrading IPA:
    [1/10]: stopping directory server
    [2/10]: saving configuration
    [3/10]: disabling listeners
    [4/10]: enabling DS global lock
    [5/10]: starting directory server
    [6/10]: updating schema
    [7/10]: upgrading server
    [8/10]: stopping directory server
    [9/10]: restoring configuration
    [10/10]: starting directory server
    Done.
    Update complete
    Upgrading IPA services
    Upgrading the configuration of the IPA services
    [Verifying that root certificate is published]
    [Migrate CRL publish directory]
    CRL tree already moved
    [Verifying that CA proxy configuration is correct]
    [Verifying that KDC configuration is using ipa-kdb backend]
    [Fix DS schema file syntax]
    Syntax already fixed
    [Removing RA cert from DS NSS database]
    RA cert already removed
    [Enable sidgen and extdom plugins by default]
    [Updating mod_nss protocol versions]
    Protocol versions already updated
    [Fixing trust flags in /etc/httpd/alias]
    Trust flags already processed
    [Exporting KRA agent PEM file]
    KRA is not enabled
    [Removing self-signed CA]
    [Checking for deprecated KDC configuration files]
    [Checking for deprecated backups of Samba configuration files]
    [Setting up Firefox extension]
    [Add missing CA DNS records]
    IPA CA DNS records already processed
    [Removing deprecated DNS configuration options]
    [Ensuring minimal number of connections]
    [Enabling serial autoincrement in DNS]
    [Updating GSSAPI configuration in DNS]
    [Updating pid-file configuration in DNS]
    Changes to named.conf have been made, restart named
    [Upgrading CA schema]
    CA schema update complete (no changes)
    [Verifying that CA audit signing cert has 2 year validity]
    [Update certmonger certificate renewal configuration to version 3]
    [Enable PKIX certificate path discovery and validation]
    PKIX already enabled
    [Authorizing RA Agent to modify profiles]
    [Ensuring CA is using LDAPProfileSubsystem]
    [Ensuring presence of included profiles]
    [Add default CA ACL]
    Default CA ACL already added
    The IPA services were upgraded
    The ipa-server-upgrade command was successful

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html