Bug 1181767 - ipa-upgradeconfig fails in CA-less installs
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Keywords: Regression
Reported: 2015-01-13 12:22 EST by Jan Cholasta
Modified: 2015-03-05 05:19 EST
Fixed In Version: ipa-4.1.0-16.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 05:19:23 EST
External Trackers:
Red Hat Product Errata RHSA-2015:0442 | Priority: normal | Status: SHIPPED_LIVE | Summary: Moderate: ipa security, bug fix, and enhancement update | Last Updated: 2015-03-05 09:50:39 EST

Description Jan Cholasta 2015-01-13 12:22:55 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4835

The failure is caused by:
{{{
2015-01-12T21:10:03Z INFO [Verifying that root certificate is published]
2015-01-12T21:10:03Z DEBUG Certificate file exists
2015-01-12T21:10:03Z DEBUG Trying to find certificate subject base in sysupgrade
2015-01-12T21:10:03Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2015-01-12T21:10:03Z DEBUG Found certificate subject base in sysupgrade: O=IDM.LAB.BOS.REDHAT.COM
2015-01-12T21:10:03Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-12T21:10:03Z WARNING Failed to backup CS.cfg: 'pki-cad'
2015-01-12T21:10:03Z DEBUG Ensuring that service pki-cad@pki-ca is not running while the next set of commands is being executed.
2015-01-12T21:10:03Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-upgradeconfig", line 1363, in main
    configured_constants.PKI_INSTANCE_NAME):

  File "/usr/lib64/python2.7/contextlib.py", line 17, in __enter__
    return self.gen.next()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 870, in stopped_service
    if not services.knownservices[service].is_running(instance_name):

  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 158, in __getitem__
    return self.__d[key]

2015-01-12T21:10:03Z DEBUG The ipa-upgradeconfig command failed, exception: KeyError: 'pki-cad'
}}}
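
For triaging failures like the one logged above, an added example (not part of the bug report and not FreeIPA code): a small Python parser for the ipaupgrade.log format that reports the last upgrade step started, any warnings, the innermost traceback frame and the terminating exception. The function name `triage` and the shortened sample log are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the first ipaupgrade.log excerpt in this bug.
SAMPLE_LOG = """\
2015-01-12T21:10:03Z INFO [Verifying that root certificate is published]
2015-01-12T21:10:03Z DEBUG Certificate file exists
2015-01-12T21:10:03Z WARNING Failed to backup CS.cfg: 'pki-cad'
2015-01-12T21:10:03Z DEBUG   File "/usr/sbin/ipa-upgradeconfig", line 1363, in main
    configured_constants.PKI_INSTANCE_NAME):

  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 158, in __getitem__
    return self.__d[key]

2015-01-12T21:10:03Z DEBUG The ipa-upgradeconfig command failed, exception: KeyError: 'pki-cad'
"""

ENTRY_RE = re.compile(
    r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ (DEBUG|INFO|WARNING|ERROR|CRITICAL) (.*)$")
STEP_RE = re.compile(r"^\[(.+)\]$")
FRAME_RE = re.compile(r'File "([^"]+)", line (\d+), in (\w+)')
FAIL_RE = re.compile(r"command failed, exception: (\w+): (.*)$")


def triage(log_text):
    """Summarise one upgrade run: last step, warnings, innermost frame, exception."""
    summary = {"last_step": None, "warnings": [],
               "innermost_frame": None, "exception": None}
    for raw in log_text.splitlines():
        # Traceback frames may or may not carry a timestamp prefix, so search the raw line.
        frame = FRAME_RE.search(raw)
        if frame:
            summary["innermost_frame"] = (frame.group(1), int(frame.group(2)), frame.group(3))
            continue
        entry = ENTRY_RE.match(raw)
        if not entry:
            continue  # source-code echo lines and blank lines inside a traceback
        level, msg = entry.groups()
        step = STEP_RE.match(msg)
        if level == "INFO" and step:
            summary["last_step"] = step.group(1)  # step headers are bracketed INFO lines
        elif level == "WARNING":
            summary["warnings"].append(msg)
        else:
            failed = FAIL_RE.search(msg)
            if failed:
                summary["exception"] = (failed.group(1), failed.group(2))
    return summary


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The reported step is the most recent bracketed header before the failure, so it narrows down where the run stopped rather than naming the faulty function; the innermost frame does that.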
Comment 1 Namita Soman 2015-01-13 12:37:19 EST
Please add steps to verify
Comment 2 Jan Cholasta 2015-01-13 12:44:18 EST
1. install CA-less IPA server
2. run ipa-upgradeconfig on the server
Comment 5 Scott Poore 2015-01-19 21:20:55 EST
This appears as if the CA checks are fixed, but I'm seeing another error now:

[root@rhel7-1 ~]# ipa-upgradeconfig 
[Verifying that root certificate is published]
Failed to backup CS.cfg: 'pki-cad'
[Migrate CRL publish directory]
CA is not configured
[Verifying that CA proxy configuration is correct]
CA is not configured
[Verifying that KDC configuration is using ipa-kdb backend]
Unexpected error
DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name org.fedorahosted.certmonger was not provided by any .service files

From ipaupgrade.log:

2015-01-20T01:59:25Z INFO [Verifying that root certificate is published]
2015-01-20T01:59:25Z DEBUG Certificate file exists
2015-01-20T01:59:25Z DEBUG Trying to find certificate subject base in sysupgrade
2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2015-01-20T01:59:25Z DEBUG Found certificate subject base in sysupgrade: O=EXAMPLE.TEST
2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z WARNING Failed to backup CS.cfg: 'pki-cad'
2015-01-20T01:59:25Z DEBUG Ensuring that service pki-cad@pki-ca is not running while the next set of commands is being executed.
2015-01-20T01:59:25Z DEBUG Starting external process
2015-01-20T01:59:25Z DEBUG args='/bin/systemctl' 'is-active' 'pki-cad@pki-ca.service'
2015-01-20T01:59:25Z DEBUG Process finished, return code=3
2015-01-20T01:59:25Z DEBUG stdout=unknown

2015-01-20T01:59:25Z DEBUG stderr=
2015-01-20T01:59:25Z DEBUG Service pki-cad@pki-ca is not running, continue.
2015-01-20T01:59:25Z INFO [Migrate CRL publish directory]
2015-01-20T01:59:25Z INFO CA is not configured
2015-01-20T01:59:25Z INFO [Verifying that CA proxy configuration is correct]
2015-01-20T01:59:25Z INFO CA is not configured
2015-01-20T01:59:25Z INFO [Verifying that KDC configuration is using ipa-kdb backend]
2015-01-20T01:59:25Z DEBUG dbmodules already updated in /etc/krb5.conf
2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG Starting external process
2015-01-20T01:59:25Z DEBUG args='/usr/sbin/selinuxenabled'
2015-01-20T01:59:25Z DEBUG Process finished, return code=0
2015-01-20T01:59:25Z DEBUG stdout=
2015-01-20T01:59:25Z DEBUG stderr=
2015-01-20T01:59:25Z DEBUG Starting external process
2015-01-20T01:59:25Z DEBUG args='/usr/sbin/getsebool' 'httpd_can_network_connect'
2015-01-20T01:59:25Z DEBUG Process finished, return code=0
2015-01-20T01:59:25Z DEBUG stdout=httpd_can_network_connect --> on

2015-01-20T01:59:25Z DEBUG stderr=
2015-01-20T01:59:25Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG Starting external process
2015-01-20T01:59:25Z DEBUG args='/usr/sbin/getsebool' 'httpd_manage_ipa'
2015-01-20T01:59:25Z DEBUG Process finished, return code=0
2015-01-20T01:59:25Z DEBUG stdout=httpd_manage_ipa --> on

2015-01-20T01:59:25Z DEBUG stderr=
2015-01-20T01:59:25Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-upgradeconfig", line 1392, in main
    http.configure_certmonger_renewal_guard()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 233, in configure_certmonger_renewal_guard
    '/org/fedorahosted/certmonger')

  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 241, in get_object
    follow_name_owner_changes=follow_name_owner_changes)

  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 248, in __init__
    self._named_service = conn.activate_name_owner(bus_name)

  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 180, in activate_name_owner
    self.start_service_by_name(bus_name)

  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 278, in start_service_by_name
    'su', (bus_name, flags)))

  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)

So, is this failure a bug in the fix or a new bug?
Comment 6 Jan Cholasta 2015-01-20 03:36:18 EST
The code where the exception occurs was introduced in the fix for bug 1173207. Anyway, this shouldn't happen. Do you have certmonger installed?
Comment 7 Jan Cholasta 2015-01-20 04:35:19 EST
It turns out that D-Bus can't find certmonger if it is not running, even if it is installed.

I will prepare a patch for this.
Comment 10 Scott Poore 2015-01-20 11:13:17 EST
Adding the Regression keyword here, as this could affect upgrades.
Comment 12 Scott Poore 2015-01-22 13:51:31 EST
Verified.

Version ::

ipa-server-4.1.0-16.el7.x86_64

Results ::

Installed CA-less IPA Server.  

Then:

[root@rhel7-1 ~]# ipa-upgradeconfig 
[Verifying that root certificate is published]
Failed to backup CS.cfg: 'pki-cad'
[Migrate CRL publish directory]
CA is not configured
[Verifying that CA proxy configuration is correct]
CA is not configured
[Verifying that KDC configuration is using ipa-kdb backend]
[Updating mod_nss protocol versions]
[Fixing trust flags in /etc/httpd/alias]
CA is not enabled
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
Object-signing certificate was not found. Creating unsigned Firefox configuration extension.
[Add missing CA DNS records]
DNS is not configured
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Enabling "dnssec-enable" configuration in DNS]
[Setting "bindkeys-file" option in named.conf]
[Including named root key in named.conf]
Changes to named.conf have been made, restart named
[Verifying that CA service certificate profile is updated]
CA is not configured
[Update certmonger certificate renewal configuration to version 3]
CA is not configured
[Enable PKIX certificate path discovery and validation]
CA is not configured
The ipa-upgradeconfig command was successful
Comment 14 errata-xmlrpc 2015-03-05 05:19:23 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
