1181767 – ipa-upgradeconfig fails in CA-less installs

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1181767 - ipa-upgradeconfig fails in CA-less installs

Summary: ipa-upgradeconfig fails in CA-less installs

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-01-13 17:22 UTC by Jan Cholasta
Modified:	2015-03-05 10:19 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ipa-4.1.0-16.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-03-05 10:19:23 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0442	0	normal	SHIPPED_LIVE	Moderate: ipa security, bug fix, and enhancement update	2015-03-05 14:50:39 UTC

Description Jan Cholasta 2015-01-13 17:22:55 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4835

The failure is caused by:
{{{
2015-01-12T21:10:03Z INFO [Verifying that root certificate is published]
2015-01-12T21:10:03Z DEBUG Certificate file exists
2015-01-12T21:10:03Z DEBUG Trying to find certificate subject base in sysupgrade
2015-01-12T21:10:03Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2015-01-12T21:10:03Z DEBUG Found certificate subject base in sysupgrade: O=IDM.LAB.BOS.REDHAT.COM
2015-01-12T21:10:03Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-12T21:10:03Z WARNING Failed to backup CS.cfg: 'pki-cad'
2015-01-12T21:10:03Z DEBUG Ensuring that service pki-cad@pki-ca is not running while the next set of commands is being executed.
2015-01-12T21:10:03Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-upgradeconfig", line 1363, in main
    configured_constants.PKI_INSTANCE_NAME):

  File "/usr/lib64/python2.7/contextlib.py", line 17, in __enter__
    return self.gen.next()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 870, in stopped_service
    if not services.knownservices[service].is_running(instance_name):

  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 158, in __getitem__
    return self.__d[key]

2015-01-12T21:10:03Z DEBUG The ipa-upgradeconfig command failed, exception: KeyError: 'pki-cad'
}}}

Comment 1 Namita Soman 2015-01-13 17:37:19 UTC

Please add steps to verify

Comment 2 Jan Cholasta 2015-01-13 17:44:18 UTC

1. install CA-less IPA server
2. run ipa-upgradeconfig on the server

Comment 3 Jan Cholasta 2015-01-13 17:56:44 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/5bf1c9a6f7d734c296c8eb987cfc4f7e2a345130
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/065e2bbc9f2260d8c60c55f92a386513727576da

Comment 5 Scott Poore 2015-01-20 02:20:55 UTC

This appears as if the CA checks are fixed but, I'm seeing another error now:

[root@rhel7-1 ~]# ipa-upgradeconfig 
[Verifying that root certificate is published]
Failed to backup CS.cfg: 'pki-cad'
[Migrate CRL publish directory]
CA is not configured
[Verifying that CA proxy configuration is correct]
CA is not configured
[Verifying that KDC configuration is using ipa-kdb backend]
Unexpected error
DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name org.fedorahosted.certmonger was not provided by any .service files

From ipaupgrade.log:

2015-01-20T01:59:25Z INFO [Verifying that root certificate is published]
2015-01-20T01:59:25Z DEBUG Certificate file exists
2015-01-20T01:59:25Z DEBUG Trying to find certificate subject base in sysupgrade
2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2015-01-20T01:59:25Z DEBUG Found certificate subject base in sysupgrade: O=EXAMPLE.TEST
2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z WARNING Failed to backup CS.cfg: 'pki-cad'
2015-01-20T01:59:25Z DEBUG Ensuring that service pki-cad@pki-ca is not running while the next set of commands is being executed.
2015-01-20T01:59:25Z DEBUG Starting external process
2015-01-20T01:59:25Z DEBUG args='/bin/systemctl' 'is-active' 'pki-cad'
2015-01-20T01:59:25Z DEBUG Process finished, return code=3
2015-01-20T01:59:25Z DEBUG stdout=unknown

2015-01-20T01:59:25Z DEBUG stderr=
2015-01-20T01:59:25Z DEBUG Service pki-cad@pki-ca is not running, continue.
2015-01-20T01:59:25Z INFO [Migrate CRL publish directory]
2015-01-20T01:59:25Z INFO CA is not configured
2015-01-20T01:59:25Z INFO [Verifying that CA proxy configuration is correct]
2015-01-20T01:59:25Z INFO CA is not configured
2015-01-20T01:59:25Z INFO [Verifying that KDC configuration is using ipa-kdb backend]
2015-01-20T01:59:25Z DEBUG dbmodules already updated in /etc/krb5.conf
2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG Starting external process
2015-01-20T01:59:25Z DEBUG args='/usr/sbin/selinuxenabled'
2015-01-20T01:59:25Z DEBUG Process finished, return code=0
2015-01-20T01:59:25Z DEBUG stdout=
2015-01-20T01:59:25Z DEBUG stderr=
2015-01-20T01:59:25Z DEBUG Starting external process
2015-01-20T01:59:25Z DEBUG args='/usr/sbin/getsebool' 'httpd_can_network_connect'
2015-01-20T01:59:25Z DEBUG Process finished, return code=0
2015-01-20T01:59:25Z DEBUG stdout=httpd_can_network_connect --> on

2015-01-20T01:59:25Z DEBUG stderr=
2015-01-20T01:59:25Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG Starting external process
2015-01-20T01:59:25Z DEBUG args='/usr/sbin/getsebool' 'httpd_manage_ipa'
2015-01-20T01:59:25Z DEBUG Process finished, return code=0
2015-01-20T01:59:25Z DEBUG stdout=httpd_manage_ipa --> on

2015-01-20T01:59:25Z DEBUG stderr=
2015-01-20T01:59:25Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-01-20T01:59:25Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-upgradeconfig", line 1392, in main
    http.configure_certmonger_renewal_guard()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 233, in configure_certmonger_renewal_guard
    '/org/fedorahosted/certmonger')

  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 241, in get_object
    follow_name_owner_changes=follow_name_owner_changes)

  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 248, in __init__
    self._named_service = conn.activate_name_owner(bus_name)

  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 180, in activate_name_owner
    self.start_service_by_name(bus_name)

  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 278, in start_service_by_name
    'su', (bus_name, flags)))

  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)

So, is this failure a bug in the fix or a new bug?

Comment 6 Jan Cholasta 2015-01-20 08:36:18 UTC

The code where the exception occurs was introduced in the fix for bug 1173207. Anyway this shouldn't happen, do you have certmonger installed?

Comment 7 Jan Cholasta 2015-01-20 09:35:19 UTC

It turns out that D-Bus can't find certmonger if it is not running, even if it is installed.

I will prepare a patch for this.

Comment 9 Martin Kosek 2015-01-20 14:36:55 UTC

Problem described in Comment 7 fixed upstream

master:
https://fedorahosted.org/freeipa/changeset/82ab0eabf8b963023611ceb42f87244f40651c05
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/f204b28da316f60d85c6a6a0578e78ac74397fac

Comment 10 Scott Poore 2015-01-20 16:13:17 UTC

adding Regression keyword here as this could affect upgrades.

Comment 12 Scott Poore 2015-01-22 18:51:31 UTC

Verified.

Version ::

ipa-server-4.1.0-16.el7.x86_64

Results ::

Installed CA-less IPA Server.  

Then:

[root@rhel7-1 ~]# ipa-upgradeconfig 
[Verifying that root certificate is published]
Failed to backup CS.cfg: 'pki-cad'
[Migrate CRL publish directory]
CA is not configured
[Verifying that CA proxy configuration is correct]
CA is not configured
[Verifying that KDC configuration is using ipa-kdb backend]
[Updating mod_nss protocol versions]
[Fixing trust flags in /etc/httpd/alias]
CA is not enabled
[Fix DS schema file syntax]
[Removing RA cert from DS NSS database]
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
Object-signing certificate was not found. Creating unsigned Firefox configuration extension.
[Add missing CA DNS records]
DNS is not configured
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Enabling "dnssec-enable" configuration in DNS]
[Setting "bindkeys-file" option in named.conf]
[Including named root key in named.conf]
Changes to named.conf have been made, restart named
[Verifying that CA service certificate profile is updated]
CA is not configured
[Update certmonger certificate renewal configuration to version 3]
CA is not configured
[Enable PKIX certificate path discovery and validation]
CA is not configured
The ipa-upgradeconfig command was successful

Comment 14 errata-xmlrpc 2015-03-05 10:19:23 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

Note You need to log in before you can comment on or make changes to this bug.