Description of problem:
Our customer is trying to upgrade IPA, but it ends with:
Upgrade failed with This entry already exists
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
('IPA upgrade failed.', 1)
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
My colleague, an IPA specialist, defined two options:
1. The problem is that all three certificates already in LDAP have the same value of ipaCertIssuerSerial and the check (attribute uniqueness plugin) fails automatically while adding any other cert.
2. The problem comes while importing the cert to LDAP (CN=VIG Czech Republic - Root CA,DC=koop,DC=int) while the check plugin found a record with an identical value of ipaCertIssuerSerial
IPA Upgrade log:
2017-10-02T08:28:16Z DEBUG stderr=
2017-10-02T08:28:16Z DEBUG Destroyed connection context.ldap2_94886096
2017-10-02T08:28:16Z ERROR Upgrade failed with This entry already exists
2017-10-02T08:28:16Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 220, in __upgrade
self.modified = (ld.update(self.files) or self.modified)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 911, in update
self._run_updates(all_updates)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 883, in _run_updates
self._run_update_plugin(update['plugin'])
File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 859, in _run_update_plugin
restart_ds, updates = self.api.Updater[plugin_name]()
File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1470, in _call_
return self.execute(**options)
File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py", line 84, in execute
ldap.update_entry(entry)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1553, in update_entry
self.conn.modify_s(str(entry.dn), modlist)
File "/usr/lib64/python2.7/contextlib.py", line 35, in _exit_
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists
2017-10-02T08:28:16Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 228, in __upgrade
raise RuntimeError(e)
RuntimeError: This entry already exists
2017-10-02T08:28:16Z DEBUG [error] RuntimeError: This entry already exists
2017-10-02T08:28:16Z DEBUG [cleanup]: stopping directory server
2017-10-02T08:28:16Z DEBUG Destroyed connection context.ldap2_57176400
2017-10-02T08:28:16Z DEBUG Starting external process
2017-10-02T08:28:16Z DEBUG args=/bin/systemctl stop dirsrv
2017-10-02T08:29:33Z DEBUG Process finished, return code=0
2017-10-02T08:29:33Z DEBUG stdout=
2017-10-02T08:29:33Z DEBUG stderr=
2017-10-02T08:29:33Z DEBUG duration: 76 seconds
2017-10-02T08:29:33Z DEBUG [cleanup]: restoring configuration
2017-10-02T08:29:33Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-02T08:29:33Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-02T08:29:33Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-02T08:29:33Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-02T08:29:33Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
Version-Release number of selected component (if applicable):
How reproducible:
Always, while trying to upgrade
Steps to Reproduce:
1.
2.
3.
Actual results:
Based on all symptoms it seems like this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1480102#c2 but we are not able to work around it because in our case there's nothing to rename - https://access.redhat.com/solutions/3176421
Expected results:
Working upgrade - please help us to apply a solution
Additional info:
our configuration:
[root@ipa-tst-01 dklima]# certutil -d /etc/httpd/alias -L -f /etc/httpd/alias/pwdfile.txt
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Signing-Cert u,u,u
CN=VIG Czech Republic - Root CA,DC=koop,DC=int CT,C,C
INTERNAL.SERVICES IPA CA CT,C,C
ipaCert u,u,u
Server-Cert u,u,u
[root@ipa-tst-02 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=certificates,cn=ipa,cn=etc,dc=internal,dc=services" dn ipaCertIssuerSerial
Enter LDAP Password:
dn: cn=certificates,cn=ipa,cn=etc,dc=internal,dc=services
dn: cn=CN\3DVIG Czech Republic - Root CA\2CDC\3Dkoop\2CDC\3Dint,cn=certificate
 s,cn=ipa,cn=etc,dc=internal,dc=services
ipaCertIssuerSerial: CN=VIG Czech Republic - Root CA,DC=koop,DC=int;5568479957
 1164127595453461947360030726
dn: cn=INTERNAL.SERVICES IPA CA,cn=certificates,cn=ipa,cn=etc,dc=internal,dc=s
 ervices
ipaCertIssuerSerial: CN=VIG Czech Republic - Root CA,DC=koop,DC=int;2096270049
 017594713081755922092318651133722692
dn: cn=CN\3DCertificate Authority\2CO\3DINTERNAL.SERVICES test,cn=certificates
 ,cn=ipa,cn=etc,dc=internal,dc=services
ipaCertIssuerSerial: CN=VIG Czech Republic - Root CA,DC=koop,DC=int;2096270049
 017594713081755922092318651133722692
Thank you for your support,
Lea Bradacova
Comment 2 Florence Blanc-Renaud
2017-10-30 15:07:57 UTC
Hi,
it looks like the entries
cn=INTERNAL.SERVICES IPA CA,cn=certificates,cn=ipa,cn=etc,dc=internal,dc=services
and
cn=CN\3DCertificate Authority\2CO\3DINTERNAL.SERVICES test,cn=certificates,cn=ipa,cn=etc,dc=internal,dc=services
both contain the same certificate (same serial number).
The workaround (as described in BZ 1480102) would be to delete the entry cn=CN\3DCertificate Authority\2CO\3DINTERNAL.SERVICES test,cn=certificates,cn=ipa,cn=etc,dc=internal,dc=services
and re-run ipa-server-upgrade.
Please refer to BZ
https://bugzilla.redhat.com/show_bug.cgi?id=1489817 for the errata providing the fix.
The customer chose to restore machines from backup before update, delete the certificate:
dn: cn=CN\3DCertificate Authority\,O\3DINTERNAL.SERVICES test,cn=certificates,
cn=ipa,cn=etc,dc=internal,dc=services
changetype: delete
and made the update.
Everything was OK then.
Comment 4 Florence Blanc-Renaud
2017-11-13 06:59:19 UTC
Thank you for the update, which confirms that the issue is a duplicate of BZ #1480102.
Hence closing this bug as duplicate.
*** This bug has been marked as a duplicate of bug 1480102 ***
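An added example, not part of the bug report or of FreeIPA's own code: a pre-upgrade check that parses `ldapsearch -LLL` output like the one in the description, undoes LDIF line folding, and reports every ipaCertIssuerSerial value held by more than one entry under cn=certificates. The function names `parse_ldif` and `duplicate_issuer_serials` are hypothetical.

```python
import base64
from collections import defaultdict

# ldapsearch -LLL output from the report; LDIF fold spaces restored.
SAMPLE = r"""dn: cn=certificates,cn=ipa,cn=etc,dc=internal,dc=services

dn: cn=CN\3DVIG Czech Republic - Root CA\2CDC\3Dkoop\2CDC\3Dint,cn=certificate
 s,cn=ipa,cn=etc,dc=internal,dc=services
ipaCertIssuerSerial: CN=VIG Czech Republic - Root CA,DC=koop,DC=int;5568479957
 1164127595453461947360030726

dn: cn=INTERNAL.SERVICES IPA CA,cn=certificates,cn=ipa,cn=etc,dc=internal,dc=s
 ervices
ipaCertIssuerSerial: CN=VIG Czech Republic - Root CA,DC=koop,DC=int;2096270049
 017594713081755922092318651133722692

dn: cn=CN\3DCertificate Authority\2CO\3DINTERNAL.SERVICES test,cn=certificates
 ,cn=ipa,cn=etc,dc=internal,dc=services
ipaCertIssuerSerial: CN=VIG Czech Republic - Root CA,DC=koop,DC=int;2096270049
 017594713081755922092318651133722692
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per record, 'dn' included as a key."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 continuation line
        else:
            lines.append(raw)
    entries, cur = [], defaultdict(list)
    for line in lines + [""]:             # trailing "" flushes the last record
        if line:
            name, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            cur[name.lower()].append(value.strip())
        elif cur:
            entries.append(dict(cur))
            cur = defaultdict(list)
    return entries

def duplicate_issuer_serials(text):
    """Map each ipaCertIssuerSerial value held by >1 entry to the owning DNs."""
    owners = defaultdict(list)
    for entry in parse_ldif(text):
        for value in entry.get("ipacertissuerserial", []):
            owners[value].append(entry["dn"][0])
    return {v: dns for v, dns in owners.items() if len(dns) > 1}
```

On the output from the report it returns the one issuer;serial value shared by the "INTERNAL.SERVICES IPA CA" and "Certificate Authority ... test" entries, the pair identified in Comment 2.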