Bug 1505369 - ERROR while updating IPA from RHEL 7.3 to RHEL 7.4 packages
Status: CLOSED DUPLICATE of bug 1480102
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
Reported: 2017-10-23 12:40 UTC by Lea Bradacova
Modified: 2017-11-13 06:59 UTC
Last Closed: 2017-11-13 06:59:19 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1480102 0 high CLOSED ipa-server-upgrade failes with "This entry already exists" 2021-02-22 00:41:40 UTC

Description Lea Bradacova 2017-10-23 12:40:06 UTC
Description of problem:

Our customer is trying to upgrade IPA but it ends with:

Upgrade failed with This entry already exists
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
('IPA upgrade failed.', 1)
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

My colleague, an IPA specialist, defined two options:

1. The problem is that all three certificates already in LDAP have the same value of ipaCertIssuerSerial and the check (attribute uniqueness plugin) fails automatically while adding any other cert.

2. The problem comes while importing the cert to LDAP (CN=VIG Czech Republic - Root CA,DC=koop,DC=int) while the check plugin found a record with an identical value of ipaCertIssuerSerial.

IPA Upgrade log:

2017-10-02T08:28:16Z DEBUG stderr=
2017-10-02T08:28:16Z DEBUG Destroyed connection context.ldap2_94886096
2017-10-02T08:28:16Z ERROR Upgrade failed with This entry already exists
2017-10-02T08:28:16Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 220, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 911, in update
    self._run_updates(all_updates)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 883, in _run_updates
    self._run_update_plugin(update['plugin'])
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 859, in _run_update_plugin
    restart_ds, updates = self.api.Updater[plugin_name]()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1470, in _call_
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py", line 84, in execute
    ldap.update_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1553, in update_entry
    self.conn.modify_s(str(entry.dn), modlist)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in _exit_
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
    raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

2017-10-02T08:28:16Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 228, in __upgrade
    raise RuntimeError(e)
RuntimeError: This entry already exists

2017-10-02T08:28:16Z DEBUG [error] RuntimeError: This entry already exists
2017-10-02T08:28:16Z DEBUG [cleanup]: stopping directory server
2017-10-02T08:28:16Z DEBUG Destroyed connection context.ldap2_57176400
2017-10-02T08:28:16Z DEBUG Starting external process
2017-10-02T08:28:16Z DEBUG args=/bin/systemctl stop dirsrv
2017-10-02T08:29:33Z DEBUG Process finished, return code=0
2017-10-02T08:29:33Z DEBUG stdout=
2017-10-02T08:29:33Z DEBUG stderr=
2017-10-02T08:29:33Z DEBUG duration: 76 seconds
2017-10-02T08:29:33Z DEBUG [cleanup]: restoring configuration
2017-10-02T08:29:33Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-02T08:29:33Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-02T08:29:33Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-02T08:29:33Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-02T08:29:33Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'


Version-Release number of selected component (if applicable):


How reproducible:

Always, when trying to upgrade

Steps to Reproduce:
1.
2.
3.

Actual results:

Based on all symptoms it seems like this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1480102#c2 but we are not able to work around it because in our case there's nothing to rename - https://access.redhat.com/solutions/3176421

Expected results:
Working upgrade - please help us to apply the solution

Additional info:

our configuration:
[root@ipa-tst-01 dklima]# certutil -d /etc/httpd/alias -L -f /etc/httpd/alias/pwdfile.txt

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

Signing-Cert u,u,u
CN=VIG Czech Republic - Root CA,DC=koop,DC=int CT,C,C
INTERNAL.SERVICES IPA CA CT,C,C
ipaCert u,u,u
Server-Cert u,u,u

[root@ipa-tst-02 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=certificates,cn=ipa,cn=etc,dc=internal,dc=services" dn ipaCertIssuerSerial
Enter LDAP Password:
dn: cn=certificates,cn=ipa,cn=etc,dc=internal,dc=services

dn: cn=CN\3DVIG Czech Republic - Root CA\2CDC\3Dkoop\2CDC\3Dint,cn=certificate
 s,cn=ipa,cn=etc,dc=internal,dc=services
ipaCertIssuerSerial: CN=VIG Czech Republic - Root CA,DC=koop,DC=int;5568479957
 1164127595453461947360030726

dn: cn=INTERNAL.SERVICES IPA CA,cn=certificates,cn=ipa,cn=etc,dc=internal,dc=s
 ervices
ipaCertIssuerSerial: CN=VIG Czech Republic - Root CA,DC=koop,DC=int;2096270049
 017594713081755922092318651133722692

dn: cn=CN\3DCertificate Authority\2CO\3DINTERNAL.SERVICES test,cn=certificates
 ,cn=ipa,cn=etc,dc=internal,dc=services
ipaCertIssuerSerial: CN=VIG Czech Republic - Root CA,DC=koop,DC=int;2096270049
 017594713081755922092318651133722692

Thank you for your support,

Lea Bradacova

Comment 2 Florence Blanc-Renaud 2017-10-30 15:07:57 UTC
Hi,

it looks like the entries
cn=INTERNAL.SERVICES IPA CA,cn=certificates,cn=ipa,cn=etc,dc=internal,dc=services
and 
cn=CN\3DCertificate Authority\2CO\3DINTERNAL.SERVICES test,cn=certificates,cn=ipa,cn=etc,dc=internal,dc=services

both contain the same certificate (same serial number).

The workaround (as described in BZ 1480102) would be to delete the entry cn=CN\3DCertificate Authority\2CO\3DINTERNAL.SERVICES test,cn=certificates,cn=ipa,cn=etc,dc=internal,dc=services
and re-run ipa-server-upgrade.

Please refer to BZ 
https://bugzilla.redhat.com/show_bug.cgi?id=1489817 for the errata providing the fix.

Comment 3 Lea Bradacova 2017-11-10 16:52:27 UTC
The customer chose to restore the machines from backup before the update, deleted the certificate:
dn: cn=CN\3DCertificate Authority\,O\3DINTERNAL.SERVICES test,cn=certificates,cn=ipa,cn=etc,dc=internal,dc=services
changetype: delete
and made the update.

Everything was OK then.

Comment 4 Florence Blanc-Renaud 2017-11-13 06:59:19 UTC
Thank you for the update, which confirms that the issue is a duplicate of BZ #1480102.
Hence closing this bug as duplicate.

*** This bug has been marked as a duplicate of bug 1480102 ***