1694596 – ipa-server-upgrade fails with ConversionError: invalid 'cn': must be Unicode text

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1694596 - ipa-server-upgrade fails with ConversionError: invalid 'cn': must be Unicode text

Summary: ipa-server-upgrade fails with ConversionError: invalid 'cn': must be Unicode ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-04-01 08:32 UTC by Florence Blanc-Renaud
Modified:	2019-08-06 13:09 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ipa-4.6.5-3.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-08-06 13:09:37 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:2241	0	None	None	None	2019-08-06 13:09:54 UTC

Description Florence Blanc-Renaud 2019-04-01 08:32:46 UTC

Description of problem:
ipa-server-upgrade fails

Version-Release number of selected component (if applicable):
ipa-server-4.6.5-2.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. ipa-server-install --domain $DOMAIN --realm $REALM --setup-dns --auto-forwarder --auto-reverse -a Secret123 -p Secret123 -U
2. ipa-server-upgrade

Actual results:
ipa-server-upgrade fails with:
[...]
[Create systemd-user hbac service and rule]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
ConversionError: invalid 'cn': must be Unicode text
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information


Expected results:
ipa-server-upgrade should finish successfully

Additional info:
Extract of /var/log/ipaupgrade.log:
2019-04-01T08:25:08Z INFO [Create systemd-user hbac service and rule]
2019-04-01T08:25:08Z DEBUG raw: hbacsvc_add('systemd-user', description='pam_systemd and systemd user@.service', version=u'2.230')
2019-04-01T08:25:08Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2019-04-01T08:25:08Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2146, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2033, in upgrade_configuration
    add_systemd_user_hbac()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1697, in add_systemd_user_hbac
    description='pam_systemd and systemd user@.service'
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 471, in __do_call
    params = self.convert(**params)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 672, in convert
    (k, self.params[k].convert(v)) for (k, v) in kw.items()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 672, in <genexpr>
    (k, self.params[k].convert(v)) for (k, v) in kw.items()
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 852, in convert
    return convert(value)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 1571, in _convert_scalar
    raise ConversionError(name=self.name, error=ugettext(self.type_error))

2019-04-01T08:25:08Z DEBUG The ipa-server-upgrade command failed, exception: ConversionError: invalid 'cn': must be Unicode text
2019-04-01T08:25:08Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
ConversionError: invalid 'cn': must be Unicode text
2019-04-01T08:25:08Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

Comment 3 Florence Blanc-Renaud 2019-04-01 08:44:27 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/7896

Comment 5 Christian Heimes 2019-04-01 10:36:29 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/d60122f9fba9fd9f74721763c4d5cf9f9f93986c

Comment 6 Florence Blanc-Renaud 2019-04-01 12:23:30 UTC

Fixed upstream
ipa-4-7:
https://pagure.io/freeipa/c/84197a03c764bfd66c91deb42f843662ec02582b

Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/4c4d0841161b4cc774f2e4fe69531a7f144b2b2b

Comment 8 Nikhil Dehadrai 2019-04-02 10:52:08 UTC

Tested the bug with following observations:

1. IPA upgrade FAILs when upgraded from following upgrade paths:
RHEL 75z > RHEL77
RHEL 73z > RHEL77
RHEL 72z > RHEL77
RHEL 71z > RHEL77
RHEL 70 > RHEL77

2. IPA upgrade is successful with upgrade path:
RHEL76z > RHEL77
RHEL74z > RHEL77


Console output: (75z > 77)
------------------------------
  Cleanup    : libsss_sudo-1.16.0-19.el7_5.8.x86_64                     160/162 
  Cleanup    : libipa_hbac-1.16.0-19.el7_5.8.x86_64                     161/162 
  Cleanup    : 389-ds-base-libs-1.3.7.5-28.el7_5.x86_64                 162/162
Job for ipa.service failed because the control process exited with error code. See "systemctl status ipa.service" and "journalctl -xe" for details.
warning: %posttrans(ipa-server-4.6.5-3.el7.x86_64) scriptlet failed, exit status 1
Non-fatal POSTTRANS scriptlet failure in rpm package ipa-server-4.6.5-3.el7.x86_64
  Verifying  : sssd-dbus-1.16.4-8.el7.x86_64                              1/162 
  Verifying  : python-magic-5.11-35.el7.noarch                            2/162 


Ipa upgrade log snippet:  (75z > 77)
--------------------------------------
2019-04-02T09:40:01Z DEBUG Waiting for CA to start...
2019-04-02T09:40:02Z DEBUG request POST http://sparks.nd2aprnor.pnq:8080/ca/admin/ca/getStatus
2019-04-02T09:40:02Z DEBUG request body ''
2019-04-02T09:40:02Z DEBUG response status 500
2019-04-02T09:40:02Z DEBUG response headers Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 2208
Date: Tue, 02 Apr 2019 09:40:02 GMT
Connection: close

2019-04-02T09:40:02Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>Subsystem unavailable</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.76 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>'
2019-04-02T09:40:02Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2019-04-02T09:40:02Z DEBUG Waiting for CA to start...
2019-04-02T09:40:03Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2019-04-02T09:40:03Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 56, in run
    raise admintool.ScriptError(str(e))

2019-04-02T09:40:03Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: CA did not start in 300.0s
2019-04-02T09:40:03Z ERROR CA did not start in 300.0s
2019-04-02T09:40:03Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information


Thus on above observation marking status of bug to "ASSIGNED"

Comment 10 Florence Blanc-Renaud 2019-04-02 12:15:23 UTC

The issue described in comment #c8 is different, re-setting this BZ as ON_QA.

Comment 11 Nikhil Dehadrai 2019-04-02 12:26:06 UTC

IPA-Version: ipa-server-4.6.5-3.el7.x86_64

Tested the bug on the basis of following points:
1. Verified that IPA upgrade is successful for IPA server (RHEL 76z > RHEL77)

:: [ 14:33:44 ] :: [   PASS   ] :: Command 'yum -y update 'ipa*' sssd 'python*' 'kernel-*' 'selinux-policy*'' (Expected 0, got 0)
:: [ 14:33:44 ] :: [  BEGIN   ] :: Running 'tail -1 /var/log/ipaupgrade.log | grep 'The ipa-server-upgrade command was successful''
2019-04-02T09:02:14Z INFO The ipa-server-upgrade command was successful
:: [ 14:33:44 ] :: [   PASS   ] :: Command 'tail -1 /var/log/ipaupgrade.log | grep 'The ipa-server-upgrade command was successful'' (Expected 0, got 0)
:: [ 14:34:27 ] :: [  BEGIN   ] :: Running 'sleep 60'
:: [ 14:35:27 ] :: [   PASS   ] :: Command 'sleep 60' (Expected 0, got 0)
:: [ 14:35:27 ] :: [  BEGIN   ] :: Running 'ipactl restart'

MARK-LWD-LOOP -- 2019-04-02 14:36:04 --
ipa: INFO: The ipactl command was successful
Stopping pki-tomcatd Service
Restarting Directory Service
    debugging enabled, suppressing output.
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
:: [ 14:37:45 ] :: [   PASS   ] :: Command 'ipactl restart' (Expected 0, got 0)
:: [ 14:37:45 ] :: [  BEGIN   ] :: Running 'ipactl status'
ipa: INFO: The ipactl command was successful
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
:: [ 14:37:53 ] :: [   PASS   ] :: Command 'ipactl status' (Expected 0, got 0)
:: [ 14:37:53 ] :: [  BEGIN   ] :: Running 'service sssd status'
Redirecting to /bin/systemctl status sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-04-02 14:32:10 IST; 5min ago
 Main PID: 25910 (sssd)
   CGroup: /system.slice/sssd.service
           ├─25910 /usr/sbin/sssd -i --logger=files
           ├─25911 /usr/libexec/sssd/sssd_be --domain ndnor2apr19.test --uid 0 --gid 0 --logger=files
           ├─25912 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           ├─25913 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
           ├─25914 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --logger=files
           ├─25915 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
           ├─25916 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
           └─25917 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files

Apr 02 14:33:28 vm-idm-001.ndnor2apr19.test sssd[be[ndnor2apr19.test]][25911]: Backend is online
Apr 02 14:33:28 vm-idm-001.ndnor2apr19.test sssd_be[25911]: GSSAPI client step 2
Apr 02 14:33:28 vm-idm-001.ndnor2apr19.test sssd_be[25911]: GSSAPI client step 1
Apr 02 14:33:28 vm-idm-001.ndnor2apr19.test sssd_be[25911]: GSSAPI client step 1
Apr 02 14:33:28 vm-idm-001.ndnor2apr19.test sssd_be[25911]: GSSAPI client step 1
Apr 02 14:33:28 vm-idm-001.ndnor2apr19.test sssd_be[25911]: GSSAPI client step 2
Apr 02 14:35:41 vm-idm-001.ndnor2apr19.test sssd_be[25911]: GSSAPI client step 1
Apr 02 14:35:41 vm-idm-001.ndnor2apr19.test sssd_be[25911]: GSSAPI client step 1
Apr 02 14:35:41 vm-idm-001.ndnor2apr19.test sssd_be[25911]: GSSAPI client step 1
Apr 02 14:35:41 vm-idm-001.ndnor2apr19.test sssd_be[25911]: GSSAPI client step 2
:: [ 14:37:53 ] :: [   PASS   ] :: Command 'service sssd status' (Expected 0, got 0)
:: [ 14:37:53 ] :: [  BEGIN   ] :: Running 'service sssd restart'
Redirecting to /bin/systemctl restart sssd.service
:: [ 14:37:54 ] :: [   PASS   ] :: Command 'service sssd restart' (Expected 0, got 0)
:: [ 14:37:54 ] :: [  BEGIN   ] :: Running 'rpm -q ipa-server 389-ds-base bind bind-dyndb-ldap pki-ca sssd'
ipa-server-4.6.5-3.el7.x86_64
389-ds-base-1.3.8.4-23.el7_6.x86_64
bind-9.9.4-73.el7_6.x86_64
bind-dyndb-ldap-11.1-4.el7.x86_64
pki-ca-10.5.9-13.el7_6.noarch
sssd-1.16.4-8.el7.x86_64
:: [ 14:37:54 ] :: [   PASS   ] :: Command 'rpm -q ipa-server 389-ds-base bind bind-dyndb-ldap pki-ca sssd' (Expected 0, got 0)
 
2. For the issue mentioned at above comment#8, a separate bug is Filed : 
https://bugzilla.redhat.com/show_bug.cgi?id=1695063

Thus , since the original issue mentioned in the bug is resolved and the upgrade is successful marking this bug as 'VERIFIED'.

Comment 14 errata-xmlrpc 2019-08-06 13:09:37 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241

Note You need to log in before you can comment on or make changes to this bug.