Bug 1957768 - ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
Summary: ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.4
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: beta
: ---
Assignee: Thomas Woerner
QA Contact: ipa-qe
lmcgarry
URL:
Whiteboard:
Depends On:
Blocks: 1959984
 
Reported: 2021-05-06 12:38 UTC by Mohammad Rizwan
Modified: 2021-11-09 23:58 UTC (History)

Fixed In Version: ipa-4.9.5-1
Doc Type: If docs needed, set a value
Doc Text:
.Upgrading an IdM server from RHEL 8.3 to RHEL 8.4 fails if pki-ca package version is earlier than 10.10.5
The IdM server upgrade program, `ipa-server-upgrade`, fails if the `pki-ca` package version is earlier than 10.10.5. Because the required files do not exist in these versions, the IdM server upgrade fails both at package installation and when `ipa-server-upgrade` or `ipactl` is executed. To resolve this issue, upgrade the `pki-*` packages to version 10.10.5 or higher and run the `ipa-server-upgrade` command again.
Clone Of:
: 1959984 (view as bug list)
Environment:
Last Closed: 2021-11-09 18:29:22 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | FREEIPA-7020 | 0 | None | None | None | 2021-10-04 07:29:54 UTC
Red Hat Knowledge Base (Solution) | 6043691 | 0 | None | None | None | 2021-05-14 08:38:52 UTC
Red Hat Product Errata | RHBA-2021:4230 | 0 | None | None | None | 2021-11-09 18:29:43 UTC

Description Mohammad Rizwan 2021-05-06 12:38:46 UTC
Description of problem:
While performing the upgrade from rhel8.3 to rhel8.4, it is failing.

Version-Release number of selected component (if applicable):
before upgrade : ipa-server-4.8.7-14.module+el8.3.0+9419+8502777d
after upgrade: ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64

How reproducible:
always

Steps to Reproduce:
1. install ipa server on rhel8.3
    $ ipa-server-install -a Secret123  -n testrelm.test -p Secret123 --setup-dns -r TESTRELM.TEST -N --allow-zone-overlap  --no-dnssec-validation --forwarder=xx.xx.xx.xx --mkhomedir --no-host-dns --auto-reverse -U

2. add the repos for rhel8.4 and update the packages 
   $ dnf module install idm:DL1/dns -y

3. ipa-server-upgrade 

Actual results:
[root@master ~]# ipa-server-upgrade 
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[..]
[Add default CA ACL]
Default CA ACL already added
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
[Errno 2] No such file or directory: '/etc/pki/pki-tomcat/acme/issuer.conf'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information


Expected results:
ipa-server-upgrade command succeeds

Additional info:

Comment 2 Rob Crittenden 2021-05-06 13:09:25 UTC
This is upgrading a non-ACME-capable installation to an ACME-capable one. A file existence check needs to be added.

Comment 3 Rob Crittenden 2021-05-06 17:19:38 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8832

Comment 4 Rob Crittenden 2021-05-06 18:17:17 UTC
Upstream PR https://github.com/freeipa/freeipa/pull/5756

Comment 13 Rob Crittenden 2021-05-12 12:59:38 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/8dac8ad834164062ef0a49d20c7bfcdf1773fbe5

Comment 20 Rob Crittenden 2021-05-12 15:23:27 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/1aa3f7a7fd24c651aafde150351328148fd517be

Comment 23 Rob Crittenden 2021-05-12 17:47:13 UTC
Kaleem discovered an important point. The version of pki-ca matters. The failing test uses pki-ca-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch which lacks ACME support.

Kaleem tested with pki-ca-10.10.5-2.module+el8.4.0+10466+9830f79e.noarch which works because it is ACME-capable so ACME was deployed and the missing directory and files exist.

So the workaround if this happens is to upgrade the pki-* packages and re-run ipa-server-upgrade.

We need to bump the Requires in ipa.spec from 10.9.0-0.4 to 10.10.5 and ideally include the upstream patch as well for correctness.
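
The triage implied by comment 23, as an added example that is not part of the bug thread and not FreeIPA or Red Hat code: it looks for the error line from the description in a captured log and compares the installed pki-ca version with 10.10.5. The function names, the return codes, and the assumption that the error text appears verbatim in the file passed in belong to this example.

```bash
#!/usr/bin/env bash
# Added example, not FreeIPA or Red Hat code. Triage for the failure in this bug.
MIN_PKI_VERSION="10.10.5"   # minimum pki-ca version per the Doc Text and comment 23
# Error text copied from the failing run in the bug description.
ACME_SIGNATURE="No such file or directory: '/etc/pki/pki-tomcat/acme/issuer.conf'"

# pki_version_from_nvr NVR: upstream version from `rpm -q pki-ca` style output,
# e.g. pki-ca-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch -> 10.9.4
pki_version_from_nvr() {
    local rest="${1#pki-ca-}"
    printf '%s\n' "${rest%%-*}"
}

# version_ge A B: true when dotted version A >= B. sort -V compares each
# component numerically; a string comparison would rank 10.9.4 above 10.10.5.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# diagnose LOGFILE NVR: print a verdict and return
#   0 = signature absent, 1 = this bug (pki-ca too old), 2 = signature with new pki-ca
diagnose() {
    local version
    version="$(pki_version_from_nvr "$2")"
    if ! grep -qF -- "$ACME_SIGNATURE" "$1"; then
        echo "no-match: ACME issuer.conf error not found in $1"
        return 0
    fi
    if version_ge "$version" "$MIN_PKI_VERSION"; then
        echo "investigate: error present although pki-ca $version >= $MIN_PKI_VERSION"
        return 2
    fi
    echo "known-bug: pki-ca $version < $MIN_PKI_VERSION; update pki-* and re-run ipa-server-upgrade"
    return 1
}

# Demo on a constructed log (two lines taken from the bug's console output).
# On a server: diagnose /var/log/ipaupgrade.log "$(rpm -q pki-ca)"
demo_log="$(mktemp)"
printf '%s\n' "Default CA ACL already added" \
    "[Errno 2] $ACME_SIGNATURE" > "$demo_log"
diagnose "$demo_log" "pki-ca-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch" || true
rm -f "$demo_log"
```
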

Comment 34 Sumedh Sidhaye 2021-07-02 06:25:53 UTC
Build used for verification:

ipa-client-4.9.5-1.module+el8.5.0+11410+91a33fe4.x86_64
ipa-client-common-4.9.5-1.module+el8.5.0+11410+91a33fe4.noarch
ipa-common-4.9.5-1.module+el8.5.0+11410+91a33fe4.noarch
ipa-healthcheck-0.7-6.module+el8.5.0+11410+91a33fe4.noarch
ipa-healthcheck-core-0.7-6.module+el8.5.0+11410+91a33fe4.noarch
ipa-selinux-4.9.2-4.module+el8.4.0+11156+94d209c1.noarch
ipa-server-4.9.5-1.module+el8.5.0+11410+91a33fe4.x86_64
ipa-server-common-4.9.5-1.module+el8.5.0+11410+91a33fe4.noarch
ipa-server-dns-4.9.5-1.module+el8.5.0+11410+91a33fe4.noarch
ipa-server-trust-ad-4.9.5-1.module+el8.5.0+11410+91a33fe4.x86_64


Repo Used:
http://download.eng.bos.redhat.com/rhel-8/nightly/RHEL-8/latest-RHEL-8.5.0/compose/AppStream/x86_64/os/Packages/



Test Results:

2021-07-02T04:27:53 collecting ... collected 5 items
2021-07-02T04:27:53
2021-07-02T04:37:46 src/ipa_upgrade/test_upgrade.py::TestExternalCA::test_upgrade_external_ca PASSED [ 20%]
2021-07-02T04:37:47 src/ipa_upgrade/test_upgrade.py::TestExternalCA::test_upgrade_logs PASSED [ 40%]
2021-07-02T04:38:42 src/ipa_upgrade/test_upgrade.py::TestExternalCA::test_upgrade_services PASSED [ 60%]
2021-07-02T04:38:44 src/ipa_upgrade/test_upgrade.py::TestExternalCA::test_user_verification PASSED [ 80%]
2021-07-02T04:39:12 src/ipa_upgrade/test_upgrade.py::TestExternalCA::test_upgrade_teardown PASSED [100%]
2021-07-02T04:39:12
2021-07-02T04:39:12 - generated xml file: /home/jenkins/workspace/trigger-test-suite-tool/test-suite/junit.xml -
2021-07-02T04:39:12 - generated html file: file:///home/jenkins/workspace/trigger-test-suite-tool/test-suite/report.html -
2021-07-02T04:39:12 ========================== 5 passed in 679.00 seconds ==========================

Attaching report.html for reference.

Comment 44 errata-xmlrpc 2021-11-09 18:29:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230

