Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
.Upgrading an IdM server from RHEL 8.3 to RHEL 8.4 fails if pki-ca package version is earlier than 10.10.5
The IdM server upgrade program, `ipa-server-upgrade`, fails if the `pki-ca` package version is earlier than 10.10.5. As the required files do not exist in these versions, the IdM server upgrade does not complete successfully both at package installation and when `ipa-server-upgrade` or `ipactl` are executed.
To resolve this issue, upgrade the `pki-*` packages to version 10.10.5 or higher and run the `ipa-server-upgrade` command again.
DescriptionMohammad Rizwan
2021-05-06 12:38:46 UTC
Description of problem:
While preforming upgrade from rhel8.3 to rhel8.4, it is failing.
Version-Release number of selected component (if applicable):
before upgrade : ipa-server-4.8.7-14.module+el8.3.0+9419+8502777d
after upgrade: ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64
How reproducible:
always
Steps to Reproduce:
1. install ipa server on rhel8.3
$ ipa-server-install -a Secret123 -n testrelm.test -p Secret123 --setup-dns -r TESTRELM.TEST -N --allow-zone-overlap --no-dnssec-validation --forwarder=xx.xx.xx.xx --mkhomedir --no-host-dns --auto-reverse -U
2. add the repos for rhel8.4 and update the packages
$ dnf module install idm:DL1/dns -y
3. ipa-server-upgrade
Actual results:
[root@master ~]# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[..]
[Add default CA ACL]
Default CA ACL already added
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
[Errno 2] No such file or directory: '/etc/pki/pki-tomcat/acme/issuer.conf'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Expected results:
ipa-server-upgrade command success
Additional info:
Kaleem discovered an important point. The version of pki-ca matters. The failing test uses pki-ca-10.9.4-1.module+el8.3.0+8058+d5cd4219.noarch which lacks ACME support.
Kaleem tested with pki-ca-10.10.5-2.module+el8.4.0+10466+9830f79e.noarch which works because it is ACME-capable so ACME was deployed and the missing directory and files exist.
So the workaround if this happens is to upgrade the pki-* packages and re-run ipa-server-upgrade.
We need to bump the Requires in ipa.spec from 10.9.0-0.4 to 10.10.5 and ideally include the upstream patch as well for correctness.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:4230
Description of problem: While preforming upgrade from rhel8.3 to rhel8.4, it is failing. Version-Release number of selected component (if applicable): before upgrade : ipa-server-4.8.7-14.module+el8.3.0+9419+8502777d after upgrade: ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64 How reproducible: always Steps to Reproduce: 1. install ipa server on rhel8.3 $ ipa-server-install -a Secret123 -n testrelm.test -p Secret123 --setup-dns -r TESTRELM.TEST -N --allow-zone-overlap --no-dnssec-validation --forwarder=xx.xx.xx.xx --mkhomedir --no-host-dns --auto-reverse -U 2. add the repos for rhel8.4 and update the packages $ dnf module install idm:DL1/dns -y 3. ipa-server-upgrade Actual results: [root@master ~]# ipa-server-upgrade Upgrading IPA:. Estimated time: 1 minute 30 seconds [..] [Add default CA ACL] Default CA ACL already added IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/acme/issuer.conf' The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information Expected results: ipa-server-upgrade command success Additional info: