Before the update it's 4.5-1.fc20.x86_64.rpm from the Fedora 20 updates repo.
After the update it's 6.0-5.fc20.x86_64.rpm from the copr repo.
Regards
Rob

2014-10-28 17:58 GMT+01:00 Martin Basti <mba...@redhat.com>:

> On 28/10/14 16:10, Rob Verduijn wrote:
>
> Hello all,
>
> I've been digging into my problem of being unable to update from 3.3.5
> to 4.1
>
> First I add the repo from copr
>
> Then I used to update it by issuing 'yum update' which resulted in an
> update in which my local dns zone entries no longer resolved.
>
> So I tried the instructions mentioned on the site:
> yum update freeipa-server
> And this failed with a conflict in
>
> bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
> bind-utils-32:9.9.4-15.P2.fc20.x86_64
>
> I noticed the new bind comes from the copr repo and the old bind utils
> from fedora.
>
> So I first run 'yum update bind-utils -y'
> Then I ran yum update freeipa-server
> and see it fail with errors about softhsm
>
> I remembered reading about package errors with softhsm and installed the
> softhsm-devel package first.
>
> so revert back the freeipa kvm snapshot to 3.3.5 and try again
> yum update bind-utils -y ; yum install softhsm-devel -y ; yum update freeipa-server -y
>
> However when restarting named-pkcs11 I can see in the system log that it
> has 0 zones loaded
>
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
> Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)
>
> It claims 0 zones loaded but I can see my forward and reverse zones in
> ipa
>
> what could cause it not to load the zones that I defined in ipa ?
> Rob
>
>
> 2014-10-27 23:05 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>:
>
>> sorry for the xml formatting didn't realize it would mess up some mail
>> clients
>>
>> The last bit of the message again
>>
>> ipa-upgradeconfig gives the following :
>> [Verifying that root certificate is published]
>> Failed to backup CS.cfg: no magic attribute 'dogtag'
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fixing trust flags in /etc/httpd/alias]
>> Trust flags already processed
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Removing self-signed CA]
>> [Checking for deprecated KDC configuration files]
>> [Checking for deprecated backups of Samba configuration files]
>> [Setting up Firefox extension]
>> [Add missing CA DNS records]
>> IPA CA DNS records already processed
>> [Removing deprecated DNS configuration options]
>> [Ensuring minimal number of connections]
>> [Enabling serial autoincrement in DNS]
>> [Updating GSSAPI configuration in DNS]
>> [Updating pid-file configuration in DNS]
>> [Masking named]
>> Changes to named.conf have been made, restart named
>> [Verifying that CA service certificate profile is updated]
>> [Update certmonger certificate renewal configuration to version 2]
>> [Enable PKIX certificate path discovery and validation]
>> PKIX already enabled
>> The ipa-upgradeconfig command was successful
>>
>> Any ideas ?
>> I'm rather stuck now.
>> Rob
>>
>> 2014-10-27 22:59 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>:
>>
>>> Hello,
>>>
>>> I'm rather at a loss here.
>>> Everything seems to be running
>>> ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>>
>>> but the upgrade log is flooded with this error :
>>> 2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
>>> 2014-10-27T21:52:11Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
>>> 2014-10-27T21:52:11Z DEBUG request body ''
>>> 2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
>>> 2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
>>> 2014-10-27T21:52:12Z DEBUG request 'https://freeipa.x.x:443/ca/admin/ca/getStatus'
>>> 2014-10-27T21:52:12Z DEBUG request body ''
>>>
>>> I've tried the url and it works fine.
>>> https://freeipa.x.x/ca/admin/ca/getStatus
>>> it gives the following xml:
>>>
>>> <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>1</State><Type>CA</Type><Status>running</Status><Version>10.2.0-3.fc20</Version></XMLResponse>
>>>
>>> After I run ipa-upgradeconfig it complains about a missing magic dog tag
>>> attribute
>>> ipa-upgradeconfig [Verifying that root certificate is published] Failed
>>> to backup CS.cfg: no magic attribute 'dogtag' [Migrate CRL publish
>>> directory] CRL tree already moved [Verifying that CA proxy
>>> configuration is correct] [Verifying that KDC configuration is using
>>> ipa-kdb backend] [Fixing trust flags in /etc/httpd/alias] Trust flags
>>> already processed [Fix DS schema file syntax] Syntax already fixed [Removing
>>> RA cert from DS NSS database] RA cert already removed [Removing
>>> self-signed CA] [Checking for deprecated KDC configuration files] [Checking
>>> for deprecated backups of Samba configuration files] [Setting up
>>> Firefox extension] [Add missing CA DNS records] IPA CA DNS records
>>> already processed [Removing deprecated DNS configuration options] [Ensuring
>>> minimal number of connections] [Enabling serial autoincrement in DNS]
>>> [Updating GSSAPI configuration in DNS] [Updating pid-file configuration in DNS]
>>> [Masking named] Changes to named.conf have been made, restart named [Verifying
>>> that CA service certificate profile is updated] [Update certmonger
>>> certificate renewal configuration to version 2] [Enable PKIX
>>> certificate path discovery and validation] PKIX already enabled The
>>> ipa-upgradeconfig command was successful
>>>
>>> But my local dns zone no longer resolves :(
>>>
>>> reverting back to the 3.3 snapshot again :(
>>>
>>> Please help
>>> Rob
>>>
>>> 2014-10-26 21:38 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>
>>>> Rob Verduijn wrote:
>>>> > hmmmm....
>>>> >
>>>> > after some more digging (monitoring the upgrade more closely.)
>>>> > I saw that the upgrade kept waiting for the ca to start, which it did
>>>> > not do.
>>>> > and after 5 minutes the upgrade gave up with the following errors in the
>>>> > ipaupgrade log :
>>>> >
>>>> > at 85% it says :
>>>> > 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0>
>>>> > 2014-10-26T15:04:35Z DEBUG Starting external process
>>>> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L'
>>>> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>>>> > 2014-10-26T15:04:35Z DEBUG stdout=
>>>> > Certificate Nickname                         Trust Attributes
>>>> >                                              SSL,S/MIME,JAR/XPI
>>>> >
>>>> > Signing-Cert                                 u,u,u
>>>> > XXXX.XXXX IPA CA                             CT,C,C
>>>> > ipaCert                                      u,u,u
>>>> > Server-Cert                                  u,u,u
>>>> >
>>>> > 2014-10-26T15:04:35Z DEBUG stderr=
>>>> > 2014-10-26T15:04:35Z DEBUG Starting external process
>>>> > 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
>>>> > 2014-10-26T15:04:35Z DEBUG Process finished, return code=0
>>>> > 2014-10-26T15:04:35Z DEBUG stdout=-----BEGIN CERTIFICATE-----
>>>> > < certificate-removed >
>>>> > -----END CERTIFICATE-----
>>>> > 2014-10-26T15:04:35Z DEBUG stderr=
>>>> > 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd-XXXX-XXXX.socket':\
>>>>
>>>> This has nothing to do with the CA, the LDAP server didn't come up. I'd
>>>> start with those logs or look earlier in ipaupgrade.log
>>>>
>>>> The CA requires 389-ds to be running so if it isn't up, then it will
>>>> fail to start too.
>>>>
>>>> rob
>>>>
>
> Hello,
> Please which version of bind-dyndb-ldap do you have installed?
>
> --
> Martin Basti