Hi Martin,

Indeed strange, as another master where I did the upgrade went fine.

It is/was a master with CA and Externally Signed CA, which was perfectly synced to the other master.

I finally uninstalled the ipa server and did a new replica install on it with DNS and CA and all went smooth and fine.

I also had some weird DNS error and bind didn't want to start anymore because of expecting a ; I thought this had something to do with a forwarder, which it wasn't.

For now I'm good, but do you want extra info?

Thanks,

Matt

2016-10-18 7:49 GMT+02:00 Martin Babinsky <[email protected]>:
> On 10/18/2016 12:30 AM, Matt . wrote:
>>
>> Hi Guys,
>>
>> I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24
>>
>> I already checked some info and:
>>
>> ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX
>>
>> Gives me TU instead of MII as expected.
>>
>> Any suggestions further?
>>
>> Thanks,
>>
>> Matt
>>
>>
>> 2016-10-17T22:19:10Z DEBUG Starting external process
>> 2016-10-17T22:19:10Z DEBUG args=/usr/bin/certutil -d
>> /etc/dirsrv/slapd-MY-REALM -L -n Server-Cert -a
>> 2016-10-17T22:19:10Z DEBUG Process finished, return code=255
>> 2016-10-17T22:19:10Z DEBUG stdout=
>> 2016-10-17T22:19:10Z DEBUG stderr=certutil: Could not find cert:
>> Server-Cert
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>> 2016-10-17T22:19:10Z ERROR IPA server upgrade failed: Inspect
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 2016-10-17T22:19:11Z DEBUG File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172,
>> in execute
>>     return_value = self.run()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 46, in run
>>     server.upgrade()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1867, in upgrade
>>     upgrade_configuration()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1770, in upgrade_configuration
>>     certificate_renewal_update(ca, ds, http),
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1027, in certificate_renewal_update
>>     ds.start_tracking_certificates(serverid)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>> line 996, in start_tracking_certificates
>>     'restart_dirsrv %s' % serverid)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 307, in track_server_cert
>>     nsscert = x509.load_certificate(cert, dbdir=self.secdir)
>>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 129, in
>> load_certificate
>>     return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin
>>
>>
>> 016-10-17T22:19:11Z DEBUG The ipa-server-upgrade command failed,
>> exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE)
>> security library failure.
>> 2016-10-17T22:19:11Z ERROR Unexpected error - see
>> /var/log/ipaupgrade.log for details:
>> NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>> 2016-10-17T22:19:11Z ERROR The ipa-server-upgrade command failed. See
>> /var/log/ipaupgrade.log for more information
>>
>
> Hmmm strange,
>
> looks like your DS certificate got lost or has some strange nickname in your
> directory server's NSS database.
>
> Is this CA-less install, externally signed CA or 'self-signed' CA? Master or
> replica?
>
> --
> Martin^3 Babinsky
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
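
Added example, not part of the thread and not FreeIPA code: a check for the `ldapsearch` observation above, telling apart a printed value that is base64 of DER (begins `MII`) from one that is base64 of text which is itself base64 (begins `TUlJ`, since base64 of the characters `MII` is `TUlJ`). The attribute name `cACertificate;binary`, the sample DN suffix and the DER-shaped sample bytes are assumptions constructed for illustration; reading "TU" as double encoding is one possible interpretation, not a diagnosis from the thread.

```python
import base64
import binascii

def unfold_ldif_values(ldif_text, attr="cACertificate;binary"):
    """Collect base64 `attr:: value` strings from LDIF, joining folded lines."""
    values, current = [], None
    for line in ldif_text.splitlines():
        if current is not None and line.startswith(" "):
            current += line[1:]  # LDIF continuation line
            continue
        if current is not None:
            values.append(current)
            current = None
        if line.lower().startswith(attr.lower() + "::"):
            current = line.split("::", 1)[1].strip()
    if current is not None:
        values.append(current)
    return values

def looks_like_der(blob):
    """True if blob is a single DER SEQUENCE whose length header matches its size."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    if blob[1] < 0x80:  # short-form length
        return len(blob) == 2 + blob[1]
    n = blob[1] & 0x7F  # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        return False
    return len(blob) == 2 + n + int.from_bytes(blob[2:2 + n], "big")

def classify(b64_value):
    """Classify one ldapsearch `::` value by what a single base64 decode yields."""
    try:
        once = base64.b64decode(b64_value, validate=True)
    except binascii.Error:
        return "not-base64"
    if looks_like_der(once):
        return "der"  # printed value starts with MII
    try:
        if looks_like_der(base64.b64decode(once.strip(), validate=True)):
            return "double-base64"  # printed value starts with TUlJ
    except binascii.Error:
        pass
    return "unknown"

# Constructed sample: DER-shaped bytes, not a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
def as_ldif(stored):
    b64 = base64.b64encode(stored).decode()
    return "dn: cn=CAcert,cn=ipa,cn=etc,dc=example,dc=test\ncACertificate;binary:: " + b64[:60] + "\n " + b64[60:] + "\n"
```

To use it on real output, pass the text printed by `ldapsearch` to `unfold_ldif_values` and run `classify` on each returned value.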
