[Freeipa-users] F18 -> F19 upgrade

Ade Lee alee at redhat.com
Fri Jul 19 18:07:22 UTC 2013 

Ian, 

Sorry for the late response.  Just saw this email.

I'm surprised that you were able to update your machine to F19.  We
explicitly put in spec file logic to do a pre-trans check to see if you
had dogtag 9 system instances before updating to f19.  This was to
prevent people from getting into a situation where there installation
was broken.

The issue is that dogtag 9 instances use tomcat 6, and tomcat 6 is no
longer in fedora 19.  Dogtag 10 instances, on the other hand, use tomcat
7.  The two instance types are therefore incompatible.

The suggestion therefore would have been to create a replica of the ipa
master prior to doing the upgrade to F19.  In fact, you could have just
installed a brand new f19 machine and then created a replica (and then
shut down the old machine).

Seeing as you have somehow upgraded your machine to F19, we need to try
and get your system back up.  For that, you need to follow the
instructions in "Workaround" ie. installing tomcat6 and downgrading
tomcatjss to the version in f18.  That will hopefully get your CA up and
running.  At that point, it is highly recommended that you use ipa
utilities to create a replica and use that instead.

Ade

On Mon, 2013-07-15 at 17:47 +0200, Martin Kosek wrote:
> On 07/13/2013 05:28 AM, Ian Chapman wrote:
> > Hi,
> > 
> > I've just recently upgrade my F18 server to F19 and IPA is failing to start:
> > 
> > Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Aborting ipactl
> > Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting Directory Service
> > Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting krb5kdc Service
> > Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting kadmin Service
> > Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting ipa_memcached Service
> > Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting httpd Service
> > Jul 13 10:52:30 rex.homenet.lan ipactl[98002]: Starting pki-cad Service
> > Jul 13 10:52:30 rex.homenet.lan systemd[1]: ipa.service: main process exited,
> > code=exited, status=1/FAILURE
> > Jul 13 10:52:30 rex.homenet.lan systemd[1]: Failed to start Identity, Policy,
> > Audit.
> > Jul 13 10:52:30 rex.homenet.lan systemd[1]: Unit ipa.service entered failed state.
> > 
> > 
> > 
> > It seems that the pki-cad service fails to start. Is that in relation to dogtag
> > upgrade of 9 to 10 or possibly another problem?
> > 
> > There is of course this page:
> > 
> > http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10
> > 
> > but frankly I don't really understand it. Well I get that the idea is to create
> > a new pki cloned instance which would be dogtag 10 compatible and then delete
> > the old one - I'm really don't know what I'm supposed to put in the
> > configuration file. Has anybody else done this? Is there some more examples?
> > Thanks.
> > 
> > 
> > The status of pki-cad is:
> > 
> > systemctl status pki-cad at pki-ca.service
> > pki-cad at pki-ca.service - PKI Certificate Authority Server pki-ca
> >    Loaded: loaded (/usr/lib/systemd/system/pki-cad at .service; enabled)
> >    Active: failed (Result: exit-code) since Sat 2013-07-13 10:54:23 WST; 30min ago
> >   Process: 98170 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited,
> > status=1/FAILURE)
> > 
> > Jul 13 10:54:23 rex.homenet.lan systemd[1]: Starting PKI Certificate Authority
> > Server pki-ca...
> > Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: WARNING:  Symbolic link
> > '/var/lib/pki-ca/pki-ca' does NOT exist!
> > Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: INFO:  Attempting to create
> > '/var/lib/pki-ca/pki-ca' -> '/usr/sbin/tomcat6-sysd' . . .
> > Jul 13 10:54:23 rex.homenet.lan pkicontrol[98170]: ERROR:  Failed making
> > '/var/lib/pki-ca/pki-ca' -> '/usr/sbin/tomcat6-sysd' since target '/usr/sb...T
> > exist!
> > Jul 13 10:54:23 rex.homenet.lan systemd[1]: pki-cad at pki-ca.service: control
> > process exited, code=exited status=1
> > Jul 13 10:54:23 rex.homenet.lan systemd[1]: Failed to start PKI Certificate
> > Authority Server pki-ca.
> > Jul 13 10:54:23 rex.homenet.lan systemd[1]: Unit pki-cad at pki-ca.service entered
> > failed state.
> >
> 
> Adding PKI/Dogtag developers to CC to advise.
> 
> Martin

More information about the Freeipa-users mailing list