
Bug 1512894

Summary: IPA upgrade fails after ca-cert renewal
Product: Red Hat Enterprise Linux 7
Reporter: anuja <amore>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED DUPLICATE
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.5
CC: frenaud, pvoborni, rcritten, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-17 10:41:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description anuja 2017-11-14 12:08:26 UTC
Description of problem:
IPA upgrade fails for latest ipa package when upgraded from RHEL 7.4.z to 7.5 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up IPA server on RHEL 7.4.z (in my case ipa-4.5.0-22.el7_4.x86_64)
2. In my case self-signed to external-ca
3. Perform upgrade to 7.5

Actual results:

After step 2 upgrade fails

#tail /var/log/ipaupgrade.log

2017-11-14T09:07:30Z DEBUG Waiting for CA to start...
2017-11-14T09:07:31Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-11-14T09:07:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/", line 172, in execute
    return_value =
  File "/usr/lib/python2.7/site-packages/ipaserver/install/", line 48, in run
    raise admintool.ScriptError(str(e))

2017-11-14T09:07:31Z DEBUG The ipa-server-upgrade command failed, exception: ScriptError: CA did not start in 300.0s
2017-11-14T09:07:31Z ERROR CA did not start in 300.0s
2017-11-14T09:07:31Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

Expected results:
After ca-cert renewal upgrade should be successful. 

Additional info:

A similar issue is observed for IPA server upgrade from 7.3.z to 7.5:

IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start dirsrv@TESTRELM-TEST.service' returned non-zero exit status 1

Comment 2 anuja 2017-11-17 09:03:50 UTC
Re-ran the test case and the issue is no longer observed.

Comment 4 Florence Blanc-Renaud 2017-11-17 10:41:25 UTC
The issue seen upgrading to 7.5 (with dirsrv not starting during upgrade) is probably a duplicate of bz 1513467, for which an errata is already available:

*** This bug has been marked as a duplicate of bug 1513467 ***