Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1484428
Description of problem:
After upgrading to IPA Server 4.5, running ipa-server-upgrade fails with:

2017-08-22T15:37:42Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-XX -L -n Server-Cert -a -f /etc/dirsrv/slapd-XX/pwdfile.txt
2017-08-22T15:37:42Z DEBUG Process finished, return code=255
2017-08-22T15:37:42Z DEBUG stdout=
2017-08-22T15:37:42Z DEBUG stderr=certutil: Could not find cert: Server-Cert

Here's a dump of what's in the certificates:

certutil -L -d /etc/dirsrv/slapd-XX

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

XX IPA CA                                                    CT,C,C
digicertRoot                                                 CT,,
digicert                                                     CT,,
CN=XX,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US,postalCode=27601,STREET=100 East Davie St.,serialNumber=XX,incorporationState=Delaware,incorporationCountry=US,businessCategory=Private Organization u,u,u

The last certificate is the Server-Cert with a different name. Renaming it makes dirsrv@.service fail on start. kinit works. Logging in from the web does not.

Version-Release number of selected component (if applicable):

How reproducible:
I've only done an upgrade once. Not sure.

Steps to Reproduce:
yum update on a server running 7.3 with ipa-server which has a signed cert from a 3rd party CA.

Actual results:

Expected results:
Upgrade succeeds.

Additional info:
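A pre-upgrade check for the condition in this report, as an added example that is not part of the ticket or of FreeIPA's code: it parses `certutil -L` output and reports whether the `Server-Cert` nickname the upgrade looks up is present and which nicknames carry a private key (`u` flag). The sample listing is constructed, and the names `parse_listing`, `preflight` and the hostname `ipa.example.test` are assumptions.

```python
import re

# Constructed sample modelled on the `certutil -L` listing in the report;
# "EXAMPLE" and ipa.example.test stand in for the values redacted as XX.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE IPA CA                                               CT,C,C
digicertRoot                                                 CT,,
digicert                                                     CT,,
CN=ipa.example.test,O=Example Inc.,L=Raleigh,C=US,businessCategory=Private Organization u,u,u
"""

# A nickname may itself contain spaces and commas, so anchor on the trailing
# three-field trust string instead of splitting the line on whitespace.
ENTRY = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_listing(text):
    """Return [(nickname, trust_flags)] from `certutil -L -d <db>` output."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if match:  # header and blank lines do not end in a trust string
            entries.append((match.group("nick"), match.group("trust")))
    return entries


def preflight(text, expected="Server-Cert"):
    """Report whether `expected` exists and which certs have a private key."""
    entries = parse_listing(text)
    nicknames = [nick for nick, _ in entries]
    # 'u' in the SSL field marks a certificate whose private key is in the DB.
    with_key = [nick for nick, trust in entries if "u" in trust.split(",")[0]]
    return {
        "expected_present": expected in nicknames,
        "with_private_key": with_key,
        # A keyed cert under another nickname is the situation in this report.
        "upgrade_at_risk": expected not in nicknames and bool(with_key),
    }


if __name__ == "__main__":
    for key, value in preflight(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```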
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1484428
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1045
Metadata Update from @pvoborni: - Issue priority set to: critical - Issue set to the milestone: FreeIPA 4.5.4 (was: 0.0 NEEDS_TRIAGE) - Issue tagged with: regression
Related issue for dealing with the case when HTTP/DS service cert is issued by an IPA lightweight CA: https://pagure.io/freeipa/issue/7160
master:
ipa-4-5:
ipa-4-6:
Metadata Update from @tkrizek: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)