After upgrading from 7.3 to 7.4, the ipa-server-upgrade script fails with the error "certutil: Could not find cert: Server-Cert", so the slapd service does not start.
Issue
After upgrading from 7.3 to 7.4, the ipa-server-upgrade script fails with the error "certutil: Could not find cert: Server-Cert", so the slapd service does not start.
IPA server was installed with a self-signed CA certificate.
The following errors are seen in /var/log/ipaupgrade.log:
2017-08-15T13:38:54Z DEBUG stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
2017-08-15T13:38:54Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-08-15T13:38:54Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
server.upgrade()
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1913, in upgrade
upgrade_configuration()
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1788, in upgrade_configuration
certificate_renewal_update(ca, ds, http),
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1018, in certificate_renewal_update
ds.start_tracking_certificates(serverid)
File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 1046, in start_tracking_certificates
'restart_dirsrv %s' % serverid)
File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 362, in track_server_cert
cert_obj = x509.load_certificate(cert)
File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 119, in load_certificate
return cryptography.x509.load_der_x509_certificate(data, default_backend())
File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py", line 47, in load_der_x509_certificate
return backend.load_der_x509_certificate(data)
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 350, in load_der_x509_certificate
return b.load_der_x509_certificate(data)
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1185, in load_der_x509_certificate
raise ValueError("Unable to load certificate")
2017-08-15T13:38:54Z DEBUG The ipa-server-upgrade command failed, exception: ValueError: Unable to load certificate
2017-08-15T13:38:54Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
ValueError: Unable to load certificate
certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/
EXAMPLE.COM IPA CA CT,C,C
CN=ipaserver.example.com,O=EXAMPLE.COM u,u,u
DigiCert_Assured_ID_Root_CA C,,
TERENA_SSL_CA_3 C,,
Issue: The server cert nickname is "CN=CN=ipaserver.example.com,O=EXAMPLE.COM" and not "Server-Cert".
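The nickname check above can be scripted. The following is an added example, not part of the original article or of IPA's own code: it parses `certutil -L` output, reports whether the expected nickname Server-Cert exists, and lists the certificates flagged "u" (private key present in the database). The function names, the file name check.py and the header lines in the sample are assumptions; the sample entries are the ones listed above.

```python
import re
import sys

EXPECTED_NICKNAME = "Server-Cert"  # nickname named in the certutil error above

# Constructed sample: the listing shown on this page, with certutil's usual header
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
CN=ipaserver.example.com,O=EXAMPLE.COM                       u,u,u
DigiCert_Assured_ID_Root_CA                                  C,,
TERENA_SSL_CA_3                                              C,,
"""

# The last token on an entry line is three comma-separated flag fields (any may
# be empty); everything before it is the nickname, which may contain spaces.
TRUST_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_listing(text):
    """Return {nickname: trust_flags} parsed from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        match = TRUST_RE.match(line.strip())
        if match:  # header and blank lines do not match and are skipped
            certs[match.group("nick")] = match.group("trust")
    return certs


def check_server_cert(text, expected=EXPECTED_NICKNAME):
    """Report whether `expected` exists and which certs have a private key."""
    certs = parse_listing(text)
    # certutil shows 'u' in the SSL field when the database holds the private key
    user_certs = [n for n, t in certs.items() if "u" in t.split(",")[0]]
    return {"expected_present": expected in certs, "user_certs": user_certs}


if __name__ == "__main__":
    # Usage (hypothetical file name):
    #   certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/ | python check.py
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    result = check_server_cert(listing)
    print(result)
    sys.exit(0 if result["expected_present"] else 1)
```

A non-zero exit status means the database has no certificate under the expected nickname, which is the condition that makes the upgrade fail as shown in the log.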
Environment
ipa-server-4.5.0-21.el7.x86_64
