[EN] FreeIPA 4.1 to 4.2 update problem

2 minute read

pic. from fedoramagazine.org 
On two machines with CentOS 7.2 I was using the FreeIPA 4.1.0 that should theoretically update to a newer version 4.2.0 without any problem. The new version brings a few new feature, byt they should not generate any update issues.
Steps in the documentation for version 4.2 are quite easy:

yum update freeipa-server
 The package manager executed all post-installation upgrade scripts (in current version: ipa-server-upgrade).

In the /var/log/ipaupgrade.log I did not found any interesting errors. All info looks ok:

2016-01-12T18:47:14Z INFO Upgrading the configuration of the IPA services 2016-01-12T18:47:14Z INFO [Verifying that root certificate is published] 2016-01-12T18:47:28Z INFO [Migrate CRL publish directory] 2016-01-12T18:47:28Z INFO CRL tree already moved 2016-01-12T18:47:28Z INFO [Verifying that CA proxy configuration is correct] 2016-01-12T18:47:36Z INFO [Verifying that KDC configuration is using ipa-kdb backend] 2016-01-12T18:47:37Z INFO [Fix DS schema file syntax] 2016-01-12T18:47:37Z INFO Syntax already fixed 2016-01-12T18:47:37Z INFO [Removing RA cert from DS NSS database] 2016-01-12T18:47:37Z INFO RA cert already removed 2016-01-12T18:47:38Z INFO [Enable sidgen and extdom plugins by default] 2016-01-12T18:47:40Z INFO [Updating mod_nss protocol versions] 2016-01-12T18:47:40Z INFO Protocol versions already updated 2016-01-12T18:47:40Z INFO [Fixing trust flags in /etc/httpd/alias] 2016-01-12T18:47:40Z INFO Trust flags already processed 2016-01-12T18:47:40Z INFO [Removing self-signed CA] 2016-01-12T18:47:40Z INFO [Checking for deprecated KDC configuration files] 2016-01-12T18:47:40Z INFO [Checking for deprecated backups of Samba configuration files] 2016-01-12T18:47:40Z INFO [Setting up Firefox extension] 2016-01-12T18:47:54Z INFO [Add missing CA DNS records] 2016-01-12T18:47:54Z INFO IPA CA DNS records already processed 2016-01-12T18:47:54Z INFO [Removing deprecated DNS configuration options] 2016-01-12T18:47:54Z INFO DNS is not configured 2016-01-12T18:47:54Z INFO [Ensuring minimal number of connections] 2016-01-12T18:47:54Z INFO DNS is not configured 2016-01-12T18:47:54Z INFO [Enabling serial autoincrement in DNS] 2016-01-12T18:47:54Z INFO DNS is not configured 2016-01-12T18:47:54Z INFO [Updating GSSAPI configuration in DNS] 2016-01-12T18:47:54Z INFO DNS is not configured 2016-01-12T18:47:54Z INFO [Updating pid-file configuration in DNS] 2016-01-12T18:47:54Z INFO DNS is not configured

Unfortunately the IPA server did not start correctly. The service named-pkcs11 responsible for DNSSEC could not correctly started and thrown error:

named-pkcs11[1826]:ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
[1826]: SoftHSM.cpp(437): Could not load the object store

In RH errata you can find a few info about broken install script, etc. All this hints did not solve my   problem so I decided to run ipa-dns-install to check dns configuration. As you probably know in FreeIPA 4.2.0 the DNSSEC is enabled, so there was a tiny chance that during update the DNS re-configuration was skipped.  

Unfortunately to run ipa-dns-install script you need to bring up the LDAP and Kerberos services. Luckily ipactl correctly bring up this service with foce parameter (ipactl start -f). After that the ipa-dns-install script overwrite the current named.conf, created missing tokens and after that the named-pkcs11 started correctly. 

After a few hours digging in the logs files I realized that I'm using a custom named.conf with additional views and the upgrade script skipped named.conf file update (INFO DNS is not configured) . At the end you need to add your custom ACL and Zones sections to named.conf 

So if you have custom bind configuration you need to:
  1. Backup current named.conf
  2. Update ipa server packages yum update freeipa-server
  3. Use the force switch in ipactl start -f
  4. Run ipa-dns-install or manually reconfigure bind-pkcs11 
  5. Add your missing zones to named.conf
  6. Start ipa services.