UCC 2.1 - 3.0 upgrade failing due to missing public key for packages


#1

Hi, I’m trying to upgrade a UCC 2.1 server to 3.0 installed on a UCS member server in prep for 4.1-8 -> 4.2.0 upgrade.

However the upgrade is failing at authenticating the packages.

Where can I manually get an updated key?

Cheers.

univention-updater.log:

==========
<<<snipped earlier output>>>>
==========
2017-06-27 11:15:57,014 INFO:univention.appcenter.actions.upgrade:Hit https://updates.software-univention.de 4.1-4-errata/amd64/ Packages
Fetched 6,290 B in 24s (255 B/s)
2017-06-27 11:15:57,049 INFO:univention.appcenter.actions.upgrade:Fetched 6,290 B in 24s (255 B/s)
Reading package lists...
2017-06-27 11:15:57,458 INFO:univention.appcenter.actions.upgrade:Reading package lists...
W: GPG error: http://appcenter.software-univention.de ucc_20160811170611/all/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5E9F163B66AA3A17
2017-06-27 11:15:57,463 WARNING:univention.appcenter.actions.upgrade:W: GPG error: http://appcenter.software-univention.de ucc_20160811170611/all/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5E9F163B66AA3A17
W: GPG error: http://appcenter.software-univention.de ucc_20160811170611/amd64/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5E9F163B66AA3A17
2017-06-27 11:15:57,464 WARNING:univention.appcenter.actions.upgrade:W: GPG error: http://appcenter.software-univention.de ucc_20160811170611/amd64/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5E9F163B66AA3A17
Calling /usr/bin/apt-get -o APT::Status-Fd=1 -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --auto-remove install ucc-server
2017-06-27 11:15:57,729 DEBUG:univention.appcenter.actions.upgrade:Calling /usr/bin/apt-get -o APT::Status-Fd=1 -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --auto-remove install ucc-server
Reading package lists...
2017-06-27 11:15:57,742 INFO:univention.appcenter.actions.upgrade:Reading package lists...
Building dependency tree...
2017-06-27 11:15:57,787 INFO:univention.appcenter.actions.upgrade:Building dependency tree...
Reading state information...
2017-06-27 11:15:57,789 INFO:univention.appcenter.actions.upgrade:Reading state information...
The following packages will be upgraded:
2017-06-27 11:15:57,838 INFO:univention.appcenter.actions.upgrade:The following packages will be upgraded:
  ucc-server
2017-06-27 11:15:57,838 INFO:univention.appcenter.actions.upgrade:  ucc-server
1 upgraded, 0 newly installed, 0 to remove and 7 not upgraded.
2017-06-27 11:15:57,847 INFO:univention.appcenter.actions.upgrade:1 upgraded, 0 newly installed, 0 to remove and 7 not upgraded.
Need to get 3,864 B of archives.
2017-06-27 11:15:57,847 INFO:univention.appcenter.actions.upgrade:Need to get 3,864 B of archives.
After this operation, 0 B of additional disk space will be used.
2017-06-27 11:15:57,848 INFO:univention.appcenter.actions.upgrade:After this operation, 0 B of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
2017-06-27 11:15:57,848 INFO:univention.appcenter.actions.upgrade:WARNING: The following packages cannot be authenticated!
E: There are problems and -y was used without --force-yes
2017-06-27 11:15:57,849 WARNING:univention.appcenter.actions.upgrade:E: There are problems and -y was used without --force-yes
  ucc-server
2017-06-27 11:15:57,850 INFO:univention.appcenter.actions.upgrade:  ucc-server
Calling /usr/bin/apt-get -o APT::Status-Fd=1 -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --auto-remove dist-upgrade
2017-06-27 11:15:58,056 DEBUG:univention.appcenter.actions.upgrade:Calling /usr/bin/apt-get -o APT::Status-Fd=1 -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --auto-remove dist-upgrade
Reading package lists...
2017-06-27 11:15:58,072 INFO:univention.appcenter.actions.upgrade:Reading package lists...
Building dependency tree...
2017-06-27 11:15:58,120 INFO:univention.appcenter.actions.upgrade:Building dependency tree...
Reading state information...
2017-06-27 11:15:58,122 INFO:univention.appcenter.actions.upgrade:Reading state information...
The following packages will be upgraded:
2017-06-27 11:15:58,178 INFO:univention.appcenter.actions.upgrade:The following packages will be upgraded:
  python-univention-directory-manager-ucc ucc-image-toolkit
2017-06-27 11:15:58,178 INFO:univention.appcenter.actions.upgrade:  python-univention-directory-manager-ucc ucc-image-toolkit
  ucc-management-integration ucc-pxe-boot ucc-server ucc-umc-images
2017-06-27 11:15:58,178 INFO:univention.appcenter.actions.upgrade:  ucc-management-integration ucc-pxe-boot ucc-server ucc-umc-images
  ucc-umc-setup univention-corporate-client-schema
2017-06-27 11:15:58,179 INFO:univention.appcenter.actions.upgrade:  ucc-umc-setup univention-corporate-client-schema
8 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
2017-06-27 11:15:58,193 INFO:univention.appcenter.actions.upgrade:8 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 499 kB of archives.
2017-06-27 11:15:58,194 INFO:univention.appcenter.actions.upgrade:Need to get 499 kB of archives.
After this operation, 17.4 kB of additional disk space will be used.
2017-06-27 11:15:58,194 INFO:univention.appcenter.actions.upgrade:After this operation, 17.4 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
2017-06-27 11:15:58,194 INFO:univention.appcenter.actions.upgrade:WARNING: The following packages cannot be authenticated!
E: There are problems and -y was used without --force-yes
2017-06-27 11:15:58,195 WARNING:univention.appcenter.actions.upgrade:E: There are problems and -y was used without --force-yes
  ucc-pxe-boot python-univention-directory-manager-ucc ucc-image-toolkit
2017-06-27 11:15:58,195 INFO:univention.appcenter.actions.upgrade:  ucc-pxe-boot python-univention-directory-manager-ucc ucc-image-toolkit
  univention-corporate-client-schema ucc-management-integration ucc-server
2017-06-27 11:15:58,197 INFO:univention.appcenter.actions.upgrade:  univention-corporate-client-schema ucc-management-integration ucc-server
  ucc-umc-images ucc-umc-setup
2017-06-27 11:15:58,197 INFO:univention.appcenter.actions.upgrade:  ucc-umc-images ucc-umc-setup
Failed to install the App
2017-06-27 11:15:58,388 WARNING:univention.appcenter.actions.upgrade:Failed to install the App
Aborting...
2017-06-27 11:15:58,389 WARNING:univention.appcenter.actions.upgrade:Aborting...
Calling start
2017-06-27 11:15:58,392 DEBUG:univention.appcenter.actions.start:Calling start
0
2017-06-27 11:15:58,393 DEBUG:univention.appcenter.actions.start.progress:0
ucc is not installed
2017-06-27 11:15:58,393 CRITICAL:univention.appcenter.actions.start:ucc is not installed
100
2017-06-27 11:15:58,393 DEBUG:univention.appcenter.actions.start.progress:100
send_information: action=upgrade app=ucc value=None status=401
2017-06-27 11:15:58,394 DEBUG:univention.appcenter.utils:send_information: action=upgrade app=ucc value=None status=401
tracking information: {'status': 401, 'uuid': '<<<snipped>>>', 'app': u'ucc', 'version': u'3.0', 'role': 'memberserver', 'action': 'upgrade', 'system-uuid': '<<<snipped>>>'}
2017-06-27 11:15:58,395 DEBUG:univention.appcenter.utils:tracking information: {'status': 401, 'uuid': '<<<snipped>>>', 'app': u'ucc', 'version': u'3.0', 'role': 'memberserver', 'action': 'upgrade', 'system-uuid': '<<<snipped>>>'}
Calling upgrade-search
2017-06-27 11:15:59,957 DEBUG:univention.appcenter.actions.upgrade-search:Calling upgrade-search
0
2017-06-27 11:15:59,958 DEBUG:univention.appcenter.actions.upgrade-search.progress:0
Checking ucc=3.0
2017-06-27 11:15:59,959 DEBUG:univention.appcenter.actions.upgrade-search:Checking ucc=3.0
100
2017-06-27 11:16:00,146 DEBUG:univention.appcenter.actions.upgrade-search.progress:100
100
2017-06-27 11:16:00,147 DEBUG:univention.appcenter.actions.upgrade.progress:100
ERROR: app upgrade failed. Please check /var/log/univention/updater.log

Checking for release updates:                           found: UCS 4.2-0

apt-get update result:

root@<<<snipped>>>:~# apt-get update
Get:1 http://appcenter.software-univention.de ucc_20160811170611/all/ Release.gpg [836 B]
Get:2 http://appcenter.software-univention.de ucc_20160811170611/amd64/ Release.gpg [836 B]
Hit http://appcenter.software-univention.de ucc_20160811170611/all/ Release
Ign http://appcenter.software-univention.de ucc_20160811170611/all/ Release
Hit http://appcenter.software-univention.de ucc_20160811170611/amd64/ Release
Ign http://appcenter.software-univention.de ucc_20160811170611/amd64/ Release
Hit https://updates.software-univention.de 4.0-0/all/ Release.gpg
Hit http://appcenter.software-univention.de ucc_20160811170611/all/ Packages
Hit https://updates.software-univention.de 4.0-0/amd64/ Release.gpg
Hit http://appcenter.software-univention.de ucc_20160811170611/amd64/ Packages
Hit https://updates.software-univention.de 4.0-1/all/ Release.gpg
Hit https://updates.software-univention.de 4.0-1/amd64/ Release.gpg
=========
<<<snipped other repos>>>>
=========
Hit https://updates.software-univention.de 4.1-4/all/ Packages
Hit https://updates.software-univention.de 4.1-4/amd64/ Packages
Hit https://updates.software-univention.de 4.1-4-errata/all/ Packages
Hit https://updates.software-univention.de 4.1-4-errata/amd64/ Packages
Fetched 1,672 B in 24s (68 B/s)
Reading package lists... Done
W: GPG error: http://appcenter.software-univention.de ucc_20160811170611/all/ Release: The following signatures couldn't be
 verified because the public key is not available: NO_PUBKEY 5E9F163B66AA3A17
W: GPG error: http://appcenter.software-univention.de ucc_20160811170611/amd64/ Release: The following signatures couldn't
be verified because the public key is not available: NO_PUBKEY 5E9F163B66AA3A17

#2

I suspect this has also left my LDAP on the DC backup in a bad state. Was getting errors from a radius server installed on the backup and trying to restart slapd on the DC backup results in the error:

# service slapd start
Starting ldap server(s): slapd ...failed.
5951f6d6 /etc/ldap/slapd.conf: line 189: unknown attr "univentionCorporateClientCurrentBootImage" in to clause 5951f6d6 <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+ <what> ::= bin boot dev etc home initrd.img initrd.img.install lib lib64 lost+found media mnt opt proc root run sbin selinux srv sys tmp usr var vmlinuz vmlinuz.install | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>] <attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist> <attrlist> ::= <attr> [ , <attrlist> ] <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children <who> ::= [ bin boot dev etc home initrd.img initrd.img.install lib lib64 lost+found media mnt opt proc root run sbin selinux srv sys tmp usr var vmlinuz vmlinuz.install | anonymous | users | self | dn[.<dnstyle>]=<DN> ] [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ] [dnattr=<attrname>] [realdnattr=<attrname>] [group[/<objectclass>[/<attrname>]][.<style>]=<group>] [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>] [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>] [dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]] [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>] <style> ::= exact | regex | base(Object) <dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex <attrstyle> ::= exact | regex | base(Object) | one(level) | sub(tree) | children <peernamestyle> ::= exact | regex | ip | ipv6 | path <domainstyle> ::= exact | regex | base(Object) | sub(tree) <access> ::= [[real]self]{<level>|<priv>} <level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage <priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+ <control> ::= [ stop | continue | break ] dynacl: <name>=ACI <pattern>=<attrname> slapschema: bad configuration file!.

Will getting the GPG key for UCC to allow the install to finish on the member server also update the schema properly on the DC backup (and I assume the master)?

My DC master LDAP is running currently and I’m certainly concerned that any service failure will prevent it restarting, but at least it looks like the slapd.conf files on the backup and the master are different and the attributes the backup is complaining about are not in the slapd.conf on the master yet (assume packages were attempted to be installed on backup before master then?).


#3

This should be fixed by now: We had to re-generate several Release files and used the wrong UCC key to sign them instead of the correct UCS-4.x key.
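An added example (not from the thread or from Univention) that pulls the repository and signing key ID out of apt output such as the log in the first post, so the key apt is asking for can be compared with the keys the host is supposed to trust before anyone reaches for `--force-yes`. The sample text is constructed from lines quoted above; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the apt output quoted in the first post:
# a raw warning, its logger-prefixed duplicate, and a terminal-wrapped warning.
SAMPLE = """\
W: GPG error: http://appcenter.software-univention.de ucc_20160811170611/all/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5E9F163B66AA3A17
2017-06-27 11:15:57,463 WARNING:univention.appcenter.actions.upgrade:W: GPG error: http://appcenter.software-univention.de ucc_20160811170611/all/ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5E9F163B66AA3A17
W: GPG error: http://appcenter.software-univention.de ucc_20160811170611/amd64/ Release: The following signatures couldn't
be verified because the public key is not available: NO_PUBKEY 5E9F163B66AA3A17
Hit https://updates.software-univention.de 4.1-4/all/ Packages
"""

GPG_ERROR = re.compile(
    r"W: GPG error: (?P<url>\S+) (?P<suite>\S+) Release: .*?"
    r"(?P<status>NO_PUBKEY|BADSIG|EXPKEYSIG) (?P<keyid>[0-9A-F]{16})"
)
RECORD_START = re.compile(r"(\d{4}-\d\d-\d\d |W: |E: |Hit |Get:|Ign )")


def unwrap(text):
    """Re-join a GPG warning that a terminal wrapped onto the next line."""
    lines = []
    for line in text.splitlines():
        incomplete = (
            lines
            and "W: GPG error" in lines[-1]
            and not GPG_ERROR.search(lines[-1])
        )
        if incomplete and not RECORD_START.match(line):
            lines[-1] = lines[-1].rstrip() + " " + line.strip()
        else:
            lines.append(line)
    return lines


def unverified_repos(text):
    """Map (status, key ID) -> sorted repositories whose Release failed verification."""
    found = defaultdict(set)
    for line in unwrap(text):
        m = GPG_ERROR.search(line)
        if m:
            found[(m["status"], m["keyid"])].add(f'{m["url"]} {m["suite"]}')
    return {key: sorted(repos) for key, repos in found.items()}


if __name__ == "__main__":
    for (status, keyid), repos in unverified_repos(SAMPLE).items():
        print(status, keyid)
        for repo in repos:
            print("   ", repo)
```

A key ID that appears only for one repository that previously verified cleanly points at a publisher-side signing change or tampering rather than a local keyring problem.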


#4

Thanks, I re-ran the univention-upgrade and it looks like the UCC packages on the member server have upgraded now.

However my DC backup still can’t start slapd due to the error in my second post re. the LDAP attribute ACL for univentionCorporateClientCurrentBootImage.

Any ideas on how to fix this? univention-run-join-scripts on the master says there are no pending scripts. Should this be a topic in UCS forum? My main concern is not to jeopardise the DC master as these are production machines.


#5

I can’t seem to find “univentionCorporateClientCurrentBootImage” specified in any schema in /etc/ldap/* or /var/lib/univention-ldap/schema.conf on the DC backup or in /etc/ldap/* on the DC master.


#6

DC Backup slapd.conf:

# egrep -n univentionCorporateClient*Boot /etc/ldap/* -R -A 6
/etc/ldap/slapd.conf:187:access to attrs="univentionCorporateClientBootVariant,univentionCorporateClientBootRepartitioning,univentionCorporateClientBootParameter,univentionCorporateClientCurrentBootImage"
/etc/ldap/slapd.conf-188-        by self read
/etc/ldap/slapd.conf-189-        by * none break
/etc/ldap/slapd.conf-190-
/etc/ldap/slapd.conf-191-
/etc/ldap/slapd.conf-192-
/etc/ldap/slapd.conf-193-

slapd.conf on DC Master:

# egrep -n univentionCorporateClient*Boot /etc/ldap/* -R -A 6
/etc/ldap/slapd.conf:225:access to attrs="univentionCorporateClientBootVariant,univentionCorporateClientBootRepartitioning,univentionCorporateClientBootParameter"
/etc/ldap/slapd.conf-226-        by self write
/etc/ldap/slapd.conf-227-        by * none break
/etc/ldap/slapd.conf-228-
/etc/ldap/slapd.conf-229-
/etc/ldap/slapd.conf-230-
/etc/ldap/slapd.conf-231-

Was the univentionCorporateClientCurrentBootImage attribute removed in UCC 3.0?

Do you think I can safely remove this from the DC backup slapd.conf to get the ldap server restarted?


#7

I can get slapd to start on the DC backup by removing “univentionCorporateClientCurrentBootImage” from line 189 of slapd.conf ACL, however any future updates (e.g. with 4.1 errata 435 today) seem to try and reinstall that attribute and slapd fails on startup again during the postinstall scripts in dpkg.

Edited: Some more details:

  • /usr/share/univention-corporate-client-schema/univention-corporate-client.schema exists on the master but does not contain attribute “univentionCorporateClientCurrentBootImage”.

  • The above schema is getting replicated to the DC backup in /var/lib/univention-ldap/schema.conf but as it does not contain “univentionCorporateClientCurrentBootImage” I get the error.

  • Running dpkg --configure slapd on the DC backup attempts to re-introduce the slapd.conf containing “univentionCorporateClientCurrentBootImage”

  • /usr/share/univention-corporate-client-schema/univention-corporate-client.schema exists on the DC backup and contains the “univentionCorporateClientCurrentBootImage” attribute

  • dpkg shows that univention-corporate-client-schema is at version 3.0.1-8.91.201507141444 on the DC master and 4.0.0-6.98.201608151412 on the DC backup.

  • running univention-upgrade on all systems (master/backup/member) says nothing to do now.

So the timeline seems to be:

  1. upgrade UCC 2.1 to 3.0 on member server (it asks for passwords for DC master and backup - I assume to update LDAP and copy files?)
  2. Upgrade fails due to incorrect package signatures
  3. LDAP left in half configured state on DC backup. Is DC Master not configured at all (hence old UCC schema replicating from the master)?

I guess I could replace the /usr/share/univention-corporate-client-schema/univention-corporate-client.schema manually on the master, but I’m unsure of the state of the directory between the master and backup.

By this point should I be uninstalling and reinstalling the UCC app to ensure the LDAP schema is consistent on both DCs?

Are the removal scripts likely to encounter issues due to this inconsistent state?

Hope the signing mistake won’t happen again, this has been frustrating!
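An added example (not from the thread or from Univention) of a pre-restart check for the failure described in posts #2 to #7: it lists every attribute named in a slapd.conf `access to attrs=` clause that the supplied schema text does not define. The inputs are constructed from the grep output in post #6, the OIDs and the `uccRepart` alias are placeholders, and the caller is assumed to pass the concatenated text of all schema files slapd loads.

```python
import re

# Constructed inputs modelled on the thread: the DC backup's ACL names four
# attributes, while the schema replicated from the master defines only three.
# OIDs and the 'uccRepart' alias are placeholders, not Univention's real values.
SLAPD_CONF = '''\
access to attrs="univentionCorporateClientBootVariant,univentionCorporateClientBootRepartitioning,univentionCorporateClientBootParameter,univentionCorporateClientCurrentBootImage"
        by self read
        by * none break
access to attrs=entry,@posixAccount
        by * read
'''
SCHEMA = '''\
attributetype ( 1.1.2.1.1 NAME 'univentionCorporateClientBootVariant'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.1.2.1.2 NAME ( 'univentionCorporateClientBootRepartitioning' 'uccRepart' )
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.1.2.1.3 NAME 'univentionCorporateClientBootParameter'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
'''

# NAME 'x' or NAME ( 'x' 'y' ) inside an attributetype definition
ATTRTYPE = re.compile(r"attributetype\s*\(.*?\bNAME\s+(\(\s*[^)]*\)|'[^']+')", re.I | re.S)
# attrs=a,b or attrs="a,b" on an "access to" line
ACL_ATTRS = re.compile(r'^access\s+to\b.*?\battrs=("?)([^"\s]+)\1', re.I | re.M)


def defined_attributes(schema_text):
    """Lower-cased names (and aliases) of every attributetype in the schema text."""
    names = set()
    for m in ATTRTYPE.finditer(schema_text):
        names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(1)))
    return names


def undefined_acl_attributes(conf_text, schema_text):
    """Return [(line_no, attr)] for ACL attributes the schema does not define."""
    known = defined_attributes(schema_text)
    missing = []
    for m in ACL_ATTRS.finditer(conf_text):
        line_no = conf_text.count("\n", 0, m.start()) + 1
        for attr in (a.strip() for a in m.group(2).split(",")):
            # entry/children are pseudo-attributes; @x and !x name object classes
            if not attr or attr.lower() in ("entry", "children") or attr.startswith(("@", "!")):
                continue
            if attr.lower() not in known:
                missing.append((line_no, attr))
    return missing


if __name__ == "__main__":
    for line_no, attr in undefined_acl_attributes(SLAPD_CONF, SCHEMA):
        print(f"slapd.conf line {line_no}: ACL references undefined attribute {attr}")
```

On a live host the authoritative check remains `slaptest -f /etc/ldap/slapd.conf`; this script only narrows down which ACL entry and which schema file disagree.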


Mismatched packages on Master and Backup after failed UCC upgrade
#8

The solution is provided at mismatched-packages-on-master-and-backup-after-failed-ucc-upgrade