Bug 1479663 - pki-server-upgrade fails when upgrading from RHEL 7.1
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
All Linux
urgent Severity urgent
: rc
Assigned To: Fraser Tweedale
Asha Akkiangady
Marc Muehlfeld
: ZStream
Blocks: 1487509
Reported: 2017-08-09 01:59 EDT by Fraser Tweedale
Modified: 2018-04-10 13:01 EDT

Doc Type: Bug Fix
Doc Text:
The "pki-server-upgrade" utility no longer fails if target files are missing. A bug in the "pki-server-upgrade" utility caused it to attempt to locate a non-existent file. As a consequence, the upgrade process failed to complete, and could possibly leave the PKI deployment in an invalid state. With this update, "pki-server-upgrade" has been modified to correctly handle cases where target files are missing, and PKI upgrades now work correctly.
: 1487509
Last Closed: 2018-04-10 13:00:07 EDT
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0925 None None None 2018-04-10 13:01 EDT

Description Fraser Tweedale 2017-08-09 01:59:38 EDT
Description of problem:

When upgrading from RHEL 7.1, pki-server-upgrade fails.

Log output:

[root@auto-hv-01-guest03 localhost]# cat /var/log/pki/pki-server-upgrade-10.4.1.log 
Upgrading PKI server configuration at Thu Aug  3 03:46:16 EDT 2017.
Upgrading from version 10.1.2 to 10.1.99:
1. Add TLS Range Support

Upgrading from version 10.1.99 to 10.2.0:
1. Move web application context file
2. Replace Jettison with Jackson
3. Added RESTEasy client
4. Replace RESTEasy application class
5. Remove config path from web.xml

Upgrading from version 10.2.0 to 10.2.1:
No upgrade scriptlets.
Tracker has been set to version 10.2.1.

Upgrading from version 10.2.1 to 10.2.2:
1. Add TLS Range Support

Upgrading from version 10.2.2 to 10.2.3:
1. Move Web application deployment locations
2. Enabled Web application auto deploy
3. Remove dependency on Jackson 2

Upgrading from version 10.2.3 to 10.2.4:
1. Fix instance work folder ownership
2. Fix bindPWPrompt for internalDB

Upgrading from version 10.2.4 to 10.2.5:
1. Add missing OCSP Get Servlet Mapping to upgraded Dogtag 9 instances
2. Fix nuxwdog listener class

Upgrading from version 10.2.5 to 10.2.6:
1. Add new KRA audit events

Upgrading from version 10.2.6 to 10.3.0:
1. Remove inaccessable URLs from server.xml
2. Add Phone Home URLs to TPS section of server.xml.

Upgrading from version 10.3.0 to 10.3.1:
1. Enable Tomcat ALLOW_ENCODED_SLASH parameter
2. Add authz realm constraint and default to registry

Upgrading from version 10.3.1 to 10.3.2:
No upgrade scriptlets.
Tracker has been set to version 10.3.2.

Upgrading from version 10.3.2 to 10.3.3:
No upgrade scriptlets.
Tracker has been set to version 10.3.3.

Upgrading from version 10.3.3 to 10.4.0:
1. Fix JAVA_HOME path
2. Fix server library
3. Fix deployment descriptor
ERROR: [Errno 2] No such file or directory: '/usr/share/pki/server/conf/Catalina/localhost/pki#admin.xml'
Failed upgrading pki-tomcat instance.
Upgrade failed in pki-tomcat: [Errno 2] No such file or directory: '/usr/share/pki/server/conf/Catalina/localhost/pki#admin.xml'

Version-Release number of selected component (if applicable):


How reproducible: always

Steps to Reproduce:
1. Deploy pki (e.g. as part of IPA) on RHEL 7.1
2. Upgrade to 7.4

Actual results:

Upgrade, including pki-server-upgrade, completes without error.

Expected results:

Additional info: seems to be related to an upgrade script looking for
a file that does not exist.  Possibly it existed in a version in between
7.1 and 7.4, but no longer does.  The upgrade scriptlet affected is:


It is sufficient in the `fix_webapp` function to return early if the source
file does not exist, e.g. add the fragment:

        if not os.path.exists(source_xml):
            return
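
The failure mode and the early-return guard described above, as an added example that is not part of the original report and is not the pki-core scriptlet itself. The two `fix_webapp_*` functions, `run_upgrade`, the copy operation and the `ca.xml`/`pki.xml` files are assumptions made for illustration; only `pki#admin.xml` and the `os.path.exists(source_xml)` check come from the report.

```python
import os
import shutil
import tempfile

def fix_webapp_unguarded(source_xml, dest_xml):
    # Hypothetical pre-fix step: copies unconditionally, so a missing
    # source raises FileNotFoundError ([Errno 2]) and aborts the run.
    shutil.copyfile(source_xml, dest_xml)
    return True

def fix_webapp_guarded(source_xml, dest_xml):
    # Guard from the report: nothing to fix when the source descriptor
    # does not exist in the installed version.
    if not os.path.exists(source_xml):
        return False
    shutil.copyfile(source_xml, dest_xml)
    return True

def run_upgrade(fix_webapp, share_dir, instance_dir, webapps):
    """Apply fix_webapp to every descriptor; return the names updated."""
    updated = []
    for name in webapps:
        src = os.path.join(share_dir, name + ".xml")
        dst = os.path.join(instance_dir, name + ".xml")
        if fix_webapp(src, dst):
            updated.append(name)
    return updated

def demo():
    """Constructed layout: 'pki#admin.xml' is deliberately not shipped."""
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "share")
        inst = os.path.join(root, "instance")
        os.makedirs(share)
        os.makedirs(inst)
        for name in ("ca", "pki"):
            with open(os.path.join(share, name + ".xml"), "w") as f:
                f.write("<Context/>\n")
        webapps = ["ca", "pki#admin", "pki"]
        failure = None
        try:
            run_upgrade(fix_webapp_unguarded, share, inst, webapps)
        except FileNotFoundError as exc:
            failure = exc.errno
        partial = sorted(os.listdir(inst))  # state left behind by the abort
        updated = run_upgrade(fix_webapp_guarded, share, inst, webapps)
        return failure, partial, updated

if __name__ == "__main__":
    print(demo())
```

The unguarded run stops at the missing descriptor with only the first file processed, which is the partially upgraded state the report warns about; the guarded run skips it and finishes the remaining descriptors.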
Comment 2 Fraser Tweedale 2017-08-09 02:08:14 EDT
Upstream ticket: https://pagure.io/dogtagpki/issue/2789
Comment 3 Fraser Tweedale 2017-08-11 03:59:24 EDT
Upstream gerrit review: https://review.gerrithub.io/#/c/373880/
Comment 4 Fraser Tweedale 2017-08-13 21:40:26 EDT
Upstream commit: https://github.com/dogtagpki/pki/commit/d0a861923a27672d8633c87e21fb8596080e84af
Comment 7 Roshni 2017-12-07 13:51:22 EST
[root@bkr-hv03-guest01 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.5.1
Release     : 4.el7
Architecture: noarch
Install Date: Thu 07 Dec 2017 01:38:56 PM EST
Group       : System Environment/Daemons
Size        : 2360514
License     : GPLv2
Signature   : RSA/SHA256, Tue 28 Nov 2017 10:33:09 PM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.5.1-4.el7.src.rpm
Build Date  : Tue 28 Nov 2017 09:17:20 PM EST
Build Host  : ppc-035.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Verification steps:
1. ipa-server-install on a rhel 7.1 server.
2. successfully upgraded to rhel 7.5 builds
Comment 9 errata-xmlrpc 2018-04-10 13:00:07 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

