Bug 1479663 - pki-server-upgrade fails when upgrading from RHEL 7.1
Summary: pki-server-upgrade fails when upgrading from RHEL 7.1
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
Marc Muehlfeld
Depends On:
Blocks: 1487509
TreeView+ depends on / blocked
Reported: 2017-08-09 05:59 UTC by Fraser Tweedale
Modified: 2020-10-04 21:35 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The "pki-server-upgrade" utility no longer fails if target files are missing A bug in the "pki-server-upgrade" utiltiy caused it to attempt to locate a non-existent file. As a consequence, the upgrade process failed to complete, and could possibly leave the PKI deployment in an invalid state. With this update, "pki-server-upgrade" has been modified to correctly handle cases where target files are missing, and PKI upgrades now work correctly.
Clone Of:
: 1487509 (view as bug list)
Last Closed: 2018-04-10 17:00:07 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2909 0 None None None 2020-10-04 21:35:20 UTC
Red Hat Product Errata RHBA-2018:0925 0 None None None 2018-04-10 17:01:04 UTC

Description Fraser Tweedale 2017-08-09 05:59:38 UTC
Description of problem:

When upgrading from RHEL 7.1, pki-server-upgrade fails.

Log output:

[root@auto-hv-01-guest03 localhost]# cat /var/log/pki/pki-server-upgrade-10.4.1.log 
Upgrading PKI server configuration at Thu Aug  3 03:46:16 EDT 2017.
Upgrading from version 10.1.2 to 10.1.99:
1. Add TLS Range Support

Upgrading from version 10.1.99 to 10.2.0:
1. Move web application context file
2. Replace Jettison with Jackson
3. Added RESTEasy client
4. Replace RESTEasy application class
5. Remove config path from web.xml

Upgrading from version 10.2.0 to 10.2.1:
No upgrade scriptlets.
Tracker has been set to version 10.2.1.

Upgrading from version 10.2.1 to 10.2.2:
1. Add TLS Range Support

Upgrading from version 10.2.2 to 10.2.3:
1. Move Web application deployment locations
2. Enabled Web application auto deploy
3. Remove dependency on Jackson 2

Upgrading from version 10.2.3 to 10.2.4:
1. Fix instance work folder ownership
2. Fix bindPWPrompt for internalDB

Upgrading from version 10.2.4 to 10.2.5:
1. Add missing OCSP Get Servlet Mapping to upgraded Dogtag 9 instances
2. Fix nuxwdog listener class

Upgrading from version 10.2.5 to 10.2.6:
1. Add new KRA audit events

Upgrading from version 10.2.6 to 10.3.0:
1. Remove inaccessable URLs from server.xml
2. Add Phone Home URLs to TPS section of server.xml.

Upgrading from version 10.3.0 to 10.3.1:
1. Enable Tomcat ALLOW_ENCODED_SLASH parameter
2. Add authz realm constraint and default to registry

Upgrading from version 10.3.1 to 10.3.2:
No upgrade scriptlets.
Tracker has been set to version 10.3.2.

Upgrading from version 10.3.2 to 10.3.3:
No upgrade scriptlets.
Tracker has been set to version 10.3.3.

Upgrading from version 10.3.3 to 10.4.0:
1. Fix JAVA_HOME path
2. Fix server library
3. Fix deployment descriptor
ERROR: [Errno 2] No such file or directory: '/usr/share/pki/server/conf/Catalina/localhost/pki#admin.xml'
Failed upgrading pki-tomcat instance.
Upgrade failed in pki-tomcat: [Errno 2] No such file or directory: '/usr/share/pki/server/conf/Catalina/localhost/pki#admin.xml'

Version-Release number of selected component (if applicable):


How reproducible: always

Steps to Reproduce:
1. Deploy pki (e.g. as part of IPA) on RHEL 7.1
2. Upgrade to 7.4

Actual results:

Upgrade, including pki-server-upgrade, completes without error.

Expected results:

Additional info: seems to be related to an upgrade script looking for
a file that does not exist.  Possibly it existed in a version in between
7.1 and 7.4, but no longer does.  The upgrade scriptlet affected is:


It is sufficient in the `fix_webapp` function to return early if the source
file does not exist, e.g. add the fragment:

        if not os.path.exists(source_xml):

Comment 2 Fraser Tweedale 2017-08-09 06:08:14 UTC
Upstream ticket: https://pagure.io/dogtagpki/issue/2789

Comment 3 Fraser Tweedale 2017-08-11 07:59:24 UTC
Upstream gerrit review: https://review.gerrithub.io/#/c/373880/

Comment 4 Fraser Tweedale 2017-08-14 01:40:26 UTC
Upstream commit: https://github.com/dogtagpki/pki/commit/d0a861923a27672d8633c87e21fb8596080e84af

Comment 7 Roshni 2017-12-07 18:51:22 UTC
[root@bkr-hv03-guest01 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.5.1
Release     : 4.el7
Architecture: noarch
Install Date: Thu 07 Dec 2017 01:38:56 PM EST
Group       : System Environment/Daemons
Size        : 2360514
License     : GPLv2
Signature   : RSA/SHA256, Tue 28 Nov 2017 10:33:09 PM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.5.1-4.el7.src.rpm
Build Date  : Tue 28 Nov 2017 09:17:20 PM EST
Build Host  : ppc-035.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Verification steps:
1. ipa-server-install on a rhel 7.1 server.
2. successfully upgraded to rhel 7.5 builds

Comment 9 errata-xmlrpc 2018-04-10 17:00:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.