Bug 14376

Summary: не стартует pki-tomcat после обновления с IPA 4.8.10-6 до IPA 4.8.10-9
Product: [ROSA-based products] ROSA Fresh Reporter: Valeriy <user85vv>
Component: Contributed PackagesAssignee: ROSA Linux Bugs <bugs>
Status: CONFIRMED --- QA Contact: ROSA Linux Bugs <bugs>
Severity: critical    
Priority: Normal    
Version: Server   
Target Milestone: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Platform: --- ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Valeriy 2024-03-28 12:18:59 MSK 
pki-tomcatd@pki-tomcat.service: Killing process 16377 (n/a) with signal SIGKILL
pki-tomcatd@pki-tomcat.service: Killing process 16604 (Thread-17) with signal SIGKILLpki-tomcatd@pki-tomcat.service: Main process exited, code=killed, status=9/KILL

pki-tomcatd@pki-tomcat.service: Failed with result 'timeout'.
Comment 1 Valeriy 2024-03-28 12:23:05 MSK 
Реплика вообще не обновляется, а сыпется с ошибкой. Запустил только в режиме skip-version-check. Но pki и на ней не работает. В вебке на вкладке сертификаты Ошибка CMS 503 - Не удалось завершить операцию с сертификатом: Не удалось обменяться данными с CMS (503)

2024-03-27T07:18:56Z DEBUG stderr=
2024-03-27T07:18:56Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2024-03-27T07:18:56Z DEBUG Starting external process
2024-03-27T07:18:56Z DEBUG args=['/usr/sbin/selinuxenabled']
2024-03-27T07:18:56Z DEBUG Process finished, return code=1
2024-03-27T07:18:56Z DEBUG stdout=
2024-03-27T07:18:56Z DEBUG stderr=
2024-03-27T07:18:56Z DEBUG Created PKCS#11 module config '/etc/pkcs11/modules/softhsm2.module'.
2024-03-27T07:18:56Z INFO [Verifying that root certificate is published]
2024-03-27T07:18:56Z DEBUG Certificate file exists
2024-03-27T07:18:56Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2024-03-27T07:18:56Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2024-03-27T07:18:56Z DEBUG Trying to find certificate subject base in sysupgrade
2024-03-27T07:18:56Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2024-03-27T07:18:56Z DEBUG Found certificate subject base in sysupgrade: O=INET.GSKB.RU
2024-03-27T07:18:56Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2024-03-27T07:18:56Z DEBUG Saving StateFile to '/var/lib/ipa/sysupgrade/sysupgrade.state'
2024-03-27T07:18:56Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2024-03-27T07:18:56Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2024-03-27T07:18:56Z DEBUG request POST http://ifipa1-dmi.inet.gskb.ru:8080/ca/admin/ca/getStatus
2024-03-27T07:18:56Z DEBUG request body ''
2024-03-27T07:19:26Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/ipapython/dogtag.py", line 230, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.8/http/client.py", line 1256, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.8/http/client.py", line 1302, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.8/http/client.py", line 1251, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.8/http/client.py", line 1011, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.8/http/client.py", line 951, in send
    self.connect()
  File "/usr/lib64/python3.8/http/client.py", line 922, in connect
    self.sock = self._create_connection(
  File "/usr/lib64/python3.8/socket.py", line 808, in create_connection
    raise err
  File "/usr/lib64/python3.8/socket.py", line 796, in create_connection
    sock.connect(sa)
socket.timeout: timed out
2024-03-27T07:19:26Z DEBUG Failed to check CA status: cannot connect to 'http://ifipa1-dmi.inet.gskb.ru:8080/ca/admin/ca/getStatus': timed out
2024-03-27T07:19:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2024-03-27T07:19:26Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2024-03-27T07:19:26Z DEBUG Ensuring that service pki-tomcatd@pki-tomcat is not running while the next set of commands is being executed.
2024-03-27T07:19:26Z DEBUG Starting external process
2024-03-27T07:19:26Z DEBUG args=['/bin/systemctl', 'is-active', 'pki-tomcatd@pki-tomcat.service']
2024-03-27T07:19:26Z DEBUG Process finished, return code=3
2024-03-27T07:19:26Z DEBUG stdout=failed

2024-03-27T07:19:26Z DEBUG stderr=
2024-03-27T07:19:26Z DEBUG Service pki-tomcatd@pki-tomcat is not running, continue.
2024-03-27T07:19:26Z DEBUG Starting external process
2024-03-27T07:19:26Z DEBUG args=['/bin/systemctl', 'is-active', 'pki-tomcatd@pki-tomcat.service']
2024-03-27T07:19:26Z DEBUG Process finished, return code=3
2024-03-27T07:19:26Z DEBUG stdout=failed

2024-03-27T07:19:26Z DEBUG stderr=
2024-03-27T07:19:26Z INFO [Migrate CRL publish directory]
2024-03-27T07:19:26Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2024-03-27T07:19:26Z INFO CRL tree already moved
2024-03-27T07:19:26Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2024-03-27T07:19:26Z DEBUG   File "/usr/lib/python3.8/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.8/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.8/site-packages/ipaserver/install/server/upgrade.py", line 1844, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.8/site-packages/ipaserver/install/server/upgrade.py", line 1552, in upgrade_configuration
    ca.secure_ajp_connector()
  File "/usr/lib/python3.8/site-packages/ipaserver/install/dogtaginstance.py", line 307, in secure_ajp_connector
    server_xml = lxml.etree.parse(paths.PKI_TOMCAT_SERVER_XML)
  File "src/lxml/etree.pyx", line 3536, in lxml.etree.parse
  File "src/lxml/parser.pxi", line 1876, in lxml.etree._parseDocument
  File "src/lxml/parser.pxi", line 1902, in lxml.etree._parseDocumentFromURL
  File "src/lxml/parser.pxi", line 1805, in lxml.etree._parseDocFromFile
  File "src/lxml/parser.pxi", line 1177, in lxml.etree._BaseParser._parseDocFromFile
  File "src/lxml/parser.pxi", line 615, in lxml.etree._ParserContext._handleParseResultDoc
  File "src/lxml/parser.pxi", line 725, in lxml.etree._handleParseResult
  File "src/lxml/parser.pxi", line 654, in lxml.etree._raiseParseError

2024-03-27T07:19:26Z DEBUG The ipa-server-upgrade command failed, exception: XMLSyntaxError: Unescaped '<' not allowed in attributes values, line 130, column 5 (server.xml, line 130)
2024-03-27T07:19:26Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
XMLSyntaxError: Unescaped '<' not allowed in attributes values, line 130, column 5 (server.xml, line 130)
2024-03-27T07:19:26Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information