fingerprint_sha256 and fingerprint_sha1 empty after upgrade for user certs in /etc/stunnel/certs/

stormi commented 2 months ago

I'm on XAPI 24.19.2, to which I applied this fix so that the new fingerprint fields are filled.

However, this wasn't enough, and after a XAPI restart I still have a certificate for which these fields are empty:

[19:25 xcpng-ci-83-a1 ~]# xe certificate-param-list uuid=fd7be45e-f6f2-8f39-cf9d-ef6c86e9fc82
uuid ( RO)                  : fd7be45e-f6f2-8f39-cf9d-ef6c86e9fc82
                  type ( RO): ca
                  name ( RO): sdn-controller-ca.pem
                  host ( RO): <not in database>
            not-before ( RO): 20210301T17:42:44Z
             not-after ( RO): 20480716T17:42:44Z
           fingerprint ( RO): 28:41:71:99:BF:C0:AD:7A:25:01:43:FE:6E:54:7F:26:77:04:28:83:B0:0C:4C:61:A6:C1:D7:CB:FF:B3:DD:E4
    fingerprint_sha256 ( RO): 
      fingerprint_sha1 ( RO):

I'm not very good at reading ocaml changesets, but it looks like https://github.com/xapi-project/xen-api/pull/5786 left aside user certificates and only fixed host certificates.

It turns out this has real consequences, as our automated tests detected. Consider the following scenario.

Pool A was regularly updated. It has one or several user certificates, whose fingerprint_sha256 field remains empty.
A new host, B1, was freshly installed and also has the same user certificates
The user wants to join B1 to Pool A.
XAPI performs sanity checks on certificates, and notably it checks that certificates are consistent: a certificate present on both pools with the same name must have the same fingerprint. But recently you started checking the fingerprint_sha256, which is empty on pool A and not empty in host B1. The check fails, and the pool join fails with : "The host joining the pool has different CA certificates from the pool coordinator while using the same name, uninstall them and try again".

The relevant code for this check is here: https://github.com/xapi-project/xen-api/blob/master/ocaml/xapi/xapi_pool.ml#L764

CCing @snwoods as the committer of PR #5786.

psafont commented 2 months ago

Thanks for reporting the issue, I've created CA-398341 to track this internally.

I've created a branch with an untested patch: https://github.com/xapi-project/xen-api/compare/master...psafont:xen-api:private/paus/fingers-crossed

I'm going on holidays tomorrow, so somebody else will need to pick up the work.

stormi commented 1 month ago

So, we released an update with this fix, and a tester found their XAPI not starting anymore.

One year ago, they had removed a certificate manually from disk without uninstalling it cleanly from XAPI. XAPI attempts to update its metadata, but fails on the missing file.

We downgraded XAPI, ran touch /etc/stunnel/certs/sdn-controller-ca.pem because xe pool-certificate-uninstall can't remove a certificate whose file is already removed, even with --force (<---- improvement suggestion here), uninstalled the cert, then updated back. System repaired.

We probably shouldn't make XAPI startup fail in this situation.

stormi commented 1 month ago

Log extract:

Sep  6 11:15:01 xcpng-alpha xapi: [debug||0 |server_init D:79e713e28a1a|startup] task [Update shared certificate's metadata]
Sep  6 11:15:01 xcpng-alpha xapi: [debug||0 |server_init D:79e713e28a1a|dummytaskhelper] task Update shared certificate's metadata D:42d37187c25d created by task D:79e713e28a1a
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace] Update shared certificate's metadata D:42d37187c25d failed with exception Unix.Unix_error(Unix.ENOENT, "open", "/etc/stunnel/certs/sdn-controller-ca.pem")
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace] Raised Unix.Unix_error(Unix.ENOENT, "open", "/etc/stunnel/certs/sdn-controller-ca.pem")
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace] 1/12 xapi Raised at file ocaml/libs/xapi-stdext/lib/xapi-stdext-unix/unixext.ml, line 92
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace] 2/12 xapi Called from file ocaml/libs/xapi-stdext/lib/xapi-stdext-unix/unixext.ml, line 177
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace] 3/12 xapi Called from file ocaml/libs/xapi-stdext/lib/xapi-stdext-unix/unixext.ml, line 179
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace] 4/12 xapi Called from file ocaml/xapi/certificates.ml, line 282
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace] 5/12 xapi Called from file list.ml, line 110
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace] 6/12 xapi Called from file ocaml/libs/xapi-stdext/lib/xapi-stdext-pervasives/pervasiveext.ml, line 24
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace] 7/12 xapi Called from file ocaml/libs/xapi-stdext/lib/xapi-stdext-pervasives/pervasiveext.ml, line 39
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace] 8/12 xapi Called from file ocaml/xapi/server_helpers.ml, line 72
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace] 9/12 xapi Called from file ocaml/xapi/server_helpers.ml, line 94
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace] 10/12 xapi Called from file ocaml/libs/xapi-stdext/lib/xapi-stdext-pervasives/pervasiveext.ml, line 24
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace] 11/12 xapi Called from file ocaml/libs/xapi-stdext/lib/xapi-stdext-pervasives/pervasiveext.ml, line 39
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace] 12/12 xapi Called from file ocaml/libs/log/debug.ml, line 250
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 |server_init D:79e713e28a1a|backtrace]
Sep  6 11:15:01 xcpng-alpha xapi: [ warn||0 |server_init D:79e713e28a1a|startup] task [Update shared certificate's metadata] exception: Unix.Unix_error(Unix.ENOENT, "open", "/etc/stunnel/certs/sdn-controller-ca.pem")
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] server_init D:79e713e28a1a failed with exception Unix.Unix_error(Unix.ENOENT, "open", "/etc/stunnel/certs/sdn-controller-ca.pem")
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] Raised Unix.Unix_error(Unix.ENOENT, "open", "/etc/stunnel/certs/sdn-controller-ca.pem")
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 1/15 xapi Raised at file ocaml/libs/log/debug.ml, line 267
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 2/15 xapi Called from file ocaml/libs/xapi-stdext/lib/xapi-stdext-pervasives/pervasiveext.ml, line 24
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 3/15 xapi Called from file ocaml/libs/xapi-stdext/lib/xapi-stdext-pervasives/pervasiveext.ml, line 39
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 4/15 xapi Called from file ocaml/xapi/server_helpers.ml, line 186
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 5/15 xapi Called from file ocaml/xapi/startup.ml, line 95
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 6/15 xapi Called from file ocaml/xapi/startup.ml, line 103
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 7/15 xapi Called from file list.ml, line 110
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 8/15 xapi Called from file ocaml/libs/xapi-stdext/lib/xapi-stdext-pervasives/pervasiveext.ml, line 24
Sep  6 11:15:01 xcpng-alpha xapi: [debug||103 /var/lib/xcp/xapi|post_root|dummytaskhelper] task dispatch:session.slave_login D:a158125dd2cf created by task D:79e713e28a1a
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 9/15 xapi Called from file ocaml/libs/xapi-stdext/lib/xapi-stdext-pervasives/pervasiveext.ml, line 39
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 10/15 xapi Called from file ocaml/xapi/xapi.ml, line 1081
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 11/15 xapi Called from file ocaml/xapi/server_helpers.ml, line 72
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 12/15 xapi Called from file ocaml/xapi/server_helpers.ml, line 94
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 13/15 xapi Called from file ocaml/libs/xapi-stdext/lib/xapi-stdext-pervasives/pervasiveext.ml, line 24
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 14/15 xapi Called from file ocaml/libs/xapi-stdext/lib/xapi-stdext-pervasives/pervasiveext.ml, line 39
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 15/15 xapi Called from file ocaml/libs/log/debug.ml, line 250
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace]
Sep  6 11:15:01 xcpng-alpha xapi: [ info||103 /var/lib/xcp/xapi|session.slave_login D:66eac4ae5d62|xapi_session] Session.create trackid=8c7b1adbf956cc2269755733d4544244 pool=true uname= originator=xapi is_local_superuser=true auth_user_sid= parent=trackid=9834f5af41c964e225f24279aefe4e49
Sep  6 11:15:01 xcpng-alpha xapi: [debug||0 ||xapi] xapi top-level caught Unix_error: No such file or directory, open, /etc/stunnel/certs/sdn-controller-ca.pem
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] Raised Unix.Unix_error(Unix.ENOENT, "open", "/etc/stunnel/certs/sdn-controller-ca.pem")
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace] 1/1 xapi Raised at file (Thread 0 has no backtrace table. Was with_backtraces called?, line 0
Sep  6 11:15:01 xcpng-alpha xapi: [error||0 ||backtrace]

stormi commented 1 month ago

Grepping on "startup]" also shows XAPI startup is looping:

Sep  6 11:15:23 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [XAPI SERVER STARTING]
Sep  6 11:15:23 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Parsing inventory file]
Sep  6 11:15:23 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Setting stunnel timeout]
Sep  6 11:15:23 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Initialising local database]
Sep  6 11:15:23 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Loading DHCP leases]
Sep  6 11:15:23 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Reading pool secret]
Sep  6 11:15:23 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Logging xapi version info]
Sep  6 11:15:23 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Setting signal handlers]
Sep  6 11:15:23 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Initialising random number generator]
Sep  6 11:15:23 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Initialise TLS verification]
Sep  6 11:15:23 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Running startup check]
Sep  6 11:15:23 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Registering SMAPIv1 plugins]
Sep  6 11:15:26 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Initialising SMAPIv1 state]
Sep  6 11:15:26 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Starting SMAPIv1 proxies]
Sep  6 11:15:26 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Starting SM service]
Sep  6 11:15:26 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Starting SM xapi event service]
Sep  6 11:15:26 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Killing stray sparse_dd processes]
Sep  6 11:15:26 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Registering http handlers]
Sep  6 11:15:26 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Registering master-only http handlers]
Sep  6 11:15:26 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Listening unix socket]
Sep  6 11:15:26 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [starting thread Metadata VDI liveness monitor]
Sep  6 11:15:26 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Checking HA configuration]
Sep  6 11:15:26 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Checking for non-HA redo-log]
Sep  6 11:15:26 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Setup DB configuration]
Sep  6 11:15:26 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [starting up database engine]
Sep  6 11:15:28 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [hi-level database upgrade]
Sep  6 11:15:28 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [bringing up management interface]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [starting thread Starting periodic scheduler]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Synchronising host configuration files]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Starting Host other-config watcher]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Update database state of TLS verification]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:3539931a73f8|startup] task [Update shared certificate's metadata]
Sep  6 11:15:29 xcpng-alpha xapi: [ warn||0 |server_init D:3539931a73f8|startup] task [Update shared certificate's metadata] exception: Unix.Unix_error(Unix.ENOENT, "open", "/etc/stunnel/certs/sdn-controller-ca.pem")
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [XAPI SERVER STARTING]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Parsing inventory file]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Setting stunnel timeout]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Initialising local database]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Loading DHCP leases]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Reading pool secret]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Logging xapi version info]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Setting signal handlers]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Initialising random number generator]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Initialise TLS verification]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Running startup check]
Sep  6 11:15:29 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Registering SMAPIv1 plugins]
Sep  6 11:15:31 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Initialising SMAPIv1 state]
Sep  6 11:15:31 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Starting SMAPIv1 proxies]
Sep  6 11:15:31 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Starting SM service]
Sep  6 11:15:31 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Starting SM xapi event service]
Sep  6 11:15:31 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Killing stray sparse_dd processes]
Sep  6 11:15:31 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Registering http handlers]
Sep  6 11:15:31 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Registering master-only http handlers]
Sep  6 11:15:31 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Listening unix socket]
Sep  6 11:15:31 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [starting thread Metadata VDI liveness monitor]
Sep  6 11:15:31 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Checking HA configuration]
Sep  6 11:15:31 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Checking for non-HA redo-log]
Sep  6 11:15:31 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Setup DB configuration]
Sep  6 11:15:31 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [starting up database engine]
Sep  6 11:15:33 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [hi-level database upgrade]
Sep  6 11:15:34 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [bringing up management interface]
Sep  6 11:15:34 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [starting thread Starting periodic scheduler]
Sep  6 11:15:34 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Synchronising host configuration files]
Sep  6 11:15:34 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Starting Host other-config watcher]
Sep  6 11:15:34 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Update database state of TLS verification]
Sep  6 11:15:34 xcpng-alpha xapi: [debug||0 |server_init D:2a9d9c931400|startup] task [Update shared certificate's metadata]
Sep  6 11:15:34 xcpng-alpha xapi: [ warn||0 |server_init D:2a9d9c931400|startup] task [Update shared certificate's metadata] exception: Unix.Unix_error(Unix.ENOENT, "open", "/etc/stunnel/certs/sdn-controller-ca.pem")
Sep  6 11:15:35 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [XAPI SERVER STARTING]
Sep  6 11:15:35 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Parsing inventory file]
Sep  6 11:15:35 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Setting stunnel timeout]
Sep  6 11:15:35 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Initialising local database]
Sep  6 11:15:35 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Loading DHCP leases]
Sep  6 11:15:35 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Reading pool secret]
Sep  6 11:15:35 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Logging xapi version info]
Sep  6 11:15:35 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Setting signal handlers]
Sep  6 11:15:35 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Initialising random number generator]
Sep  6 11:15:35 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Initialise TLS verification]
Sep  6 11:15:35 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Running startup check]
Sep  6 11:15:35 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Registering SMAPIv1 plugins]
Sep  6 11:15:37 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Initialising SMAPIv1 state]
Sep  6 11:15:37 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Starting SMAPIv1 proxies]
Sep  6 11:15:37 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Starting SM service]
Sep  6 11:15:37 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Starting SM xapi event service]
Sep  6 11:15:37 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Killing stray sparse_dd processes]
Sep  6 11:15:37 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Registering http handlers]
Sep  6 11:15:37 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Registering master-only http handlers]
Sep  6 11:15:37 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Listening unix socket]
Sep  6 11:15:37 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [starting thread Metadata VDI liveness monitor]
Sep  6 11:15:37 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Checking HA configuration]
Sep  6 11:15:37 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Checking for non-HA redo-log]
Sep  6 11:15:37 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Setup DB configuration]
Sep  6 11:15:37 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [starting up database engine]
Sep  6 11:15:39 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [hi-level database upgrade]
Sep  6 11:15:39 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [bringing up management interface]
Sep  6 11:15:40 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [starting thread Starting periodic scheduler]
Sep  6 11:15:40 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Synchronising host configuration files]
Sep  6 11:15:40 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Starting Host other-config watcher]
Sep  6 11:15:40 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Update database state of TLS verification]
Sep  6 11:15:40 xcpng-alpha xapi: [debug||0 |server_init D:e4e7c3d94289|startup] task [Update shared certificate's metadata]
Sep  6 11:15:40 xcpng-alpha xapi: [ warn||0 |server_init D:e4e7c3d94289|startup] task [Update shared certificate's metadata] exception: Unix.Unix_error(Unix.ENOENT, "open", "/etc/stunnel/certs/sdn-controller-ca.pem")

snwoods commented 1 month ago

Hi, thank you for reporting this and the suggestion for using --force! I have incorporated both a fix for this issue and new --force functionality into this PR: https://github.com/xapi-project/xen-api/pull/6006

xapi-project / xen-api

fingerprint_sha256 and fingerprint_sha1 empty after upgrade for user certs in /etc/stunnel/certs/ #5955