Upgrade from v25.01.1 to v25.02 breaks installation

[prueckls]

I updated my Docker installation from version 25.01.1 to 25.02 using ~labca/labca/install, as I have successfully done many times before. Now, the Installation no longer works, no login possible.

Container labca-gui-1 is crashing:

2025/02/22 16:07:51 **** BEGIN MIGRATION: upgrade01 **** 2025/02/22 16:07:51 **** Root key file not present on the system: cannot upgrade automatically! 2025/02/22 16:07:51 **** Please do a fresh install of LabCA and import / upload the root certificate and key. 2025/02/22 16:07:51 **** ABORT MIGRATION ****

Container labca-control-1 is not crashing, but in the logs it says:

opt/labca Start serving commander script... cp: cannot stat '/opt/boulder/labca/certs/webpki/root-01-crl.pem': No such file or directory

Container labca-boulder-1 is crashing:

2025-02-22T16:13:36.742567+00:00Z boulder-publisher[366]: 3 boulder-publisher 5I_-ng0 [AUDIT] failed to load chain.: failed to load certificate "labca/certs/webpki/issuer-01-cert.pem": loading issuer certificate: open labca/certs/webpki/issuer-01-cert.pem: no such file or directory

Fortunately, I took a snapshot of the VM before the upgrade, allowing me to revert the upgrade.

[hakwerk]

I have added a warning to the release notes of v25.02 that it is no longer possible to upgrade LabCA systems that have the root CA key offline. Going forward the root CA key has to be stored in the system.

Allowing offline root keys made the GUI extra complex and was now even blocking other stuff, so I decided to remove that possibility. The keys are stored in SoftHSMv2 and I intend to investigate the possibility to use physical HSMs (Hardware Security Modules) to store them in the future.

[prueckls]

Thanks for your answer.

I've uploaded the root-ca.key file into the /home/labca/admin/data/ folder and started the upgrade again. Now the migration works, everything looks good.