Keycloak won't start after updating to 26.1.4

Hello everyone

After updating Keycloak to version 26.1.4-ucs1, I get the following error message in the system diagnostics: “SAML certificate verification failed.”

Traceback (most recent call last):
  File "/usr/lib/python3.11/xml/etree/ElementTree.py", line 1709, in feed
    self.parser.Parse(data, False)
xml.parsers.expat.ExpatError: syntax error: line 1, column 49
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/diagnostic/__init__.py", line 278, in execute
    ret = execute(umc_module, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/diagnostic/plugins/04_saml_certificate_check.py", line 69, in run
    run_keycloak(_umc_instance, keycloak_uri, rerun)
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/diagnostic/plugins/04_saml_certificate_check.py", line 79, in run_keycloak
    for problem in test_identity_provider_certificate_keycloak(sso_uri):
  File "/usr/lib/python3/dist-packages/univention/management/console/modules/diagnostic/plugins/04_saml_certificate_check.py", line 142, in test_identity_provider_certificate_keycloak
    metadata_dom = fromstring(data)
                   ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/defusedxml/common.py", line 126, in fromstring
    parser.feed(text)
  File "/usr/lib/python3.11/xml/etree/ElementTree.py", line 1711, in feed
    self._raiseerror(v)
  File "/usr/lib/python3.11/xml/etree/ElementTree.py", line 1618, in _raiseerror
    raise err
xml.etree.ElementTree.ParseError: syntax error: line 1, column 49

As I discovered, the Keycloak service no longer starts on this machine.

I found this note in the update log:

Starting univention-upgrade. Current UCS version is 5.2-1 errata73

2025-04-27 12:33:32,652 CRITICAL:updater.Updater:Failed server detection: Configuration error: Temporary failure in name resolution
Traceback (most recent call last):
  File "/usr/lib/python3.11/urllib/request.py", line 1348, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/usr/lib/python3.11/http/client.py", line 1282, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.11/http/client.py", line 1328, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.11/http/client.py", line 1277, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.11/http/client.py", line 1037, in _send_output
    self.send(msg)
  File "/usr/lib/python3.11/http/client.py", line 975, in send
    self.connect()
  File "/usr/lib/python3.11/http/client.py", line 1447, in connect
    super().connect()
  File "/usr/lib/python3.11/http/client.py", line 941, in connect
    self.sock = self._create_connection(
                ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/socket.py", line 827, in create_connection
    for res in getaddrinfo(host, port, 0, SOCK_STREAM):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/socket.py", line 962, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
socket.gaierror: [Errno -3] Temporary failure in name resolution
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/updater/tools.py", line 611, in access
    res = UCSHttpServer.opener.open(req, timeout=self.timeout)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/urllib/request.py", line 519, in open
    response = self._open(req, data)
               ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/urllib/request.py", line 536, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/urllib/request.py", line 496, in _call_chain
    result = func(*args)
             ^^^^^^^^^^^
  File "/usr/lib/python3.11/urllib/request.py", line 1391, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/urllib/request.py", line 1351, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [Errno -3] Temporary failure in name resolution>
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/updater/tools.py", line 1212, in _get_releases
    _code, _size, data = self.server.access(None, 'ucs-releases.json', get=True)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/univention/updater/tools.py", line 679, in access
    raise ConfigurationError(uri, reason)
univention.updater.errors.ConfigurationError: Configuration error: Temporary failure in name resolution

I get the following error message when I try to start the service via the console:

Restarting keycloak …
Restarting keycloak … error
ERROR: for keycloak Cannot restart container cf00b322fec915014225484514c77baca23f573946059943de8ad1ff1e38b75c: driver failed programming external connectivity on endpoint keycloak (0f1d74ab3371c86d10ef8d8c59b8dac59148deef4f1e135b37a5bb2a96cfeb1f): Bind for 0.0.0.0:8180 failed: port is already allocated

As far as I can see, the machine has a problem connecting on port 8180.
The reference to name resolution is also documented there. The name resolution of this machine, which is also the DNS server, is working.
The machine can also be reached via ping using ucs-sso and ucs-sso-ng.

The update on a second machine ran smoothly, and the service is starting.

But how do I resolve this?

Regards
Michael
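
The first traceback in the post ends in `fromstring(data)` raising `ParseError`, which means the body fetched from the IdP metadata URL was not well-formed XML. The following is an added example, not part of the original post and not Univention's code, of a metadata check that reports what it received instead of letting the parse error escape; the function name, status labels and both sample bodies are assumptions constructed for illustration.

```python
# Added example. Sample bodies are constructed, not taken from the post.
from xml.etree.ElementTree import ParseError

try:  # the diagnostic plugin in the traceback parses with defusedxml
    from defusedxml.ElementTree import fromstring
except ImportError:  # stdlib fallback so the example runs without it
    from xml.etree.ElementTree import fromstring

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT_PATH = ("md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/"
             "ds:X509Data/ds:X509Certificate")

# Constructed: an HTML error page of the kind a front end may serve.
HTML_ERROR = "<html><body><h1>503 Service Unavailable</h1><hr></body></html>"
# Constructed: minimal IdP metadata with a placeholder certificate value.
GOOD_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    'entityID="https://idp.example.test/realms/demo">'
    '<md:IDPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>MIIB\nCONSTRUCTED</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '</md:IDPSSODescriptor></md:EntityDescriptor>')


def classify_metadata(body):
    """Return (status, detail) for a body fetched from the metadata URL."""
    if not body.strip():
        return ("empty", "no body returned")
    try:
        root = fromstring(body)
    except ParseError as exc:
        line, col = exc.position  # same line/column the traceback reports
        return ("not_xml", f"line {line}, column {col}: {body[:60]!r}")
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return ("not_metadata", f"unexpected root element {root.tag}")
    certs = ["".join(c.text.split())
             for c in root.findall(CERT_PATH, NS) if c.text]
    if not certs:
        return ("no_certificate", "no IdP certificate in metadata")
    return ("ok", certs)


if __name__ == "__main__":
    for name, body in (("error page", HTML_ERROR), ("metadata", GOOD_METADATA)):
        print(name, "->", classify_metadata(body))
```

The `not_xml` detail includes the first bytes of the body, which shows at a glance whether the endpoint answered with an error page rather than SAML metadata.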