[Freeipa-users] certificate list problems using web ui after upgrading to FreeIPA 4.2.0-15 SOLVED

Marco Antonio Carcano mc at carcano.ch
Sat Oct 8 13:00:11 UTC 2016


Thank you Fraser,

it is solved - despite the error about replacing Jettison with Jackson:

pki-server-upgrade

Upgrading from version 10.1.99 to 10.2.0:
1. Move web application context file (Yes/No) [Y]: Y
2. Replace Jettison with Jackson (Yes/No) [Y]: Y
ERROR:
Failed upgrading pki-tomcat instance. Continue (Yes/No) [Y]? Y
3. Added RESTEasy client (Yes/No) [Y]: Y
4. Replace RESTEasy application class (Yes/No) [Y]: Y
5. Remove config path from web.xml (Yes/No) [Y]: Y

Upgrading from version 10.2.0 to 10.2.1:
1. Add TLS Range Support (Yes/No) [Y]: Y

Upgrading from version 10.2.1 to 10.2.2:
1. Add TLS Range Support (Yes/No) [Y]: Y

Upgrading from version 10.2.2 to 10.2.3:
1. Move Web application deployment locations (Yes/No) [Y]: Y
2. Enabled Web application auto deploy (Yes/No) [Y]: Y
3. Remove dependency on Jackson 2 (Yes/No) [Y]: Y

Upgrading from version 10.2.3 to 10.2.4:
1. Fix instance work folder ownership (Yes/No) [Y]: Y
2. Fix bindPWPrompt for internalDB (Yes/No) [Y]: Y

Upgrading from version 10.2.4 to 10.2.5:
1. Add missing OCSP Get Servlet Mapping to upgraded Dogtag 9 instances (Yes/No) [Y]: Y
2. Fix nuxwdog listener class (Yes/No) [Y]: Y

Upgrading from version 10.2.5 to 10.2.5:
1. Add new KRA audit events (Yes/No) [Y]: Y

pki-tomcat instance:
   Configuration version: 10.1.99
   Last completed scriptlet: 1

pki-tomcat/ca subsystem:
   Configuration version: 10.2.5

Upgrade incomplete.



On 05/10/16 02:20, Fraser Tweedale wrote:
> On Thu, Sep 29, 2016 at 11:13:22PM +0200, Marco Antonio Carcano wrote:
>> Hi all,
>>
>> I’ve just upgraded from FreeIPA 4.1 to FreeIPA 4.2.0-15 on a CentOS 7
>> (7.2.1511) and I’m no longer able to list certificates using the web UI.
>>
>> When I go to “Authentication”, “Certificates” and choose “Certificates”, I
>> get the following error:
>>
>> Certificate operation cannot be completed: Unable to communicate with CMS
>> (Internal Server Error)
>>
>> and tomcat logs contain the following exception:
>>
>> Sep 29, 2016 4:54:35 PM org.apache.catalina.core.StandardWrapperValve invoke
>> SEVERE: Allocate exception for servlet Resteasy
>> java.lang.ClassNotFoundException: com.netscape.ca.CertificateAuthorityApplication
>>      at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1720)
>>      at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
>>      at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:28
>>      at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:95)
>>      at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>      at java.lang.reflect.Method.invoke(Method.java:606)
>>      at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>>      at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>>      at java.security.AccessController.doPrivileged(Native Method)
>>      at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>>      at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>>      at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>>      at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>>      at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>>      at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>>      at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:864)
>>      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:134)
>>      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>>      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>>      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:40
>>      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>>      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>>      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
>>      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>      at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>      at java.lang.Thread.run(Thread.java:745)
>>
>> So it complains it cannot find class
>> com.netscape.ca.CertificateAuthorityApplication - that’s right
>>
>> The funny thing is that command line works like a charm
>>
>> ipa caacl-find
>> ----------------
>> 1 CA ACL matched
>> ----------------
>>    ACL name: hosts_services_caIPAserviceCert
>>    Enabled: TRUE
>>    Host category: all
>>    Service category: all
>>    Profiles: caIPAserviceCert
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>>
>> ipa cert-show
>> Serial number: 1
>>    Certificate:
>> MIIDjzCCAnegAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtJVEM0
>> VS5MT0NBTDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5
>>>> iI2rFqRTA+AF3xpqYBtOP+WwcBaue+OZ/GEsPOiyvcV1ZX6FWcKsmBf/T
>> t7A9
>>    Subject: CN=Certificate Authority,O=ME.LOCAL
>>    Issuer: CN=Certificate Authority,O=ME.LOCAL
>>    Not Before: Tue Dec 02 08:05:42 2014 UTC
>>    Not After: Sat Dec 02 08:05:42 2034 UTC
>>    Fingerprint (MD5): 59:4c:bb:dc:6a:e2:ff:17:6c:34:3e:f4:7e:fa:69:2e
>>    Fingerprint (SHA1): 74:c1:b3:a1:a1:25:5c:02:e8:ef:c5:30:14:fd:f0:58:79:6d:60:33
>>    Serial number (hex): 0x1
>>    Serial number: 1
>>
>> By the way, the weird thing is that before migrating I added a replica node
>> (so a fresh installation of FreeIPA 4.2.0-15) and the replica works
>> perfectly, without this problem
>>
>> It seems to be a problem somehow related to the upgrade process
>>
>> How can I manage? Any suggestion? By the way, does anybody know which JAR
>> contains com.netscape.ca.CertificateAuthorityApplication? I suppose it was
>> /usr/share/java/pki/pki-ca.jar, but it contains only CertificateAuthority
>> class:
>>
>> jar tf /usr/share/java/pki/pki-ca.jar |grep "CertificateAuthority"
>> com/netscape/ca/CertificateAuthority.class
>>
>> Thanks
>>
>> Marco
>>
> As you guess, something went awry during the upgrade process -
> specifically: the following upgrade scriptlet was not executed for some
> reason:
>
>    /usr/share/pki/server/upgrade/10.1.99/04-ReplaceRESTEasyApplicationClass
>
> Perhaps it was not the only one.
>
> Run `pki-server-upgrade' manually, as root, and see if that fixes
> it.  If not, let us spend some time off-list examining the state of
> your PKI deployment and what needs to be done to fix it up.
>
> Cheers,
> Fraser

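Added example, not part of the original thread and not Dogtag or FreeIPA code: a small shell/awk check over a saved pki-server-upgrade transcript that names the scriptlet that hit ERROR and lists components whose configuration version lags behind the newest one reported. The function names and the SAMPLE text (trimmed from the run quoted above) are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample: trimmed from the pki-server-upgrade run quoted in this thread.
SAMPLE='Upgrading from version 10.1.99 to 10.2.0:
1. Move web application context file (Yes/No) [Y]: Y
2. Replace Jettison with Jackson (Yes/No) [Y]: Y
ERROR:
Failed upgrading pki-tomcat instance. Continue (Yes/No) [Y]? Y
3. Added RESTEasy client (Yes/No) [Y]: Y

pki-tomcat instance:
   Configuration version: 10.1.99
   Last completed scriptlet: 1

pki-tomcat/ca subsystem:
   Configuration version: 10.2.5

Upgrade incomplete.'

# Hypothetical helper: print "<from>-><to> #<index> <title>" for each
# scriptlet prompt that is directly followed by an ERROR: line.
failed_scriptlets() {
    awk '
    /^Upgrading from version / { from = $4; to = $6; sub(/:$/, "", to); next }
    /^[0-9]+\. / {
        idx = $1; sub(/\.$/, "", idx)
        title = $0; sub(/^[0-9]+\. /, "", title); sub(/ \(Yes\/No\).*$/, "", title)
        next
    }
    /^ERROR:/ { printf "%s->%s #%s %s\n", from, to, idx, title }
    '
}

# Hypothetical helper: print "<component> <version>" for every component whose
# configuration version is below the highest version seen in the summary.
lagging_components() {
    awk '
    function key(v,  p, n) { n = split(v, p, "."); return sprintf("%05d%05d%05d", p[1], p[2], p[3]) }
    /^pki-.*(instance|subsystem):$/ { name = $1; next }
    /Configuration version:/ { ver[name] = $3; if (key($3) > max) max = key($3) }
    END { for (c in ver) if (key(ver[c]) < max) print c, ver[c] }
    '
}

printf '%s\n' "$SAMPLE" | failed_scriptlets
printf '%s\n' "$SAMPLE" | lagging_components
```

On the transcript in this thread it reports scriptlet 2 of the 10.1.99 to 10.2.0 step as failed and the pki-tomcat instance still at 10.1.99 while the CA subsystem is at 10.2.5.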


