[Freeipa-users] certificate list problems using web ui after upgrading to FreeIPA 4.2.0-15

Marco Antonio Carcano mc at carcano.ch
Thu Sep 29 21:13:22 UTC 2016


Hi all,

I’ve just upgraded from FreeIPA 4.1 to FreeIPA 4.2.0-15 on a CentOS 7 
(7.2.1511) and I’m no longer able to list certificates using the web UI.

When I go to “Authentication”, “Certificates” and choose “Certificates”, 
I get the following error:

Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)

and the tomcat logs contain the following exception:

Sep 29, 2016 4:54:35 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Allocate exception for servlet Resteasy
java.lang.ClassNotFoundException: com.netscape.ca.CertificateAuthorityApplication
     at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1720)
     at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:28
     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:95)
     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:606)
     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
     at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:864)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:134)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:40
     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
     at java.lang.Thread.run(Thread.java:745)

So it complains it cannot find class 
com.netscape.ca.CertificateAuthorityApplication - that’s right

The funny thing is that the command line works like a charm

ipa caacl-find
----------------
1 CA ACL matched
----------------
   ACL name: hosts_services_caIPAserviceCert
   Enabled: TRUE
   Host category: all
   Service category: all
   Profiles: caIPAserviceCert
----------------------------
Number of entries returned 1
----------------------------

ipa cert-show
Serial number: 1
   Certificate: 
MIIDjzCCAnegAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtJVEM0
VS5MT0NBTDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5
…
iI2rFqRTA+AF3xpqYBtOP+WwcBaue+OZ/GEsPOiyvcV1ZX6FWcKsmBf/T
t7A9
   Subject: CN=Certificate Authority,O=ME.LOCAL
   Issuer: CN=Certificate Authority,O=ME.LOCAL
   Not Before: Tue Dec 02 08:05:42 2014 UTC
   Not After: Sat Dec 02 08:05:42 2034 UTC
   Fingerprint (MD5): 59:4c:bb:dc:6a:e2:ff:17:6c:34:3e:f4:7e:fa:69:2e
   Fingerprint (SHA1): 74:c1:b3:a1:a1:25:5c:02:e8:ef:c5:30:14:fd:f0:58:79:6d:60:33
   Serial number (hex): 0x1
   Serial number: 1

By the way, the weird thing is that before migrating I added a replica 
node (so a fresh installation of FreeIPA 4.2.0-15) and the replica works 
perfectly, without this problem

It seems to be a problem somehow related to the upgrade process

How can I manage? Any suggestion? By the way, does anybody know which 
JAR contains com.netscape.ca.CertificateAuthorityApplication? I suppose 
it was /usr/share/java/pki/pki-ca.jar, but it contains only the 
CertificateAuthority class:

jar tf /usr/share/java/pki/pki-ca.jar |grep "CertificateAuthority"
com/netscape/ca/CertificateAuthority.class

Thanks

Marco
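
An added example, not part of the original post: one way to check which JAR holds a class across whole directory trees, matching the exact class entry instead of a substring as grep "CertificateAuthority" does, and also reporting classes with the same simple name in another package. The names locate and demo, the JAR file names and the org.example package are constructed for this illustration.

```python
import os
import tempfile
import zipfile

def locate(roots, class_name):
    """Return (exact, moved): JARs holding class_name, and same-named classes elsewhere."""
    entry = class_name.replace(".", "/") + ".class"
    simple = "/" + entry.rsplit("/", 1)[-1]
    exact, moved = [], {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in sorted(files):
                if not name.endswith(".jar"):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with zipfile.ZipFile(path) as jar:
                        names = jar.namelist()
                except (zipfile.BadZipFile, OSError):
                    continue  # dangling symlink or not a real archive: skip it
                if entry in names:
                    exact.append(path)
                # Same simple name under a different package: the class may have moved.
                other = [n for n in names if n.endswith(simple) and n != entry]
                if other:
                    moved[path] = other
    return exact, moved

def demo():
    """Run locate() over constructed JARs (sample data, not real PKI packages)."""
    target = "com.netscape.ca.CertificateAuthorityApplication"
    with tempfile.TemporaryDirectory() as tmp:
        layout = {
            # Mirrors the `jar tf` output quoted in the post.
            "pki-ca.jar": ["com/netscape/ca/CertificateAuthority.class"],
            # Hypothetical package name, invented for this demo.
            "sample.jar": ["org/example/ca/CertificateAuthorityApplication.class"],
        }
        for jar_name, entries in layout.items():
            with zipfile.ZipFile(os.path.join(tmp, jar_name), "w") as jar:
                for e in entries:
                    jar.writestr(e, b"")
        # A dangling symlink, to show that unreadable entries are skipped.
        os.symlink(os.path.join(tmp, "gone.jar"), os.path.join(tmp, "stale.jar"))
        exact, moved = locate([tmp], target)
        return ([os.path.basename(p) for p in exact],
                {os.path.basename(p): v for p, v in moved.items()})

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the directories to search as roots, for example /usr/share/java/pki from the post.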



