[Pki-users] New Release: PKI 10.7.3 is available for testing

Arno Lehmann al at its-lehmann.de
Mon Sep 23 20:00:25 UTC 2019


Hi all,

I managed to upgrade my Fedora-based PKI system to Release 31, which is 
not yet ready for production (as I think I found).

Now, after the upgrade, I can enjoy server error 500 messages once the 
web server middleware gets busy:

https://...de:8443/pki/ui/
results in
> HTTP Status 500 – Internal Server Error
> 
> Type Exception Report
> 
> Message org.apache.jasper.JasperException: Unable to compile class for JSP
> 
> Beschreibung The server encountered an unexpected condition that prevented it from fulfilling the request.
> 
> Exception
> 
> org.apache.jasper.JasperException: org.apache.jasper.JasperException: Unable to compile class for JSP
> 	org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:604)
> 	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)


I can, of course, provide full stacktraces and configuration details.



Configuration is mostly unmodified, but the whole system has been going 
through some upgrades since its first setup.


From the automatically created debug log, I gather that this:
> 2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE: Servlet.service() for servlet [jsp] in context with path [/pki] threw exception [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
> java.security.AccessControlException: access denied ("java.util.PropertyPermission" "tolerateIllegalAmbiguousVarargsInvocation" "read")
> 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> 	at java.security.AccessController.checkPermission(AccessController.java:886)
> 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> 	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
> 	...

is probably the reason for the failure.


Status of the server, at a first glance, looks ok to me:
> [root@ca2 ~]# pki-server --verbose status  CA2
> Command: status CA2
> INFO: Loading instance: CA2
> INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
> INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
> INFO: Loading instance Tomcat config: /etc/pki/CA2/tomcat.conf
> INFO: Loading password config: /etc/pki/CA2/password.conf
> INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/CA2/CA2
> INFO: Loading subsystem: ca
> INFO: Loading subsystem config: /var/lib/pki/CA2/ca/conf/CS.cfg
> INFO: Loading subsystem: ocsp
> INFO: Loading subsystem config: /var/lib/pki/CA2/ocsp/conf/CS.cfg
>   Instance ID: CA2
>   Active: True
>   Unsecure Port: 8080
>   Secure Port: 8443
>   Tomcat Port: 8005
> 
>   CA Subsystem:
>     Type:                Root CA (Security Domain)
>     SD Registration URL: https://ca2.<redacted>.de:8443
>     Enabled:             True
>     Unsecure URL:        http://ca2.<redacted>.de:8080/ca/ee/ca
>     Secure Agent URL:    https://ca2.<redacted>.de:8443/ca/agent/ca
>     Secure EE URL:       https://ca2.<redacted>.de:8443/ca/ee/ca
>     Secure Admin URL:    https://ca2.<redacted>.de:8443/ca/services
>     PKI Console URL:     https://ca2.<redacted>.de:8443/ca
> 
>   OCSP Subsystem:
>     Type:                OCSP
>     SD Registration URL: https://ca2.<redacted>.de:8443
>     Enabled:             True
>     Unsecure URL:        http://ca2.<redacted>.de:8080/ocsp/ee/ocsp/<ocsp request blob>
>     Secure Agent URL:    https://ca2.<redacted>.de:8443/ocsp/agent/ocsp
>     Secure EE URL:       https://ca2.<redacted>.de:8443/ocsp/ee/ocsp/<ocsp request blob>
>     Secure Admin URL:    https://ca2.<redacted>.de:8443/ocsp/services
>     PKI Console URL:     https://ca2.<redacted>.de:8443/ocsp


There's no other PKI instance in place, and I'm not sufficiently skilled 
with dogtag to actually do much with the configuration anyway, so I kept 
my fingers off it as far as I could :-)


Is this a known problem, is there a reasonably simple fix, or is it time 
to load my latest backup?


Thanks,

Arno



-- 
Arno Lehmann

IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
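
An added triage example (not part of the original message, and not Dogtag or Tomcat code): it pulls each SecurityManager denial out of a debug log in the format quoted above and groups it by web application context, so every denied permission can be reviewed against the policy in force. The sample log is constructed from the two log lines quoted in the message, and `denied_permissions` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in the format of the debug log quoted in the message above.
SAMPLE_LOG = """\
2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE: Servlet.service() for servlet [jsp] in context with path [/pki] threw exception [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "tolerateIllegalAmbiguousVarargsInvocation" "read")
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
2019-09-23 20:57:02 [https-jsse-nio-8443-exec-3] SEVERE: Servlet.service() for servlet [jsp] in context with path [/pki] threw exception [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "tolerateIllegalAmbiguousVarargsInvocation" "read")
2019-09-23 20:57:10 [main] INFO: unrelated line
"""

SEVERE = re.compile(r"SEVERE: Servlet\.service\(\) for servlet \[([^\]]+)\] "
                    r"in context with path \[([^\]]*)\]")
# Permissions without an action list print as ("class" "target"),
# so the third quoted field is optional.
DENIED = re.compile(r'AccessControlException: access denied '
                    r'\("([^"]+)" "([^"]*)"(?: "([^"]*)")?\)')


def denied_permissions(log_text):
    """Count denials keyed by (context path, servlet, class, target, actions)."""
    counts = Counter()
    context = ("?", "?")  # used when a denial has no preceding SEVERE line
    for line in log_text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail-quoted log lines
        m = SEVERE.search(line)
        if m:
            context = (m.group(2), m.group(1))
            continue
        m = DENIED.search(line)
        if m:
            counts[context + (m.group(1), m.group(2), m.group(3) or "")] += 1
            context = ("?", "?")  # one denial per SEVERE entry
    return counts


if __name__ == "__main__":
    for key, n in denied_permissions(SAMPLE_LOG).most_common():
        path, servlet, cls, target, actions = key
        print(f"{n}x context={path} servlet={servlet}: {cls} {target!r} {actions!r}")
```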
