[Pki-users] New Release: PKI 10.7.3 is available for testing
Dinesh Prasanth Moluguwan Krishnamoorthy
dmoluguw at redhat.com
Wed Sep 25 18:23:46 UTC 2019
Hello Arno,
As you might be aware, Fedora 31 hasn't reached its GA [1] yet. Fedora
31 is currently in beta and might carry some bugs. We do not support
PKI on unreleased Fedora versions.
Looking at your logs, I see an "access denied" error. This is mostly
due to bug in a different package which might be fixed before the
actual GA.
[1] https://fedoraproject.org/wiki/Releases/31/Schedule
Regards,
--Dinesh
On Mon, 2019-09-23 at 22:00 +0200, Arno Lehmann wrote:
> Hi all,
>
> I managed to upgrade my Fedora-based PKI system to Release 31, which
> is
> not yet ready for production (as I think I found).
>
> Now, after the upgrade, I can enjoy server error 500 messages once
> the
> web server middleware gets busy:
>
> https://...de:8443/pki/ui/
> results in
> > HTTP Status 500 – Internal Server Error
> >
> > Type Exception Report
> >
> > Message org.apache.jasper.JasperException: Unable to compile class
> > for JSP
> >
> > Beschreibung The server encountered an unexpected condition that
> > prevented it from fulfilling the request.
> >
> > Exception
> >
> > org.apache.jasper.JasperException:
> > org.apache.jasper.JasperException: Unable to compile class for JSP
> > org.apache.jasper.servlet.JspServletWrapper.handleJspException(
> > JspServletWrapper.java:604)
> > org.apache.jasper.servlet.JspServletWrapper.service(JspServletW
> > rapper.java:422)
>
> I can, of course, provide full stacktraces and configuration details.
>
>
>
> Configuration is mostly unmodified, but the whole system has been
> going
> through some upgrades since its first setup.
>
>
> From the automatically created debug log, I gather that this:
> > 2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE:
> > Servlet.service() for servlet [jsp] in context with path [/pki]
> > threw exception [org.apache.jasper.JasperException: Unable to
> > compile class for JSP] with root cause
> > java.security.AccessControlException: access denied
> > ("java.util.PropertyPermission"
> > "tolerateIllegalAmbiguousVarargsInvocation" "read")
> > at
> > java.security.AccessControlContext.checkPermission(AccessControlCon
> > text.java:472)
> > at
> > java.security.AccessController.checkPermission(AccessController.jav
> > a:886)
> > at
> > java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> > at
> > java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:
> > 1294)
> > ...
>
> is probably the reason for the failure.
>
>
> Status of the server, at a first glance, looks ok to me:
> > [root at ca2 ~]# pki-server --verbose status CA2
> > Command: status CA2
> > INFO: Loading instance: CA2
> > INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
> > INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
> > INFO: Loading instance Tomcat config: /etc/pki/CA2/tomcat.conf
> > INFO: Loading password config: /etc/pki/CA2/password.conf
> > INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/CA2/CA2
> > INFO: Loading subsystem: ca
> > INFO: Loading subsystem config: /var/lib/pki/CA2/ca/conf/CS.cfg
> > INFO: Loading subsystem: ocsp
> > INFO: Loading subsystem config: /var/lib/pki/CA2/ocsp/conf/CS.cfg
> > Instance ID: CA2
> > Active: True
> > Unsecure Port: 8080
> > Secure Port: 8443
> > Tomcat Port: 8005
> >
> > CA Subsystem:
> > Type: Root CA (Security Domain)
> > SD Registration URL: https://ca2.<redacted>.de:8443
> > Enabled: True
> > Unsecure URL: http://ca2.<redacted>.de:8080/ca/ee/ca
> > Secure Agent URL: https://ca2.<redacted>.de:8443/ca/agent/ca
> > Secure EE URL: https://ca2.<redacted>.de:8443/ca/ee/ca
> > Secure Admin URL: https://ca2.<redacted>.de:8443/ca/services
> > PKI Console URL: https://ca2.<redacted>.de:8443/ca
> >
> > OCSP Subsystem:
> > Type: OCSP
> > SD Registration URL: https://ca2.<redacted>.de:8443
> > Enabled: True
> > Unsecure URL:
> > http://ca2.<redacted>.de:8080/ocsp/ee/ocsp/<ocsp request blob>
> > Secure Agent URL:
> > https://ca2.<redacted>.de:8443/ocsp/agent/ocsp
> > Secure EE URL:
> > https://ca2.<redacted>.de:8443/ocsp/ee/ocsp/<ocsp request blob>
> > Secure Admin URL:
> > https://ca2.<redacted>.de:8443/ocsp/services
> > PKI Console URL: https://ca2.<redacted>.de:8443/ocsp
>
> There's no other PKI instance in place, and I'm not sufficiently
> skilled
> with dogtag to actually do much with the configuration anyway, so I
> kept
> my fingers off if as far as I could :-)
>
>
> Is this a known problem, is there a reasonably simple fix, or is it
> time
> to load my latest backup?
>
>
> Thanks,
>
> Arno
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/pki-users/attachments/20190925/cf2a9c30/attachment.sig>
More information about the Pki-users
mailing list