[Pki-users] New Release: PKI 10.7.3 is available for testing

Dinesh Prasanth Moluguwan Krishnamoorthy dmoluguw at redhat.com
Wed Sep 25 18:23:46 UTC 2019


Hello Arno,

As you might be aware, Fedora 31 hasn't reached its GA [1] yet. Fedora
31 is currently in beta and might carry some bugs. We do not support
PKI on unreleased Fedora versions.

Looking at your logs, I see an "access denied" error. This is mostly
due to a bug in a different package which might be fixed before the
actual GA.

[1] https://fedoraproject.org/wiki/Releases/31/Schedule

Regards,
--Dinesh

On Mon, 2019-09-23 at 22:00 +0200, Arno Lehmann wrote:
> Hi all,
> 
> I managed to upgrade my Fedora-based PKI system to Release 31, which is
> not yet ready for production (as I think I found).
> 
> Now, after the upgrade, I can enjoy server error 500 messages once the
> web server middleware gets busy:
> 
> https://...de:8443/pki/ui/
> results in
> > HTTP Status 500 – Internal Server Error
> > 
> > Type Exception Report
> > 
> > Message org.apache.jasper.JasperException: Unable to compile class for JSP
> > 
> > Beschreibung The server encountered an unexpected condition that prevented it from fulfilling the request.
> > 
> > Exception
> > 
> > org.apache.jasper.JasperException: org.apache.jasper.JasperException: Unable to compile class for JSP
> > 	org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:604)
> > 	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
> 
> I can, of course, provide full stacktraces and configuration details.
> 
> 
> 
> Configuration is mostly unmodified, but the whole system has been going
> through some upgrades since its first setup.
> 
> 
> From the automatically created debug log, I gather that this:
> > 2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE: Servlet.service() for servlet [jsp] in context with path [/pki] threw exception [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
> > java.security.AccessControlException: access denied ("java.util.PropertyPermission" "tolerateIllegalAmbiguousVarargsInvocation" "read")
> > 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> > 	at java.security.AccessController.checkPermission(AccessController.java:886)
> > 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> > 	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
> > 	...
> 
> is probably the reason for the failure.
> 
> 
> Status of the server, at a first glance, looks ok to me:
> > [root@ca2 ~]# pki-server --verbose status CA2
> > Command: status CA2
> > INFO: Loading instance: CA2
> > INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
> > INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
> > INFO: Loading instance Tomcat config: /etc/pki/CA2/tomcat.conf
> > INFO: Loading password config: /etc/pki/CA2/password.conf
> > INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/CA2/CA2
> > INFO: Loading subsystem: ca
> > INFO: Loading subsystem config: /var/lib/pki/CA2/ca/conf/CS.cfg
> > INFO: Loading subsystem: ocsp
> > INFO: Loading subsystem config: /var/lib/pki/CA2/ocsp/conf/CS.cfg
> >   Instance ID: CA2
> >   Active: True
> >   Unsecure Port: 8080
> >   Secure Port: 8443
> >   Tomcat Port: 8005
> > 
> >   CA Subsystem:
> >     Type:                Root CA (Security Domain)
> >     SD Registration URL: https://ca2.<redacted>.de:8443
> >     Enabled:             True
> >     Unsecure URL:        http://ca2.<redacted>.de:8080/ca/ee/ca
> >     Secure Agent URL:    https://ca2.<redacted>.de:8443/ca/agent/ca
> >     Secure EE URL:       https://ca2.<redacted>.de:8443/ca/ee/ca
> >     Secure Admin URL:    https://ca2.<redacted>.de:8443/ca/services
> >     PKI Console URL:     https://ca2.<redacted>.de:8443/ca
> > 
> >   OCSP Subsystem:
> >     Type:                OCSP
> >     SD Registration URL: https://ca2.<redacted>.de:8443
> >     Enabled:             True
> >     Unsecure URL:        http://ca2.<redacted>.de:8080/ocsp/ee/ocsp/<ocsp request blob>
> >     Secure Agent URL:    https://ca2.<redacted>.de:8443/ocsp/agent/ocsp
> >     Secure EE URL:       https://ca2.<redacted>.de:8443/ocsp/ee/ocsp/<ocsp request blob>
> >     Secure Admin URL:    https://ca2.<redacted>.de:8443/ocsp/services
> >     PKI Console URL:     https://ca2.<redacted>.de:8443/ocsp
> 
> There's no other PKI instance in place, and I'm not sufficiently skilled
> with dogtag to actually do much with the configuration anyway, so I kept
> my fingers off it as far as I could :-)
> 
> 
> Is this a known problem, is there a reasonably simple fix, or is it time
> to load my latest backup?
> 
> 
> Thanks,
> 
> Arno
> 
> 
> 