Hi,
I have the following Dogtag PKI packages installed (rebuilt from
Fedora src rpms):
# rpm -qa 'dogtag*' '*pki*'
pki-server-10.2.6-7.el7.centos.noarch
pki-tools-10.2.6-7.el7.centos.x86_64
dogtag-pki-server-theme-10.2.6-1.el7.centos.noarch
pki-ca-10.2.6-7.el7.centos.noarch
pki-base-10.2.6-7.el7.centos.noarch
dogtag-pki-console-theme-10.2.6-1.el7.centos.noarch
I have enabled CRLDistributionPointsExtension in all profiles and
after every PKI restart I can't approve new requests. The following
error message is displayed instead of the regular certificate approval
form:
---
The Certificate System has encountered an unrecoverable error.
Error Message:
java.lang.ClassCastException: netscape.security.x509.Extension cannot
be cast to netscape.security.x509.CRLDistributionPointsExtension
Please contact your local administrator for assistance.
---
Full Exception from /var/log/pki/pki-tomcat/localhost.2016-01-25.log:
Jan 25, 2016 7:42:08 PM org.apache.catalina.core.ApplicationContext log
INFO: caProfileReview: java.lang.ClassCastException: netscape.security.x509.Extension cannot be cast to netscape.security.x509.CRLDistributionPointsExtension
    at com.netscape.cms.profile.def.CRLDistributionPointsExtDefault.getValue(CRLDistributionPointsExtDefault.java:402)
    at com.netscape.cms.profile.def.EnrollDefault.getValue(EnrollDefault.java:286)
    at com.netscape.cms.servlet.profile.ProfileReviewServlet.handlePolicy(ProfileReviewServlet.java:425)
    at com.netscape.cms.servlet.profile.ProfileReviewServlet.process(ProfileReviewServlet.java:248)
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:513)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at sun.reflect.GeneratedMethodAccessor65.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.GeneratedMethodAccessor53.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:193)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
I have found a bug report:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=639082.
The proposed workaround
https://bugzilla.redhat.com/show_bug.cgi?id=639082#c13 works, but it is
very inconvenient to create / reject a new dumb request after every PKI
restart. As I have three CA servers, I need to create / reject a dumb
request per server.
Do you have plans to fix the issue? Or maybe it is already fixed in some commit?
Regards,
Aleksey