3 p.m.
Hi all,
I managed to upgrade my Fedora-based PKI system to Release 31, which is
not yet ready for production (as I think I found).
Now, after the upgrade, I can enjoy server error 500 messages once the
web server middleware gets busy:
https://...de:8443/pki/ui/
results in
HTTP Status 500 – Internal Server Error
Type Exception Report
Message org.apache.jasper.JasperException: Unable to compile class for JSP
Beschreibung The server encountered an unexpected condition that prevented it from
fulfilling the request.
Exception
org.apache.jasper.JasperException: org.apache.jasper.JasperException: Unable to compile
class for JSP
org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:604)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
I can, of course, provide full stacktraces and configuration details.
Configuration is mostly unmodified, but the whole system has been going
through some upgrades since its first setup.
From the automatically created debug log, I gather that this:
2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE:
Servlet.service() for servlet [jsp] in context with path [/pki] threw exception
[org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
java.security.AccessControlException: access denied
("java.util.PropertyPermission"
"tolerateIllegalAmbiguousVarargsInvocation" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:886)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
...
is probably the reason for the failure.
Status of the server, at a first glance, looks ok to me:
[root@ca2 ~]# pki-server --verbose status CA2
Command: status CA2
INFO: Loading instance: CA2
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/CA2/tomcat.conf
INFO: Loading password config: /etc/pki/CA2/password.conf
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/CA2/CA2
INFO: Loading subsystem: ca
INFO: Loading subsystem config: /var/lib/pki/CA2/ca/conf/CS.cfg
INFO: Loading subsystem: ocsp
INFO: Loading subsystem config: /var/lib/pki/CA2/ocsp/conf/CS.cfg
Instance ID: CA2
Active: True
Unsecure Port: 8080
Secure Port: 8443
Tomcat Port: 8005
CA Subsystem:
Type: Root CA (Security Domain)
SD Registration URL: https://ca2.<redacted>.de:8443
Enabled: True
Unsecure URL: http://ca2.<redacted>.de:8080/ca/ee/ca
Secure Agent URL: https://ca2.<redacted>.de:8443/ca/agent/ca
Secure EE URL: https://ca2.<redacted>.de:8443/ca/ee/ca
Secure Admin URL: https://ca2.<redacted>.de:8443/ca/services
PKI Console URL: https://ca2.<redacted>.de:8443/ca
OCSP Subsystem:
Type: OCSP
SD Registration URL: https://ca2.<redacted>.de:8443
Enabled: True
Unsecure URL: http://ca2.<redacted>.de:8080/ocsp/ee/ocsp/<ocsp
request blob>
Secure Agent URL: https://ca2.<redacted>.de:8443/ocsp/agent/ocsp
Secure EE URL: https://ca2.<redacted>.de:8443/ocsp/ee/ocsp/<ocsp
request blob>
Secure Admin URL: https://ca2.<redacted>.de:8443/ocsp/services
PKI Console URL: https://ca2.<redacted>.de:8443/ocsp
There's no other PKI instance in place, and I'm not sufficiently skilled
with dogtag to actually do much with the configuration anyway, so I kept
my fingers off if as far as I could :-)
Is this a known problem, is there a reasonably simple fix, or is it time
to load my latest backup?
Thanks,
Arno
--
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
1:23 p.m.
New subject: New Release: PKI 10.7.3 is available for testing
Hello Arno,
As you might be aware, Fedora 31 hasn't reached its GA [1] yet. Fedora
31 is currently in beta and might carry some bugs. We do not support
PKI on unreleased Fedora versions.
Looking at your logs, I see an "access denied" error. This is mostly
due to bug in a different package which might be fixed before the
actual GA.
[1] https://fedoraproject.org/wiki/Releases/31/Schedule
Regards,
--Dinesh
On Mon, 2019-09-23 at 22:00 +0200, Arno Lehmann wrote:
Hi all,
I managed to upgrade my Fedora-based PKI system to Release 31, which
is
not yet ready for production (as I think I found).
Now, after the upgrade, I can enjoy server error 500 messages once
the
web server middleware gets busy:
https://...de:8443/pki/ui/
results in
> HTTP Status 500 – Internal Server Error
>
> Type Exception Report
>
> Message org.apache.jasper.JasperException: Unable to compile class
> for JSP
>
> Beschreibung The server encountered an unexpected condition that
> prevented it from fulfilling the request.
>
> Exception
>
> org.apache.jasper.JasperException:
> org.apache.jasper.JasperException: Unable to compile class for JSP
> org.apache.jasper.servlet.JspServletWrapper.handleJspException(
> JspServletWrapper.java:604)
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletW
> rapper.java:422)
I can, of course, provide full stacktraces and configuration details.
Configuration is mostly unmodified, but the whole system has been
going
through some upgrades since its first setup.
From the automatically created debug log, I gather that this:
> 2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE:
> Servlet.service() for servlet [jsp] in context with path [/pki]
> threw exception [org.apache.jasper.JasperException: Unable to
> compile class for JSP] with root cause
> java.security.AccessControlException: access denied
> ("java.util.PropertyPermission"
> "tolerateIllegalAmbiguousVarargsInvocation" "read")
> at
> java.security.AccessControlContext.checkPermission(AccessControlCon
> text.java:472)
> at
> java.security.AccessController.checkPermission(AccessController.jav
> a:886)
> at
> java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> at
> java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:
> 1294)
> ...
is probably the reason for the failure.
Status of the server, at a first glance, looks ok to me:
> [root@ca2 ~]# pki-server --verbose status CA2
> Command: status CA2
> INFO: Loading instance: CA2
> INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
> INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
> INFO: Loading instance Tomcat config: /etc/pki/CA2/tomcat.conf
> INFO: Loading password config: /etc/pki/CA2/password.conf
> INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/CA2/CA2
> INFO: Loading subsystem: ca
> INFO: Loading subsystem config: /var/lib/pki/CA2/ca/conf/CS.cfg
> INFO: Loading subsystem: ocsp
> INFO: Loading subsystem config: /var/lib/pki/CA2/ocsp/conf/CS.cfg
> Instance ID: CA2
> Active: True
> Unsecure Port: 8080
> Secure Port: 8443
> Tomcat Port: 8005
>
> CA Subsystem:
> Type: Root CA (Security Domain)
> SD Registration URL: https://ca2.<redacted>.de:8443
> Enabled: True
> Unsecure URL: http://ca2.<redacted>.de:8080/ca/ee/ca
> Secure Agent URL: https://ca2.<redacted>.de:8443/ca/agent/ca
> Secure EE URL: https://ca2.<redacted>.de:8443/ca/ee/ca
> Secure Admin URL: https://ca2.<redacted>.de:8443/ca/services
> PKI Console URL: https://ca2.<redacted>.de:8443/ca
>
> OCSP Subsystem:
> Type: OCSP
> SD Registration URL: https://ca2.<redacted>.de:8443
> Enabled: True
> Unsecure URL:
> http://ca2.<redacted>.de:8080/ocsp/ee/ocsp/<ocsp request blob>
> Secure Agent URL:
> https://ca2.<redacted>.de:8443/ocsp/agent/ocsp
> Secure EE URL:
> https://ca2.<redacted>.de:8443/ocsp/ee/ocsp/<ocsp request blob>
> Secure Admin URL:
> https://ca2.<redacted>.de:8443/ocsp/services
> PKI Console URL: https://ca2.<redacted>.de:8443/ocsp
There's no other PKI instance in place, and I'm not sufficiently
skilled
with dogtag to actually do much with the configuration anyway, so I
kept
my fingers off if as far as I could :-)
Is this a known problem, is there a reasonably simple fix, or is it
time
to load my latest backup?
Thanks,
Arno
3:34 p.m.
New subject: New Release: PKI 10.7.3 is available for testing
Hi Dinesh,
On 25.09.19 at 20:23, Dinesh Prasanth Moluguwan Krishnamoorthy wrote:
Hello Arno,
As you might be aware, Fedora 31 hasn't reached its GA [1] yet.
Indeed, and that's why I feel kind of stupid, managing to upgrade to a
beta distro without even noticing...
...
Looking at your logs, I see an "access denied" error. This
is mostly
due to bug in a different package which might be fixed before the
actual GA.
Hmm, so no clue on your side, for now. Thanks.
I'll try my backups, I guess :-)
Thanks for the information / confirmation, and also thanks for working
on something that I use nearly -- well, monthly, but still.
Cheers,
Arno
--
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
1914
days inactive
1916
days old
2 comments
2 participants
participants (2)
-
Arno Lehmann -
Dinesh Prasanth Moluguwan Krishnamoorthy