On Thu, Sep 29, 2016 at 11:13:22PM +0200, Marco Antonio Carcano wrote:
> Hi all,
>
> I’ve just upgraded from FreeIPA 4.1 to FreeIPA 4.2.0-15 on a CentOS 7
> (7.2.1511) and I’m no longer able to list certificates using the web ui
>
> when I go on “Authentication”, “Certificates” and choose “Certificates” I
> got the following error
>
> Certificate operation cannot be completed: Unable to communicate with CMS
> (Internal Server Error)
>
> and tomcat logs contain the following exception:
>
> Sep 29, 2016 4:54:35 PM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Allocate exception for servlet Resteasy
> java.lang.ClassNotFoundException: com.netscape.ca.CertificateAuthorityApplication
>     at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1720)
>     at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
>     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:28
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:95)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>     at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:864)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:134)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:40
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
>
> So it complains it cannot find class
> com.netscape.ca.CertificateAuthorityApplication - that’s right
>
> The funny thing is that command line works like a charm
>
> ipa caacl-find
> ----------------
> 1 CA ACL matched
> ----------------
> ACL name: hosts_services_caIPAserviceCert
> Enabled: TRUE
> Host category: all
> Service category: all
> Profiles: caIPAserviceCert
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> ipa cert-show
> Serial number: 1
> Certificate:
> MIIDjzCCAnegAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtJVEM0
> VS5MT0NBTDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5
> …
> iI2rFqRTA+AF3xpqYBtOP+WwcBaue+OZ/GEsPOiyvcV1ZX6FWcKsmBf/T
> t7A9
> Subject: CN=Certificate Authority,O=ME.LOCAL
> Issuer: CN=Certificate Authority,O=ME.LOCAL
> Not Before: Tue Dec 02 08:05:42 2014 UTC
> Not After: Sat Dec 02 08:05:42 2034 UTC
> Fingerprint (MD5): 59:4c:bb:dc:6a:e2:ff:17:6c:34:3e:f4:7e:fa:69:2e
> Fingerprint (SHA1): 74:c1:b3:a1:a1:25:5c:02:e8:ef:c5:30:14:fd:f0:58:79:6d:60:33
> Serial number (hex): 0x1
> Serial number: 1
>
> By the way, the weird thing is that before migrating I added a replica node
> (so a fresh installation of FreeIPA 4.2.0-15) and the replica works
> perfectly, without this problem
>
> It seems to be a problem somehow related to the upgrade process
>
> How can I manage? Any suggestion? By the way, does anybody know which JAR
> contains com.netscape.ca.CertificateAuthorityApplication? I suppose it was
> /usr/share/java/pki/pki-ca.jar, but it contains only CertificateAuthority
> class:
>
> jar tf /usr/share/java/pki/pki-ca.jar |grep "CertificateAuthority"
> com/netscape/ca/CertificateAuthority.class
>
> Thanks
>
> Marco
>

As you guessed, something went awry during the upgrade process -
specifically: the following upgrade scriptlet was not executed for some
reason:

  /usr/share/pki/server/upgrade/10.1.99/04-ReplaceRESTEasyApplicationClass

Perhaps it was not the only one. Run `pki-server-upgrade' manually, as
root, and see if that fixes it. If not, let us spend some time
off-list examining the state of your PKI deployment and what needs to
be done to fix it up.

Cheers,
Fraser
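
An added diagnostic sketch, not part of the original thread and not FreeIPA or Dogtag code: it generalizes the `jar tf ... | grep` check from the question by reading which class each servlet names in its `javax.ws.rs.Application` init-param (the standard JAX-RS setting RESTEasy loads at servlet init) and reporting any class that none of the given JARs contains. The sample `web.xml` and JAR contents are constructed from the names in the post; `application_classes`, `jars_containing`, `unresolved` and `make_jar` are hypothetical helper names.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Standard JAX-RS init-param naming the application class RESTEasy instantiates.
APP_PARAM = "javax.ws.rs.Application"

# Constructed web.xml fragment; servlet and class names come from the stack trace.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>Resteasy</servlet-name>
    <init-param>
      <param-name>javax.ws.rs.Application</param-name>
      <param-value>com.netscape.ca.CertificateAuthorityApplication</param-value>
    </init-param>
  </servlet>
</web-app>"""

def application_classes(web_xml_text):
    """Map servlet-name -> class named by its javax.ws.rs.Application init-param."""
    found = {}
    for servlet in ET.fromstring(web_xml_text).findall(".//{*}servlet"):
        name = (servlet.findtext("{*}servlet-name") or "?").strip()
        for param in servlet.findall("{*}init-param"):
            if (param.findtext("{*}param-name") or "").strip() == APP_PARAM:
                found[name] = (param.findtext("{*}param-value") or "").strip()
    return found

def jars_containing(class_name, jars):
    """Labels of the JARs (paths or file objects) that contain class_name."""
    entry = class_name.replace(".", "/") + ".class"
    hits = []
    for label, jar in jars.items():
        with zipfile.ZipFile(jar) as zf:
            if entry in zf.namelist():
                hits.append(label)
    return hits

def unresolved(web_xml_text, jars):
    """List (servlet, class) pairs whose class is in none of the JARs."""
    return [(servlet, cls) for servlet, cls in application_classes(web_xml_text).items()
            if not jars_containing(cls, jars)]

def make_jar(entries):
    """Build an in-memory JAR with empty entries (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf
```

On a real host, pass the deployed `web.xml` text and a `{path: path}` dict of the webapp's JARs; a non-empty result from `unresolved` is the condition behind the `ClassNotFoundException` in the quoted trace.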
