Hi all,
I managed to upgrade my Fedora-based PKI system to Release 31, which is
not yet ready for production (as I think I found).
Now, after the upgrade, I can enjoy server error 500 messages once the
web server middleware gets busy:
https://...de:8443/pki/ui/
results in
HTTP Status 500 – Internal Server Error
Type Exception Report
Message org.apache.jasper.JasperException: Unable to compile class for JSP
Beschreibung The server encountered an unexpected condition that prevented it
from fulfilling the request.
Exception
org.apache.jasper.JasperException: org.apache.jasper.JasperException: Unable to
compile class for JSP
org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:604)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
I can, of course, provide full stacktraces and configuration details.
Configuration is mostly unmodified, but the whole system has been going
through some upgrades since its first setup.
From the automatically created debug log, I gather that this:
2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE: Servlet.service() for
servlet [jsp] in context with path [/pki] threw exception
[org.apache.jasper.JasperException: Unable to compile class for JSP] with root
cause
java.security.AccessControlException: access denied ("java.util.PropertyPermission"
"tolerateIllegalAmbiguousVarargsInvocation" "read")
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at
java.security.AccessController.checkPermission(AccessController.java:886)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at
java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
> ...
is probably the reason for the failure.
Status of the server, at a first glance, looks ok to me:
[root@ca2 ~]# pki-server --verbose status CA2
Command: status CA2
INFO: Loading instance: CA2
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/CA2/tomcat.conf
INFO: Loading password config: /etc/pki/CA2/password.conf
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/CA2/CA2
INFO: Loading subsystem: ca
INFO: Loading subsystem config: /var/lib/pki/CA2/ca/conf/CS.cfg
INFO: Loading subsystem: ocsp
INFO: Loading subsystem config: /var/lib/pki/CA2/ocsp/conf/CS.cfg
Instance ID: CA2
Active: True
Unsecure Port: 8080
Secure Port: 8443
Tomcat Port: 8005
CA Subsystem:
Type: Root CA (Security Domain)
SD Registration URL: https://ca2.<redacted>.de:8443
Enabled: True
Unsecure URL: http://ca2.<redacted>.de:8080/ca/ee/ca
Secure Agent URL: https://ca2.<redacted>.de:8443/ca/agent/ca
Secure EE URL: https://ca2.<redacted>.de:8443/ca/ee/ca
Secure Admin URL: https://ca2.<redacted>.de:8443/ca/services
PKI Console URL: https://ca2.<redacted>.de:8443/ca
OCSP Subsystem:
Type: OCSP
SD Registration URL: https://ca2.<redacted>.de:8443
Enabled: True
Unsecure URL: http://ca2.<redacted>.de:8080/ocsp/ee/ocsp/<ocsp request
blob>
Secure Agent URL: https://ca2.<redacted>.de:8443/ocsp/agent/ocsp
Secure EE URL: https://ca2.<redacted>.de:8443/ocsp/ee/ocsp/<ocsp request
blob>
Secure Admin URL: https://ca2.<redacted>.de:8443/ocsp/services
PKI Console URL: https://ca2.<redacted>.de:8443/ocsp
There's no other PKI instance in place, and I'm not sufficiently skilled
with dogtag to actually do much with the configuration anyway, so I kept
my fingers off if as far as I could :-)
Is this a known problem, is there a reasonably simple fix, or is it time
to load my latest backup?
Thanks,
Arno
--
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
