Bug#889526: [Pkg-freeipa-devel] Bug#889526: Bug#889526: Bug#889526: pki-server: Dogtag stopped starting after libnss3 upgrade to 2:3.35-2

2020-01-08 Thread Michal Kašpar
Hi. I've moved to a containerized freeipa deployment for easier
deployment and maintenance and I'm not using the Debian bundled one,
unfortunately. So I have no testing environment currently.


On Thu, 2020-01-09 at 07:33 +0200, Timo Aaltonen wrote:
> On 19.2.2018 0.12, Michal Kašpar wrote:
> > On 02/13/2018 07:44 PM, Timo Aaltonen wrote:
> > > Huh, shouldn't be.. The Debian CI shows that at least new PKI
> > > instances
> > > are set up just fine. IPA server setup is busted though, but is
> > > unrelated to this bug.
> > 
> > That's strange. I've tried today in Docker container and then in my
> > physical installation on a laptop and the result of both
> > installations
> > is the same - the errors in a logfile about nonexistent properties
> > indicating problem with jss loading.
> > 
> 
> Hi, care to test the current versions? I was never able to reproduce
> this bug.
> 
-- 
Michal Kašpar



Bug#889526: [Pkg-freeipa-devel] Bug#889526: Bug#889526: Bug#889526: pki-server: Dogtag stopped starting after libnss3 upgrade to 2:3.35-2

2020-01-08 Thread Timo Aaltonen
On 19.2.2018 0.12, Michal Kašpar wrote:
> On 02/13/2018 07:44 PM, Timo Aaltonen wrote:
>> Huh, shouldn't be.. The Debian CI shows that at least new PKI instances
>> are set up just fine. IPA server setup is busted though, but is
>> unrelated to this bug.
> 
> That's strange. I've tried today in Docker container and then in my
> physical installation on a laptop and the result of both installations
> is the same - the errors in a logfile about nonexistent properties
> indicating problem with jss loading.
> 

Hi, care to test the current versions? I was never able to reproduce
this bug.

-- 
t



Bug#889526: [Pkg-freeipa-devel] Bug#889526: Bug#889526: pki-server: Dogtag stopped starting after libnss3 upgrade to 2:3.35-2

2018-02-18 Thread Michal Kašpar

On 02/13/2018 07:44 PM, Timo Aaltonen wrote:
> Huh, shouldn't be.. The Debian CI shows that at least new PKI instances
> are set up just fine. IPA server setup is busted though, but is
> unrelated to this bug.

That's strange. I've tried today in Docker container and then in my
physical installation on a laptop and the result of both installations
is the same - the errors in a logfile about nonexistent properties
indicating problem with jss loading.


--
Michal Kašpar



Bug#889526: [Pkg-freeipa-devel] Bug#889526: Bug#889526: pki-server: Dogtag stopped starting after libnss3 upgrade to 2:3.35-2

2018-02-13 Thread Timo Aaltonen
Michal Kašpar wrote on 13.02.2018 at 08:38:
> Hallo.
> Thank you for the explanation.
> 
> On 02/05/2018 11:18 AM, Timo Aaltonen wrote:
>> nss 3.35 apparently changed the default DB format to SQL..
>> certmonger, dogtag, mod_nss and freeipa all need changes to
>> support/migrate to that, but that's not upstream yet.
>>
> 
> After last update of pki-server (to 10.5.5-1), the problem with jss
> appears even with older version of nss. Is it connected with this
> problem or something different?

Huh, shouldn't be.. The Debian CI shows that at least new PKI instances
are set up just fine. IPA server setup is busted though, but is
unrelated to this bug.


-- 
t



Bug#889526: [Pkg-freeipa-devel] Bug#889526: pki-server: Dogtag stopped starting after libnss3 upgrade to 2:3.35-2

2018-02-12 Thread Michal Kašpar

Hallo.
Thank you for the explanation.

On 02/05/2018 11:18 AM, Timo Aaltonen wrote:
> nss 3.35 apparently changed the default DB format to SQL..
> certmonger, dogtag, mod_nss and freeipa all need changes to
> support/migrate to that, but that's not upstream yet.

After last update of pki-server (to 10.5.5-1), the problem with jss
appears even with older version of nss. Is it connected with this
problem or something different?


--
Michal Kašpar



Bug#889526: [Pkg-freeipa-devel] Bug#889526: pki-server: Dogtag stopped starting after libnss3 upgrade to 2:3.35-2

2018-02-05 Thread Timo Aaltonen
On 04.02.2018 09:49, Michal Kaspar wrote:
> Package: pki-server
> Version: 10.5.3-4
> Severity: important
> 
> Dear Maintainer,
> After upgrade of libnss3 to 2:3.35-2 pki-server (used as part of freeipa 
> installation) stopped working. The Tomcat with pki-server contexts starts, but 
> all the Dogtag context crash with errors:
> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable (catalina.out)
> Failed to create jss service: java.lang.SecurityException: Unable to 
> initialize security library (ca/debug)
> 
> It appears the Tomcat isn't able to load jss library because the previous 
> error in catalina is:
> Feb 03, 2018 1:57:19 PM org.apache.catalina.util.SessionIdGeneratorBase 
> createSecureRandom
> SEVERE: Exception initializing random number generator using provider 
> [Mozilla-JSS]
> java.security.NoSuchProviderException: no such provider: Mozilla-JSS
> 
> and catalina.out contains warnings like:
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'enableOCSP' to 'false' did not find a matching property.
> 
> Downgrading libnss3 to 2:3.34.1-1 fixes the problem.

nss 3.35 apparently changed the default DB format to SQL..

https://github.com/nss-dev/nss/commit/33b114e38278c4ffbb6b244a0ebc9910e5245cd3

certmonger, dogtag, mod_nss and freeipa all need changes to
support/migrate to that, but that's not upstream yet.


-- 
t
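
Added example, not part of the thread: the reply above attributes the failure to NSS 3.35 changing its default database format to SQL. This shell sketch classifies an NSS database directory by the files each format keeps and prints the path with an explicit `dbm:` or `sql:` prefix; the function names and the choice of `sql:` when both file sets exist are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug thread): tell which NSS database format
# a directory holds, using the file names each format is known to use.
#   legacy DBM : cert8.db  key3.db  secmod.db
#   SQL        : cert9.db  key4.db  pkcs11.txt

# Print one of: dbm, sql, both, none
nss_db_format() {
    dir=$1
    has_dbm=0
    has_sql=0
    # A usable database needs both the certificate and the key file.
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then has_dbm=1; fi
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then has_sql=1; fi
    case "$has_dbm$has_sql" in
        10) echo dbm ;;
        01) echo sql ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Print the directory with an explicit type prefix, so the result does not
# depend on which default the installed NSS version applies to a bare path.
# Assumption of this example: prefer sql: when both file sets are present.
nss_db_spec() {
    fmt=$(nss_db_format "$1")
    case "$fmt" in
        dbm)      echo "dbm:$1" ;;
        sql|both) echo "sql:$1" ;;
        *)        echo "no NSS database found in $1" >&2; return 1 ;;
    esac
}

# When run as a script, report on every directory given as an argument.
for d in "$@"; do
    printf '%s: format=%s\n' "$d" "$(nss_db_format "$d")"
done
```

Run it with the NSS database directory of the affected service as the argument; a `dbm` result on a host with NSS 3.35 or later means the directory is still in the legacy format.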



Bug#889526: pki-server: Dogtag stopped starting after libnss3 upgrade to 2:3.35-2

2018-02-04 Thread Michal Kaspar
Package: pki-server
Version: 10.5.3-4
Severity: important

Dear Maintainer,
After upgrade of libnss3 to 2:3.35-2 pki-server (used as part of freeipa 
installation) stopped working. The Tomcat with pki-server contexts starts, but 
all the Dogtag context crash with errors:
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable (catalina.out)
Failed to create jss service: java.lang.SecurityException: Unable to initialize 
security library (ca/debug)

It appears the Tomcat isn't able to load jss library because the previous error 
in catalina is:
Feb 03, 2018 1:57:19 PM org.apache.catalina.util.SessionIdGeneratorBase 
createSecureRandom
SEVERE: Exception initializing random number generator using provider 
[Mozilla-JSS]
java.security.NoSuchProviderException: no such provider: Mozilla-JSS

and catalina.out contains warnings like:
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
'enableOCSP' to 'false' did not find a matching property.

Downgrading libnss3 to 2:3.34.1-1 fixes the problem.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (650, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages pki-server depends on:
ii  adduser                           3.117
ii  dogtag-pki-server-theme           10.5.3-4
ii  ldap-utils                        2.4.45+dfsg-1
ii  libatk-wrapper-java               0.33.3-15
ii  libcommons-collections3-java      3.2.2-1
ii  libcommons-dbcp-java              1.4-5
ii  libcommons-pool-java              1.6-3
ii  libjackson-json-java              1.9.2-8
ii  libjackson2-annotations-java      2.9.4-1
ii  libjackson2-jaxrs-providers-java  2.9.4-1
ii  libjboss-logging-java             3.3.1-1
ii  libjs-jquery                      3.2.1-1
ii  libjs-underscore                  1.8.3~dfsg-1
ii  libnuxwdog-java                   1.0.3-3+b4
ii  libscannotation-java              1.0.2+svn20110812-3
ii  libsymkey-java                    10.5.3-4
ii  libtomcatjss-java                 7.2.4-1
ii  libxml-commons-external-java      1.4.01-2
ii  libxml-commons-resolver1.1-java   1.2-9
ii  pki-base                          10.5.3-4
ii  pki-base-java                     10.5.3-4
ii  pki-tools                         10.5.3-4
ii  python                            2.7.14-4
ii  python-cryptography               2.1.4-1
ii  python-ldap                       3.0.0~b4-1.1
ii  python-lxml                       4.1.0-1
ii  python-selinux                    2.7-2+b1
ii  tomcat8.0-user                    8.0.46-1
ii  velocity                          1.7-5

pki-server recommends no packages.

pki-server suggests no packages.

-- no debconf information