Re: [Freeipa-users] certificate list problems using web ui after upgrading to FreeIPA 4.2.0-15 SOLVED
Thank you Fraser, it solved - despite the error about replacing Jettison with Jackson pki-server-upgrade Upgrading from version 10.1.99 to 10.2.0: 1. Move web application context file (Yes/No) [Y]: Y 2. Replace Jettison with Jackson (Yes/No) [Y]: Y ERROR: Failed upgrading pki-tomcat instance. Continue (Yes/No) [Y]? Y 3. Added RESTEasy client (Yes/No) [Y]: Y 4. Replace RESTEasy application class (Yes/No) [Y]: Y 5. Remove config path from web.xml (Yes/No) [Y]: Y Upgrading from version 10.2.0 to 10.2.1: 1. Add TLS Range Support (Yes/No) [Y]: Y Upgrading from version 10.2.1 to 10.2.2: 1. Add TLS Range Support (Yes/No) [Y]: Y Upgrading from version 10.2.2 to 10.2.3: 1. Move Web application deployment locations (Yes/No) [Y]: Y 2. Enabled Web application auto deploy (Yes/No) [Y]: Y 3. Remove dependency on Jackson 2 (Yes/No) [Y]: Y Upgrading from version 10.2.3 to 10.2.4: 1. Fix instance work folder ownership (Yes/No) [Y]: Y 2. Fix bindPWPrompt for internalDB (Yes/No) [Y]: Y Upgrading from version 10.2.4 to 10.2.5: 1. Add missing OCSP Get Servlet Mapping to upgraded Dogtag 9 instances (Yes/No) [Y]: Y 2. Fix nuxwdog listener class (Yes/No) [Y]: Y Upgrading from version 10.2.5 to 10.2.5: 1. Add new KRA audit events (Yes/No) [Y]: Y pki-tomcat instance: Configuration version: 10.1.99 Last completed scriptlet: 1 pki-tomcat/ca subsystem: Configuration version: 10.2.5 Upgrade incomplete. Il 05/10/16 02:20, Fraser Tweedale ha scritto: On Thu, Sep 29, 2016 at 11:13:22PM +0200, Marco Antonio Carcano wrote: Hi all, I’ve just upgraded from FreeIPA 4.1 to FreeIPA 4.2.0-15 on a CentOS 7 (7.2.1511) and I’m no more able to list certificates using the web ui when I go on “Authentication”, “Certificates” and chose “Certificates” I got the following error Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error) and tomcat logs contain the following exception: Sep 29, 2016 4:54:35 PM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Allocate exception for servlet Resteasy java.lang.ClassNotFoundException: com.netscape.ca.CertificateAuthorityApplication at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1720) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:28 at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:95) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:864) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:134) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:40 at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run
[Freeipa-users] certificate list problems using web ui after upgrading to FreeIPA 4.2.0-15
Hi all, I’ve just upgraded from FreeIPA 4.1 to FreeIPA 4.2.0-15 on a CentOS 7 (7.2.1511) and I’m no more able to list certificates using the web ui when I go on “Authentication”, “Certificates” and chose “Certificates” I got the following error Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error) and tomcat logs contain the following exception: Sep 29, 2016 4:54:35 PM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Allocate exception for servlet Resteasy java.lang.ClassNotFoundException: com.netscape.ca.CertificateAuthorityApplication at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1720) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:28 at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:95) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:864) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:134) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:40 at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) So it complains it cannot find class com.netscape.ca.CertificateAuthorityApplication - that’s right The funny thing is that command line works like a charm pa caacl-find 1 CA ACL matched ACL name: hosts_services_caIPAserviceCert Enabled: TRUE Host category: all Service category: all Profiles: caIPAserviceCert Number of entries returned 1 —— ipa cert-show Serial number: 1 Certificate: MIIDjzCCAnegAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtJVEM0 VS5MT0NBTDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5 … iI2rFqRTA+AF3xpqYBtOP+WwcBaue+OZ/GEsPOiyvcV1ZX6FWcKsmBf/T t7A9 Subject: CN=Certificate Authority,O=ME.LOCAL Issuer: CN=Certificate Authority,O=ME.LOCAL Not Before: Tue Dec 02 08:05:42 2014 UTC Not After: Sat Dec 02 08:05:42 2034 UTC Fingerprint (MD5): 59:4c:bb:dc:6a:e2:ff:17:6c:34:3e:f4:7e:fa:69:2e Fingerprint (SHA1): 74:c1:b3:a1:a1:25:5c:02:e8:ef:c5:30:14:fd:f0:58:79:6d:60:33 Serial number (hex): 0x1 Serial number: 1 By the way, the weird thing is that before migrating I added a replica node (so a fresh installation of FreeIPA 4.2.0-15) and the replica works perfectly, without this problem It seems to be a problem somehow related to the upgrade process How can I manage? Any suggestion? By the way, does anybody know which JAR contains com.netscape.ca.CertificateAuthorityApplication? I suppose it was /usr/share/java/pki/pki-ca.jar, but it contains only CertificateAuthority class: jar tf