Hello Arno,

As you might be aware, Fedora 31 hasn't reached its GA [1] yet. Fedora 31 is currently in beta and might carry some bugs. We do not support PKI on unreleased Fedora versions.

Looking at your logs, I see an "access denied" error. This is mostly due to a bug in a different package which might be fixed before the actual GA.

[1] https://fedoraproject.org/wiki/Releases/31/Schedule

Regards,
--Dinesh

On Mon, 2019-09-23 at 22:00 +0200, Arno Lehmann wrote:
> Hi all,
>
> I managed to upgrade my Fedora-based PKI system to Release 31, which is
> not yet ready for production (as I think I found).
>
> Now, after the upgrade, I can enjoy server error 500 messages once the
> web server middleware gets busy:
>
> https://...de:8443/pki/ui/
> results in
> > HTTP Status 500 – Internal Server Error
> >
> > Type Exception Report
> >
> > Message org.apache.jasper.JasperException: Unable to compile class for JSP
> >
> > Beschreibung The server encountered an unexpected condition that prevented it from fulfilling the request.
> >
> > Exception
> >
> > org.apache.jasper.JasperException: org.apache.jasper.JasperException: Unable to compile class for JSP
> >     org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:604)
> >     org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
>
> I can, of course, provide full stacktraces and configuration details.
>
> Configuration is mostly unmodified, but the whole system has been going
> through some upgrades since its first setup.
>
> From the automatically created debug log, I gather that this:
> > 2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE: Servlet.service() for servlet [jsp] in context with path [/pki] threw exception [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
> > java.security.AccessControlException: access denied ("java.util.PropertyPermission" "tolerateIllegalAmbiguousVarargsInvocation" "read")
> >     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> >     at java.security.AccessController.checkPermission(AccessController.java:886)
> >     at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> >     at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
> > ...
>
> is probably the reason for the failure.
>
> Status of the server, at a first glance, looks ok to me:
> > [root@ca2 ~]# pki-server --verbose status CA2
> > Command: status CA2
> > INFO: Loading instance: CA2
> > INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
> > INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
> > INFO: Loading instance Tomcat config: /etc/pki/CA2/tomcat.conf
> > INFO: Loading password config: /etc/pki/CA2/password.conf
> > INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/CA2/CA2
> > INFO: Loading subsystem: ca
> > INFO: Loading subsystem config: /var/lib/pki/CA2/ca/conf/CS.cfg
> > INFO: Loading subsystem: ocsp
> > INFO: Loading subsystem config: /var/lib/pki/CA2/ocsp/conf/CS.cfg
> > Instance ID: CA2
> > Active: True
> > Unsecure Port: 8080
> > Secure Port: 8443
> > Tomcat Port: 8005
> >
> > CA Subsystem:
> > Type: Root CA (Security Domain)
> > SD Registration URL: https://ca2.<redacted>.de:8443
> > Enabled: True
> > Unsecure URL: http://ca2.<redacted>.de:8080/ca/ee/ca
> > Secure Agent URL: https://ca2.<redacted>.de:8443/ca/agent/ca
> > Secure EE URL: https://ca2.<redacted>.de:8443/ca/ee/ca
> > Secure Admin URL: https://ca2.<redacted>.de:8443/ca/services
> > PKI Console URL: https://ca2.<redacted>.de:8443/ca
> >
> > OCSP Subsystem:
> > Type: OCSP
> > SD Registration URL: https://ca2.<redacted>.de:8443
> > Enabled: True
> > Unsecure URL: http://ca2.<redacted>.de:8080/ocsp/ee/ocsp/<ocsp request blob>
> > Secure Agent URL: https://ca2.<redacted>.de:8443/ocsp/agent/ocsp
> > Secure EE URL: https://ca2.<redacted>.de:8443/ocsp/ee/ocsp/<ocsp request blob>
> > Secure Admin URL: https://ca2.<redacted>.de:8443/ocsp/services
> > PKI Console URL: https://ca2.<redacted>.de:8443/ocsp
>
> There's no other PKI instance in place, and I'm not sufficiently skilled
> with dogtag to actually do much with the configuration anyway, so I kept
> my fingers off it as far as I could :-)
>
> Is this a known problem, is there a reasonably simple fix, or is it time
> to load my latest backup?
>
> Thanks,
>
> Arno
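
A log triage sketch for the kind of debug log quoted in the thread, added here as an example; it is not part of either message and not Dogtag PKI code. It extracts every "access denied" permission from a Tomcat debug log in that shape and counts them per web application context. The function names are hypothetical and the second sample record is constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape of the debug log quoted in the thread.
# The second record is invented to show grouping; it is not from the thread.
SAMPLE_LOG = """\
2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE: Servlet.service() for servlet [jsp] in context with path [/pki] threw exception [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "tolerateIllegalAmbiguousVarargsInvocation" "read")
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
\tat java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
2019-09-23 20:57:02 [https-jsse-nio-8443-exec-3] SEVERE: Servlet.service() for servlet [jsp] in context with path [/pki] threw exception [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "tolerateIllegalAmbiguousVarargsInvocation" "read")
"""

# Start of a log record: timestamp and thread name.
HEADER = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[([^\]]+)\] ')
# Servlet and webapp context named in the Servlet.service() message.
CONTEXT = re.compile(r'servlet \[([^\]]+)\] in context with path \[([^\]]*)\]')
# Permission class, target and optional actions from the exception message.
DENIED = re.compile(
    r'AccessControlException: access denied '
    r'\("([^"]+)"\s+"([^"]+)"(?:\s+"([^"]+)")?\)')


def parse_denials(text):
    """Return one dict per 'access denied' entry, tagged with its log record."""
    denials, current = [], {}
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:  # a new record starts; remember where it came from
            current = {"time": head.group(1), "thread": head.group(2)}
            ctx = CONTEXT.search(line)
            if ctx:
                current.update(servlet=ctx.group(1), context=ctx.group(2))
        hit = DENIED.search(line)
        if hit:
            denials.append({**current, "permission": hit.group(1),
                            "target": hit.group(2),
                            "actions": hit.group(3) or ""})
    return denials


def summarize(denials):
    """Count denials per (permission class, target, actions, context)."""
    return Counter((d["permission"], d["target"], d["actions"],
                    d.get("context", "?")) for d in denials)


if __name__ == "__main__":
    for key, n in summarize(parse_denials(SAMPLE_LOG)).most_common():
        print(f"{n}x {key[0]} {key[1]!r} {key[2]!r} in context {key[3]}")
```
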
