Harry G. Coin via FreeIPA-users wrote:
> What causes "IPA Error 4301: CertificateOperationError" / "Certificate
> operation cannot be completed: Unable to communicate with CMS (500)"
>
> on latest fedora 34 freeipa, running on two hosts, master/master?
>
> Usually I'd expect 'ipa cert-show 1' to fail, but it works, and
> 'systemctl' reports everything is running, and all the UI and other
> functions appear to be normal (even dnssec !).

Seems like it doesn't like something about cert serial number 2000.

You can see if you get the same behavior with cert-show 2000 or
cert-find on the cli.

rob

>
>
> detail:
>
> [root@registry1 ~]# ipa cert-show 1
>   Issuing CA: ipa
>   Certificate:
>   Subject: CN=Certificate Authority,O=1.QUIETFOUNTAIN.COM
>   Issuer: CN=Certificate Authority,O=1.QUIETFOUNTAIN.COM
>   Not Before: Sun Jun 13 19:06:05 2021 UTC
>   Not After: Thu Jun 13 19:06:05 2041 UTC
>   Serial number: 1
>   Serial number (hex): 0x1
>   Revoked: False
> [root@registry1 ~]# systemctl is-system-running
> running
> [root@registry1 ~]#
>
>
> notice /var/log/pki/pki-tomcat/ca/debug.2021-08-18.log
>
> ends with:
>
>
> 2021-08-18 16:42:16 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: DBVirtualList: dn: cn=2000,ou=certificateRepository,ou=ca,o=ipaca
> 2021-08-18 16:42:16 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SEVERE: Operation Error - class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and netscape.ldap.LDAPEntry are in unnamed module of loader java.net.URLClassLoader @5fcfe4b2)
> java.lang.ClassCastException: class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and netscape.ldap.LDAPEntry are in unnamed module of loader java.net.URLClassLoader @5fcfe4b2)
>     at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477)
>     at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610)
>     at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602)
>     at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754)
>     at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110)
>     at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:474)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
>     at jdk.internal.reflect.GeneratedMethodAccessor55.invoke(Unknown Source)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>     at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:221)
>     at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
>     at jdk.internal.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>     at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
>     at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
>     at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
>     at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:433)
>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1707)
>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.base/java.lang.Thread.run(Thread.java:829)
>
> 2021-08-18 16:42:16 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SEVERE: Unable to search for certificates: java.lang.ClassCastException: class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and netscape.ldap.LDAPEntry are in unnamed module of loader java.net.URLClassLoader @5fcfe4b2)
> java.lang.RuntimeException: java.lang.ClassCastException: class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and netscape.ldap.LDAPEntry are in unnamed module of loader java.net.URLClassLoader @5fcfe4b2)
>     at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:523)
>     at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610)
>     at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602)
>     at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754)
>     at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110)
>     at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:474)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
>     at jdk.internal.reflect.GeneratedMethodAccessor55.invoke(Unknown Source)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>     at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:221)
>     at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
>     at jdk.internal.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>     at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
>     at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
>     at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
>     at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:433)
>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1707)
>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.base/java.lang.Thread.run(Thread.java:829)
> Caused by: java.lang.ClassCastException: class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and netscape.ldap.LDAPEntry are in unnamed module of loader java.net.URLClassLoader @5fcfe4b2)
>     at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477)
>     ... 62 more
>
>
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
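
Added example (not part of the original thread, and not FreeIPA or Dogtag code): the reply reads serial 2000 off the `DBVirtualList: dn:` line that precedes the exception, and this sketch does the same across a whole CA debug log by pairing each SEVERE record with the last certificateRepository entry the same thread logged. The function name and the sample log are constructed for illustration; the line layout is assumed to match the excerpt quoted above.

```python
import re
from collections import OrderedDict

# "<date> <time> [<thread>] <LEVEL>: <message>", the shape of the quoted log lines.
LINE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] (\w+): (.*)$")
REPO_DN = re.compile(r"DBVirtualList: dn: cn=(\d+),ou=certificateRepository,")

# Constructed sample: trimmed from the quoted excerpt, plus two invented lines
# (cn=1999 and the exec-4 thread) to exercise the per-thread bookkeeping.
SAMPLE_LOG = """\
2021-08-18 16:42:15 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-4] INFO: DBVirtualList: dn: cn=7,ou=certificateRepository,ou=ca,o=ipaca
2021-08-18 16:42:16 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: DBVirtualList: dn: cn=1999,ou=certificateRepository,ou=ca,o=ipaca
2021-08-18 16:42:16 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: DBVirtualList: dn: cn=2000,ou=certificateRepository,ou=ca,o=ipaca
2021-08-18 16:42:16 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SEVERE: Operation Error - class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry
java.lang.ClassCastException: class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry
    at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477)
2021-08-18 16:42:16 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SEVERE: Unable to search for certificates: java.lang.ClassCastException: class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry
"""


def failing_records(log_text):
    """Map each repository cn to the SEVERE messages its thread logged next."""
    last_cn = {}          # thread name -> cn of the last entry that thread read
    hits = OrderedDict()  # cn -> [SEVERE message, ...] in log order
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:         # stack-trace frames and exception continuation lines
            continue
        _timestamp, thread, level, msg = m.groups()
        dn = REPO_DN.search(msg)
        if dn:
            last_cn[thread] = dn.group(1)
        elif level == "SEVERE" and thread in last_cn:
            hits.setdefault(last_cn[thread], []).append(msg)
    return hits


if __name__ == "__main__":
    for cn, msgs in failing_records(SAMPLE_LOG).items():
        print(f"cn={cn}: {len(msgs)} SEVERE record(s), first: {msgs[0][:60]}")
```

The cn reported is only where the list walk stopped, so it is a lead to confirm with the `ipa cert-show 2000` or `ipa cert-find` check suggested in the reply, not proof that this entry is the damaged one.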
