New subject: UI can't list certs on fedora latest. Java bug?

Wednesday, 18 August 2021

What causes "IPA Error 4301: CertificateOperationError" / "Certificate
operation cannot be completed: Unable to communicate with CMS (500)"

on latest fedora 34 freeipa, running on two hosts, master/master?

Usually I'd expect 'ipa cert-show 1' to fail, but it works, and
'systemctl' reports everything is running, and all the UI and other
functions appear to be normal (even dnssec !).

detail:

[root@registry1 ~]# ipa cert-show 1
  Issuing CA: ipa
  Certificate:
MIIEozCCAwugAwIBAgIBATANBgkqhkiG9w0BAQsFADA+MRwwGgYDVQQKDBMxLlFVSUVURk9VTlRBSU4uQ09NMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjEwNjEzMTkwNjA1WhcNNDEwNjEzMTkwNjA1WjA+MRwwGgYDVQQKDBMxLlFVSUVURk9VTlRBSU4uQ09NMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDGSq+Nim03HfChgq4uLuYh9JRZcGZQO08iUNGJRzFkBKehS1sZwbXlACSYC32SbqyHBiRXE4VlLmMuKwNzp0/HgLojgA+Cfx6/Ta+eiGq0M7qX2y2rKoZOGtrWo23uYqx02Xs/UKBzZ8EHZFc9rqDsU7muvCDcuniTH6r3Nc6aJyJs9ksa66BkSsEu3KnmTTvvu8Vfl5Wu8ZQwwaEEpLNDagNrN3dICD6zr+ysm4nr6cJlU+884ayUGdgyQRQXI28z173b14M1JhUbFeLsLpTOYIXAn0eQa5uaSrIi7YF5FUH6fczwt7PACzyPy5c7W8ayYgosKZCWKdo456ingv2kNbDh8lX5qmaK8163b3nqnk6VkO11FtwGwQQzzkMDUEkIDOxqisjqDtgNzRWx3XC/F1zojZjVKCQ6sRM2G26fY+qRHxxhPzeWrh6TD3HJLvVDBpMFAONrLSJeXXmaj+zkob4uBv7X8TYdVO8xPKVC1p+t9OqhFoE5r9pXD5SaWGUCAwEAAaOBqzCBqDAfBgNVHSMEGDAWgBRdbkmF2QnMBkVl/2zHw1FyAEtvmzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUXW5JhdkJzAZFZf9sx8NRcgBLb5swRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUFBzABhilodHRwOi8vaXBhLWNhLjEucXVpZXRmb3VudGFpbi5jb20vY2Evb2NzcDANBgkqhkiG9w0BAQsFAAOCAYEAq86t5DfFgXEKWTyOH0TgGIW2fVNVoeThc7emUx3P0wxkFK05grDlAW+sTbNe8aw4h8BowixIfDQ8hfwZVn7LIXqbOohNs0AMPaRc5XYOqU/ciG11YiI6jgEMhtC5fBlT3Ni4U7JQlikI7xcLlpWleSQTp+KX2sEFnASxHWkzlX0iWOwIZAr9CHpo06HH1yukfvosIsfRpdbpXPRcLaZ1pUlCUlviDEsI+HIkU/5N8Jja13BSguT5daCMywtFTwtzWgWSKtMC2AoH2y7+Dufu3/YDpR0WhdzJSS0ZztJULUJw6DGKO03EtuIvGVwoOqDSo10GYPxwF4HQHXQBNzed9tRKkpbBCNNx1L6hHbH+OutGNGDc9Dl9PWRHu3OP0ME5NdAq0rW6+Ibao+Dv5R3jxV8R0ky+08jyqMSVzzYYGz10y5DWFkyQfFO2daX6DBlWPRIf7hZJv4NW9Dd3KQZKIduZMGScvBKy1QaPu1WJVftNU5J6F67xiTUBxFXfM+hm
  Subject: CN=Certificate Authority,O=1.QUIETFOUNTAIN.COM
  Issuer: CN=Certificate Authority,O=1.QUIETFOUNTAIN.COM
  Not Before: Sun Jun 13 19:06:05 2021 UTC
  Not After: Thu Jun 13 19:06:05 2041 UTC
  Serial number: 1
  Serial number (hex): 0x1
  Revoked: False
[root@registry1 ~]# systemctl is-system-running
running
[root@registry1 ~]# 

notice /var/log/pki/pki-tomcat/ca/debug.2021-08-18.log

ends with:

2021-08-18 16:42:16 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO:
DBVirtualList: dn: cn=2000,ou=certificateRepository,ou=ca,o=ipaca
2021-08-18 16:42:16 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SEVERE:
Operation Error - class netscape.ldap.LDAPException cannot be cast to
class netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and
netscape.ldap.LDAPEntry are in unnamed module of loader
java.net.URLClassLoader @5fcfe4b2)
java.lang.ClassCastException: class netscape.ldap.LDAPException cannot
be cast to class netscape.ldap.LDAPEntry (netscape.ldap.LDAPException
and netscape.ldap.LDAPEntry are in unnamed module of loader
java.net.URLClassLoader @5fcfe4b2)
        at
com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477)
        at
com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610)
        at
com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602)
        at
com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754)
        at
com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110)
        at
org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:474)
        at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
        at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
        at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
        at jdk.internal.reflect.GeneratedMethodAccessor55.invoke(Unknown
Source)
        at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at
org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
        at java.base/java.security.AccessController.doPrivileged(Native
Method)
        at
java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
        at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:221)
        at
org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
        at java.base/java.security.AccessController.doPrivileged(Native
Method)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at jdk.internal.reflect.GeneratedMethodAccessor49.invoke(Unknown
Source)
        at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at
org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
        at java.base/java.security.AccessController.doPrivileged(Native
Method)
        at
java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
        at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
        at
org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
        at java.base/java.security.AccessController.doPrivileged(Native
Method)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
        at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
        at
com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:433)
        at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
        at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1707)
        at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:829)

2021-08-18 16:42:16 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SEVERE: Unable
to search for certificates: java.lang.ClassCastException: class
netscape.ldap.LDAPException cannot be cast to class
netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and
netscape.ldap.LDAPEntry are in unnamed module of loader
java.net.URLClassLoader @5fcfe4b2)
java.lang.RuntimeException: java.lang.ClassCastException: class
netscape.ldap.LDAPException cannot be cast to class
netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and
netscape.ldap.LDAPEntry are in unnamed module of loader
java.net.URLClassLoader @5fcfe4b2)
        at
com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:523)
        at
com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610)
        at
com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602)
        at
com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754)
        at
com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110)
        at
org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:474)
        at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
        at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
        at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
        at jdk.internal.reflect.GeneratedMethodAccessor55.invoke(Unknown
Source)
        at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at
org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
        at java.base/java.security.AccessController.doPrivileged(Native
Method)
        at
java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
        at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:221)
        at
org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
        at java.base/java.security.AccessController.doPrivileged(Native
Method)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at jdk.internal.reflect.GeneratedMethodAccessor49.invoke(Unknown
Source)
        at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at
org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
        at java.base/java.security.AccessController.doPrivileged(Native
Method)
        at
java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
        at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
        at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
        at
org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
        at java.base/java.security.AccessController.doPrivileged(Native
Method)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
        at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
        at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
        at
com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
        at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:433)
        at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
        at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1707)
        at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.ClassCastException: class
netscape.ldap.LDAPException cannot be cast to class
netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and
netscape.ldap.LDAPEntry are in unnamed module of loader
java.net.URLClassLoader @5fcfe4b2)
        at
com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477)
        ... 62 more

2024

2023

2022

2021

2020

2019

2018

2017

UI can't list certs on fedora latest. Java bug?