Red Hat Bugzilla – Bug 584917
Can not access CA Configuration Web UI after CA installation
Last modified: 2010-07-21 16:06:02 EDT
Description of problem: After installing dogtag # yum install dogtag-pki --enablerepo=updates-testing Getting Server Error 500 trying to access the CA's Web UI for configuration. please see attached log files Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Created attachment 408997 [details] pki-ca-install.log
Created attachment 409000 [details] pki-ca catalina.out file
ffffffffff.... I wrote a mile long description and added an attachment and it blew out all my comments. Here we go again. I get the error 500 in F13 as well. I just ran the following to install "yum install pki-ca" as I just want to start small. The first thing that I noticed is that /usr/bin/pkicreate is not run automatically on install as the documentation suggests. When I ran it from the command line it seemed to run clean with the exception of the hardware components which I am not interested in at this time. The log is included as an attachment already. The options I used with pkicreate are included in the log. When I fire up firefox 3.6.3 and connect to the URL included I get the "your certificate sucks" message. If I give it a temporary exception I some times get the error 500 page with the dog tag logo titled "Certificate System CA Error Page" and the following message "The server encountered an unexpected condition which prevented it from fulfilling the request. Please consult your local administrator for further assistance. The Certificate System logs may provide further information." If I do a refresh it takes me to the wizard page which is completely blank. https://localhost:9445/ca/admin/console/config/wizard I have included the catalina.out log from /var/log/pki-ca directory. There appear to be 2 errors. SEVERE: StandardWrapper.Throwable SEVERE: Allocate exception for servlet csadmin-login I don't know what to check for the first but for the second I checked for the servlet rpm and it is there. jakarta-commons-dbcp-tomcat5-1.2.1-13.7.fc12.noarch jakarta-commons-collections-tomcat5-3.2.1-3.fc12.x86_64 tomcat5-servlet-2.4-api-5.5.27-7.4.fc12.noarch tomcat5-common-lib-5.5.27-7.4.fc12.noarch jakarta-commons-pool-tomcat5-1.3-13.fc13.x86_64 tomcat5-server-lib-5.5.27-7.4.fc12.noarch tomcatjss-1.2.1-1.fc13.noarch tomcat5-jasper-5.5.27-7.4.fc12.noarch And a check of alternatives gives ls -l /etc/alternatives/servlet /etc/alternatives/servlet -> /usr/share/java/tomcat5-servlet-2.4-api.jar ls -l /etc/alternatives/servlet_2_4_api /etc/alternatives/servlet_2_4_api -> /usr/share/java/tomcat5-servlet-2.4-api.jar A locate on csadmin-login and csadmin do not show any thing. Should there be such a file? A "yum search csadmin" doesn't turn any thing up. Am I missing some thing? After I post this I will include an attachment with the output of "rpm -qa" If I can help further please let me know. Thanks
Created attachment 409003 [details] Dump of rpm -qa
Created attachment 409197 [details] patch to fix The problem here is that fc13 moved from velocity 1.4 to velocity 1.6. Velocity 1.6 had some additional dependencies that needed to be added to the class path of the java subsystems. This patch adds these jars to the classpath. mharmsen, please review
Created attachment 409228 [details] selinux changes needed mharmsen, please review
attachment (id=409197) attachment (id=409228) +mharmsen REMINDER: All "dtomcat5" files should be identical for CA, KRA, OCSP, and TKS if a 'diff' is performed.
Committed to 8.1 [builder@goofy-vm4 base]$ svn ci -m "BZ584917: Can not access CA Configuration Web UI after CA installation" ca selinux tks ocsp kra Sending ca/shared/conf/dtomcat5 Sending kra/shared/conf/dtomcat5 Sending ocsp/shared/conf/dtomcat5 Sending selinux/src/pki.if Sending selinux/src/pki.te Sending tks/shared/conf/dtomcat5 Transmitting file data ...... Committed revision 1076. Committed to tip: [builder@dhcp231-70 base]$ svn ci -m "BZ584917: Can not access CA Configuration Web UI after CA installation" ca selinux tks ocsp kra Sending ca/shared/conf/dtomcat5 Sending kra/shared/conf/dtomcat5 Sending ocsp/shared/conf/dtomcat5 Sending selinux/src/pki.if Sending selinux/src/pki.te Sending tks/shared/conf/dtomcat5 Transmitting file data ...... Committed revision 1077.
On tip: [builder@dhcp231-70 dogtag]$ svn ci -m "update release numbers for 584917 and 577949" Sending dogtag/ca/pki-ca.spec Sending dogtag/common/pki-common.spec Sending dogtag/kra/pki-kra.spec Sending dogtag/ocsp/pki-ocsp.spec Sending dogtag/selinux/pki-selinux.spec Sending dogtag/tks/pki-tks.spec Transmitting file data ...... Committed revision 1081.
I grabbed pki-ca-1.3.4-2.fc13.noarch.rpm out of koji and did an upgrade with it. I did a restart on the pki-cad service and then tried connecting to the Configuration Web UI and I had the same issue. So I ran pkiremove and then ran pkicreate again and tried tried it. Now it works. Thanks for the help.
pki-ca-1.3.4-2.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/pki-ca-1.3.4-2.el5
pki-kra-1.3.3-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/pki-kra-1.3.3-1.el5
pki-ca-1.3.4-2.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update pki-ca'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/pki-ca-1.3.4-2.el5
pki-kra-1.3.3-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update pki-kra'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/pki-kra-1.3.3-1.el5
pki-ocsp-1.3.2-2.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/pki-ocsp-1.3.2-2.el5
pki-selinux-1.3.5-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/pki-selinux-1.3.5-1.el5
pki-tks-1.3.2-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/pki-tks-1.3.2-1.el5
pki-ocsp-1.3.2-2.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update pki-ocsp'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/pki-ocsp-1.3.2-2.el5
pki-tks-1.3.2-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update pki-tks'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/pki-tks-1.3.2-1.el5
pki-selinux-1.3.5-1.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update pki-selinux'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/pki-selinux-1.3.5-1.el5
Tested on F13 and it is working fine. Version: -------- pki-ca-1.3.4-2.fc13.noarch dogtag-pki-ca-ui-1.3.1-2.fc13.noarch verification steps: ------------------ 1. Install and configure the CA subsystem. Actual Results: -------------- Successfully installed and configured. Expected Results: ---------------- Should be able to install and configure.
pki-selinux-1.3.5-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
pki-tks-1.3.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
pki-kra-1.3.3-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
pki-ocsp-1.3.2-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.