Description of problem:
Tested on Fedora 14. Trying to retrieve the CA chain on the unsecure CA port fails with:

The server encountered an unexpected condition which prevented it from fulfilling the request. Please consult your local administrator for further assistance. The Certificate System logs may provide further information.

The debug log holds no information on the failure:

[15/Oct/2010:12:07:33][http-9180-Processor24]: CMSServlet:service() uri = /ca/ee/ca/getCertChain
[15/Oct/2010:12:07:33][http-9180-Processor24]: CMSServlet: caGetCertChain start to service.

The system log has this:

11746.main - [15/Oct/2010:11:38:12 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
11746.main - [15/Oct/2010:11:38:13 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
11746.http-9445-Processor19 - [15/Oct/2010:11:41:12 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
11746.http-9445-Processor21 - [15/Oct/2010:11:44:19 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException

Version-Release number of selected component (if applicable):
pki-ca-1.3.6-1.fc14.noarch

Steps to Reproduce:
1. /usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca
2. Install 389-ds instance
3. Go to URL per pkicreate output and set up an instance
4. curl http://localhost:9180/ca/ee/ca/getCertChain
The curl request returns a 500 error with a generic response:

document.write('The server encountered an unexpected condition which prevented it from fulfilling the request.<br>');
document.write('Please consult your local administrator for further assistance. The Certificate System logs may provide further information.');
document.write('</font></b><br></td>');
Created attachment 455081 [details] IPA install log
Jan Zeleny determined that it is due to a missing jar file. This fixes it: ln -s /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
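The following POSIX shell script is an added example, not part of this bug report or of the pki-ca packaging: it recognises the "Cannot build CA chain" symptom in a system log excerpt and creates the xalan-j2-serializer.jar symlink only when the source jar actually exists and nothing else already occupies the link name, so that re-running it is harmless. The log text embedded in it is a constructed sample built from the lines quoted in the report; the jar and tomcat lib paths are taken from the comment above and are passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the bug report): check for the missing-jar symptom
# and create the xalan-j2-serializer.jar link idempotently.

# Constructed sample of the system log lines quoted in the report.
SAMPLE_SYSTEM_LOG='11746.main - [15/Oct/2010:11:38:12 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
11746.http-9445-Processor21 - [15/Oct/2010:11:44:19 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException'

# log_has_chain_error LOGTEXT
# Returns 0 when the "Cannot build CA chain" error appears in LOGTEXT.
log_has_chain_error() {
    printf '%s\n' "$1" | grep -q 'Cannot build CA chain'
}

# ensure_jar_link SRC_JAR DEST_DIR
# Returns 0 if DEST_DIR/<jar name> already links to SRC_JAR or was just created,
# 1 if SRC_JAR does not exist, 2 if a different link or a regular file is in the way.
ensure_jar_link() {
    src="$1"
    dest="$2/$(basename "$1")"
    [ -f "$src" ] || { echo "source jar missing: $src" >&2; return 1; }
    if [ -L "$dest" ]; then
        [ "$(readlink "$dest")" = "$src" ] && return 0
        echo "link points elsewhere: $dest -> $(readlink "$dest")" >&2
        return 2
    fi
    if [ -e "$dest" ]; then
        echo "non-link file in the way: $dest" >&2
        return 2
    fi
    ln -s "$src" "$dest"
}

# Usage: sh xalan_link.sh /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat5/common/lib
# With no arguments the script defines the functions and changes nothing.
if [ $# -eq 2 ]; then
    ensure_jar_link "$1" "$2"
fi
```

Run it with the two paths from the comment above after confirming the symptom in the system log; the non-zero return codes distinguish a genuinely missing jar (the package providing it is not installed) from a stale or conflicting entry in the tomcat lib directory.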
IPA ticket https://fedorahosted.org/freeipa/ticket/320
I have tested this against the new tomcat 6 port on the current tip and there isn't a problem, this appears to be a tomcat 5 only issue. Reassigning this to Matt because he has a fix for tomcat 5 in the legacy area.
For tomcat 5, two fixes had been previously applied to the 'pki/dogtag/common/pki-common.spec' file used by the legacy build system (on the TIP):

dogtag/common/pki-common.spec:Requires: %{_javadir}/xalan-j2-serializer.jar
dogtag/common/pki-common.spec:ln -s %{_javadir}/xalan-j2-serializer.jar xalan-j2-serializer.jar

NOTE: No new "official" respins of Dogtag 1.3 which utilized tomcat 5 are currently planned for any Fedora platform!

For tomcat 6, the following (potentially unnecessary) fix had been previously applied to the 'pki/specs/pki-core.spec' file used by the cmake build system (on the TIP):

specs/pki-core.spec:Requires: %{_javadir}/xalan-j2-serializer.jar

NOTE: This change will be "officially" provided once Dogtag 9.0 which utilizes tomcat 6 is released to the general public (planned for Fedora 14+).
(In reply to comment #8)
> NOTE: This change will be "officially" provided once Dogtag 9.0 which utilizes
> tomcat 6 is released to the general public (planned for Fedora 14+).

What is the timeframe for this? This breaks the installer for FreeIPA.