On ke, 20 huhti 2022, lejeczek via FreeIPA-users wrote:
Hi guys.
@devel perhaps could comment if it's Java among package updates which
breaks PKI ?
...
ipa-pki-wait-running: Connection failed:
HTTPConnectionPool(host='whale.mine.private', port=8080): Max retries
exceeded with url: /ca/admin/ca/getStatus (Caused by
NewConnectionError('<urllib3.connection.HTTPConnection object at
0x7f9c31d7ba60>: Failed to establish a new connection: [Errno 111]
Connection refused'))
WARNING: Some of the specified [protocols] are not supported by the
SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
SEVERE: Error deploying deployment descriptor
[/etc/pki/pki-tomcat/Catalina/localhost/ca.xml]
java.lang.IllegalStateException: Error starting child
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
at java.base/java.security.AccessController.doPrivileged(Native
Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:706)
...
...
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
... 41 more
Caused by: java.lang.UnsupportedClassVersionError:
netscape/ldap/LDAPException has been compiled by a more recent version
of the Java Runtime (class file version 61.0), this version of the
Java Runtime only recognizes class file versions up to 55.0
at java.base/java.lang.ClassLoader.defineClass1(Native Method)
at
java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1017)
...
SEVERE: One or more listeners failed to start. Full details will be
found in the appropriate container log file
SEVERE: Context [/acme] startup failed due to previous errors
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by
org.apache.catalina.loader.WebappClassLoaderBase
(file:/usr/share/java/tomcat/catalina.jar) to field
java.io.ObjectStreamClass$Caches.localDescs
WARNING: Please consider reporting this to the maintainers of
org.apache.catalina.loader.WebappClassLoaderBase
WARNING: Use --illegal-access=warn to enable warnings of further
illegal reflective access operations
...
java-11-openjdk-devel-11.0.15.0.1-0.1.ea.el9.x86_64
ipa-server-4.9.8-6.el9.x86_64
or this is some issue irrespective of java?
It looks like some inconsistency between PKI and Java packages.
I also noticed you have a previous CentOS 9 Stream compose as ipa-server
4.9.8-8.el9 is now available. Perhaps, many packages were upgraded in it
as well and you might get a better chance?
Anyway, I asked PKI developers to check what's up with these different
bytecode versions.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland