Cert lookup from CLI or Webui causes SEVERE: Operation Error - netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
From /var/log/pki/pki-tomcat/ca/debug.2021-04-26.log
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList: dn: cn=268174647,ou=certificateRepository,ou=ca,o=ipaca 2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList: dn: cn=268174648,ou=certificateRepository,ou=ca,o=ipaca
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Operation Error - netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602) at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754) at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110) at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Unable to search for certificates: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry java.lang.RuntimeException: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:523) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602) at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754) at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110) at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477) ... 70 more
Current versions are:
CentOS 8:
ipa-client.x86_64 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-client-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-healthcheck.noarch 0.4-6.module_el8.3.0+482+9e103aab @AppStream ipa-healthcheck-core.noarch 0.4-6.module_el8.3.0+482+9e103aab @AppStream ipa-selinux.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-server.x86_64 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-server-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
389-ds-base.x86_64 1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream 389-ds-base-libs.x86_64 1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream
Linux sso-111 4.18.0-240.15.1.el8_3.x86_64 #1 SMP Mon Mar 1 17:16:16 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Jim Richard System Administrator III jrichard@placeiq.com | (646) 338-8905 | www.placeiq.com
Jim Richard via FreeIPA-users wrote:
From /var/log/pki/pki-tomcat/ca/debug.2021-04-26.log
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList: dn: cn=268174647,ou=certificateRepository,ou=ca,o=ipaca 2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList: dn: cn=268174648,ou=certificateRepository,ou=ca,o=ipaca
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Operation Error - netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602) at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754) at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110) at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Unable to search for certificates: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry java.lang.RuntimeException: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:523) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602) at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754) at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110) at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477) ... 70 more
Current versions are:
CentOS 8:
ipa-client.x86_64 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-client-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-healthcheck.noarch 0.4-6.module_el8.3.0+482+9e103aab @AppStream ipa-healthcheck-core.noarch 0.4-6.module_el8.3.0+482+9e103aab @AppStream ipa-selinux.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-server.x86_64 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-server-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
389-ds-base.x86_64 1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream 389-ds-base-libs.x86_64 1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream
Linux sso-111 4.18.0-240.15.1.el8_3.x86_64 #1 SMP Mon Mar 1 17:16:16 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
cc'ing one of the CA developers.
rob
Hi,
I have not seen this error before. Was there any customization done to the system? Could you open a Bugzilla ticket against pki-core component on RHEL 8 and provide the steps to reproduce? Also, please include the LDAP entry cn=268174648,ou=certificateRepository,ou=ca,o=ipaca. Thanks.
-- Endi S. Dewata
On Mon, Apr 26, 2021, 7:40 AM Rob Crittenden rcritten@redhat.com wrote:
Jim Richard via FreeIPA-users wrote:
From /var/log/pki/pki-tomcat/ca/debug.2021-04-26.log
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList:
dn: cn=268174647,ou=certificateRepository,ou=ca,o=ipaca
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList:
dn: cn=268174648,ou=certificateRepository,ou=ca,o=ipaca
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Operation
Error - netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast
to netscape.ldap.LDAPEntry
atcom.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477)
atcom.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610)
atcom.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602)
atcom.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754)
atcom.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110)
atorg.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) atsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
atsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498) atorg.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
atorg.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
atorg.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
atorg.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
atorg.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
atorg.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
atorg.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
atorg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
atorg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) atsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
atsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498) atorg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
atorg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) atorg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
atorg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
atorg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
atorg.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
atorg.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
atorg.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method) atorg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
atorg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) atsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
atsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498) atorg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
atorg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) atorg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
atorg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
atorg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
atorg.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
atorg.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
atorg.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method) atorg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
atorg.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
atorg.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
atorg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
atcom.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
atorg.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
atorg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
atorg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
atorg.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
atorg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
atorg.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428)
atorg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
atorg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
atjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
atjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
atorg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Unable to
search for certificates: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
java.lang.RuntimeException: java.lang.ClassCastException:
netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry
atcom.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:523)
atcom.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610)
atcom.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602)
atcom.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754)
atcom.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110)
atorg.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) atsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
atsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498) atorg.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
atorg.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
atorg.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
atorg.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
atorg.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
atorg.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
atorg.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
atorg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
atorg.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) atsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
atsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498) atorg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
atorg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) atorg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
atorg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
atorg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
atorg.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
atorg.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
atorg.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method) atorg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
atorg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) atsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
atsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498) atorg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
atorg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) atorg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
atorg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
atorg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
atorg.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
atorg.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
atorg.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method) atorg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
atorg.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
atorg.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
atorg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
atcom.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
atorg.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
atorg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
atorg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
atorg.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
atorg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
atorg.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428)
atorg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
atorg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
atjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
atjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
atorg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)Caused by: java.lang.ClassCastException: netscape.ldap.LDAPException
cannot be cast to netscape.ldap.LDAPEntry
atcom.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477)
... 70 moreCurrent versions are:
CentOS 8:
ipa-client.x86_64
4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-client-common.noarch
4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-common.noarch
4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-healthcheck.noarch
0.4-6.module_el8.3.0+482+9e103aab @AppStream
ipa-healthcheck-core.noarch
0.4-6.module_el8.3.0+482+9e103aab @AppStream
ipa-selinux.noarch
4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-server.x86_64
4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
ipa-server-common.noarch
4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
389-ds-base.x86_64
1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream
389-ds-base-libs.x86_64
1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream
Linux sso-111 4.18.0-240.15.1.el8_3.x86_64 #1 SMP Mon Mar 1 17:16:16 UTC
2021 x86_64 x86_64 x86_64 GNU/Linux
cc'ing one of the CA developers.
rob
Hi Endi:
We haven’t done any customizations. I’ve owned this FreeIPA deployment since way back in the CentOS 6.X days, when all the CA stuff lived in a second LDAP instance. Since then there have been numerous upgrades, cleanup of old data, some minor tweaks to things like nsslapd-idletimeout etc. but nothing major.
We have a pretty simple use case, about 800 hosts, 3 nodes, about 30 active users, we mainly use FreeIPA to enforce hosts access, via HBAC and sudo rules, user public ssh keys.
I don’t know if this is related but back in February of this year we upgraded from 4.8.4-7 to 4.8.7-14 and started to see a slow and steady apparent memory leak from ns-slapd:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/X7I3N2LZCW2CQBA5YWJ7G6LROQMH7YRP/
Did you guys want me to create the Bugzilla ticket? I’m not sure if I can as a third party. Happy to though.
Jim Richard System Administrator III jrichard@placeiq.com | (646) 338-8905 | www.placeiq.com
On Apr 26, 2021, at 9:53 AM, Endi Dewata edewata@redhat.com wrote:
Hi,
I have not seen this error before. Was there any customization done to the system? Could you open a Bugzilla ticket against pki-core component on RHEL 8 and provide the steps to reproduce? Also, please include the LDAP entry cn=268174648,ou=certificateRepository,ou=ca,o=ipaca. Thanks.
-- Endi S. Dewata
On Mon, Apr 26, 2021, 7:40 AM Rob Crittenden <rcritten@redhat.com mailto:rcritten@redhat.com> wrote: Jim Richard via FreeIPA-users wrote:
From /var/log/pki/pki-tomcat/ca/debug.2021-04-26.log
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList: dn: cn=268174647,ou=certificateRepository,ou=ca,o=ipaca 2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList: dn: cn=268174648,ou=certificateRepository,ou=ca,o=ipaca
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Operation Error - netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602) at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754) at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110) at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) at org.apache.tomcat.util.net http://org.apache.tomcat.util.net/.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) at org.apache.tomcat.util.net http://org.apache.tomcat.util.net/.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Unable to search for certificates: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry java.lang.RuntimeException: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:523) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602) at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754) at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110) at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) at org.apache.tomcat.util.net http://org.apache.tomcat.util.net/.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) at org.apache.tomcat.util.net http://org.apache.tomcat.util.net/.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477) ... 70 more
Current versions are:
CentOS 8:
ipa-client.x86_64 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-client-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-healthcheck.noarch 0.4-6.module_el8.3.0+482+9e103aab @AppStream ipa-healthcheck-core.noarch 0.4-6.module_el8.3.0+482+9e103aab @AppStream ipa-selinux.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-server.x86_64 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-server-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
389-ds-base.x86_64 1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream 389-ds-base-libs.x86_64 1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream
Linux sso-111 4.18.0-240.15.1.el8_3.x86_64 #1 SMP Mon Mar 1 17:16:16 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
cc'ing one of the CA developers.
rob
Hi Jim,
To my understanding anybody can create a Bugzilla ticket. Just let me know if it doesn't work.
The exception is likely triggered by the content of the database, so if you could provide the LDAP entry that triggers the error (i.e. cn=268174648, ou=certificateRepository,ou=ca,o=ipaca) that would be helpful. Feel free to remove sensitive attribute values, but we need to know what attributes the entry has.
I'm not sure about the memory leak in ns-slapd. That would be handled by another team. You might want to open a Bugzilla ticket against 389-ds-base.
Hi Endi:
The cert in question follows here. It’s a long ago revoked_expired cert for a host that has not existed for years.
I pulled it with this command: ldapsearch -D "cn=directory manager" -w ****** -b o=ipaca "(objectclass=*)" -h localhost
The error happens with a "ipa cert-find" command as well as in the UI when you go to look at certs
And the error is in /var/log/pki/pki-tomcat/ca/debug.<data stamp>.log
ldapsearch -D "cn=directory manager" -w ******** -b o=ipaca "(objectclass=*)" -h localhost
# 268174648, certificateRepository, ca, ipaca dn: cn=268174648,ou=certificateRepository,ou=ca,o=ipaca revokedOn: 20151019223449Z revokedBy: ipara revInfo: 20151019223449Z;CRLReasonExtension=4 objectClass: top objectClass: certificateRecord serialno: 09268174648 metaInfo: requestId:9962078 metaInfo: profileId:caIPAserviceCert notBefore: 20150428145742Z notAfter: 20170428145742Z duration: 1163158400000 subjectName: CN=dev-cluster-1-100.nym1.placeiq.net,O=PLACEIQ.NET publicKeyData:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw1iRFbhP1c+jyKoqxh 6hffBFLP+SXQzY1FxtuDiTUVvnGoMotRh0WIrg6xBlm+8xKhtlw/W0OHvOgvwXz1pFwItYrZ2ymEN lkIViMwp9/8qodHrm65TsK3ati6y2g1A4mCYOfnnVk2gV5h4+G3LsZ5EvEAyk9qxWIjdXv5WDO6Us 2WgJ1RZaFZhZhUa7SeNh2k2sNDFF+/Vgqx0YCn0rY/MgQKDsr7b+ZSPfvE4oLrBU4nEbSllrMnxUe YWQWLJ48s4QoE8xjlcEF6kXpy3/6kigZimH36wAMsTc2gvSrivHuP1KD0pffXFyLP1llLQCjeEI4q MAlZtz9t9+jLWSZQIDAQAB extension: 1.3.6.1.5.5.7.1.1 extension: 2.5.29.14 extension: 2.5.29.37 extension: 2.5.29.35 extension: 2.5.29.15 userCertificate;binary:: MIIDsjCCApqgAwIBAgIED/wFODANBgkqhkiG9w0BAQsFADA2MRQwE gYDVQQKEwtQTEFDRUlRLk5FVDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE1MD QyODE0NTc0MloXDTE3MDQyODE0NTc0MlowQzEUMBIGA1UEChMLUExBQ0VJUS5ORVQxKzApBgNVBAM TImRldi1jbHVzdGVyLTEtMTAwLm55bTEucGxhY2VpcS5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDDWJEVuE/Vz6PIqirGHqF98EUs/5JdDNjUXG24OJNRW+cagyi1GHRYiuDrEGWb7 zEqG2XD9bQ4e86C/BfPWkXAi1itnbKYQ2WQhWIzCn3/yqh0eubrlOwrdq2LrLaDUDiYJg5+edWTaB XmHj4bcuxnkS8QDKT2rFYiN1e/lYM7pSzZaAnVFloVmFmFRrtJ42HaTaw0MUX79WCrHRgKfStj8yB AoOyvtv5lI9+8TigusFTicRtKWWsyfFR5hZBYsnjyzhCgTzGOVwQXqRenLf/qSKBmKYffrAAyxNza C9KuK8e4/UoPSl99cXIs/WWUtAKN4QjiowCVm3P2336MtZJlAgMBAAGjgbowgbcwHwYDVR0jBBgwF oAUmMCJ//8shNU4zC3pllBo9h6ZmG0wRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi 8vc3NvLTExMC5ueW0xLnBsYWNlaXEubmV0OjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1U dJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUgS3+DHwkTagdhrhCxYy6ESVonHQw DQYJKoZIhvcNAQELBQADggEBAMbHMj3HD1ppzkVU1TeIw4klfy8TYuidk+vjQftOkOxmMG430lIAw pm3mXeoE9cfANxMmIE0FckKlTqP92vgIRBHZ4gwyhC/Iv3dRIjrBjRWhhhEiMDIhTu16pc0x2MEv7 4fszV0BTXJNne4a0KpUXn2vuX3hxAWi3uVtFRSQygCyz2gpKSLqK4Oc6/vjrD9tayPvwHHa1Ek4Y3 xehOT+EvPhiZi6ves0LOI0gS0X7FL+aX4Rp6e/KV6n4lmzMop8xFu/TSk0J3xuAy0i07y28qraq8M JnXVpw9bszGriZNdVSTkRifJ1QSxTA0PZztXxNlKLT+y/j0RKVUO9N1/YZ0= version: 2 algorithmId: 1.2.840.113549.1.1.1 signingAlgorithmId: 1.2.840.113549.1.1.11 dateOfCreate: 20150428145742Z autoRenew: ENABLED issuedBy: ipara cn: 268174648 certStatus: REVOKED_EXPIRED dateOfModify: 20170428150734Z
Jim Richard System Administrator III jrichard@placeiq.com | (646) 338-8905 | www.placeiq.com
On Apr 26, 2021, at 2:56 PM, Endi Dewata edewata@redhat.com wrote:
Hi Jim,
To my understanding anybody can create a Bugzilla ticket. Just let me know if it doesn't work.
The exception is likely triggered by the content of the database, so if you could provide the LDAP entry that triggers the error (i.e. cn=268174648, ou=certificateRepository,ou=ca,o=ipaca) that would be helpful. Feel free to remove sensitive attribute values, but we need to know what attributes the entry has.
I'm not sure about the memory leak in ns-slapd. That would be handled by another team. You might want to open a Bugzilla ticket against 389-ds-base.
-- Endi S. Dewata
On Mon, Apr 26, 2021 at 1:39 PM Jim Richard <jrichard@placeiq.com mailto:jrichard@placeiq.com> wrote: Hi Endi:
We haven’t done any customizations. I’ve owned this FreeIPA deployment since way back in the CentOS 6.X days, when all the CA stuff lived in a second LDAP instance. Since then there have been numerous upgrades, cleanup of old data, some minor tweaks to things like nsslapd-idletimeout etc. but nothing major.
We have a pretty simple use case, about 800 hosts, 3 nodes, about 30 active users, we mainly use FreeIPA to enforce hosts access, via HBAC and sudo rules, user public ssh keys.
I don’t know if this is related but back in February of this year we upgraded from 4.8.4-7 to 4.8.7-14 and started to see a slow and steady apparent memory leak from ns-slapd:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/X7I3N2LZCW2CQBA5YWJ7G6LROQMH7YRP/
Did you guys want me to create the Bugzilla ticket? I’m not sure if I can as a third party. Happy to though.
Jim Richard System Administrator III jrichard@placeiq.com mailto:jrichard@placeiq.com | (646) 338-8905 | www.placeiq.com http://www.placeiq.com/
On Apr 26, 2021, at 9:53 AM, Endi Dewata <edewata@redhat.com mailto:edewata@redhat.com> wrote:
Hi,
I have not seen this error before. Was there any customization done to the system? Could you open a Bugzilla ticket against pki-core component on RHEL 8 and provide the steps to reproduce? Also, please include the LDAP entry cn=268174648,ou=certificateRepository,ou=ca,o=ipaca. Thanks.
-- Endi S. Dewata
On Mon, Apr 26, 2021, 7:40 AM Rob Crittenden <rcritten@redhat.com mailto:rcritten@redhat.com> wrote: Jim Richard via FreeIPA-users wrote:
From /var/log/pki/pki-tomcat/ca/debug.2021-04-26.log
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList: dn: cn=268174647,ou=certificateRepository,ou=ca,o=ipaca 2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] INFO: DBVirtualList: dn: cn=268174648,ou=certificateRepository,ou=ca,o=ipaca
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Operation Error - netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602) at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754) at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110) at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) at org.apache.tomcat.util.net http://org.apache.tomcat.util.net/.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) at org.apache.tomcat.util.net http://org.apache.tomcat.util.net/.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)
2021-04-26 04:13:42 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Unable to search for certificates: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry java.lang.RuntimeException: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:523) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610) at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602) at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754) at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110) at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:473) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) at org.apache.tomcat.util.net http://org.apache.tomcat.util.net/.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) at org.apache.tomcat.util.net http://org.apache.tomcat.util.net/.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.ClassCastException: netscape.ldap.LDAPException cannot be cast to netscape.ldap.LDAPEntry at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477) ... 70 more
Current versions are:
CentOS 8:
ipa-client.x86_64 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-client-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-healthcheck.noarch 0.4-6.module_el8.3.0+482+9e103aab @AppStream ipa-healthcheck-core.noarch 0.4-6.module_el8.3.0+482+9e103aab @AppStream ipa-selinux.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-server.x86_64 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream ipa-server-common.noarch 4.8.7-14.module_el8.3.0+698+d6d67052 @appstream
389-ds-base.x86_64 1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream 389-ds-base-libs.x86_64 1.4.3.8-6.module_el8.3.0+604+ab7bf9cc @AppStream
Linux sso-111 4.18.0-240.15.1.el8_3.x86_64 #1 SMP Mon Mar 1 17:16:16 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
cc'ing one of the CA developers.
rob
freeipa-users@lists.fedorahosted.org
-
Endi Dewata -
Jim Richard -
Rob Crittenden