
Caused by: javax.ejb.EJBException: org.ejbca.core.model.ca.publisher.PublisherException: LDAP ERROR: Error storing CRL: Message: Connect Error.

Open hsynff opened this issue 3 years ago • 1 comments

I face this error when I try to create a CRL through the EJBCA Administration dashboard: CA Functions -> CA Structure & CRL's -> "Create CRL". When I click this button, it waits nearly 10-15 minutes and throws an exception:

Error while getting certficate chain from CA.
javax.ejb.EJBException: javax.ejb.EJBException: Error creating CRL.
	at org.cesecore.core.ejb.ca.crl.CrlCreateSessionBean.run(CrlCreateSessionBean.java:519)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
...
Caused by: javax.ejb.EJBException: org.ejbca.core.model.ca.publisher.PublisherException: LDAP ERROR: Error storing CRL (certificateRevocationList;binary) in LDAP (top;applicationProcess;certificationAuthority-V2) for DN (CN=<VALUES>,o=<VALUES>,c=az). Message: Connect Error.
	at org.jboss.ejb3.tx.TxInterceptor$NotSupported.invoke(TxInterceptor.java:104)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
...

The error suggests that there is a connection error to the LDAP server, but I can reach the LDAP server IP and port from the machine that EJBCA runs on (both ping and telnet are OK).

hsynff avatar Jun 24 '22 13:06 hsynff

There may be more information further down (or up) in the message in server.log. It could be credentials, it could be TLS certificates, or something else. Which LDAP settings you use can also be helpful. LDAP Publishers also have a "Test connection" button, which is very useful when you create a publisher. It is easier to test with that than to wait for an actual CRL generation.

primetomas avatar Jun 27 '22 07:06 primetomas
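
An added example, not part of the thread and not EJBCA code: a staged probe that separates TCP reachability (what ping and telnet confirm) from the TLS handshake and certificate validation that the reply names as possible causes. The function names and the assumption that the publisher uses TLS are hypothetical; the local listener is a constructed stand-in for an LDAP port that does not speak TLS.

```python
import socket
import ssl
import threading

def probe_ldap_endpoint(host, port, use_tls, cafile=None, timeout=5.0):
    """Return (stage, detail) for the first stage that fails, or ("ok", detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", str(exc))            # what telnet would also report
    with sock:
        if not use_tls:
            return ("ok", "TCP connect succeeded; TLS not checked")
        # cafile: the CA bundle the client trusts (assumption: PEM file path)
        ctx = ssl.create_default_context(cafile=cafile)
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", tls.version())
        except ssl.SSLCertVerificationError as exc:
            return ("tls-certificate", exc.verify_message)
        except (ssl.SSLError, OSError) as exc:
            return ("tls-handshake", str(exc))

def start_plain_listener(connections=2):
    """Constructed test server: accepts TCP, reads, hangs up. No TLS."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.recv(4096)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    port = start_plain_listener()
    # Same port: reachable over TCP, yet a TLS client cannot connect.
    print(probe_ldap_endpoint("127.0.0.1", port, use_tls=False))
    print(probe_ldap_endpoint("127.0.0.1", port, use_tls=True))
```

A `tls-certificate` result points at the trust store of the connecting side, while `tls-handshake` on a port that accepts TCP usually means a protocol or port mismatch; neither stage covers bind credentials.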