Revocation of certificate failed after upgrading to 8.2.0 - WFLYEJB0034: Jakarta Enterprise Beans Invocation failed

[3keyroman]

Hello Community,

I am having an issue revoking some certificates after the upgrade to EJBCA 8.2.0. Trying to revoke certificate from adminweb or through the WS gives the following exception:

2024-02-06 11:35:15,939 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: Jakarta Enterprise Beans Invocation failed on component CertificateStoreSessionBean for method public abstract boolean org.cesecore.certificates.certificate.CertificateStoreSessionLocal.setRevokeStatus(org.cesecore.authentication.tokens.AuthenticationToken,org.cesecore.certificates.certificate.CertificateDataWrapper,java.util.Date,java.util.Date,int) throws org.cesecore.certificates.certificate.CertificateRevokeException,org.cesecore.authorization.AuthorizationDeniedException: javax.ejb.EJBTransactionRolledbackException: Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect) : [org.cesecore.certificates.certificate.CertificateData#107c124d5c8ecdbee08538fb19aaf213cd1fda9c]
	at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInCallerTx(CMTTxInterceptor.java:219)
	at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:392)
	at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:160)
	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
	at [email protected]//org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
	at [email protected]//org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:72)
	at [email protected]//org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:89)
	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
	at [email protected]//org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
	at [email protected]//org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
	at [email protected]//org.jboss.as.ejb3.security.IdentityOutflowInterceptor.processInvocation(IdentityOutflowInterceptor.java:73)
	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
	at [email protected]//org.jboss.as.ejb3.security.SecurityDomainInterceptor.processInvocation(SecurityDomainInterceptor.java:44)
	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
	at [email protected]//org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
	at [email protected]//org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
	at [email protected]//org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
	at [email protected]//org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
	at [email protected]//org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
	at [email protected]//org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
	at [email protected]//org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:633)
	at [email protected]//org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
	at [email protected]//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
	at [email protected]//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
	at [email protected]//org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
	at [email protected]//org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:191)
	at [email protected]//org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81)
	at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.certificates.certificate.CertificateStoreSessionLocal$$$view195.setRevokeStatus(Unknown Source)
	at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.certificates.certificate.NoConflictCertificateStoreSessionBean.setRevokeStatus(NoConflictCertificateStoreSessionBean.java:298)
...
Caused by: javax.persistence.OptimisticLockException: Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect) : [org.cesecore.certificates.certificate.CertificateData#107c124d5c8ecdbee08538fb19aaf213cd1fda9c]
	at [email protected]//org.hibernate.internal.ExceptionConverterImpl.wrapStaleStateException(ExceptionConverterImpl.java:223)
	at [email protected]//org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:93)
	at [email protected]//org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:181)
	at [email protected]//org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:188)
	at [email protected]//org.hibernate.internal.SessionImpl.fireMerge(SessionImpl.java:917)
	at [email protected]//org.hibernate.internal.SessionImpl.merge(SessionImpl.java:891)
	at [email protected]//org.jboss.as.jpa.container.AbstractEntityManager.merge(AbstractEntityManager.java:568)
	at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.certificates.certificate.CertificateStoreSessionBean.setRevokeStatusNoAuth(CertificateStoreSessionBean.java:1327)
	at deployment.ejbca.ear.cesecore-ejb.jar//org.cesecore.certificates.certificate.CertificateStoreSessionBean.setRevokeStatus(CertificateStoreSessionBean.java:1232)
...
Caused by: org.hibernate.StaleObjectStateException: Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect) : [org.cesecore.certificates.certificate.CertificateData#107c124d5c8ecdbee08538fb19aaf213cd1fda9c]
	at [email protected]//org.hibernate.event.internal.DefaultMergeEventListener.entityIsDetached(DefaultMergeEventListener.java:356)
	at [email protected]//org.hibernate.event.internal.DefaultMergeEventListener.onMerge(DefaultMergeEventListener.java:188)
	at [email protected]//org.hibernate.event.internal.DefaultMergeEventListener.onMerge(DefaultMergeEventListener.java:72)
	at [email protected]//org.hibernate.internal.SessionImpl.fireMerge(SessionImpl.java:905)
	... 353 more

This happens on some of the certificates, not all of them. Looking into the database, there are no obvious differences between the certificates that can be revoked, and certificates that will throw an exception when trying to revoke.

Moreover, the certificate that failed to be revoked through the adminweb or WS, can be revoked without any issues through the raweb. I assume that is because they use different methods.

Does anyone have or had similar issue? Can you advise what can be an issue here?

I am running with database MariaDB Server version: 10.3.39-MariaDB-0+deb10u1 Debian 10, with OpenJDK 17, and on the Wildfly 26.1.2.Final.

I was trying to downgrade to OpenJDK 11, but the problem persists.

With best regards,
Roman

[primetomas]

We have not heard of this before.

Are you running with database.useSeparateCertificateTable=true or false (default is false)?

[3keyroman]

Default value is used, therefore database.useSeparateCertificateTable=false.

I have a simple database.properties:

database.name=mysql
database.url=jdbc:mysql://localhost:3306/ejbcadb?characterEncoding=UTF-8
database.driver=mariadb-java-client.jar
database.username=*****
database.password=*****

[primetomas]

Are any publishers used?

[primetomas]

A debug log previous to these failed revocations may reveal some interesting information.

[3keyroman]

Yes, there are couple of Publishers that are active, however, any of these Publishers are not selected for this particular Certificate Profile or Authority, so it should not trigger any Publisher when revoking certificate.

Here is the DEBUG log before the exception:

2024-02-06 11:34:58,359 DEBUG [org.ejbca.core.ejb.ServiceLocator] (default task-2) Doing lookup of 'java:/EjbcaMail'
2024-02-06 11:34:58,399 DEBUG [org.cesecore.configuration.LogRedactionConfigurationCache] (default task-2) Updated LogRedactionConfigurationCache.
2024-02-06 11:35:00,422 DEBUG [org.cesecore.config.CesecoreConfiguration] (default task-2) Using default value of 20 for new CA's ca.serialnumberoctetsize
2024-02-06 11:35:00,423 DEBUG [org.cesecore.certificates.ca.CAData] (default task-2) CAData.getProtectString gives size: 14180
2024-02-06 11:35:00,424 DEBUG [org.cesecore.config.CesecoreConfiguration] (default task-2) Using default value of 20 for new CA's ca.serialnumberoctetsize
2024-02-06 11:35:00,425 DEBUG [org.cesecore.internal.CommonCacheBase] (default task-2) Update not needed X509CAImpl in cache. Digest was -595881853, cacheEntry digest was -595881853
2024-02-06 11:35:00,506 DEBUG [org.cesecore.configuration.LogRedactionConfigurationCache] (default task-2) Updated LogRedactionConfigurationCache.
2024-02-06 11:35:00,508 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-2) 2024-02-06 11:35:00+01:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;CN=Admin,OU=Professional Services,OU=CA Administrator,O=Company,C=CZ;;;;resource0=/administrator;resource1=/ra_functionality/view_end_entity
2024-02-06 11:35:00,508 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-2) LogDevice: Log4jDevice Proc: 0
2024-02-06 11:35:00,518 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-2) LogDevice: IntegrityProtectedDevice Proc: 10
2024-02-06 11:35:04,750 DEBUG [org.ejbca.peerconnector.ra.PeerRaConnection] (EJB default - 1) processNextMessageFromSlave called with RA_MASTER_MESSAGE.
2024-02-06 11:35:04,750 DEBUG [org.ejbca.peerconnector.ra.PeerRaThrottleCounter] (EJB default - 2) All long hanging threads are currently processing requests here upstream. Re-check if we need to open more long hanging connections to peer.
2024-02-06 11:35:04,751 DEBUG [org.ejbca.peerconnector.ra.PeerRaMasterServiceBean] (EJB default - 2) Peer RA service will check the outgoing pools.
2024-02-06 11:35:08,592 DEBUG [org.cesecore.certificates.ca.internal.CaIDCacheBean] (default task-2) Loading CA ID cache from database
2024-02-06 11:35:08,653 DEBUG [org.cesecore.configuration.LogRedactionConfigurationCache] (default task-2) Updated LogRedactionConfigurationCache.
2024-02-06 11:35:08,656 DEBUG [org.cesecore.configuration.GlobalConfigurationSessionBean] (default task-2) Reading Configuration: CESECORE_CONFIGURATION
2024-02-06 11:35:08,664 DEBUG [org.ejbca.util.query.Query] (default task-2) hasIllegalSqlChars: false
2024-02-06 11:35:11,590 DEBUG [org.ejbca.ui.web.admin.configuration.EjbcaWebBeanImpl] (default task-1) TLS session authentication changed withing the HTTP Session, re-authenticating admin. Old TLS session ID: 2d58f4da792e9a8327bfec8da215d2aecc554d103f90b9b7d68045b3f597b9a0, new TLS session ID: e2193af9aab5d4079d5918d4820f78ea93dcd96165d4c230c8f5c3a1d492ed44, old cert fp: f9c9d03ce4ecc83780db6d2a03783c1e9e73145d, new cert fp: f9c9d03ce4ecc83780db6d2a03783c1e9e73145d
2024-02-06 11:35:11,590 DEBUG [org.ejbca.ui.web.admin.configuration.EjbcaWebBeanImpl] (default task-1) requestServerName: internal.server.local
2024-02-06 11:35:11,607 DEBUG [org.ejbca.ui.web.admin.configuration.EjbcaWebBeanImpl] (default task-1) Verifying authorization of 'CN=Admin,OU=Professional Services,OU=CA Administrator,O=Company,C=CZ'
2024-02-06 11:35:11,624 DEBUG [org.cesecore.certificates.certificate.CertificateStoreSessionBean] (default task-1) Looking for cert with (transformed)DN: CN=PKI Client SubCA 17,OU=Professional Services,O=Company,C=CZ
2024-02-06 11:35:11,635 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-1) 2024-02-06 11:35:11+01:00;ADMINWEB_ADMINISTRATORLOGGEDIN;SUCCESS;ADMINWEB;EJBCA;CN=Admin,OU=Professional Services,OU=CA Administrator,O=Company,C=CZ;-1537224577;53D855AC9559538F;;remoteip=10.45.1.140
2024-02-06 11:35:11,636 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-1) LogDevice: Log4jDevice Proc: 1
2024-02-06 11:35:11,663 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-1) LogDevice: IntegrityProtectedDevice Proc: 27
2024-02-06 11:35:11,664 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-1) 2024-02-06 11:35:11+01:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;CN=Admin,OU=Professional Services,OU=CA Administrator,O=Company,C=CZ;;;;resource0=/administrator
2024-02-06 11:35:11,665 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-1) LogDevice: Log4jDevice Proc: 1
2024-02-06 11:35:11,690 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-1) LogDevice: IntegrityProtectedDevice Proc: 25
2024-02-06 11:35:11,700 DEBUG [org.ejbca.ui.web.admin.configuration.WebLanguagesImpl] (default task-1) Loading language from file: /languages/languagefile.en.properties
2024-02-06 11:35:11,723 DEBUG [org.cesecore.keybind.InternalKeyBindingDataSessionBean] (default task-1) Object with ID -580509324 will be checked for updates.
2024-02-06 11:35:11,745 DEBUG [org.cesecore.internal.CommonCacheBase] (default task-1) Update not needed AuthenticationKeyBinding in cache. Digest was 203308956, cacheEntry digest was 203308956
2024-02-06 11:35:11,746 DEBUG [org.cesecore.keybind.InternalKeyBindingDataSessionBean] (default task-1) Object with ID 1178362455 will be checked for updates.
2024-02-06 11:35:11,768 DEBUG [org.cesecore.internal.CommonCacheBase] (default task-1) Update not needed AuthenticationKeyBinding in cache. Digest was 507647956, cacheEntry digest was 507647956
2024-02-06 11:35:11,769 DEBUG [org.ejbca.ui.web.admin.configuration.WebLanguagesImpl] (default task-1) Loading language from file: /languages/languagefile.bs.properties
2024-02-06 11:35:11,790 DEBUG [org.ejbca.ui.web.admin.configuration.WebLanguagesImpl] (default task-1) Loading language from file: /languages/languagefile.cs.properties
2024-02-06 11:35:11,813 DEBUG [org.ejbca.ui.web.admin.configuration.WebLanguagesImpl] (default task-1) Loading language from file: /languages/languagefile.de.properties
2024-02-06 11:35:11,846 DEBUG [org.ejbca.ui.web.admin.configuration.WebLanguagesImpl] (default task-1) Loading language from file: /languages/languagefile.fr.properties
2024-02-06 11:35:11,878 DEBUG [org.ejbca.ui.web.admin.configuration.WebLanguagesImpl] (default task-1) Loading language from file: /languages/languagefile.ja.properties
2024-02-06 11:35:11,901 DEBUG [org.ejbca.ui.web.admin.configuration.WebLanguagesImpl] (default task-1) Loading language from file: /languages/languagefile.pt.properties
2024-02-06 11:35:11,926 DEBUG [org.ejbca.ui.web.admin.configuration.WebLanguagesImpl] (default task-1) Loading language from file: /languages/languagefile.sv.properties
2024-02-06 11:35:11,949 DEBUG [org.ejbca.ui.web.admin.configuration.WebLanguagesImpl] (default task-1) Loading language from file: /languages/languagefile.uk.properties
2024-02-06 11:35:11,973 DEBUG [org.ejbca.ui.web.admin.configuration.WebLanguagesImpl] (default task-1) Loading language from file: /languages/languagefile.zh.properties
2024-02-06 11:35:11,993 DEBUG [org.ejbca.ui.web.admin.configuration.WebLanguagesImpl] (default task-1) Loading language from file: /languages/languagefile.vi.properties
2024-02-06 11:35:12,028 DEBUG [org.ejbca.ui.web.admin.rainterface.RAInterfaceBean] (default task-1) =initialize(): already initialized
2024-02-06 11:35:12,031 DEBUG [org.ejbca.ui.web.RequestHelper] (default task-1) Setting encoding to value from request: UTF-8
2024-02-06 11:35:12,052 DEBUG [org.cesecore.certificates.util.cert.SubjectDirAttrExtension] (default task-1) Search for SubjectDirectoryAttributes
2024-02-06 11:35:15,686 DEBUG [org.cesecore.certificates.certificate.CertificateStoreSessionBean] (default task-1) Found 1 cert(s) with (transformed) DN: CN=Server SubCA 17,OU=Professional Services,O=Company,C=CZ serialNumber: 5897995354248574786
2024-02-06 11:35:15,715 DEBUG [org.cesecore.authorization.AuthorizationSessionBean] (default task-1) Internal search for End Entity has the following access rules:
 allow /

2024-02-06 11:35:15,719 DEBUG [org.cesecore.authorization.AuthorizationCache] (default task-1) Added entry for key 'AlwaysAllowLocalAuthenticationToken;fbc45fe018830de401f0cf801177a57d0039bc72d922b8ff2c82af7af05dd32b;null'.
2024-02-06 11:35:15,721 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-1) 2024-02-06 11:35:15+01:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;CN=Admin,OU=Professional Services,OU=CA Administrator,O=Company,C=CZ;;;;resource0=/endentityprofilesrules/1988631243/revoke_end_entity;resource1=/ra_functionality/revoke_end_entity
2024-02-06 11:35:15,722 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-1) LogDevice: Log4jDevice Proc: 1
2024-02-06 11:35:15,746 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-1) LogDevice: IntegrityProtectedDevice Proc: 24
2024-02-06 11:35:15,832 DEBUG [org.cesecore.config.CesecoreConfiguration] (default task-1) Using default value of 20 for new CA's ca.serialnumberoctetsize
2024-02-06 11:35:15,834 DEBUG [org.cesecore.certificates.ca.CAData] (default task-1) CAData.getProtectString gives size: 15883
2024-02-06 11:35:15,836 DEBUG [org.cesecore.config.CesecoreConfiguration] (default task-1) Using default value of 20 for new CA's ca.serialnumberoctetsize
2024-02-06 11:35:15,838 DEBUG [org.cesecore.internal.CommonCacheBase] (default task-1) Update not needed X509CAImpl in cache. Digest was -1642840666, cacheEntry digest was -1642840666
2024-02-06 11:35:15,855 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-1) 2024-02-06 11:35:15+01:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;CN=Admin,OU=Professional Services,OU=CA Administrator,O=Company,C=CZ;;;;resource0=/ca/1847279941
2024-02-06 11:35:15,856 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-1) LogDevice: Log4jDevice Proc: 1
2024-02-06 11:35:15,883 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-1) LogDevice: IntegrityProtectedDevice Proc: 27
2024-02-06 11:35:15,888 DEBUG [org.cesecore.config.CesecoreConfiguration] (default task-1) Using default value of 20 for new CA's ca.serialnumberoctetsize
2024-02-06 11:35:15,891 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-1) 2024-02-06 11:35:15+01:00;CERT_REVOKED;SUCCESS;CERTIFICATE;CORE;CN=Admin,OU=Professional Services,OU=CA Administrator,O=Company,C=CZ;1847279941;51D9E38698E3F742;testing_7_10_0_1;msg=Revoked certificate for username 'testing_7_10_0_1', fp=107c124d5c8ecdbee08538fb19aaf213cd1fda9c, revocationReason=0, subjectDN 'CN=testing,SN=123456,OU=Professional Services,OU=Testing,O=Company,C=CZ', issuerDN 'CN=Server SubCA 17,OU=Professional Services,O=Company,C=CZ', serialNo=51D9E38698E3F742.
2024-02-06 11:35:15,891 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-1) LogDevice: Log4jDevice Proc: 0
2024-02-06 11:35:15,919 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-1) LogDevice: IntegrityProtectedDevice Proc: 28
2024-02-06 11:35:15,939 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: Jakarta Enterprise Beans Invocation failed on component CertificateStoreSessionBean for method public abstract boolean org.cesecore.certificates.certificate.CertificateStoreSessionLocal.setRevokeStatus(org.cesecore.authentication.tokens.AuthenticationToken,org.cesecore.certificates.certificate.CertificateDataWrapper,java.util.Date,java.util.Date,int) throws org.cesecore.certificates.certificate.CertificateRevokeException,org.cesecore.authorization.AuthorizationDeniedException: javax.ejb.EJBTransactionRolledbackException: Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect) : [org.cesecore.certificates.certificate.CertificateData#107c124d5c8ecdbee08538fb19aaf213cd1fda9c]
	at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInCallerTx(CMTTxInterceptor.java:219)
	at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:392)

[primetomas]

This was an Admin UI revocation. Did you search for end entity->view certificate->Revoke?

I did the same and I get this additional log line:
2024-02-06 17:58:19,724 DEBUG [org.ejbca.core.ejb.ra.EndEntityManagementSessionBean] (default task-1) No publishers defined for certificate with serial #7504266f72de47d6c69513175e5f071 issued by CN=Management CA
,O=PK,C=SE

[3keyroman]

Yes, it was done in the Admin UI search for end entity->view certificate->revoke, the same exception result is returned using revocation through Web Services revokeCert.

The RA Web works, when I revoke in RA Web, certificate is revoked without any issue.

Trying it now with the certificate that I am sure does not have any Publisher, I see the same line in the log:

2024-02-06 18:04:28,098 DEBUG [org.ejbca.core.ejb.ra.EndEntityManagementSessionBean] (default task-1) No publishers defined for certificate wit h serial #8cc2484e43b473c8c9ca4c84dda18823708cc85 issued by CN=Server SubCA 17,OU=Professional Services,O=Company,C=CZ

But the rest is the same, exception occurs:

2024-02-06 18:04:28,128 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: Jakarta Enterprise Beans Invocation failed on component CertificateStoreSessionBean for method public abstract boolean org.cesecore.certificates.certificate.CertificateStoreSessionLocal.setRevokeStatus(org.cesecore.authentication.tokens.AuthenticationToken,org.cesecore.certificates.certificate.CertificateDataWrapper,java.util.Date,java.util.Date,int) throws org.cesecore.certificates.certificate.CertificateRevokeException,org.cesecore.authorization.AuthorizationDeniedException:
javax.ejb.EJBTransactionRolledbackException: Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect) : [org.cesecore.certificates.certificate.CertificateData#358741f10beaa2a861906b013e74125bc63dfbfd]
        at [email protected]//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInCallerTx(CMTTxInterceptor.java:219)

What can be different when the revocation using RA Web works, but not using the Admin UI?

[primetomas]

I didn't have time to check the difference between RA and Admin UI yet. But thinking what's new on 8.2.0, is pre-produced OCSP responses used? You didn't enable the new functionality in EJBCA Enterprise to create OCSP responses on issuance/revocation?

[3keyroman]

No, there is no OCSP configured, no pre-produced OCSP responses.

I was trying to look into the code, no idea so far, what is going on.

[primetomas]

And no RA Peer connections I suppose.

I checked the code as well in RA Web, revoking in RA web and it looks very similar to Admin UI. I can't see anything.

Next step would be a trace log. Comparing revocation in Admin UI vs revocation in RA UI, it should show exact code paths that is run.

[primetomas]

Or looking at StaleException:

Thrown when a version number or timestamp check failed, indicating that the Session contained stale data (when using long transactions with versioning). Also occurs if we try delete or update a row that does not exist.
Considering that the primary key is fingerprint...how could the row not exist.

Debug logging actual SQL queries in the database might also show something.

This is really tricky.

[3keyroman]

Hi Tomas,

Here is the TRACE log.
server-trace.log

There is one RA Peer connection enabled, however, the revocation is done on the same CA, not through the RA Peer. I am trying to revoke in Admin UI and RA UI on the same instance that has the CA.

I do not see any interesting information in the database logs.
Maybe you see something in the TRACE log, but for me it looks the same, I do not see anything that may be the reason why it is throwing an exception.

[3keyroman]

Testing various scenarios it seems that I can revoke every certificate that was issued after upgrade to 8.2.0. The problem seems to be with certificates that were issued before upgrade to 8.2.0, but it is still undeterministic behaviour. I do not see any changes to the database or data that can cause it.

Do you see any reason why this can happen?

[3keyroman]

I do not see any issue in the trace, merge will fail, but the trace looks the same as with certificate that can be revoked:

I am out of ideas.

[primetomas]

That's it. It's the database protection. I can reproduce it with an old certificate with full database signing enabled.
Looks like it's due to the signing on CertificateData, because I had on AuditRecordData only and that did not trigger it. Enabling full databaseprotection gives the error. But it is also depending on some field, because revoking with onHold and reactivating, and then enabling signing and there is no error.
So figuring out which field it's related to would be the next step.

[primetomas]

These are the changes that happened to this certificate that fails with databaseprotection and succeeds without:
eevocationDate: -1 -> 1707991212544
revocationReason: -1 -> 6
rowVersion: 0 -> 1
status: 20 -> 40
updateTime: 1488348381038 -> 1707991212548
rowProtection: no change because I disabled database signing
invalidityDate: null -> -1

I suspect invalidityDate, as these is another open issue with invalidityDate and revocation.
#505

Can you move this discussion to an issue instead, as it's confirmed to be an issue. "Create issue from discussion".

[primetomas]

I confirmed it's the invalidityDate column by having an old cert where it was null, causing the error but after (I have failOnVerify=false):
update CertificateData set invalidityDate=-1 where fingerprint=LOWER('DF5D3D859744C0B53CC1E1C29AFF0147C399A417');
it works.

[primetomas]

Somewhat related, but not exactly the same as: #505

[3keyroman]

I see, and it was confirmed also on my side. Setting the invalidityDate from NULL to -1 makes the certificate revocable.

So I need to change the invalidityDate using script to -1 in all places where it is NULL for CertificateData in the database.
This should not conflict with the rowProtection version lower than 7 that was introduced in CertificateData in 7.12.0.

Export and import of the database using database CLI will have no effect I think.

Changing it in the database should be safe, it should not fail on verify before revocation or any other change.

[3keyroman]

By the way, what is the difference between revoking using Admin UI and RA UI. Because revocation in RA UI works also in case the invalidityData = NULL ?

[primetomas]

I have not been able to find that difference.