Description
Describe the Bug
The bug described here appears to still be active. I can't seem to find a previous issue for this (was suggested in the SF thread) so opening this one.
When attempting to create a CRL download service to populate an OCSP database using the CLI utility, the ignoreNextUpdate and maxDownloadSize parameters cannot be set as they are expected by the worker class.
To Reproduce
First, I created a CRL downloader service via the web UI as the documentation instructs. The resulting XML configuration blob, truncated for brevity, from the database is as follows:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<java version="17.0.12" class="java.beans.XMLDecoder">
  <object class="org.cesecore.util.Base64PutHashMap">
    <void method="put">
      <string>version</string>
      <float>7.0</float>
    </void>
    <void method="put">
      <string>ACTIVE</string>
      <boolean>true</boolean>
    </void>
    ---- SNIP ----
    <void method="put">
      <string>WORKERCLASSPATH</string>
      <string>org.ejbca.core.model.services.workers.CRLDownloadWorker</string>
    </void>
    <void method="put">
      <string>WORKERPROPERTIES</string>
      <object class="java.util.Properties">
        <void method="put">
          <string>maxDownloadSize</string>
          <string>1048576</string>
        </void>
        <void method="put">
          <string>worker.caidstocheck</string>
          <string>1</string>
        </void>
        <void method="put">
          <string>ignoreNextUpdate</string>
          <string>true</string>
        </void>
      </object>
    </void>
    ---- SNIP ----
```
The equivalent service creation command using the CLI utility is rejected:
```
bash-5.1$ bin/ejbca.sh service create CRLDownloadService "workerClassPath=org.ejbca.core.model.services.workers.CRLDownloadWorker worker.caidstocheck=1 maxDownloadSize=1048576 ignoreNextUpdate=true intervalClassPath=org.ejbca.core.model.services.intervals.PeriodicalInterval interval.periodical.unit=MINUTES interval.periodical.value=3 actionClassPath=org.ejbca.core.model.services.actions.NoAction active=true"
2025-12-14 05:58:13,183+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Modifying 'org.ejbca.core.model.services.ServiceConfiguration'...
2025-12-14 05:58:13,186+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Current value of workerClassPath is ''.
2025-12-14 05:58:13,187+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Updated field: workerClassPath
2025-12-14 05:58:13,187+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) workerClassPath returned value 'org.ejbca.core.model.services.workers.CRLDownloadWorker'.
2025-12-14 05:58:13,187+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) New field value: org.ejbca.core.model.services.workers.CRLDownloadWorker
2025-12-14 05:58:13,187+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Modifying 'org.ejbca.core.model.services.ServiceConfiguration'...
2025-12-14 05:58:13,187+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Updated worker property: worker.caidstocheck
2025-12-14 05:58:13,187+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) New worker property value: 1
2025-12-14 05:58:13,187+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Modifying 'org.ejbca.core.model.services.ServiceConfiguration'...
2025-12-14 05:58:13,187+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Field 'maxDownloadSize' does not exist. Did you use correct case for every character of the field?
2025-12-14 05:58:13,187+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Modifying 'org.ejbca.core.model.services.ServiceConfiguration'...
2025-12-14 05:58:13,187+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Field 'ignoreNextUpdate' does not exist. Did you use correct case for every character of the field?
---- SNIP ----
2025-12-14 05:58:13,188+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main)
2025-12-14 05:58:13,188+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) ERROR: One or more names didn't exist either as a field or property:
2025-12-14 05:58:13,188+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main)
2025-12-14 05:58:13,188+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) maxDownloadSize
2025-12-14 05:58:13,189+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) ignoreNextUpdate
2025-12-14 05:58:13,189+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main)
2025-12-14 05:58:13,189+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Changes were NOT saved!
```
The CLI utility will only accept these properties if the worker property prefix is given, in which case the CRL download worker ignores the properties as they are not defined as expected.
```
bash-5.1$ bin/ejbca.sh service create CRLDownloadService "workerClassPath=org.ejbca.core.model.services.workers.CRLDownloadWorker worker.caidstocheck=1 worker.maxDownloadSize=1048576 worker.ignoreNextUpdate=true intervalClassPath=org.ejbca.core.model.services.intervals.PeriodicalInterval interval.periodical.unit=MINUTES interval.periodical.value=3 actionClassPath=org.ejbca.core.model.services.actions.NoAction active=true"
2025-12-14 07:07:12,037+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Modifying 'org.ejbca.core.model.services.ServiceConfiguration'...
2025-12-14 07:07:12,041+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Current value of workerClassPath is ''.
2025-12-14 07:07:12,041+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Updated field: workerClassPath
2025-12-14 07:07:12,041+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) workerClassPath returned value 'org.ejbca.core.model.services.workers.CRLDownloadWorker'.
2025-12-14 07:07:12,041+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) New field value: org.ejbca.core.model.services.workers.CRLDownloadWorker
2025-12-14 07:07:12,041+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Modifying 'org.ejbca.core.model.services.ServiceConfiguration'...
2025-12-14 07:07:12,041+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Updated worker property: worker.caidstocheck
2025-12-14 07:07:12,041+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) New worker property value: 1
2025-12-14 07:07:12,041+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Modifying 'org.ejbca.core.model.services.ServiceConfiguration'...
2025-12-14 07:07:12,041+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Updated worker property: worker.maxDownloadSize
2025-12-14 07:07:12,041+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) New worker property value: 1048576
2025-12-14 07:07:12,041+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Modifying 'org.ejbca.core.model.services.ServiceConfiguration'...
2025-12-14 07:07:12,041+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Updated worker property: worker.ignoreNextUpdate
2025-12-14 07:07:12,041+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) New worker property value: true
---- SNIP ----
2025-12-14 07:07:12,083+0000 INFO [org.ejbca.ui.cli.service.ServiceCreateCommand] (main) Service created.
```
Expected Behavior
The CRL download worker should instead define PROP_IGNORE_NEXT_UPDATE and PROP_MAX_DOWNLOAD_SIZE to include the worker property prefix:
```java
public class CRLDownloadWorker extends BaseWorker {
    private static final Logger log = Logger.getLogger(CRLDownloadWorker.class);
    public static final String PROP_IGNORE_NEXT_UPDATE = "worker.ignoreNextUpdate";
    public static final String PROP_MAX_DOWNLOAD_SIZE = "worker.maxDownloadSize";
    public static final int DEFAULT_MAX_DOWNLOAD_SIZE = 1 * 1024 * 1024;
```
Product Deployment
- Deployment format: Docker container
- Version: 9.1.1
Additional Context
I encountered this issue attempting to automate the deployment of the EJBCA-CE docker container as a standalone VA, using the Ansible docker compose exec module to invoke the CLI utility to perform this service configuration.
For anyone else who finds themselves in snowe's footsteps, the current workaround involves querying the database, manipulating the XML blob, and updating the cell as follows:
```yaml
# Workaround for EJBCA CRL download service worker limitations
- name: Get MariaDB container facts
  community.docker.docker_container_info:
    name: mariadb
  register: mariadb_container

- name: Query service XML config from MariaDB
  community.mysql.mysql_query:
    login_host: "{{ mariadb_container.container.NetworkSettings.Networks['va_application-bridge'].IPAddress }}"
    login_db: ejbca
    login_user: ejbca
    login_password: "{{ lookup('ansible.builtin.env', 'VA_MARIADB_USER_PASSWORD') }}"
    query: "SELECT data from ServiceData WHERE name='CRLDownloadService'"
  register: crl_download_service_xml

- name: Set max download size in service XML config
  community.general.xml:
    xmlstring: "{{ crl_download_service_xml.query_result[0][0].data }}"
    xpath: '/java/object/void/object/void/string[text()="worker.caidstocheck"]//parent::void//parent::object'
    pretty_print: true
    add_children:
      - void:
          method: put
          _:
            - string: maxDownloadSize
            - string: "{{ 1048576 | string }}"
  register: updated_crl_download_service_xml

- name: Set ignore next update flag in service XML config
  community.general.xml:
    xmlstring: "{{ updated_crl_download_service_xml.xmlstring }}"
    xpath: '/java/object/void/object/void/string[text()="worker.caidstocheck"]//parent::void//parent::object'
    pretty_print: true
    add_children:
      - void:
          method: put
          _:
            - string: ignoreNextUpdate
            - string: 'true'
  register: updated_crl_download_service_xml

- name: Update service XML config in MariaDB
  community.mysql.mysql_query:
    login_host: "{{ mariadb_container.container.NetworkSettings.Networks['va_application-bridge'].IPAddress }}"
    login_db: ejbca
    login_user: ejbca
    login_password: "{{ lookup('ansible.builtin.env', 'VA_MARIADB_USER_PASSWORD') }}"
    query: "UPDATE ServiceData SET data='{{ updated_crl_download_service_xml.xmlstring | regex_replace(_regex, _replace) }}' WHERE name='CRLDownloadService'"
  vars:
    _regex: "'"
    _replace: "\\'"
  notify:
    - Restart EJBCA docker compose service
```
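
Added example (not part of the original issue and not EJBCA code): a Python check that reads a `ServiceData` XML blob and reports when `maxDownloadSize` or `ignoreNextUpdate` is stored only under the `worker.` prefix, the case the issue describes as silently ignored by the worker. The function names and the two sample blobs are constructed here, and it is an assumption that the CLI stores the prefixed keys verbatim in `WORKERPROPERTIES`.

```python
import xml.etree.ElementTree as ET

# Keys the page shows the web UI storing without a prefix (what the worker reads).
UNPREFIXED_KEYS = ("maxDownloadSize", "ignoreNextUpdate")
PREFIX = "worker."

def worker_properties(blob: str) -> dict:
    """Return the WORKERPROPERTIES java.util.Properties entries as a dict."""
    for put in ET.fromstring(blob).iter("void"):
        kv = list(put)
        if (put.get("method") == "put" and len(kv) == 2
                and kv[0].tag == "string" and kv[0].text == "WORKERPROPERTIES"
                and kv[1].get("class") == "java.util.Properties"):
            props = {}
            for inner in kv[1].findall("void"):
                pair = list(inner)
                if inner.get("method") == "put" and len(pair) == 2:
                    props[pair[0].text] = pair[1].text
            return props
    return {}

def audit(blob: str) -> list:
    """List settings the worker would not see in this service configuration."""
    props = worker_properties(blob)
    findings = []
    for key in UNPREFIXED_KEYS:
        if key in props:
            continue
        if PREFIX + key in props:
            findings.append(f"{PREFIX}{key}={props[PREFIX + key]} stored, worker reads '{key}'")
        else:
            findings.append(f"{key} not set")
    return findings

def sample_blob(props: dict) -> str:
    """Constructed sample shaped like the truncated blob shown in the issue."""
    puts = "".join(f'<void method="put"><string>{k}</string><string>{v}</string></void>'
                   for k, v in props.items())
    return ('<java version="17.0.12" class="java.beans.XMLDecoder">'
            '<object class="org.cesecore.util.Base64PutHashMap">'
            '<void method="put"><string>WORKERPROPERTIES</string>'
            f'<object class="java.util.Properties">{puts}</object></void></object></java>')

WEB_UI = sample_blob({"maxDownloadSize": "1048576", "worker.caidstocheck": "1",
                      "ignoreNextUpdate": "true"})
CLI_PREFIXED = sample_blob({"worker.caidstocheck": "1", "worker.maxDownloadSize": "1048576",
                            "worker.ignoreNextUpdate": "true"})

if __name__ == "__main__":
    for name, blob in (("web UI", WEB_UI), ("CLI with prefix", CLI_PREFIXED)):
        print(name, audit(blob) or "ok")
```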