The following provides troubleshooting tips to help you get back on track and includes solutions or workarounds for common errors.

Debug Logging

To troubleshoot unexpected behavior in SignServer, enable more detailed (debug) logging by running the following command in the JBoss CLI:

  1. Start JBoss CLI:

    APPSRV_HOME/bin/ -c
  2. Run the following commands to enable DEBUG logging:

    /subsystem=logging/logger=org.ejbca:write-attribute(name=level, value=DEBUG)
    /subsystem=logging/logger=org.cesecore:write-attribute(name=level, value=DEBUG)
    /subsystem=logging/logger=org.signserver:write-attribute(name=level, value=DEBUG)

General Issues

Transaction rolled back error

A transaction timeout can occur for requests that are taking longer time to finish than what is configured for database transactions in the application server.

Example of errors displayed in the log:

13:21:17,483 ERROR [] (http-/ JBAS014134: EJB Invocation failed on component ProcessSessionBean for method public abstract org.signserver.ejb.interfaces.ProcessSessionLocal.process(org.signserver.server.log.AdminInfo,org.signserver.common.WorkerIdentifier,,org.signserver.common.RequestContext) throws org.signserver.common.IllegalRequestException,org.signserver.common.CryptoTokenOfflineException,org.signserver.common.SignServerException: javax.ejb.EJBTransactionRolledbackException: Transaction rolled back
Caused by: javax.transaction.RollbackException: JBAS014585: Transaction 'TransactionImple < ac, BasicAction: 0:ffff7f000001:672b819:5911a12e:f8 status: ActionStatus.ABORTED >' was already rolled back
    at [jboss-as-ejb3-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
    ... 100 more

Possible reasons include large file uploads and/or downloads, and/or slow network connections, slow HSM connection or HSM, or that contacting external servers takes a long time (CRL/OCSP fetching or time-stamping etc).


  • Since database transactions are not required if the worker is not configured to access the database, disabling the key usage counter, and not using any archivers will resolve this issue. For more information, see Limiting the number of signatures and Archiving.
  • Alternatively, if the key usage counter or an Archiver must be used, reconfigure the application server with a higher value for the transaction timeout. For more information, see Limiting the number of signatures and Archiving.


When attempting to log into a Luna HSM, the HSM may require a PIN code from an external PIN pad. If you subsequently try to log in via an application, you might encounter a misleading exception.

ERROR [org.signserver.server.cryptotokens.PKCS11CryptoToken] (default task-2) Activate failed: Failed to initialize PKCS11 provider slot 'CAAUTHDEV'.: load failed: CKR_PIN_INCORRECT

A workaround we've seen could be to set ProtectedAuthenticationPathFlagStatus = 1 in the config file of the HSM

SQLFeatureNotSupportedException with PostgreSQL

When running SignServer with certain versions of PostgreSQL, an SQLFeatureNotSupportedException can occur on any database insert. By disabling the L2 and query cache you can forgo this issue. See Deploy-time Configuration.

P11NG / JackNJI11


There can be a conflict between the JNA implementation in SignServer and the one installed in the system. This can be seen as errors similar to the following:

  • java.lang.UnsatisfiedLinkError: com.sun.jna.Native.malloc(J)J
  • java.lang.UnsatisfiedLinkError: Can't obtain static newInstance method for class com.sun.jna.Structure

The solution is to remove JNA from the system (i.e. apt-get remove libjna-java) or to run Java with:



If a USER_NOT_LOGGED_IN error is encountered while using the Utimaco HSM, the solution is to enable the KeepAlive setting in the Utimaco configuration file cs_pkcs11_R2.cfg:

# Prevents expiring session after inactivity of 15 minutes
KeepAlive = true

SunPKCS11 / PKCS11CryptoToken and Java 17

The PKCS11CryptoToken does not work on Java 17 unless the Java process that runs the application server is passed the JAVA_OPTS parameter  "--add-exports=jdk.crypto.cryptoki/".

When using the PKCS11CryptoToken an error similar to the following may be logged:

19:54:50,047 ERROR [com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapper] (default task-1) Method was not accessible, this may be due to a change in the underlying library.: java.lang.IllegalAccessException: class com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapper cannot access class (in module jdk.crypto.cryptoki) because module jdk.crypto.cryptoki does not export to unnamed module @64dbc7bd

SunPKCS11 / PKCS11CryptoToken and certain Java 17 versions

Certain Java 17 versions/builds attempt to call C_GetInfo before the call C_Initialize, resulting in many HSM drivers responding with CKR_CRYPTOKI_NOT_INITIALIZED.The issue has been observed with OpenJDK 17 version Red_Hat- and switching to a different Java version/build is the only known solution.

 12:30:33,581 ERROR [stderr] (default task-1) sunpkcs11: Initializing PKCS#11 library /opt/ETcpsdk/lib/linux-x86_64/
12:30:33,582 ERROR [stderr] (default task-1) sunpkcs11: Multi-threaded initialization failed: CKR_CRYPTOKI_NOT_INITIALIZED
12:30:33,582 ERROR [com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapper] (default task-1) Wrong arguments were passed to threw an exception for log.error(msg, e): java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(
	at java.base/java.lang.reflect.Method.invoke(
	at deployment.signserver.ear//com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapper.<init>(
	at deployment.signserver.ear//com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapperFactory.getInstance(
	at deployment.signserver.ear//com.keyfactor.util.keys.token.pkcs11.SunP11SlotListWrapperFactory.getInstance(
	at deployment.signserver.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getSlotListWrapper(
	at deployment.signserver.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getProvider(
	at deployment.signserver.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getP11Provider(
	at deployment.signserver.ear//com.keyfactor.util.keys.token.pkcs11.Pkcs11SlotLabel.getP11Provider(
	at deployment.signserver.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.<init>(
	at deployment.signserver.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.getInstance(
	at deployment.signserver.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.getInstance(
	at deployment.signserver.ear//com.keyfactor.util.keys.token.pkcs11.P11Slot.getInstance(
	at deployment.signserver.ear//org.cesecore.keys.token.PKCS11CryptoToken.delayedInit(
	at deployment.signserver.ear//org.cesecore.keys.token.PKCS11CryptoToken.getP11slotWithDelayedInit(
	at deployment.signserver.ear//org.cesecore.keys.token.PKCS11CryptoToken.activate(
	at deployment.signserver.ear//com.keyfactor.util.keys.token.BaseCryptoToken.autoActivate(
	at deployment.signserver.ear//com.keyfactor.util.keys.token.BaseCryptoToken.getKeyStore(
	at deployment.signserver.ear//com.keyfactor.util.keys.token.BaseCryptoToken.getTokenStatus(
	at deployment.signserver.ear//org.signserver.server.cryptotokens.PKCS11CryptoToken.getCryptoTokenStatus(
	at deployment.signserver.ear//org.signserver.server.signers.BaseSigner.isCryptoTokenActive(
	at deployment.signserver.ear//org.signserver.server.signers.BaseSigner.getStatus(
	at deployment.signserver.ear//org.signserver.server.signers.CryptoWorker.getStatus(
	at deployment.signserver.ear.SignServer-ejb.jar//org.signserver.ejb.WorkerSessionBean.getStatus(
	at org.jboss.xnio@3.8.7.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$
	at java.base/
	at jdk.crypto.cryptoki/ Method)
	at jdk.crypto.cryptoki/$SynchronizedPKCS11.C_GetInfo(
	at jdk.crypto.cryptoki/<init>(
	at jdk.crypto.cryptoki/$SynchronizedPKCS11.<init>(
	at jdk.crypto.cryptoki/
	at jdk.crypto.cryptoki/
	... 248 more


Cannot Produce CertificateVerify Signature

When using SignClient using a PKCS 11 token (e.g. a smart-card reader) for authenticating in some cases (e.g. both server and client running on Java 11) a cipher-suit-related error can occur:

ERROR [HTTPDocumentSigner] Failed sending request: Cannot produce CertificateVerify signature

As a workaround, SignClient can be forced to fall back to using TLS version 1.2 (as shown in the commented-out sample in script bin/signclient, a similar example is also present in the Windows batch file bin/signclient.cmd)

# In some cases, running SignClient authenticating with a P11 token
# (e.g. a smartcard reader) could give cipher-suit errors,
# In these cases, a workaround is to force the use of TLS version 1.2
JAVA_OPTS="$JAVA_OPTS  -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2"