Bug 1308752

Summary: Unable to configure KRA subsystem, failed with error "Error in creating admin user: java.io.IOException: Invalid Request"
Product: Red Hat Enterprise Linux 7
Component: pki-core
Version: 7.3
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Matthew Harmsen <mharmsen>
Assignee: Matthew Harmsen <mharmsen>
QA Contact: Asha Akkiangady <aakkiang>
CC: alee, awnuk, cfu, dennis, edewata, extras-orphan, extras-qa, gkapoor, jmagne, kwright, mharmsen, mniranja, nkinder, nsoman
Target Milestone: rc
Target Release: 7.3
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.3.1-1.el7
Doc Type: Bug Fix
Type: Bug
Clone Of: 1304609
Bug Depends On: 1304609
Last Closed: 2016-11-04 05:23:17 UTC

Description Matthew Harmsen 2016-02-15 23:22:03 UTC
+++ This bug was initially created as a clone of Bug #1304609 +++

Description of problem:
Unable to configure KRA subsystem in a separate Tomcat instance. Fails with error:

.fc23</Version></XMLResponse>
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... executing 'certutil -R -d /opt/Example1-RootKRA1/kra/alias -s cn=PKI Administrator,e=kraadmin,o=example.org Security Domain -k rsa -g 2048 -z /opt/Example1-RootKRA1/kra/alias/noise -f /opt/Example1-RootKRA1/kra/password.conf -o /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin'
pkispawn    : INFO     ....... rm -f /opt/Example1-RootKRA1/kra/alias/noise
pkispawn    : INFO     ....... BtoA /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin.asc
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error for url: https://pki1.example.org:14443/kra/rest/installer/configure
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Invalid Request"} 
pkispawn    : DEBUG    ....... Error Type: ParseError
pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err



Version-Release number of selected component (if applicable):
pki-ca-10.2.6-13.fc23.noarch
pki-kra-10.2.6-13.fc23.noarch
nss-3.21.0-1.1.fc23.x86_64


How reproducible:

Install and configure CA
Install and configure KRA using the config file below

<snip>
[DEFAULT]
pki_instance_name=Example1-RootKRA1
pki_https_port=14443
pki_http_port=14080

#NSS DB Token Password
pki_token_password=Secret123

#RootKRA Admin password
pki_admin_password=Secret123

#Security Domain
pki_hostname=pki1.example.org
pki_security_domain_hostname=pki1.example.org
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123

#Client Dir
pki_client_dir=/opt/Example1-RootKRA1
pki_client_pkcs12_password=Secret123
pki_client_database_password=Secret123

#Backup
pki_backup_keys=True
pki_backup_password=Secret123

#ldap
pki_ds_hostname=pki1.example.org
pki_ds_ldap_port=1901
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=Secret123

[Tomcat]
pki_ajp_port=14009
pki_tomcat_server_port=14005

[KRA]
pki_admin_nickname=PKI KRA Administrator for Example Org
pki_import_admin_cert=False

</snip>


Actual results:
pkispawn fails to configure KRA

Expected results:

pkispawn should successfully configure KRA


Additional info:
CA debug logs show this error while creating the KRA admin cert

[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: Start parsePKCS10(): MIICrDCCAZQCAQAwZzEkMCIGA1UEChMbZXhhbXBsZS5vcmcgU2VjdXJpdHkgRG9t%0DYWluMSMwIQYJKoZIhvcNAQkBFhRrcmFhZG1pbkBleGFtcGxlLm9yZzEaMBgGA1UE%0DAxMRUEtJIEFkbWluaXN0cmF0b3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK%0DAoIBAQDGssnRrEBAwi03tz7d1cjhzPQuiyrkU8Sb8RBs65fEiJfqzGWQDQHHnQj%2F%0Do8NCP3IZXGbL%2FUIyPhZVymiCBaGNOEHa0LxkhEIzYGNNs80VJMmti0zoqvEnNh%2Fq%0DxZWNOcXmb0S3I1gep0TD%2BbUFP3WonrGgaRbwsQJbvUtsZh5aOlBAcNykE6mV2cXd%0DmUWbHXsRIQn29RRxNqWp7j5oxKdeWY2MMnw63vNNNcZO%2FN%2FveiqyoXdumU2MyPt%2B%0DE1QnDaTEvEJHdfupWtPwROVEctNEchXRP4Z3mh09vPLpDZKXEVRDZ8eZIMHcJdGs%0DHUkkmpmS98AN%2FKOZtFWlP7lFZUXfAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA%0DAtV9uFxaU5PqdXVlmQcoR7wAcTACxMD%2B6KioXixOEuYVGXs%2Fh88UNCyH0wq89ETv%0D6fW8t%2FRdTIdDKqXNIM9gU17HqQbPAWLVyoPCmZLH0OjXh3d%2B3RpwIdXduUWAMax1%0Dwry2826%2BeHHCLqglEspym2Iv0LrKi2EXZvCNm6d5ZXxbnfYuJKJHCNhADrwXrlRs%0DX6LJtu4R%2FAq8FvjCiGqiuELy6T5NiTlWphSGBsfN7HIX5Iy3cAY8cvdQkrgn745y%0DVFTtlU%2BzflRZnCUe2okn%2FyjY0vR8NCfGLn3UT9W99Sau7fAEQX4PsbmFIkFKE8XT%0DikbCEi%2FxsKYeVVwZOmfNtw%3D%3D%0D
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10: signature verification enabled
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10: use internal token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 setting thread token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 java.io.IOException: DerInput.getLength(): lengthTag=25, too big.
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 restoring thread token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: ProfileSubmitServlet: error in processing request: Invalid Request
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: CMSServlet: curDate=Thu Feb 04 13:03:15 IST 2016 id=caProfileSubmit time=58

--- Additional comment from Nirupama Karandikar on 2016-02-04 02:33 EST ---



--- Additional comment from Nirupama Karandikar on 2016-02-04 02:34 EST ---



--- Additional comment from Nirupama Karandikar on 2016-02-04 02:35 EST ---



--- Additional comment from Matthew Harmsen on 2016-02-04 12:20:24 EST ---

These days, pki-kra is part of the pki-core SRPM.

--- Additional comment from Matthew Harmsen on 2016-02-04 12:23:42 EST ---

Upstream ticket:
https://fedorahosted.org/pki/ticket/1803

--- Additional comment from Nirupama Karandikar on 2016-02-05 01:05:33 EST ---

Hello,

Configuring the OCSP subsystem failed with the same error: "Error in creating admin user: java.io.IOException: Invalid Request"

<snip>
# pkispawn -s OCSP -f ocsp-inst.inf -vv
...
...
..
pkispawn    : DEBUG    ........... chown 0:0 /opt/Example1-RootOCSP/ocsp/alias
pkispawn    : INFO     ....... executing 'certutil -N -d /opt/Example1-RootOCSP/ocsp/alias -f /opt/Example1-RootOCSP/ocsp/password.conf'
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd'
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: HTTPSConnectionPool(host='pki1.example.org', port=18443): Max retries exceeded with url: /ocsp/admin/ocsp/getStatus (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7ff0680c8590>: Failed to establish a new connection: [Errno 111] Connection refused',))
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: HTTPSConnectionPool(host='pki1.example.org', port=18443): Max retries exceeded with url: /ocsp/admin/ocsp/getStatus (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7ff0680c8550>: Failed to establish a new connection: [Errno 111] Connection refused',))
pkispawn    : DEBUG    ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>OCSP</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse>
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... executing 'certutil -R -d /opt/Example1-RootOCSP/ocsp/alias -s cn=PKI Administrator,e=ocspadmin,o=example.org Security Domain -k rsa -g 2048 -z /opt/Example1-RootOCSP/ocsp/alias/noise -f /opt/Example1-RootOCSP/ocsp/password.conf -o /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin'
pkispawn    : INFO     ....... rm -f /opt/Example1-RootOCSP/ocsp/alias/noise
pkispawn    : INFO     ....... BtoA /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin.asc
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error for url: https://pki1.example.org:18443/ocsp/rest/installer/configure
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Invalid Request"} 
pkispawn    : DEBUG    ....... Error Type: ParseError
pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err


Installation failed.
</snip>

Hope this helps.
Niru
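
Added example (not part of the original report and not pkispawn's own code): a triage helper for the two failures in the logs above. It reads the server's message from an error body whether it arrives as JSON or XML, and reports whether a CSR value logged after "Start parsePKCS10():" still carries percent-encoding and decodes to a complete DER SEQUENCE. The function names, the <Message> element lookup and the short sample CSR are assumptions constructed for illustration.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

# Error body copied from the pkispawn log above.
JSON_BODY = ('{"Attributes":{"Attribute":[]},"ClassName":'
             '"com.netscape.certsrv.base.PKIException","Code":500,"Message":'
             '"Error in creating admin user: java.io.IOException: Invalid Request"}')

# Constructed sample: 5-byte DER SEQUENCE, base64 + CR, then percent-encoded.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE_LOGGED = quote(base64.b64encode(SAMPLE_DER).decode() + "\r", safe="")

def server_error_message(body):
    """Extract the server's message from a JSON or XML error body."""
    text = body.strip()
    if text.startswith("{"):
        try:
            return json.loads(text).get("Message")
        except ValueError:
            return None
    try:
        # Assumption: the XML form carries the text in a <Message> element.
        return ET.fromstring(text).findtext(".//Message")
    except ET.ParseError:
        return None

def der_is_complete(der):
    """True if der is one SEQUENCE whose length field matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F                       # long form: n length octets follow
    return (n > 0 and len(der) >= 2 + n
            and 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der))

def inspect_logged_csr(value):
    """Report whether a logged CSR is percent-encoded and decodes to DER."""
    encoded = re.search(r"%[0-9A-Fa-f]{2}", value) is not None
    b64 = "".join(unquote(value).split())   # drop CR/LF left after decoding
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError:
        der = b""
    return {"percent_encoded": encoded, "valid_der": der_is_complete(der)}
```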

Comment 1 Matthew Harmsen 2016-04-15 21:38:59 UTC
edewata fixed in master:
* baa64ee50a0d3c851cea791e01ce80de9edb040c

Comment 3 Geetika Kapoor 2016-08-16 13:21:38 UTC
Unable to reproduce this issue.

Comment 5 errata-xmlrpc 2016-11-04 05:23:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html