Bug 1378275
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | two-step externally-signed CA installation fails due to missing AuthorityID | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Fraser Tweedale <ftweedal> |
| Component: | pki-core | Assignee: | Fraser Tweedale <ftweedal> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | urgent | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | urgent | | |
| Version: | 7.3 | CC: | arubin, ekeck, ftweedal, gkapoor, mharmsen, nkinder |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | 7.3 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | pki-core-10.4.0-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | Certificate System does not start a Lightweight CA key replication during installation. Previously, Certificate System incorrectly started a Lightweight CA key replication during a two-step installation. As a consequence, the installation failed and an error was displayed. With this update, the two-step installation does not start the Lightweight CA key replication and the installation completes successfully. | | |
| Story Points: | --- | | |
| Clone Of: | | | |
| | 1390321 | Environment: | |
| Last Closed: | 2017-08-01 22:46:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1390321 | | |
Moving from rhel-7.3.0 ==> rhel-7.4.0.

Bug has been marked as RHEL 7.3 ZStream candidate.

*** Bug 1378517 has been marked as a duplicate of this bug. ***

On September 23, 2016, ftweedal checked-in the following:
* master (3ea93c9b4bc03f3d79550d8bdfd1447ffa25238d)
* DOGTAG_10_3_BRANCH (fca5fd053434d112998c814bc6d9424b6a5bac98)

Hi Fraser, do you think this much testing is sufficient, or do I need to cover some other test case too?
Thanks
ExternalCA:
Using another pki instance:
---------------------------
1. CSR is generated using the step-1 installation.
-- Attributes:
Requested Extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
2. Sign the request using the RootCA (pki).
Test steps:
-----------
2.1. pki -U http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080 ca-cert-request-submit --profile caCACert --csr-file /tmp/ca_signing.csr
2.2. Approve it from the CA Agent page.
2.3. Signed certificate extensions: the AKI of the externally signed certificate == the SKI of the signing CA.
The SKI of the externally signed CA should be new and unique.
Extensions:
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
88:4D:23:18
Identifier: Subject Key Identifier - 2.5.29.14
Critical: no
Key Identifier:
3B:EB:A1:26:93:ED:D6:81:16:68:BB:AC:15:15:88:9A:
97:EA:B4:87
Identifier: Basic Constraints - 2.5.29.19
Critical: yes
Is CA: yes
Path Length Constraint: UNLIMITED
Identifier: Key Usage: - 2.5.29.15
Critical: yes
Key Usage:
Digital Signature
Non Repudiation
Key CertSign
Crl Sign
Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
Critical: no
Access Description:
Method #0: ocsp
Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca/ocsp
2.4. Signing CA certificate extensions: since this is the RootCA, its SKI == AKI.
Extensions:
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
88:4D:23:18
Identifier: Basic Constraints - 2.5.29.19
Critical: yes
Is CA: yes
Path Length Constraint: UNLIMITED
Identifier: Key Usage: - 2.5.29.15
Critical: yes
Key Usage:
Digital Signature
Non Repudiation
Key CertSign
Crl Sign
Identifier: Subject Key Identifier - 2.5.29.14
Critical: no
Key Identifier:
0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
88:4D:23:18
Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
Critical: no
Access Description:
Method #0: ocsp
Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca/ocsp
3. Perform the last step, where we need to do the External CA installation.
pkispawn -f ca_2.cfg -s CA -vvv
This should give a successful installation.
4. Stop the ExternalCA process. Change the cipher and restart.
5. Make sure you are able to sign a certificate.
==========================================================================================================================================
ExternalCA with nssdb:
SECret.123
SECret.456
1. Self-signed ExternalCA certificate from the nssdb (external.crt) with no SKI:
Use of an SKI is optional in the case of a self-signed certificate.
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage:
Certificate Sign
2. CA signing certificate signed by external.crt
X509v3 extensions:
Authority Information Access:
OCSP - URI:http://pki1.example.com:8080/ca/ocsp
X509v3 Subject Key Identifier:
9C:56:A5:59:82:99:BE:2E:BF:6A:64:BF:67:1F:18:36:43:F3:12:8F
X509v3 Authority Key Identifier:
0.
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
3. Proceed with the step-2 installation.
User signed certificate extensions:
Extensions:
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
9C:56:A5:59:82:99:BE:2E:BF:6A:64:BF:67:1F:18:36:
43:F3:12:8F
Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
Critical: no
Access Description:
Method #0: ocsp
Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:27080/ca/ocsp
Identifier: Key Usage: - 2.5.29.15
Critical: yes
Key Usage:
Digital Signature
Non Repudiation
Key Encipherment
Identifier: Extended Key Usage: - 2.5.29.37
Critical: no
Extended Key Usage:
1.3.6.1.5.5.7.3.2
1.3.6.1.5.5.7.3.4
==================================================================================================================================
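The manual inspection in the two test runs above (AKI of the externally signed CA cert equals the signing CA's SKI, the new SKI is unique, Basic Constraints CA:TRUE and critical, Key Usage permits certificate and CRL signing, and a self-signed external root that omits its SKI) can be scripted as a pre-flight check before the step-2 pkispawn run. The script below is an added example, not part of this bug report and not pki-core code. It uses the `cryptography` package; the RSA keys, the "Example Domain" / "Root CA" / "External Root" names and the four scenarios are constructed for the demonstration and are not from the test environment.

```python
# Added example (not pki-core code): pre-flight checks on an externally signed CA
# signing certificate before the pkispawn step-2 install. Needs the `cryptography`
# package; keys, names and scenarios below are constructed for the demo (RSA only).
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def _ext(cert, oid):
    """Return the extension with this OID, or None if the cert lacks it."""
    try:
        return cert.extensions.get_extension_for_oid(oid)
    except x509.ExtensionNotFound:
        return None


def check_signed_ca_cert(cert, issuer):
    """Return the problems found; an empty list means the cert looks usable."""
    problems = []
    # The signing CA must really have issued it: name chaining plus signature.
    if cert.issuer != issuer.subject:
        problems.append("issuer DN does not match the signing CA subject")
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        problems.append("signature does not verify with the signing CA key")
    # Critical Basic Constraints CA:TRUE, and Key Usage allowing cert/CRL signing.
    bc = _ext(cert, ExtensionOID.BASIC_CONSTRAINTS)
    if bc is None or not bc.value.ca:
        problems.append("Basic Constraints missing or CA:FALSE")
    elif not bc.critical:
        problems.append("Basic Constraints is not marked critical")
    ku = _ext(cert, ExtensionOID.KEY_USAGE)
    if ku is None or not (ku.value.key_cert_sign and ku.value.crl_sign):
        problems.append("Key Usage must include Certificate Sign and CRL Sign")
    # Key identifiers: AKI must equal the signing CA's SKI, own SKI must be fresh.
    ski = _ext(cert, ExtensionOID.SUBJECT_KEY_IDENTIFIER)
    aki = _ext(cert, ExtensionOID.AUTHORITY_KEY_IDENTIFIER)
    issuer_ski = _ext(issuer, ExtensionOID.SUBJECT_KEY_IDENTIFIER)
    if ski is None:
        problems.append("signed CA cert has no Subject Key Identifier")
    if issuer_ski is not None:  # a self-signed root may omit its SKI; then skip
        if aki is None or aki.value.key_identifier != issuer_ski.value.digest:
            problems.append("AKI key identifier does not match the signing CA SKI")
        if ski is not None and ski.value.digest == issuer_ski.value.digest:
            problems.append("SKI is not unique: it equals the signing CA SKI")
    return problems


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Domain"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _ca_cert(cn, key, signer_key, issuer_name, ski=True, aki_from=None):
    """Build a CA cert like the ones in the test output; ski may be True (derive),
    False (omit) or a SubjectKeyIdentifier to reuse (simulates a non-unique SKI)."""
    now = datetime.now(timezone.utc)
    ku = x509.KeyUsage(digital_signature=True, content_commitment=True,
                       key_encipherment=False, data_encipherment=False, key_agreement=False,
                       key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False)
    b = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(issuer_name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(minutes=5)).not_valid_after(now + timedelta(days=3650))
         .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
         .add_extension(ku, critical=True))
    if ski is True:
        ski = x509.SubjectKeyIdentifier.from_public_key(key.public_key())
    if ski:
        b = b.add_extension(ski, critical=False)
    if aki_from is not None:
        b = b.add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(aki_from),
                            critical=False)
    return b.sign(signer_key, hashes.SHA256())


def build_scenarios():
    """Constructed (cert, signing CA) pairs mirroring the two test runs above."""
    root_key, ext_key, ca_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = _ca_cert("Root CA", root_key, root_key, _name("Root CA"))  # pki RootCA with SKI
    root_ski = _ext(root, ExtensionOID.SUBJECT_KEY_IDENTIFIER).value
    good = _ca_cert("CA Signing Certificate", ca_key, root_key, root.subject, aki_from=root_ski)
    ext_root = _ca_cert("External Root", ext_key, ext_key, _name("External Root"), ski=False)
    no_aki = _ca_cert("CA Signing Certificate", ca_key, ext_key, ext_root.subject)  # nssdb case
    dup_ski = _ca_cert("CA Signing Certificate", ca_key, root_key, root.subject,
                       ski=root_ski, aki_from=root_ski)
    return {"pki_rootca": (good, root), "nssdb_root_no_ski": (no_aki, ext_root),
            "duplicate_ski": (dup_ski, root), "wrong_issuer": (no_aki, root)}


def run():
    return {name: check_signed_ca_cert(c, i) for name, (c, i) in build_scenarios().items()}


if __name__ == "__main__":
    for name, problems in run().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

To use it against a real step-1 CSR signed by an external CA, load the signed cert and the signing CA cert with `x509.load_pem_x509_certificate` and pass them to `check_signed_ca_cert` in that order; a non-empty result is a reason to fix the external CA's profile before running `pkispawn` for step 2. The signature check assumes RSA with PKCS#1 v1.5, which is what the certificates in the test output use; an ECDSA signing CA would need the corresponding `verify` call.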
Any two-step externally-signed CA installation is sufficient to trigger the bug, so the above is sufficient.

Moving bug to verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110
Description of problem:

During two-step installation of externally-signed CA, installation can fail because host authority's private key cannot be located (a temporary condition), causing LWCA key replication codepaths to fire, which throw a NullPointerException because the host authority has not yet been assigned an AuthorityID.

Version-Release number of selected component (if applicable):

How reproducible:
Always?

Steps to Reproduce:
1. install CA using two-step externally-signed process

Actual results:
Installation fails with following output:
======================
Log file: /var/log/pki/pki-ca-spawn.20160921163609.log
Loading deployment configuration from external-step2.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
Installation failed: HTTP Status 500 - java.lang.NullPointerException (Apache Tomcat/8.0.36 error report)
type: Exception report
message: java.lang.NullPointerException
description: The server encountered an internal error that prevented it from fulfilling this request.
exception:
org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
    org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
    ...
root cause:
java.lang.NullPointerException
    java.util.TreeMap.getEntry(TreeMap.java:347)
    java.util.TreeMap.containsKey(TreeMap.java:232)
    java.util.Collections$SynchronizedMap.containsKey(Collections.java:2578)
    com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1572)
    com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:525)
    com.netscape.cmscore.apps.CMSEngine.reinit(CMSEngine.java:1344)
    com.netscape.certsrv.apps.CMS.reinit(CMS.java:191)
    com.netscape.cms.servlet.csadmin.ConfigurationUtils.reInitSubsystem(ConfigurationUtils.java:2299)
    org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:181)
    org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:121)
    ...
note: The full stack trace of the root cause is available in the Apache Tomcat/8.0.36 logs.
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
======================

Expected results:
installation succeeds

Additional info: