| Summary: | ExternalCA: pki cli doesn't detect third party issued certs while it works with browser | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Geetika Kapoor <gkapoor> |
| Component: | pki-core | Assignee: | Endi Sukma Dewata <edewata> |
| Status: | CLOSED UPSTREAM | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 8.3 | CC: | ascheel, edewata, gkapoor, mharmsen, nkinder |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-02-10 04:06:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Geetika Kapoor
2016-09-28 07:13:17 UTC
Upstream ticket: https://fedorahosted.org/pki/ticket/2489

Geetika, Could you try importing the external CA certificate into the client's NSS database? It's possible the external CA certificate was already imported into the browser in a previous test.

Hello Endi,
I have tried cert export and it didn't work out. Not sure if I am missing something. Please have a look:
1. [root@pki1 ~]# pki-server ca-cert-chain-export -i TestExternal_master --pkcs12-file cert.p12 --pkcs12-password Secret123
---------------
Export complete
---------------
------------------------------------------------------------
Deleted certificate "subsystemCert cert-TestExternal_master"
------------------------------------------------------------
2. [root@pki1 ~]# pk12util -i cert.p12 -d /tmp/ex
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@pki1 ~]# certutil -L -d /tmp/ex
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert External CA ,,
caSigningCert cert-TestExternal_master CA ,,
3. [root@pki1 ~]# pk12util -i /root/.dogtag/TestExternal_master/ca_admin_cert.p12 -d /tmp/ex
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
You have new mail in /var/spool/mail/root
[root@pki1 ~]# certutil -L -d /tmp/ex
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert External CA ,,
caadmin u,u,u
caSigningCert cert-TestExternal_master CA ,,
4. [root@pki1 ~]# pki -d /tmp/ex -c Secret123 -h pki1.example.com -p 25144 -n "caadmin" cert-request-review 8 --action=approve
ERROR: UNKNOWN_ISSUER encountered on 'CN=pki1.example.com,OU=TestExternal_master,O=EXAMPLE' results in a denied SSL server cert!
IOException: SocketException cannot write on socket

Geetika, The CA certificates do not seem to be trusted yet. Could you set the trust attributes for both CA certificates to "CT,C,C"?

[root@pki1 ~]# certutil -L -d /tmp/ex
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caadmin u,u,u
caSigningCert External CA CT,C,C
caSigningCert cert-TestExternal_master CA CT,C,C
[root@pki1 ~]# pki -v -d /tmp/ex -c Secret123 -h pki1.example.com -p 25144 -n "caadmin" cert-request-review 8 --action=approve
PKI options: -v -d /tmp/ex -c Secret123
PKI command: pki1.example.com -h pki1.example.com -p 25144 -n caadmin cert-request-review 8 --action=approve
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /tmp/ex -c Secret123 --verbose -h pki1.example.com -p 25144 -n caadmin cert-request-review 8 --action=approve
Server URI: http://pki1.example.com:25144
Client security database: /tmp/ex
Message format: null
Command: cert-request-review 8 --action=approve
Initializing client security database
Logging into security token
Module: cert
HTTP request: GET /ca/rest/account/login HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: pki1.example.com:25144
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 05:30:00 IST
Location: https://pki1.example.com:25142/ca/rest/account/login
Content-Length: 0
Date: Tue, 04 Oct 2016 22:43:48 GMT
HTTP redirect: https://pki1.example.com:25142/ca/rest/account/login
Client certificate: caadmin
HTTP request: GET /ca/rest/account/login HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: pki1.example.com:25142
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=pki1.example.com,OU=TestExternal_master,O=EXAMPLE
java.io.IOException: SocketException cannot write on socket
at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1099)
at org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:56)
at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:147)
at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:154)
at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:278)
at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:283)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:175)
at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:260)
at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125)
at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:715)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:520)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62)
at com.sun.proxy.$Proxy23.login(Unknown Source)
at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:45)
at com.netscape.cmstools.cli.ProxyCLI.execute(ProxyCLI.java:116)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:562)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:574)
ERROR: Command '[u'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', u'-Djava.ext.dirs=/usr/share/pki/lib', u'-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '/tmp/ex', '-c', 'Secret123', '--verbose', '-h', 'pki1.example.com', '-p', '25144', '-n', 'caadmin', 'cert-request-review', '8', '--action=approve']' returned non-zero exit status 255

Geetika, I was not able to reproduce the problem. Here's what I did:
1. Install CA with externally-signed CA certificate.
2. pki -c Secret123 client-init
3. pki -c Secret123 pkcs12-import --pkcs12-file ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password Secret123
4. pki -c Secret123 -n caadmin ca-user-find
In step #4 the CLI will ask whether to import the CA certificate (including the external CA). Once the certificate chain is imported, the command works just fine. Could you try the same steps?

Endi, I think the same issue we are seeing with https://bugzilla.redhat.com/show_bug.cgi?id=1381084. Basically, do you think the place where we need to sign a certificate using ExternalCA is where we saw this issue, as it is not able to trust since that chain of ROOTCA cert is not there in nssdb with correct trust flags? However, it works with the workaround.

Per discussion with alee we're going to include the certificate chain in the PKCS #12 file so it's no longer necessary to import the certificate chain separately to the client database. This is not a blocker since the certificate chain can still be imported separately.

[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6

Per RHEL 7.5.z/7.6/8.0 Triage: 7.6 edewata: usability improvement

Moved to RHEL 7.7.

This ticket has been moved upstream: https://pagure.io/dogtagpki/issue/3118
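The root cause discussed in this thread is an NSS database where the CA chain is present but carries empty trust attributes (",,"), so the pki CLI rejects the server certificate with UNKNOWN_ISSUER until the CA entries are raised to "CT,C,C". The following is an added example, not code from the bug report or the pki project: a POSIX shell check that parses a `certutil -L` listing (the sample is constructed to mirror the report's output) and prints the `certutil -M` commands that would fix each untrusted CA entry; the `/tmp/ex` database path is taken from the report and the nickname heuristics are an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report or the pki project): parse the output
# of `certutil -L -d <nssdb>` and list CA certificates that sit in the database
# without the "C" (trusted CA) flag in the SSL column. That is the state shown
# in the report: the chain is imported (",,") but the pki CLI still fails with
# UNKNOWN_ISSUER until the trust is raised to "CT,C,C".

# Constructed sample mirroring the listing in the report before the fix.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert External CA                                    ,,
caadmin                                                      u,u,u
caSigningCert cert-TestExternal_master CA                    ,,'

# untrusted_cas LISTING: print the nickname of every entry that looks like a CA
# signing certificate (assumed heuristic: "caSigningCert..." or "... CA") but
# whose SSL trust field does not contain "C".
untrusted_cas() {
    printf '%s\n' "$1" | awk '
        NR <= 2 || NF == 0 { next }      # skip the two header lines and blanks
        {
            trust = $NF                  # trust attributes are the last field
            nick = $0
            sub(/[ \t]+[^ \t]+$/, "", nick)   # nickname = line minus the last field
            split(trust, t, ",")         # t[1]=SSL  t[2]=S/MIME  t[3]=JAR/XPI
            if ((nick ~ /^caSigningCert/ || nick ~ / CA$/) && index(t[1], "C") == 0)
                print nick
        }'
}

# trust_fix_commands LISTING DBDIR: emit (do not run) the certutil -M command
# that would mark each untrusted CA as a trusted CA in DBDIR.
trust_fix_commands() {
    untrusted_cas "$1" | while IFS= read -r nick; do
        printf 'certutil -M -d %s -n "%s" -t "CT,C,C"\n' "$2" "$nick"
    done
}

# Stand-alone run: show what would need fixing for the sample listing.
trust_fix_commands "$SAMPLE_LISTING" /tmp/ex
```

Feed it real output with `untrusted_cas "$(certutil -L -d /tmp/ex)"`; an empty result means every CA entry already carries the C flag in the SSL column.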
Geetika, I was not able to reproduce the problem. Here's what I did: 1. Install CA with externally-signed CA certificate. 2. pki -c Secret123 client-init 3. pki -c Secret123 pkcs12-import --pkcs12-file ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password Secret123 4. pki -c Secret123 -n caadmin ca-user-find In step #4 the CLI will ask whether to import the CA certificate (including the external CA). Once the certificate chain is imported, the command works just fine. Could you try the same steps? Endi, I think the same issue we are seeing with https://bugzilla.redhat.com/show_bug.cgi?id=1381084 Basically do you think the place where we need to sign certificate using ExternalCA we saw this issue as it is not able to trust as that chain of ROOTCA cert is not there in nssdb with correct trust flags. However, it works with the workaround. Per discussion with alee we're going to include the certificate chain in the PKCS #12 file so it's no longer necessary to import the certificate chain separately to the client database. This is not a blocker since the certificate chain can still be imported separately. [20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6 Per RHEL 7.5.z/7.6/8.0 Triage: 7.6 edewata: usability improvement Moved to RHEL 7.7. This ticket has been moved upstream: https://pagure.io/dogtagpki/issue/3118 |