Bug 1535313

Summary: Not able to import certificate on secure port.
Product: Red Hat Enterprise Linux 8
Reporter: Amol K <akahat>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Priority: unspecified
Version: 8.2
CC: aakkiang, edewata, gkapoor, gswami, mharmsen
Target Milestone: rc
Flags: gkapoor: needinfo-
Target Release: 8.2
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.6-8020020200210191644.c7c3114f
Last Closed: 2020-04-28 15:45:17 UTC
Type: Bug

Description Amol K 2018-01-17 06:16:22 UTC
Description of problem:

client-cert-import using the secure port failed.


Version-Release number of selected component (if applicable):
10.5.1-5.el7


How reproducible:
Always

Steps to Reproduce:
1. [root@pki1 ~]# pki -d /root/nssdb/ -c Secret123 -p 20443 -P https -n "PKI CA Administrator for Example.Org" -v client-cert-import --serial 0x8a15e89 testuser1
Server URI: https://pki1.example.com:20443
Client security database: /root/nssdb
Message format: null
Command: client-cert-import --serial 0x8a15e89 testuser1
Module: client
Module: cert-import
Importing certificate 0x8a15e89 from https://pki1.example.com:20443.
java.lang.Error: Certificate database not initialized.
	at com.netscape.certsrv.client.PKIConnection$JSSProtocolSocketFactory.connectSocket(PKIConnection.java:320)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
	at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
	at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62)
	at com.sun.proxy.$Proxy40.getCert(Unknown Source)
	at com.netscape.certsrv.ca.CACertClient.getCert(CACertClient.java:66)
	at com.netscape.cmstools.client.ClientCertImportCLI.execute(ClientCertImportCLI.java:280)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:631)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:667)
Caused by: org.mozilla.jss.CryptoManager$NotInitializedException
	at org.mozilla.jss.CryptoManager.getInstance(CryptoManager.java:839)
	at com.netscape.certsrv.client.PKIConnection$JSSProtocolSocketFactory.connectSocket(PKIConnection.java:317)
	... 17 more
[root@pki1 ~]# 

Actual results:
Throws an error.

Expected results:
It should import the certificate from the server using the secure port.

Additional info:

The client database exists.
```
[root@pki1 ~]# pki -d /root/nssdb/ -c Secret123 client-cert-find 
----------------------
4 certificate(s) found
----------------------
  Serial Number: 0x83cadee
  Nickname: CA Signing Certificate - topology-02_Foobarmaster.org
  Subject DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org

  Serial Number: 0xd82866a
  Nickname: PKI KRA Administrator for Example.Org
  Subject DN: CN=PKI Administrator,E=kraadmin,OU=topology-02-KRA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org

  Serial Number: 0x526dc29
  Nickname: CA_AdminR
  Subject DN: UID=CA_AdminR,CN=CA_AdminR,OU=topology-02-CA,O=topology-02-CA
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org

  Serial Number: 0x836e167
  Nickname: PKI CA Administrator for Example.Org
  Subject DN: CN=PKI Administrator,E=caadmin,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
----------------------------
Number of entries returned 4
----------------------------
```

Comment 2 Matthew Harmsen 2018-01-18 19:56:04 UTC
Per the PKI Team Meeting of 2018-01-18, moving to RHEL 7.6.

Comment 3 Matthew Harmsen 2018-07-04 00:33:36 UTC
Moved to RHEL 7.7.

Comment 4 Endi Sukma Dewata 2020-02-10 05:38:00 UTC
It's not clear when the issue was fixed, but it
seems to be working in PKI 10.8 (RHEL 8.2).

Comment 6 Geetika Kapoor 2020-02-15 05:32:06 UTC
Done Endi.

Comment 9 Endi Sukma Dewata 2020-02-15 05:51:02 UTC
Thanks Geetika!

Comment 10 Gaurav Swami 2020-02-20 09:24:28 UTC
Tested Version:

-------------------------------
[root@pki1 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.8.2
Release     : 1.module+el8.2.0+5758+57f3761f
Architecture: noarch
Install Date: Wed 19 Feb 2020 04:39:43 AM EST
Group       : Unspecified
Size        : 2641321
License     : GPLv2 and LGPLv2
Signature   : RSA/SHA256, Mon 17 Feb 2020 03:17:05 AM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.8.2-1.module+el8.2.0+5758+57f3761f.src.rpm
Build Date  : Mon 17 Feb 2020 01:36:04 AM EST
Build Host  : arm64-036.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.dogtagpki.org/
Summary     : PKI CA Package
------------------------------------


Case 1:
==========
----------------------------------------
[root@pki1 ~]# pki-server status topology-02-CA
  Instance ID: topology-02-CA
  Active: True
  Unsecure Port: 20080
  Secure Port: 20443
  Tomcat Port: 20005

  CA Subsystem:
    Type:                Root CA (Security Domain)
    SD Registration URL: https://pki1.example.com:20443
    Enabled:             True
    Unsecure URL:        http://pki1.example.com:20080/ca/ee/ca
    Secure Agent URL:    https://pki1.example.com:20443/ca/agent/ca
    Secure EE URL:       https://pki1.example.com:20443/ca/ee/ca
    Secure Admin URL:    https://pki1.example.com:20443/ca/services
    PKI Console URL:     https://pki1.example.com:20443/ca
--------------------------------


--------------------------------
[root@pki1 ~]#  pki -v -d /tmp/testdb -c SECret.123 -P https -p 20443 client-cert-import testuser  --serial 0x31
INFO: PKI options: -v -d /tmp/testdb -c SECret.123
INFO: PKI command: https -P https -p 20443 client-cert-import testuser --serial 0x31
INFO: Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -cp /usr/share/pki/lib/* -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /tmp/testdb -c SECret.123 -v -P https -p 20443 client-cert-import testuser --serial 0x31
INFO: Server URL: https://pki1.example.com:20443
INFO: NSS database: /tmp/testdb
INFO: Message format: null
INFO: Command: client-cert-import testuser --serial 0x31
INFO: Module: client
INFO: Module: cert-import
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
INFO: Importing certificate 0x31 from https://pki1.example.com:20443
INFO: HTTP request: GET /ca/rest/certs/49 HTTP/1.1
INFO:   Accept: application/xml
INFO:   Host: pki1.example.com:20443
INFO:   Connection: Keep-Alive
INFO:   User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_242)
INFO: Server certificate: CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org
WARNING: UNTRUSTED ISSUER encountered on 'CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org' indicates a non-trusted CA cert 'CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org'
Trust this certificate (y/N)? y
INFO: Importing certificate as CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org
INFO: Trusting certificate
INFO: HTTP response: HTTP/1.1 200 
INFO:   Content-Type: application/xml;charset=UTF-8
INFO:   Transfer-Encoding: chunked
INFO:   Date: Thu, 20 Feb 2020 09:19:38 GMT
Imported certificate "testuser"
[root@pki1 ~]# 
--------------------------------

----------------------------------------
[root@pki1 ~]# certutil -L -d /tmp/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PKI CA Administrator for Example.Org                         u,u,u
RootCA                                                       CT,C,C
testuser                                                     ,,   
[root@pki1 ~]# 
----------------------------------------

As observed in the POC, it can be seen that the fix is working as expected.
Hence, marking this Bugzilla as verified.
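
The verification run above answers "y" to the UNTRUSTED ISSUER prompt, which is trust-on-first-use of whatever certificate the server presented. The script below is an added example for this thread, not code from the bug report or from pki-core: it imports the CA signing certificate into the client NSS database with explicit trust flags before the import, so the HTTPS import runs non-interactively against a CA chosen out of band, and it audits the trust flags afterwards. Host, ports, database path, password and nicknames are taken from Comment 10; the local file name ca_signing.crt, and obtaining it from the CA host (for example with pki-server cert-export there), are assumptions. The pki and certutil options used (client-init, -h/-P/-p, certutil -A/-L/-t) are the standard ones. The sample listing embedded in the script is constructed from the certutil output above so that the audit helpers can be exercised without a server.

```shell
#!/bin/sh
# Added example (not from the bug report or from pki-core): trust the CA signing
# certificate out of band, import a user certificate over the secure port without
# the interactive "Trust this certificate (y/N)?" prompt, and audit trust flags.

NSSDB=/tmp/testdb              # values below follow the verification run above
NSSDB_PASSWORD=SECret.123
CA_HOST=pki1.example.com
CA_PORT=20443
CA_NICK=RootCA
CA_CERT_FILE=ca_signing.crt    # ASSUMED: copied from the CA host, e.g. produced
                               # there by: pki-server cert-export ca_signing \
                               #             --cert-file ca_signing.crt
USER_NICK=testuser
USER_SERIAL=0x31

# Constructed sample of "certutil -L" output, modelled on the listing above,
# used only to exercise the helpers when no NSS tools are available.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PKI CA Administrator for Example.Org                         u,u,u
RootCA                                                       CT,C,C
testuser                                                     ,,   '

# Print the trust attributes that a "certutil -L" listing (read from stdin)
# records for one nickname, or "missing" if the nickname is not listed.
# certutil pads the nickname with spaces; the trust column is the last field.
trust_flags() {
    awk -v nick="$1" '
        index($0, nick) == 1 && substr($0, length(nick) + 1, 1) == " " {
            print $NF; found = 1; exit
        }
        END { if (!found) print "missing" }
    '
}

# Succeed only when the SSL trust position carries "C" (trusted CA), as in
# "CT,C,C" above. ",," (no trust) and "u,u,u" (own key, not a trusted CA) fail.
ca_is_ssl_trusted() {
    case "$1" in
        C*) return 0 ;;
        *)  return 1 ;;
    esac
}

# The live procedure runs only when the tools and the CA file are present.
if command -v certutil >/dev/null 2>&1 && command -v pki >/dev/null 2>&1 \
        && [ -f "$CA_CERT_FILE" ]; then
    # 1. Create the client database if needed and import the CA signing cert
    #    with explicit SSL trust. This step, not the TLS handshake, decides
    #    which CA the client will believe.
    [ -d "$NSSDB" ] || pki -d "$NSSDB" -c "$NSSDB_PASSWORD" client-init
    certutil -A -d "$NSSDB" -n "$CA_NICK" -t "CT,C,C" -i "$CA_CERT_FILE"

    # 2. Refuse to continue unless the CA really carries SSL trust.
    flags=$(certutil -L -d "$NSSDB" | trust_flags "$CA_NICK")
    ca_is_ssl_trusted "$flags" || { echo "CA not trusted for SSL: $flags" >&2; exit 1; }

    # 3. Import the user certificate over the secure port. With the issuer
    #    already trusted there is no UNTRUSTED ISSUER prompt to answer.
    pki -d "$NSSDB" -c "$NSSDB_PASSWORD" -h "$CA_HOST" -P https -p "$CA_PORT" \
        client-cert-import "$USER_NICK" --serial "$USER_SERIAL"

    # 4. A peer certificate imported this way carries no trust flags (",,"),
    #    which is what the listing above shows for "testuser".
    echo "$USER_NICK trust flags: $(certutil -L -d "$NSSDB" | trust_flags "$USER_NICK")"
else
    echo "certutil, pki or $CA_CERT_FILE not available; auditing the sample listing only" >&2
    echo "$CA_NICK trust flags: $(printf '%s\n' "$SAMPLE_LISTING" | trust_flags "$CA_NICK")"
fi
```

The point of step 1 is that the trust decision is made from a CA certificate you obtained through a channel you control (the CA host itself, or a signed distribution), not from the first server that answers on port 20443. If the import still reports UNTRUSTED ISSUER after this, the server is presenting a chain that does not lead to the CA you installed, which is exactly the case the prompt would otherwise let you wave through.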

Comment 12 errata-xmlrpc 2020-04-28 15:45:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1644