Bug 1540924
| Field | Value |
|---|---|
| Summary | ExternalCA: Failures are observed when one External CA tries to sign another externalCA |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | Geetika Kapoor <gkapoor> |
| Component | pki-core |
| Assignee | Endi Sukma Dewata <edewata> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Asha Akkiangady <aakkiang> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 8.3 |
| CC | ascheel, edewata, evan.hisey, gkapoor, jared.szechy, jwooten, mharmsen, msauton |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2020-02-26 13:36:10 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Description
Geetika Kapoor
2018-02-01 10:45:32 UTC
Created attachment 1389444 [details]
debug
This is the same in the case of a non-CMC environment.

Scenario: This is particularly a non-CMC scenario.
==================================================
RootCA --signs--> ExternalCA(00) ---signs---> ExternalCA(000)
(level1)          (level2)                    (level3)
port-20080        port-31080                  port-29080

Level2 Installation:
====================
1. Run pkispawn step1 and generate the csr.
2. Sign this csr by RootCA.
3. pki -U http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:20080 ca-cert-request-submit --profile caCACert --csr-file /tmp/ca_signing.csr
   -----------------------------
   Submitted certificate request
   -----------------------------
   Request ID: 63
   Type: enrollment
   Request Status: pending
   Operation Result: success
4. Approve the csr.
   pki -p 20080 -d /root/nssdb_75/ -c SECret.123 -n "PKI CA Administrator" ca-cert-request-review 63 --action approve
   -------------------------------
   Approved certificate request 63
   -------------------------------
   Request ID: 63
   Type: enrollment
   Request Status: complete
   Operation Result: success
   Certificate ID: 0x34e9448
5. Verify the certificate 0x34e9448 on the CA agent page.
6. This "0x34e9448" is a signing cert. Get the external certificate also.
7. Get external.crt and ca_signing.crt.
8. Change ciphers in server.xml to sslRangeCiphers="+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
9. Run step2 pkispawn and make sure it works.

Verification:
------------
1. Submit a cert request and approve.
   pki -p 31080 -d /tmp/test -c SECret.123 -n "PKI CA Administrator" ca-cert-request-review 6 --action approve
   WARNING: UNTRUSTED ISSUER encountered on 'CN=csqa4-guest04.idm.lab.eng.rdu.redhat.com,OU=pki-ExternalCA-gkapoor00,O=idm.lab.eng.rdu.redhat.com Security Domain' indicates a non-trusted CA cert 'CN=CA Signing Certificate,OU=pki-ExternalCA-gkapoor00,O=idm.lab.eng.rdu.redhat.com Security Domain'
   Import CA certificate (Y/n)? Y
   CA server URI [http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca]: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31080/ca
   ------------------------------
   Approved certificate request 6
   ------------------------------
   Request ID: 6
   Type: enrollment
   Request Status: complete
   Operation Result: success
   Certificate ID: 0x6

Level3 Installation:
====================
1. Generate the csr using the step1 installation.
2. Get the csr signed by the ExternalCA on port 31080.
3. pki -U http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31080 ca-cert-request-submit --profile caCACert --csr-file /tmp/ca_signing.csr1
   -----------------------------
   Submitted certificate request
   -----------------------------
   Request ID: 7
   Type: enrollment
   Request Status: pending
   Operation Result: success
4. Approve the csr.
   pki -p 31080 -d /tmp/test -c SECret.123 -n "PKI CA Administrator" ca-cert-request-review 7 --action approve
   ------------------------------
   Approved certificate request 7
   ------------------------------
   Request ID: 7
   Type: enrollment
   Request Status: complete
   Operation Result: success
   Certificate ID: 0x7
5. Get the ca_signing.crt and external.crt, which is the pkcs7 chain of RootCA (level1) and ExternalCA (level2).
6. Get the certificates either from the cli or from the CA EE page. Both the ca signing cert and the pkcs7 chain certs can be found there.

[02/Feb/2018:00:56:23][http-bio-29443-exec-3]: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
    at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
    at com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
    at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:539)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2785)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2609)
    at org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:484)
    at org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:166)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:101)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Attaching ca_signing cert:
=========================

External.crt pkcs7 file:
-----------------------

I am seeing the same error using an openssl rootCA and the ca-external pki setup. This is on a clean 7.5 minimal install with PKI subsystem.

RPMS:
pki-kra-10.5.1-9.el7.noarch
jss-4.4.0-11.el7.x86_64
nss-pem-1.0.3-4.el7.x86_64
pki-tools-10.5.1-9.el7.x86_64
pki-usgov-dod-cacerts-0.0.6-4.el7.noarch
nss-util-3.34.0-2.el7.x86_64
nss-sysinit-3.34.0-4.el7.x86_64
pki-ca-10.5.1-9.el7.noarch
pki-server-10.5.1-9.el7.noarch
pki-base-10.5.1-9.el7.noarch
nss-3.34.0-4.el7.x86_64
pki-base-java-10.5.1-9.el7.noarch
pki-symkey-10.5.1-9.el7.x86_64
nss-softokn-3.34.0-2.el7.x86_64
nss-tools-3.34.0-4.el7.x86_64
nss-softokn-freebl-3.34.0-2.el7.x86_64

When running pkispawn -f /root/ca-setup/ca-external-step2.cfg -s CA I get almost through the setup and then error out as above, though it claims to successfully import the rootca prior to bombing out.

Per RHEL 7.5.z/7.6/8.0 Triage: 7.6

edewata: seems to be a common scenario.

Hi Evan,

Could you please share the procedure that you have followed, and could you also please share/check the certificates and see if there are duplicate certificates in the ca_signing cert and the external certificate chain (pkcs7 certificate)?

Thanks
Geetika

I too am having the same problem using an external openssl signing CA with pkispawn.

pkispawn    : INFO     ....... loading caSigningCert External CA certificate
pki.nssdb   : DEBUG    Command: certutil -L -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmpFIAhfd/password.txt -n caSigningCert External CA -a
pkispawn    : INFO     ....... configuring PKI configuration data.
Installation failed: HTTP Status 500 – Internal Server Error

Type: Exception Report
Message: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
Description: The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception:
org.jboss.resteasy.spi.UnhandledException: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
    org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
    org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
    org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
    org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
    org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
    org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

Root Cause:
Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
    com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
    com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
    com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:542)
    com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2754)
    com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2578)
    org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:483)
    org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
    org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:170)
    org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:105)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    java.lang.reflect.Method.invoke(Method.java:498)
    org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
    org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
    org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

Root Cause:
Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
    com.netscape.ca.CertificateAuthority.getCACert(CertificateAuthority.java:1621)
    com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:315)
    com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
    com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:542)
    com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2754)
    com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2578)
    org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:483)
    org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
    org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:170)
    org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:105)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    java.lang.reflect.Method.invoke(Method.java:498)
    org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
    org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
    org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

Root Cause:
java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.

Hi Jared,

Could you please share the procedure that you have followed, and could you also please share/check the certificates and see if there are duplicate certificates in the ca_signing cert and the external certificate chain (pkcs7 certificate)? I am trying to understand if this is the same use case or a different use case from the one for which I created this Bugzilla.

Thanks
Geetika

Geetika,

I used the steps outlined on http://www.dogtagpki.org/wiki/Installing_CA_with_External_CA_Signing_Certificate

ca-step1.cfg
=========
[DEFAULT]
pki_admin_email=jared
pki_client_pkcs12_password=[password_here]
pki_admin_password=[password_here]
pki_admin_uid=caadmin
pki_ds_bind_dn=cn=Directory Manager
pki_ds_hostname=ca.company.com
pki_ds_password=[password_here]
pki_security_domain_name=Company

[CA]
pki_ds_base_dn=o=pki-tomcat-CA
pki_ca_signing_subject_dn=cn=Company Root CA2,o=Company,c=US
pki_ca_signing_csr_path=/home/jared/ca_signing.csr
pki_external=True
pki_external_step_two=False

ca-step2.cfg
=========
[DEFAULT]
pki_admin_email=jared
pki_client_pkcs12_password=[password_here]
pki_admin_password=[password_here]
pki_admin_uid=caadmin
pki_ds_bind_dn=cn=Directory Manager
pki_ds_hostname=ca.company.com
pki_ds_password=[password_here]
pki_security_domain_name=Company

[CA]
pki_ds_base_dn=o=pki-tomcat-CA
pki_ca_signing_subject_dn=cn=Company Root CA2,o=Company,c=US
pki_ca_signing_csr_path=/home/jared/ca_signing.csr
pki_ca_signing_cert_path=/home/jared/ca.pem
pki_cert_chain_path=/home/jared/root.pem
pki_external=True
pki_external_step_two=True

Procedure
=========
Generate the CSR using the step1 config:
$ sudo pkispawn -f ca-step1.cfg -s CA

Sign the CSR using the external Root CA (OpenSSL).

Complete the setup process using the step2 config:
$ sudo pkispawn -f ca-step2.cfg -s CA

Step 2 of pkispawn is what fails with the previously posted exceptions. I've tried several cases when it comes to providing the certificate chain. In the above scenario the ca_signing cert is a single pem (signed cert) and the cert_chain is a single pem (self-signed root cert). I've also tried using a pkcs7 chain as the ca_signing cert, and no chain, as well as a pem ca_signing cert and a pkcs7 chain. All of the cases failed in the same way.

Per RHEL 7.5.z/7.6/8.0 Triage: 7.5.z

FYI, some of the issues discussed here were probably caused by an invalid path in pki_ca_signing_cert_path. It will be addressed in bug #1588655 by adding input validation.

debug logs from test package pki-10.5.tar.xz
it is an sosreport: sosreport-nwcal-subca1.nwc.nws.noaa.gov.02085383-20180620203058.tar.xz

Created attachment 1453796 [details]
sosreport-nwcal-subca1.nwc.nws.noaa.gov.02085383-20180620203058.tar.xz
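A pre-flight check for the two files handed to pkispawn step 2, added here as an example that is not part of this bug report or of pki-core: it confirms that the ca_signing file holds exactly one DER-decodable certificate (an invalid path or a chain file given as pki_ca_signing_cert_path fails here) and that the PKCS7 chain from pki_cert_chain_path does not already contain that same certificate, the two things asked for in the thread. Every function name and the stand-in certificates are constructed for this example; only the Python standard library is used.

```python
"""Added pre-flight check (not from the bug report or from pki-core) for the two files pkispawn
reads in external-CA step 2: ca_signing must hold exactly one DER-decodable certificate and the
PKCS7 chain must not already contain it. Stdlib only; walks DER TLVs, no X.509 semantics."""
import base64, hashlib, re
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
def pem_blocks(text):
    """(label, der_bytes) for every PEM block found in the text of a file."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(text)]
def der_tlv(buf, off=0):
    """Parse the TLV at buf[off] -> (tag, value_start, value_end); non-DER input fails as DerInput does."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER at offset %d" % off)
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length >= 0x80:                      # long form: low 7 bits = number of length bytes
        length_tag = length & 0x7F
        if length_tag > 4:                  # the "lengthTag=9, too big" seen in the pkispawn log
            raise ValueError("DerInput.getLength(): lengthTag=%d, too big." % length_tag)
        length, off = int.from_bytes(buf[off:off + length_tag], "big"), off + length_tag
    if off + length > len(buf):
        raise ValueError("DER length %d runs past end of data" % length)
    return tag, off, off + length
def der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in buf[start:end]."""
    off = start
    while off < end:
        tag, vs, ve = der_tlv(buf, off)
        yield tag, off, vs, ve
        off = ve
def certs_in_pkcs7(blob):
    """DER certificates inside PKCS#7 ContentInfo{signedData OID, [0] EXPLICIT SignedData{...}}."""
    tag, s, e = der_tlv(blob)
    if tag != 0x30 or e != len(blob):
        raise ValueError("PKCS7 blob is not a single DER SEQUENCE")
    content = next(k for k in der_children(blob, s, e) if k[0] == 0xA0)     # [0] EXPLICIT content
    _, sd_s, sd_e = der_tlv(blob, content[2])                               # SignedData SEQUENCE
    fields = list(der_children(blob, sd_s, sd_e))[3:]                       # after version, digestAlgs, contentInfo
    certs = next(((vs, ve) for t, _, vs, ve in fields if t == 0xA0), None)  # certificates [0] IMPLICIT SET OF
    return [] if certs is None else [blob[ts:ce] for _, ts, _, ce in der_children(blob, *certs)]
def check_step2_inputs(ca_signing_text, chain_text):
    """Return {'problems': [...], 'chain': [sha256 hex, ...]}; an empty problems list means go."""
    problems, chain = [], []
    signing = [d for label, d in pem_blocks(ca_signing_text) if label == "CERTIFICATE"]
    if len(signing) != 1:                   # wrong path, or the chain file passed as ca_signing cert
        return {"problems": ["ca_signing file holds %d CERTIFICATE blocks, need 1" % len(signing)], "chain": []}
    try:
        if der_tlv(signing[0])[::2] != (0x30, len(signing[0])):  # (tag, value_end): one SEQUENCE, nothing after
            problems.append("ca_signing cert is not one DER SEQUENCE")
    except ValueError as exc:
        problems.append("ca_signing cert: %s" % exc)
    for label, blob in pem_blocks(chain_text):
        try:
            chain.extend(certs_in_pkcs7(blob) if label == "PKCS7" else [blob])
        except ValueError as exc:
            problems.append("chain %s block: %s" % (label, exc))
    chain_fps = [hashlib.sha256(c).hexdigest() for c in chain]
    if hashlib.sha256(signing[0]).hexdigest() in chain_fps:
        problems.append("ca_signing cert is duplicated inside the chain")
    return {"problems": problems, "chain": chain_fps}
def der(tag, payload):
    """Minimal DER TLV encoder, used only to build the constructed sample input below (not real X.509)."""
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8 or 1, "big")
    return (bytes([tag, len(payload)]) if len(payload) < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb) + payload
def pem(label, blob):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(blob).decode(), label)
def pkcs7(certs):
    """ContentInfo{signedData, [0]{SignedData{version 1, SET{}, ContentInfo{data}, [0]{certs}}}}."""
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, bytes.fromhex("2A864886F70D010701"))) + der(0xA0, b"".join(certs)))
    return der(0x30, der(0x06, bytes.fromhex("2A864886F70D010702")) + der(0xA0, signed))
# Constructed stand-ins for the RootCA -> ExternalCA(00) -> ExternalCA(000) chain of the report.
ROOT, LEVEL2, LEVEL3 = (der(0x30, der(0x0C, n)) for n in (b"RootCA", b"ExternalCA(00)", b"ExternalCA(000)"))
CHAIN_PEM = pem("PKCS7", pkcs7([LEVEL2, ROOT]))                        # external.crt for the level-3 install
GOOD = check_step2_inputs(pem("CERTIFICATE", LEVEL3), CHAIN_PEM)       # problems == []
DUPLICATE = check_step2_inputs(pem("CERTIFICATE", LEVEL2), CHAIN_PEM)  # level-2 cert given twice
```

Against real files, call check_step2_inputs(open(ca_path).read(), open(chain_path).read()) with the two paths from the step2 cfg before running pkispawn.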
The issue mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1540924#c18 happens when there are certificates not available. During HSM installation, especially migrations, client machines need to sync correctly. This can be done using:

ON CS 8:
=======
/opt/nfast/bin/rfs-sync --setup --no-authenticate <ip of cs9 machine>
/opt/nfast/bin/rfs-setup --gang-client --write-noauth <ip of cs9 machine>
/opt/nfast/bin/rfs-sync --commit

On the RHEL 7 (CS 9) machine do:
/opt/nfast/bin/rfs-sync --update

After doing this, the NPE which occurred at com.netscape.cms.servlet.csadmin.ConfigurationUtils.createPKCS7(ConfigurationUtils.java:3374) should not come.