Bug 1656964

Summary: Inconsistent error messages for revoked & expired certs in discrete tomcat and shared tomcat scenarios
Product: Red Hat Enterprise Linux 8
Reporter: Pritam Singh <prisingh>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED UPSTREAM
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Priority: unspecified
Version: 8.0
CC: ascheel, edewata
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-03-03 18:16:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Pritam Singh 2018-12-06 18:24:41 UTC
Description of problem:

Getting 'CERTIFICATE_UNKNOWN' error for expired certs and 'Unauthorized' error for revoked certs in RHEL8. Are these expected?
Because earlier, for RHEL7.4 -> RHEL7.5, the error messages changed from "PKIException: Unauthorized" to "FATAL: SSL alert received: CERTIFICATE_EXPIRED" and "FATAL: SSL alert received: CERTIFICATE_REVOKED".

I am not able to see appropriate error messages for revoked and expired certificates, as shown below:

[root@pki1 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.0 Beta (Ootpa)

[root@pki1 ~]# pki -d /opt/pki/certdb/ -P https -p 20443 -h pki1.example.com -c SECret.123 -n "CA_AdminR" ca-profile-show caAgentFoobar
PKIException: Unauthorized
[root@pki1 ~]# pki -d /opt/pki/certdb/ -P https -p 20443 -h pki1.example.com -c SECret.123 -n "CA_AdminE" ca-profile-show caAgentFoobar
FATAL: SSL alert received: CERTIFICATE_UNKNOWN
IOException: SocketException cannot write on socket
[root@pki1 ~]# ls /var/lib/pki/
topology-02-CA  topology-02-KRA


Version-Release number of selected component (if applicable):

PKI Command-Line Interface 10.6.8-1.module+el8+2277+f150bc67

How reproducible:
Always

Steps to Reproduce:

1. Go to a terminal and fetch certs or a profile with a revoked cert:

[root@pki1 ~]# pki -d /opt/pki/certdb/ -P https -p 20443 -h pki1.example.com -c SECret.123 -n "CA_AdminR" ca-profile-show caUserCert
PKIException: Unauthorized

2. Go to a terminal and fetch certs or a profile with an expired cert:

[root@pki1 ~]# pki -d /opt/pki/certdb/ -P https -p 20443 -h pki1.example.com -c SECret.123 -n "CA_AdminE" ca-profile-show caUserCert
FATAL: SSL alert received: CERTIFICATE_UNKNOWN
IOException: SocketException cannot write on socket

Actual results:

Getting 'CERTIFICATE_UNKNOWN' error for expired certs and 'Unauthorized' error for revoked certs in RHEL8.

Expected results:

Error messages should be consistent whatever the topology may be. It should trigger 'CERTIFICATE_REVOKED' for revoked certs & 'CERTIFICATE_EXPIRED' for expired certs.

Additional info:

Pastebin: http://pastebin.test.redhat.com/680095

Comment 1 Endi Sukma Dewata 2020-03-03 18:16:59 UTC
This issue will be addressed upstream:
https://pagure.io/dogtagpki/issue/3127