Bug 1782486

Summary: client-cert-import cli fails with exception java.lang.Error: Certificate database not initialized
Product: Red Hat Enterprise Linux 8
Reporter: Geetika Kapoor <gkapoor>
Component: pki-core
Assignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA
QA Contact: PKI QE <bugzilla-pkiqe>
Severity: unspecified
Priority: unspecified
Version: 8.2
CC: afarley, edewata, gswami, mharmsen
Target Milestone: rc
Target Release: 8.2
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.6-8020020191211221350.c7c3114f
Last Closed: 2020-04-28 15:45:20 UTC
Type: Bug

Description Geetika Kapoor 2019-12-11 17:28:46 UTC
Description of problem:

client-import cli fails with exception java.lang.Error: Certificate database not initialized.


Version-Release number of selected component (if applicable):
8.2

How reproducible:
always

Steps to Reproduce:
1. Run: pki -v -d /opt/pki/certdb -c SECret.123 -p 20080 -n "PKI CA Administrator for Example.Org"  client-cert-import testuser21007_75619659 --serial 0x94

Actual results:

Failure

Expected results:

should work

Additional info:

# pki -v -d /opt/pki/certdb -c SECret.123 -p 20080 -n "PKI CA Administrator for Example.Org"  client-cert-import testuser21007_75619659 --serial 0x94
INFO: PKI options: -v -d /opt/pki/certdb -c SECret.123
INFO: PKI command: 20080 -p 20080 -n PKI CA Administrator for Example.Org client-cert-import testuser21007_75619659 --serial 0x94
INFO: Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -cp /usr/share/pki/lib/* -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /opt/pki/certdb -c SECret.123 -v -p 20080 -n PKI CA Administrator for Example.Org client-cert-import testuser21007_75619659 --serial 0x94
INFO: Server URL: https://pki1.example.com:20080
INFO: NSS database: /opt/pki/certdb
INFO: Message format: null
INFO: Command: client-cert-import testuser21007_75619659 --serial 0x94
INFO: Module: client
INFO: Module: cert-import
INFO: Importing certificate 0x94 from https://pki1.example.com:20080
java.lang.Error: Certificate database not initialized.
	at com.netscape.certsrv.client.PKIConnection$JSSProtocolSocketFactory.connectSocket(PKIConnection.java:314)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
	at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:326)
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:836)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
	at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
	at com.sun.proxy.$Proxy44.getCert(Unknown Source)
	at com.netscape.certsrv.ca.CACertClient.getCert(CACertClient.java:66)
	at com.netscape.cmstools.client.ClientCertImportCLI.execute(ClientCertImportCLI.java:277)
	at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:57)
	at org.dogtagpki.cli.CLI.execute(CLI.java:352)
	at org.dogtagpki.cli.CLI.execute(CLI.java:352)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:653)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:689)
Caused by: org.mozilla.jss.NotInitializedException
	at org.mozilla.jss.CryptoManager.getInstance(CryptoManager.java:345)
	at com.netscape.certsrv.client.PKIConnection$JSSProtocolSocketFactory.connectSocket(PKIConnection.java:311)
	... 19 more
ERROR: Command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -cp /usr/share/pki/lib/* -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /opt/pki/certdb -c SECret.123 -v -p 20080 -n PKI CA Administrator for Example.Org client-cert-import testuser21007_75619659 --serial 0x94

Comment 1 Endi Sukma Dewata 2019-12-12 18:46:06 UTC
Fixed in master:
* https://github.com/dogtagpki/pki/commit/32f64f0a456995d20e3c6afef1853b652eb50294

Comment 4 Gaurav Swami 2020-02-07 11:10:38 UTC
Tested Version:
----------------------
[root@pki1 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.8.0
Release     : 0.5.module+el8.2.0+5469+26e16009
Architecture: noarch
Install Date: Fri 07 Feb 2020 02:13:53 AM EST
Group       : Unspecified
Size        : 2466757
License     : GPLv2 and LGPLv2
Signature   : RSA/SHA256, Thu 16 Jan 2020 07:32:15 PM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.8.0-0.5.module+el8.2.0+5469+26e16009.src.rpm
Build Date  : Thu 16 Jan 2020 05:44:55 PM EST
Build Host  : arm64-037.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.dogtagpki.org/
Summary     : PKI CA Package
----------------------

Test Procedure:

https://bugzilla.redhat.com/show_bug.cgi?id=1782486#c0

POC:

Case 1:
=========

[root@pki1 ~]# pki -v -d /tmp/testdb -c SECret.123 -P http -p 20080 client-cert-import --pkcs12 /opt/topology-03-CA/ca_admin_cert.p12 --pkcs12-password SECret.123
INFO: PKI options: -v -d /tmp/testdb -c SECret.123
INFO: PKI command: http -P http -p 20080 client-cert-import --pkcs12 /opt/topology-03-CA/ca_admin_cert.p12 --pkcs12-password SECret.123
INFO: Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -cp /usr/share/pki/lib/* -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /tmp/testdb -c SECret.123 -v -P http -p 20080 client-cert-import --pkcs12 /opt/topology-03-CA/ca_admin_cert.p12 --pkcs12-password SECret.123
INFO: Server URL: http://pki1.example.com:20080
INFO: NSS database: /tmp/testdb
INFO: Message format: null
INFO: Command: client-cert-import --pkcs12 /opt/topology-03-CA/ca_admin_cert.p12 --pkcs12-password SECret.123
INFO: Module: client
INFO: Module: cert-import
INFO: Creating NSS database in /tmp/testdb
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
INFO: Importing certificates from /opt/topology-03-CA/ca_admin_cert.p12
Imported certificates from PKCS #12 file
[root@pki1 ~]# 


[root@pki1 ~]# certutil -L -d nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PKI CA Administrator for Example.Org                         u,u,u

[root@pki1 ~]# 


Case 2:
==========

[root@pki1 ~]# pki -v -d /tmp/testdb -c SECret.123 -P http -p 20080 client-cert-request "uid=testuser" --profile caUserCert
  Request ID: 18
  Type: enrollment
  Request Status: pending
  Operation Result: success

[root@pki1 ~]# pki -v -d /tmp/testdb -c SECret.123 -P http -p 20080 -n "PKI CA Administrator for Example.Org" ca-cert-request-approve 18
  Request ID: 18
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x12

  
[root@pki1 ~]# pki -v -d /tmp/testdb -c SECret.123 -P http -p 20080 client-cert-import testuser --serial 0x12
INFO: PKI options: -v -d /tmp/testdb -c SECret.123
INFO: PKI command: http -P http -p 20080 client-cert-import testuser --serial 0x12
INFO: Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -cp /usr/share/pki/lib/* -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /tmp/testdb -c SECret.123 -v -P http -p 20080 client-cert-import testuser --serial 0x12
INFO: Server URL: http://pki1.example.com:20080
INFO: NSS database: /tmp/testdb
INFO: Message format: null
INFO: Command: client-cert-import testuser --serial 0x12
INFO: Module: client
INFO: Module: cert-import
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
INFO: Importing certificate 0x12 from http://pki1.example.com:20080
INFO: HTTP request: GET /ca/rest/certs/18 HTTP/1.1
INFO:   Accept: application/xml
INFO:   Host: pki1.example.com:20080
INFO:   Connection: Keep-Alive
INFO:   User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_242)
INFO: HTTP response: HTTP/1.1 200 
INFO:   Content-Type: application/xml;charset=UTF-8
INFO:   Transfer-Encoding: chunked
INFO:   Date: Fri, 07 Feb 2020 11:03:29 GMT
Imported certificate "testuser"


[root@pki1 ~]# certutil -L -d /tmp/testdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

PKI CA Administrator for Example.Org                         u,u,u
RootCA                                                       CT,C,C
testuser                                                     u,u,u


As observed in the POC, it can be seen that the fix is working as expected.
Hence, marking this Bugzilla as verified.

Comment 6 errata-xmlrpc 2020-04-28 15:45:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1644