Bug 440079
| Field | Value |
|---|---|
| Summary | Importing agent cert causes Warning in Firefox |
| Product | [Retired] Dogtag Certificate System |
| Component | CA |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | high |
| Version | unspecified |
| Target Milestone | 1.0 |
| Hardware | All |
| OS | Linux |
| Reporter | Bob Lord <blord> |
| Assignee | Jack Magne <jmagne> |
| QA Contact | Chandrasekar Kannan <ckannan> |
| CC | benl, kengert, rrelyea |
| Doc Type | Bug Fix |
| Last Closed | 2009-07-22 23:28:01 UTC |
| Bug Blocks | 443788 |

Description
Bob Lord
2008-04-01 16:53:48 UTC
Created attachment 299924
Warning message screenshot

I tried this with Firefox 2.0.0.8 and did NOT see this error message. I'll try another version or two, but this leads us in the direction that we have a Firefox 3 related issue.

Yes, it's an issue that is magnified with the new security mechanisms with FF3. After further testing found the following:

1. It appears that this problem can happen when attempting to import simple user certificates.
2. I took a look into the PSM code and observed that this error is thrown when the CAs cannot be verified.
3. I went into the PSM UI and for the CS's server cert, manually trusted the CA, and the message was suppressed.

Will investigate further on how to fix this.

We have noticed this with other versions of Firefox too. Like Firefox 2.0. I don't believe this is specific to FF3.

The CA already has a servlet called getCAChain that will import the CA's cert chain into the user's db, which should solve this problem. The user will be prompted with a dialog asking the user to trust the chain for various functions. Once this is done early in the CA's config wizard, the importation of the admin cert should not see the warning above.

Currently I'm learning how the velocity based wizard code operates. The next step will be to actually try to call "getCAChain" from the wizard and get it working. From then, I must decide where to best place the change, in an already existing wizard panel or in a brand new panel created just for this purpose.

Created attachment 302185
Example CA trust prompt

The resolution to this bug will also address another bug, #440348. Once the CA's cert chain is trusted, Firefox 3 will no longer need to restrict access to the server.

Created attachment 304546
Diff for changed files.
The changes to existing files for this bug are listed here.

Created attachment 304547
New wizard velocity template.
This is the wizard velocity template file implementing the importation of the
CA cert chain functionality.
The path of this file is:
pki/linux/common-ui/shared/admin/console/config/importcachainpanel.vm

Created attachment 304554
New file to implement server side of fix.
This file implements the importation of the CA's cert chain for the server
side.
file path:
/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportCAChainPanel.java

+ mharmsen attachment (id=304546)
+ mharmsen attachment (id=304547)
+ mharmsen attachment (id=304554)

This looks good. Per discussions, please create a new bug marked for CS8.1 which would apply these fixes to the other 5 subsystems.

NOTE: This bug is ONLY necessary for the case when a different browser than the one used to configure the CA is used.

cd pki/linux/common-ui/shared/admin/console/config
svn commit importcachainpanel.vm
Adding importcachainpanel.vm
Transmitting file data .
Committed revision 36.

cd pki/redhat/common-ui/shared/admin/console/config
svn add importcachainpanel.vm
A importcachainpanel.vm
[jmagne@dhcp-128 config]$ svn commit importcachainpanel.vm
Adding importcachainpanel.vm
Transmitting file data .
Committed revision 15202.

cd pki/linux/common
svn commit pki-common.spec
Sending pki-common.spec
Transmitting file data .
Committed revision 39.

cd pki/linux/ca
svn commit pki-ca.spec
Sending pki-ca.spec
Transmitting file data .
Committed revision 37.

cd pki/linux/common-ui
svn commit pki-common-ui.spec
Sending pki-common-ui.spec
Transmitting file data .
Committed revision 38.

cd pki/base/ca/shared/webapps/ca/WEB-INF
svn commit web.xml
Sending web.xml
Transmitting file data .
Committed revision 40.

cd pki/base/common/src/com/netscape/cms/servlet/csadmin
svn add ImportCAChainPanel.java
A ImportCAChainPanel.java
[jmagne@dhcp-128 csadmin]$ svn commit ImportCAChainPanel.java
Adding ImportCAChainPanel.java
Transmitting file data .
Committed revision 41.

Verified (with build 1-June-09) with Firefox 3.0.10. No trust error by Firefox is thrown.
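
The diagnosis earlier in this bug (the warning appears when the issuing CA of the imported certificate cannot be verified, and disappears once that CA is trusted) can be reproduced outside the browser. The following is an added example, not code from this bug or from Dogtag: it uses the `openssl` command line in place of Firefox/PSM, and the "Demo CA" and "Demo Agent" names, file names and function names are constructed for the illustration.

```shell
#!/bin/sh
# Constructed demo: "Demo CA" and "Demo Agent" are made-up names.
# Build a throwaway CA and an agent certificate it signs, in directory $1.
make_pki() {
    dir=$1
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed CA certificate (stands in for the chain getCAChain delivers).
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Agent key pair and signing request.
    openssl req -new -config "$dir/req.cnf" -subj "/CN=Demo Agent" \
        -newkey rsa:2048 -nodes \
        -keyout "$dir/agent.key" -out "$dir/agent.csr" 2>/dev/null || return 1
    # The CA issues the agent certificate.
    openssl x509 -req -in "$dir/agent.csr" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/agent.crt" 2>/dev/null
}

# Succeeds only if certificate $1 chains to a trust anchor.
# $2 (optional) is a CA file to trust; without it the trust store is empty.
chain_is_trusted() {
    if [ -n "$2" ]; then
        openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
    fi
}

# Check the same agent certificate before and after the CA is trusted.
demo() {
    work=$(mktemp -d) || return 1
    make_pki "$work" || { rm -rf "$work"; return 1; }
    if chain_is_trusted "$work/agent.crt"; then before=trusted; else before=untrusted; fi
    if chain_is_trusted "$work/agent.crt" "$work/ca.crt"; then after=trusted; else after=untrusted; fi
    rm -rf "$work"
    echo "before CA import: $before; after CA import: $after"
}

demo
```

The agent certificate itself is identical in both checks; only the contents of the trust store change, which is why importing the CA chain before the agent certificate removes the warning.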