Bug 504240

Summary: RA (nethsm) : unable to approve server cert
Product: [Retired] Dogtag Certificate System
Reporter: Chandrasekar Kannan <ckannan>
Component: RA
Assignee: Ade Lee <alee>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: urgent
Version: unspecified
CC: benl, cfu
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:36:06 UTC
Bug Blocks: 443788
Attachments:
  patch to fix (flags: none)

Description Chandrasekar Kannan 2009-06-04 22:32:21 UTC
- installed today's build 06/04. system fully up2date.
- installed/configured all sub-systems to use nethsm2k
- Went to the RA EE Page. Submitted a CSR for approval
- Went to the RA Agent page. Attempt to approve shows
  CA Connection Error.

Here's the log information:

==> error_log <==
[Thu Jun 04 15:26:29 2009] [info] Connection to child 2 established (server sigma.dsdev.sjc.redhat.com:12889, client 10.14.52.236)
[Thu Jun 04 15:26:29 2009] [info] Initial (No.1) HTTPS request received for child 2 (server sigma.dsdev.sjc.redhat.com:12889)
POST /ca/ee/ca/profileSubmit HTTP/1.0
Content-Length: 600
Content-Type: application/x-www-form-urlencoded

profileId=caRAserverCert&requestor_name=&cert_request_type=pkcs10&subject=&cert_request=MIIBYDCBygIBADAhMQ8wDQYDVQQKEwZyZWRoYXQxDjAMBgNVBAMTBXRlc3QxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7%2FXaZUDQXeu30EhdeLkvaiem6ej%2FeEDkNzO1klt3N%2BZewv52g3cEWaYtLAsU7nA4S4afdFjyv5nnDgYIlosiwcZmjJniMSwM9yQ6Ijp6yTC%2BOm8WigAfQ52vQFpWmn7hJ%2Ft%2BPzdt3ehHV1iwFvvOGD3lEeBpCVuffNeee%2F6kI4wIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAYna4F4ncfzO3aaT393rVgBf7vHqQarespTr7s%2B0QJKPkV%2BJWNHMFm1fYyhHzPktocbnej%2BEW9OjecaRUfk7fUWwvVyia4JcasnDgeN6sYtu0jBdr6rpqESEjBieSnXSnXamjSjIi5ZgLgTD7NSL0DNy2xvq8ocUOSO%2FRikbDMRI&xmlOutput=true
==> ra-debug.log <==
Thu Jun  4 15:26:29 PDT 2009 - Thu Jun  4 15:26:29 PDT 2009 - URL '/agent/request/op.cgi?type=approve&id=1'
Thu Jun  4 15:26:29 PDT 2009 - Thu Jun  4 15:26:29 PDT 2009 - Param type='approve'
Thu Jun  4 15:26:29 PDT 2009 - Thu Jun  4 15:26:29 PDT 2009 - Param id='1'
Thu Jun  4 15:26:29 PDT 2009 - in agent_auth: admin has roles: administrators,agents
Thu Jun  4 15:26:29 PDT 2009 - in agent_auth: authorized groups are: administrators,agents
Thu Jun  4 15:26:29 PDT 2009 - in agent_auth: group matched
Thu Jun  4 15:26:29 PDT 2009 - in agent_auth: group matched

==> access_log <==
10.14.52.236 - - [04/Jun/2009:15:26:29 -0700] "GET /agent/request/op.cgi?type=approve&id=1 HTTP/1.1" 200 6165
10.14.52.236 - - [04/Jun/2009:15:26:32 -0700] "GET /img/bkgrnd_greydots.png HTTP/1.1" 404 378
10.14.52.236 - - [04/Jun/2009:15:26:32 -0700] "GET /img/account_loggedin.gif HTTP/1.1" 404 379
10.14.52.236 - - [04/Jun/2009:15:26:32 -0700] "GET /img/corner_mainnav_bottom_chopped.png HTTP/1.1" 404 392
10.14.52.236 - - [04/Jun/2009:15:26:32 -0700] "GET /img/corner_mainnav_top_chopped.png HTTP/1.1" 404 389
10.14.52.236 - - [04/Jun/2009:15:26:32 -0700] "GET /img/greybar_tr.gif HTTP/1.1" 404 373
10.14.52.236 - - [04/Jun/2009:15:26:32 -0700] "GET /img/greybar_br.gif HTTP/1.1" 404 373

==> error_log <==
Can't find certificate nethsm2k:subsystemCert cert-pki-ra
[Thu Jun 04 15:26:32 2009] [info] Subsequent (No.2) HTTPS request received for child 2 (server sigma.dsdev.sjc.redhat.com:12889)
[Thu Jun 04 15:26:32 2009] [error] [client 10.14.52.236] File does not exist: /var/lib/pki-ra/docroot/img, referer: https://sigma.dsdev.sjc.redhat.com:12889/css/pki-360.css
[Thu Jun 04 15:26:32 2009] [info] Subsequent (No.3) HTTPS request received for child 2 (server sigma.dsdev.sjc.redhat.com:12889)
[Thu Jun 04 15:26:32 2009] [error] [client 10.14.52.236] File does not exist: /var/lib/pki-ra/docroot/img, referer: https://sigma.dsdev.sjc.redhat.com:12889/css/pki-360.css
[Thu Jun 04 15:26:32 2009] [info] Subsequent (No.4) HTTPS request received for child 2 (server sigma.dsdev.sjc.redhat.com:12889)
[Thu Jun 04 15:26:32 2009] [error] [client 10.14.52.236] File does not exist: /var/lib/pki-ra/docroot/img, referer: https://sigma.dsdev.sjc.redhat.com:12889/css/pki-360.css
[Thu Jun 04 15:26:32 2009] [info] Subsequent (No.5) HTTPS request received for child 2 (server sigma.dsdev.sjc.redhat.com:12889)
[Thu Jun 04 15:26:32 2009] [error] [client 10.14.52.236] File does not exist: /var/lib/pki-ra/docroot/img, referer: https://sigma.dsdev.sjc.redhat.com:12889/css/pki-360.css
[Thu Jun 04 15:26:32 2009] [info] Subsequent (No.6) HTTPS request received for child 2 (server sigma.dsdev.sjc.redhat.com:12889)
[Thu Jun 04 15:26:32 2009] [error] [client 10.14.52.236] File does not exist: /var/lib/pki-ra/docroot/img, referer: https://sigma.dsdev.sjc.redhat.com:12889/css/pki-360.css
[Thu Jun 04 15:26:32 2009] [info] Subsequent (No.7) HTTPS request received for child 2 (server sigma.dsdev.sjc.redhat.com:12889)
[Thu Jun 04 15:26:32 2009] [error] [client 10.14.52.236] File does not exist: /var/lib/pki-ra/docroot/img, referer: https://sigma.dsdev.sjc.redhat.com:12889/css/pki-360.css

==> ra-debug.log <==
Thu Jun  4 15:26:32 PDT 2009 - benchmark total= 3 wallclock secs ( 0.02 usr  0.03 sys +  0.02 cusr  0.05 csys =  0.12 CPU) db total= 3 wallclock secs ( 0.01 usr  0.01 sys +  0.01 cusr  0.03 csys =  0.06 CPU) template total= 0 wallclock secs ( 0.01 usr +  0.00 sys =  0.01 CPU) 

============================================================================

Notice it says "Can't find certificate nethsm2k:subsystemCert cert-pki-ra".
[root@sigma logs]# certutil -L -d /var/lib/pki-ra/alias/ -h nethsm2k

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "nethsm2k":
nethsm2k:subsystemCert cert-pki-kra                          u,u,u
nethsm2k:auditSigningCert cert-pki-ca                        u,u,u
nethsm2k:ocspSigningCert cert-pki-ca                         u,u,u
nethsm2k:transportCert cert-pki-kra                          u,u,u
nethsm2k:auditSigningCert cert-pki-tks                       u,u,u
nethsm2k:Server-Cert cert-pki-ra                             u,u,u
nethsm2k:subsystemCert cert-pki-ocsp                         u,u,u
nethsm2k:auditSigningCert cert-pki-kra                       u,u,u
nethsm2k:auditSigningCert cert-pki-tps                       u,u,u
nethsm2k:subsystemCert cert-pki-ca                           u,u,u
nethsm2k:auditSigningCert cert-pki-ocsp                      u,u,u
nethsm2k:Server-Cert cert-pki-ca                             u,u,u
nethsm2k:Server-Cert cert-pki-tps                            u,u,u
nethsm2k:subsystemCert cert-pki-tks                          u,u,u
nethsm2k:caSigningCert cert-pki-ca                           CTu,Cu,Cu
nethsm2k:subsystemCert cert-pki-tps                          u,u,u
nethsm2k:Server-Cert cert-pki-ocsp                           u,u,u
nethsm2k:Server-Cert cert-pki-tks                            u,u,u
nethsm2k:ocspSigningCert cert-pki-ocsp                       u,u,u
nethsm2k:storageCert cert-pki-kra                            u,u,u
nethsm2k:Server-Cert cert-pki-kra                            u,u,u
nethsm2k:subsystemCert cert-pki-ra                           u,u,u
[root@sigma logs]#

Comment 1 Chandrasekar Kannan 2009-06-04 22:50:10 UTC
if RA is not on nethsm, this works fine.

Comment 2 Ade Lee 2009-06-16 06:20:11 UTC
Created attachment 348049 [details]
patch to fix

problem was that we were attempting to retrieve the subsystem-cert using the internal password - rather than the nethsm one.

cfu, please review!
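
Comment 2 diagnoses the failure as authenticating with the internal token's password for a certificate that lives on the HSM token, and the certutil -L listing in the description shows where the certificate actually is. The Python below is an added example, not part of this bug report and not Dogtag's Perl RA code (the real fix is in base/ra/lib/perl/PKI/Conn/CA.pm and is not reproduced here). It parses a certutil listing to confirm which token holds a nickname, derives the password.conf key from the "token:nickname" form, and contrasts the before-fix lookup with the token-aware one. The password.conf key names `internal` and `hardware-<token>`, the placeholder PIN values, and the FakeCertDB stand-in for NSS are assumptions made for this example.

```python
"""Token-aware NSS certificate lookup. Added example, not code from this bug
report or from Dogtag's Perl RA.

NSS nicknames of the form "token:nickname" name a certificate on a specific
PKCS#11 token, so the lookup must authenticate with that token's PIN. The
password.conf key names, PIN values and FakeCertDB are constructed here.
"""
import re

# Constructed password.conf (values are placeholders, not real secrets).
PASSWORD_CONF = """\
internal=internal-token-pin-PLACEHOLDER
hardware-nethsm2k=hsm-token-pin-PLACEHOLDER
"""

# certutil -L output, shortened from the report; trust columns are SSL,S/MIME,JAR/XPI.
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

nethsm2k:subsystemCert cert-pki-kra                          u,u,u
nethsm2k:Server-Cert cert-pki-ra                             u,u,u
nethsm2k:caSigningCert cert-pki-ca                           CTu,Cu,Cu
nethsm2k:subsystemCert cert-pki-ra                           u,u,u
"""

# A nickname, a run of two or more spaces, then three comma-separated trust groups.
_LISTING_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def split_nickname(full_nickname):
    """Split "token:nickname"; a bare nickname lives on the internal softoken."""
    token, sep, nick = full_nickname.partition(":")
    return (token, nick) if sep else ("internal", full_nickname)


def password_key_for(full_nickname):
    """password.conf key (assumed layout) holding the PIN of the cert's token."""
    token, _ = split_nickname(full_nickname)
    return "internal" if token == "internal" else f"hardware-{token}"


def parse_password_conf(text):
    """Parse key=value lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def parse_certutil_listing(text):
    """Map full nickname -> trust attribute string from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = _LISTING_RE.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def cert_location(listing, full_nickname):
    """Check the cert is on the expected token: (found, trust, tokens_holding_same_nick)."""
    certs = parse_certutil_listing(listing)
    if full_nickname in certs:
        return (True, certs[full_nickname], [])
    _, nick = split_nickname(full_nickname)
    others = [split_nickname(n)[0] for n in certs if split_nickname(n)[1] == nick]
    return (False, None, others)


class FakeCertDB:
    """Stand-in for an NSS database with a softoken plus one HSM token (constructed).

    A wrong PIN for the token makes the certificate unfindable, which is how
    the problem surfaced in the RA log ("Can't find certificate ...").
    """

    def __init__(self, listing, conf):
        self.certs = parse_certutil_listing(listing)
        self.conf = conf

    def find_cert(self, full_nickname, pin):
        if self.conf.get(password_key_for(full_nickname)) != pin:
            raise PermissionError(f"token rejected PIN for {full_nickname!r}")
        if full_nickname not in self.certs:
            raise LookupError(f"Can't find certificate {full_nickname}")
        return self.certs[full_nickname]


def find_cert_before_fix(db, full_nickname):
    """The mistake described in comment 2: always use the internal token's PIN."""
    return db.find_cert(full_nickname, db.conf["internal"])


def find_cert_after_fix(db, full_nickname):
    """Authenticate with the PIN of the token named in the nickname."""
    return db.find_cert(full_nickname, db.conf[password_key_for(full_nickname)])


if __name__ == "__main__":
    db = FakeCertDB(CERTUTIL_LISTING, parse_password_conf(PASSWORD_CONF))
    nick = "nethsm2k:subsystemCert cert-pki-ra"
    print("location:", cert_location(CERTUTIL_LISTING, nick))
    try:
        find_cert_before_fix(db, nick)
    except PermissionError as exc:
        print("before fix:", exc)
    print("after fix:", find_cert_after_fix(db, nick))
```

Run as a script it prints that the certificate is present on nethsm2k, that the before-fix lookup is rejected by the token, and that the token-aware lookup returns the trust flags. `cert_location` is the operational check: when an RA log says a nickname cannot be found, it tells you whether the nickname is absent or merely on a different token than the configuration names.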

Comment 3 Christina Fu 2009-06-16 14:55:25 UTC
https://bugzilla.redhat.com/attachment.cgi?id=348049
cfu+

Comment 4 Ade Lee 2009-06-16 15:47:56 UTC
[builder@oliver pki]$ svn ci -m "Bugzilla Bug #504240  RA (nethsm) : unable to approve server cert" base/ra
Sending        base/ra/lib/perl/PKI/Conn/CA.pm
Transmitting file data .
Committed revision 615.
[builder@oliver pki]$ svn ci -m "Bugzilla Bug #504240  RA (nethsm) : unable to approve server cert" dogtag
Sending        dogtag/ra/pki-ra.spec
Transmitting file data .
Committed revision 616.