Bug 643449

Summary: Retrieving cert chain on unsecure port fails
Product: [Retired] Dogtag Certificate System Reporter: Rob Crittenden <rcritten>
Component: CAAssignee: Matthew Harmsen <mharmsen>
Status: CLOSED EOL QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: high    
Version: 1.3CC: dpal, jgalipea, nkinder, ovasik
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-27 20:12:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 541012    
Attachments:
Description Flags
IPA install log none

Description Rob Crittenden 2010-10-15 16:09:47 UTC 
Description of problem:

Tested on Fedora 14.

Trying to retrieve the CA chain on the unsecure CA port fails with:

The server encountered an unexpected condition which prevented it from fulfilling the request.
Please consult your local administrator for further assistance. The Certificate System logs may provide further information.

The debug log holds no information on the failure:

[15/Oct/2010:12:07:33][http-9180-Processor24]: CMSServlet:service() uri = /ca/ee/ca/getCertChain
[15/Oct/2010:12:07:33][http-9180-Processor24]: CMSServlet: caGetCertChain start to service.

The system log has this:

11746.main - [15/Oct/2010:11:38:12 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
11746.main - [15/Oct/2010:11:38:13 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
11746.http-9445-Processor19 - [15/Oct/2010:11:41:12 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
11746.http-9445-Processor21 - [15/Oct/2010:11:44:19 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException

Version-Release number of selected component (if applicable):

pki-ca-1.3.6-1.fc14.noarch

Steps to Reproduce:
1. /usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca
2. Install 389-ds instance
3. Go to URL per pkicreate output and set up an instance
4. curl http://localhost:9180/ca/ee/ca/getCertChain
Comment 3 Rob Crittenden 2010-10-22 14:03:45 UTC 
The curl request returns a 500 error with a generic response:

document.write('The server encountered an unexpected condition which prevented it from fulfilling the request.<br>');
document.write('Please consult your local administrator for further assistance. The Certificate System logs may provide further information.');
document.write('</font></b><br></td>');
Comment 4 Rob Crittenden 2010-10-22 14:11:08 UTC 
Created attachment 455081 [details]
IPA install log
Comment 5 Rob Crittenden 2010-11-29 19:42:50 UTC 
Jan Zeleny determined that it is due to a missing jar file. This fixes it:

ln -s /usr/share/java/xalan-j2-serializer.jar /usr/share/tomcat5/common/lib/xalan-j2-serializer.jar
Comment 6 Rob Crittenden 2010-11-29 19:45:15 UTC 
IPA ticket https://fedorahosted.org/freeipa/ticket/320
Comment 7 John Dennis 2010-12-03 22:34:41 UTC 
I have tested this against the new tomcat 6 port on the current tip and there isn't a problem, this appears to be a tomcat 5 only issue. Reassigning this to Matt because he has a fix for tomcat 5 in the legacy area.
Comment 8 Matthew Harmsen 2010-12-14 23:48:20 UTC 
For tomcat 5, two fixes had been previously applied to the 'pki/dogtag/common/pki-common.spec' file used by the legacy build system (on the TIP):

    dogtag/common/pki-common.spec:Requires:       %{_javadir}/xalan-j2-serializer.jar

    dogtag/common/pki-common.spec:ln -s %{_javadir}/xalan-j2-serializer.jar xalan-j2-serializer.jar


NOTE:  No new "official" respins of Dogtag 1.3 which utilized tomcat 5 are
       currently planned for any Fedora platform!


For tomcat 6, the following (potentially un-necessary fix) had been previously applied to the 'pki/specs/pki-core.spec' file used by the cmake build system (on the TIP):

    specs/pki-core.spec:Requires:         %{_javadir}/xalan-j2-serializer.jar

NOTE:  This change will be "officially" provided once Dogtag 9.0 which utilizes
       tomcat 6 is released to the general public (planned for Fedora 14+).
Comment 9 Nathan Kinder 2010-12-15 01:19:37 UTC 
(In reply to comment #8)
> NOTE:  This change will be "officially" provided once Dogtag 9.0 which utilizes
>        tomcat 6 is released to the general public (planned for Fedora 14+).

What is the timeframe for this?   This breaks the installer for FreeIPA.