Created attachment 1121042: ca-debug logs

Description of problem:

Unable to configure KRA subsystem in separate tomcat instance. Fails with error:

.fc23</Version></XMLResponse>
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO ....... executing 'certutil -R -d /opt/Example1-RootKRA1/kra/alias -s cn=PKI Administrator,e=kraadmin,o=example.org Security Domain -k rsa -g 2048 -z /opt/Example1-RootKRA1/kra/alias/noise -f /opt/Example1-RootKRA1/kra/password.conf -o /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin'
pkispawn : INFO ....... rm -f /opt/Example1-RootKRA1/kra/alias/noise
pkispawn : INFO ....... BtoA /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin.asc
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error for url: https://pki1.example.org:14443/kra/rest/installer/configure
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Invalid Request"}
pkispawn : DEBUG ....... Error Type: ParseError
pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn : DEBUG .......
  File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err

Version-Release number of selected component (if applicable):

pki-ca-10.2.6-13.fc23.noarch
pki-kra-10.2.6-13.fc23.noarch
nss-3.21.0-1.1.fc23.x86_64

How reproducible:

Install and Configure CA
Install and configure KRA using below config file

<snip>
[DEFAULT]
pki_instance_name=Example1-RootKRA1
pki_https_port=14443
pki_http_port=14080

#NSS DB Token Password
pki_token_password=Secret123

#RootKRA Admin password
pki_admin_password=Secret123

#Security Domain
pki_hostname=pki1.example.org
pki_security_domain_hostname=pki1.example.org
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123

#Client Dir
pki_client_dir=/opt/Example1-RootKRA1
pki_client_pkcs12_password=Secret123
pki_client_database_password=Secret123

#Backup
pki_backup_keys=True
pki_backup_password=Secret123

#ldap
pki_ds_hostname=pki1.example.org
pki_ds_ldap_port=1901
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=Secret123

[Tomcat]
pki_ajp_port=14009
pki_tomcat_server_port=14005

[KRA]
pki_admin_nickname=PKI KRA Administrator for Example Org
pki_import_admin_cert=False
</snip>

Actual results:

pkispawn fails to configure KRA

Expected results:

pkispawn should successfully configure KRA

Additional info:

CA Debug logs show this error while creating KRA Admin cert

[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: Start parsePKCS10(): MIICrDCCAZQCAQAwZzEkMCIGA1UEChMbZXhhbXBsZS5vcmcgU2VjdXJpdHkgRG9t%0DYWluMSMwIQYJKoZIhvcNAQkBFhRrcmFhZG1pbkBleGFtcGxlLm9yZzEaMBgGA1UE%0DAxMRUEtJIEFkbWluaXN0cmF0b3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK%0DAoIBAQDGssnRrEBAwi03tz7d1cjhzPQuiyrkU8Sb8RBs65fEiJfqzGWQDQHHnQj%2F%0Do8NCP3IZXGbL%2FUIyPhZVymiCBaGNOEHa0LxkhEIzYGNNs80VJMmti0zoqvEnNh%2Fq%0DxZWNOcXmb0S3I1gep0TD%2BbUFP3WonrGgaRbwsQJbvUtsZh5aOlBAcNykE6mV2cXd%0DmUWbHXsRIQn29RRxNqWp7j5oxKdeWY2MMnw63vNNNcZO%2FN%2FveiqyoXdumU2MyPt%2B%0DE1QnDaTEvEJHdfupWtPwROVEctNEchXRP4Z3mh09vPLpDZKXEVRDZ8eZIMHcJdGs%0DHUkkmpmS98AN%2FKOZtFWlP7lFZUXfAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA%0DAtV9uFxaU5PqdXVlmQcoR7wAcTACxMD%2B6KioXixOEuYVGXs%2Fh88UNCyH0wq89ETv%0D6fW8t%2FRdTIdDKqXNIM9gU17HqQbPAWLVyoPCmZLH0OjXh3d%2B3RpwIdXduUWAMax1%0Dwry2826%2BeHHCLqglEspym2Iv0LrKi2EXZvCNm6d5ZXxbnfYuJKJHCNhADrwXrlRs%0DX6LJtu4R%2FAq8FvjCiGqiuELy6T5NiTlWphSGBsfN7HIX5Iy3cAY8cvdQkrgn745y%0DVFTtlU%2BzflRZnCUe2okn%2FyjY0vR8NCfGLn3UT9W99Sau7fAEQX4PsbmFIkFKE8XT%0DikbCEi%2FxsKYeVVwZOmfNtw%3D%3D%0D
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10: signature verification enabled
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10: use internal token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 setting thread token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 java.io.IOException: DerInput.getLength(): lengthTag=25, too big.
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 restoring thread token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: ProfileSubmitServlet: error in processing request: Invalid Request
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: CMSServlet: curDate=Thu Feb 04 13:03:15 IST 2016 id=caProfileSubmit time=58
Created attachment 1121043: kra INF file
Created attachment 1121044: pkispawn logs
Created attachment 1121045: KRA debug logs
These days, pki-kra is part of the pki-core SRPM.
Upstream ticket: https://fedorahosted.org/pki/ticket/1803
Hello,

Configuring OCSP subsystem failed with same error "Error in creating admin user: java.io.IOException: Invalid Request"

<snip>
# pkispawn -s OCSP -f ocsp-inst.inf -vv
... ... ..
pkispawn : DEBUG ........... chown 0:0 /opt/Example1-RootOCSP/ocsp/alias
pkispawn : INFO ....... executing 'certutil -N -d /opt/Example1-RootOCSP/ocsp/alias -f /opt/Example1-RootOCSP/ocsp/password.conf'
pkispawn : INFO ....... executing 'systemctl daemon-reload'
pkispawn : INFO ....... executing 'systemctl start pki-tomcatd'
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: HTTPSConnectionPool(host='pki1.example.org', port=18443): Max retries exceeded with url: /ocsp/admin/ocsp/getStatus (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7ff0680c8590>: Failed to establish a new connection: [Errno 111] Connection refused',))
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: HTTPSConnectionPool(host='pki1.example.org', port=18443): Max retries exceeded with url: /ocsp/admin/ocsp/getStatus (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7ff0680c8550>: Failed to establish a new connection: [Errno 111] Connection refused',))
pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>OCSP</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse>
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO ....... executing 'certutil -R -d /opt/Example1-RootOCSP/ocsp/alias -s cn=PKI Administrator,e=ocspadmin,o=example.org Security Domain -k rsa -g 2048 -z /opt/Example1-RootOCSP/ocsp/alias/noise -f /opt/Example1-RootOCSP/ocsp/password.conf -o /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin'
pkispawn : INFO ....... rm -f /opt/Example1-RootOCSP/ocsp/alias/noise
pkispawn : INFO ....... BtoA /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin.asc
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error for url: https://pki1.example.org:18443/ocsp/rest/installer/configure
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Invalid Request"}
pkispawn : DEBUG ....... Error Type: ParseError
pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn : DEBUG .......
  File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err

Installation failed.
</snip>

Hope this helps.
Niru
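Both pkispawn tracebacks above end in `ET.fromstring(e.response.text)` raising ParseError on a JSON error body, which buries the server's actual message behind an XML parsing failure. The following is an added example, not code from pkispawn or from anyone in this thread: a hypothetical `parse_error_body` helper that chooses the parser from the Content-Type or the first character and falls back to the raw text. `JSON_BODY` is copied from the log; `XML_BODY` and all function names are assumptions.

```python
import json
import xml.etree.ElementTree as ET

# Constructed samples. JSON_BODY copies the error body printed in the
# pkispawn log; XML_BODY is an assumed XML rendering of the same fields.
JSON_BODY = ('{"Attributes":{"Attribute":[]},'
             '"ClassName":"com.netscape.certsrv.base.PKIException",'
             '"Code":500,"Message":"Error in creating admin user: '
             'java.io.IOException: Invalid Request"}')
XML_BODY = ('<PKIException><Code>500</Code>'
            '<Message>Invalid Request</Message></PKIException>')


def xml_only_parse_fails(text):
    """Reproduce the masking failure: feed the body straight to the XML parser."""
    try:
        ET.fromstring(text)
        return False
    except ET.ParseError:
        return True


def parse_error_body(text, content_type=""):
    """Hypothetical helper: return format, code and message without raising."""
    body = (text or "").strip()
    ctype = content_type.lower()
    order = []
    if "json" in ctype or body[:1] in ("{", "["):
        order.append("json")
    if "xml" in ctype or body[:1] == "<":
        order.append("xml")
    for fmt in order:
        try:
            if fmt == "json":
                doc = json.loads(body)
                code, msg = doc.get("Code"), doc.get("Message")
            else:
                root = ET.fromstring(body)
                code, msg = root.findtext("Code"), root.findtext("Message")
            code = int(code) if code is not None else None
            return {"format": fmt, "code": code, "message": msg}
        except (ValueError, TypeError, AttributeError, ET.ParseError):
            continue  # wrong guess or malformed body: try the next format
    # Nothing parsed: keep the raw text (bounded) so the real error survives.
    return {"format": "raw", "code": None, "message": body[:500]}
```

If the body can come from an untrusted peer, `defusedxml.ElementTree.fromstring` is the safer replacement for `ET.fromstring`.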
I was able to reproduce this. It's happening on subsystems installed on a separate instance since it needs to generate a new admin certificate. Subsystems installed on the same instance do not have this problem since they reuse an existing admin certificate. This error should be investigated further on the CA:

[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 java.io.IOException: DerInput.getLength(): lengthTag=25, too big.
Fixed on master: * baa64ee50a0d3c851cea791e01ce80de9edb040c
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.