Bug 1304609 - Unable to configure KRA subsystem, failed with error Error in creating admin user: java.io.IOException: Invalid Request"
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: pki-core
Version: 23
Hardware: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Matthew Harmsen
QA Contact: Fedora Extras Quality Assurance
Blocks: 1308752

Reported: 2016-02-04 02:32 EST by Nirupama Karandikar
Modified: 2016-12-20 13:25 EST
Doc Type: Bug Fix
Clone Of:
: 1308752 (view as bug list)
Last Closed: 2016-12-20 13:25:26 EST
Type: Bug


Attachments
ca-debug logs (4.17 MB, text/plain), 2016-02-04 02:32 EST, Nirupama Karandikar
kra INF file (857 bytes, text/plain), 2016-02-04 02:33 EST, Nirupama Karandikar
pkispawn logs (103.79 KB, text/plain), 2016-02-04 02:34 EST, Nirupama Karandikar
KRA debug logs (66.86 KB, text/plain), 2016-02-04 02:35 EST, Nirupama Karandikar

Description Nirupama Karandikar 2016-02-04 02:32:58 EST
Created attachment 1121042 [details]
ca-debug logs

Description of problem:
Unable to configure KRA subsystem in a separate Tomcat instance. Fails with error:

.fc23</Version></XMLResponse>
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... executing 'certutil -R -d /opt/Example1-RootKRA1/kra/alias -s cn=PKI Administrator,e=kraadmin@example.org,o=example.org Security Domain -k rsa -g 2048 -z /opt/Example1-RootKRA1/kra/alias/noise -f /opt/Example1-RootKRA1/kra/password.conf -o /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin'
pkispawn    : INFO     ....... rm -f /opt/Example1-RootKRA1/kra/alias/noise
pkispawn    : INFO     ....... BtoA /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin.asc
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error for url: https://pki1.example.org:14443/kra/rest/installer/configure
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Invalid Request"} 
pkispawn    : DEBUG    ....... Error Type: ParseError
pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err



Version-Release number of selected component (if applicable):
pki-ca-10.2.6-13.fc23.noarch
pki-kra-10.2.6-13.fc23.noarch
nss-3.21.0-1.1.fc23.x86_64


How reproducible:

Install and Configure CA
Install and configure KRA using the config file below

<snip>
[DEFAULT]
pki_instance_name=Example1-RootKRA1
pki_https_port=14443
pki_http_port=14080

#NSS DB Token Password
pki_token_password=Secret123

#RootKRA Admin password
pki_admin_password=Secret123

#Security Domain
pki_hostname=pki1.example.org
pki_security_domain_hostname=pki1.example.org
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123

#Client Dir
pki_client_dir=/opt/Example1-RootKRA1
pki_client_pkcs12_password=Secret123
pki_client_database_password=Secret123

#Backup
pki_backup_keys=True
pki_backup_password=Secret123

#ldap
pki_ds_hostname=pki1.example.org
pki_ds_ldap_port=1901
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=Secret123

[Tomcat]
pki_ajp_port=14009
pki_tomcat_server_port=14005

[KRA]
pki_admin_nickname=PKI KRA Administrator for Example Org
pki_import_admin_cert=False

</snip>


Actual results:
pkispawn fails to configure KRA

Expected results:

pkispawn should successfully configure KRA


Additional info:
CA debug logs show this error while creating the KRA admin cert

[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: Start parsePKCS10(): MIICrDCCAZQCAQAwZzEkMCIGA1UEChMbZXhhbXBsZS5vcmcgU2VjdXJpdHkgRG9t%0DYWluMSMwIQYJKoZIhvcNAQkBFhRrcmFhZG1pbkBleGFtcGxlLm9yZzEaMBgGA1UE%0DAxMRUEtJIEFkbWluaXN0cmF0b3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK%0DAoIBAQDGssnRrEBAwi03tz7d1cjhzPQuiyrkU8Sb8RBs65fEiJfqzGWQDQHHnQj%2F%0Do8NCP3IZXGbL%2FUIyPhZVymiCBaGNOEHa0LxkhEIzYGNNs80VJMmti0zoqvEnNh%2Fq%0DxZWNOcXmb0S3I1gep0TD%2BbUFP3WonrGgaRbwsQJbvUtsZh5aOlBAcNykE6mV2cXd%0DmUWbHXsRIQn29RRxNqWp7j5oxKdeWY2MMnw63vNNNcZO%2FN%2FveiqyoXdumU2MyPt%2B%0DE1QnDaTEvEJHdfupWtPwROVEctNEchXRP4Z3mh09vPLpDZKXEVRDZ8eZIMHcJdGs%0DHUkkmpmS98AN%2FKOZtFWlP7lFZUXfAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA%0DAtV9uFxaU5PqdXVlmQcoR7wAcTACxMD%2B6KioXixOEuYVGXs%2Fh88UNCyH0wq89ETv%0D6fW8t%2FRdTIdDKqXNIM9gU17HqQbPAWLVyoPCmZLH0OjXh3d%2B3RpwIdXduUWAMax1%0Dwry2826%2BeHHCLqglEspym2Iv0LrKi2EXZvCNm6d5ZXxbnfYuJKJHCNhADrwXrlRs%0DX6LJtu4R%2FAq8FvjCiGqiuELy6T5NiTlWphSGBsfN7HIX5Iy3cAY8cvdQkrgn745y%0DVFTtlU%2BzflRZnCUe2okn%2FyjY0vR8NCfGLn3UT9W99Sau7fAEQX4PsbmFIkFKE8XT%0DikbCEi%2FxsKYeVVwZOmfNtw%3D%3D%0D
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10: signature verification enabled
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10: use internal token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 setting thread token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 java.io.IOException: DerInput.getLength(): lengthTag=25, too big.
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 restoring thread token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: ProfileSubmitServlet: error in processing request: Invalid Request
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: CMSServlet: curDate=Thu Feb 04 13:03:15 IST 2016 id=caProfileSubmit time=58
Comment 1 Nirupama Karandikar 2016-02-04 02:33 EST
Created attachment 1121043 [details]
kra INF file
Comment 2 Nirupama Karandikar 2016-02-04 02:34 EST
Created attachment 1121044 [details]
pkispawn logs
Comment 3 Nirupama Karandikar 2016-02-04 02:35 EST
Created attachment 1121045 [details]
KRA debug logs
Comment 4 Matthew Harmsen 2016-02-04 12:20:24 EST
These days, pki-kra is part of the pki-core SRPM.
Comment 5 Matthew Harmsen 2016-02-04 12:23:42 EST
Upstream ticket:
https://fedorahosted.org/pki/ticket/1803
Comment 6 Nirupama Karandikar 2016-02-05 01:05:33 EST
Hello,

Configuring the OCSP subsystem failed with the same error: "Error in creating admin user: java.io.IOException: Invalid Request"

<snip>
# pkispawn -s OCSP -f ocsp-inst.inf -vv
...
...
..
pkispawn    : DEBUG    ........... chown 0:0 /opt/Example1-RootOCSP/ocsp/alias
pkispawn    : INFO     ....... executing 'certutil -N -d /opt/Example1-RootOCSP/ocsp/alias -f /opt/Example1-RootOCSP/ocsp/password.conf'
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd@Example1-RootOCSP.service'
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: HTTPSConnectionPool(host='pki1.example.org', port=18443): Max retries exceeded with url: /ocsp/admin/ocsp/getStatus (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7ff0680c8590>: Failed to establish a new connection: [Errno 111] Connection refused',))
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: HTTPSConnectionPool(host='pki1.example.org', port=18443): Max retries exceeded with url: /ocsp/admin/ocsp/getStatus (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7ff0680c8550>: Failed to establish a new connection: [Errno 111] Connection refused',))
pkispawn    : DEBUG    ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>OCSP</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse>
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... executing 'certutil -R -d /opt/Example1-RootOCSP/ocsp/alias -s cn=PKI Administrator,e=ocspadmin@example.org,o=example.org Security Domain -k rsa -g 2048 -z /opt/Example1-RootOCSP/ocsp/alias/noise -f /opt/Example1-RootOCSP/ocsp/password.conf -o /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin'
pkispawn    : INFO     ....... rm -f /opt/Example1-RootOCSP/ocsp/alias/noise
pkispawn    : INFO     ....... BtoA /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin.asc
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error for url: https://pki1.example.org:18443/ocsp/rest/installer/configure
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Invalid Request"} 
pkispawn    : DEBUG    ....... Error Type: ParseError
pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err


Installation failed.
</snip>

Hope this helps.
Niru
Comment 7 Endi Sukma Dewata 2016-02-19 09:06:07 EST
I was able to reproduce this. It's happening on subsystems installed on a separate instance since it needs to generate a new admin certificate. Subsystems installed on the same instance do not have this problem since they reuse an existing admin certificate.

This error should be investigated further on the CA:

[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 java.io.IOException: DerInput.getLength(): lengthTag=25, too big.
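
A triage helper for the value logged after "Start parsePKCS10():", as an added example that is not part of the bug report or of the PKI code base. It URL-decodes the value as logged, reports characters outside the base64 alphabet (the CA log shows %0D, a bare carriage return, after every 64-character line), and checks that the outer DER SEQUENCE length matches the decoded size. The function names and the sample request are constructed for illustration; the sample is a dummy SEQUENCE, not the CSR from the log.

```python
import base64
import binascii
import string
from urllib.parse import unquote

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def der_outer_length(der):
    """Return (header_len, content_len) of the outermost DER TLV."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    first = der[1]
    if first < 0x80:                       # short form: length in one octet
        return 2, first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        # Same class of rejection as the logged "lengthTag=25, too big".
        raise ValueError("bad DER length tag: %d" % n)
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def triage_logged_csr(logged):
    """Inspect a PKCS#10 value as printed after 'Start parsePKCS10():'."""
    text = unquote(logged)                 # undo %2F, %2B, %3D, %0D ...
    report = {"stray_chars": sorted({c for c in text if c not in B64_ALPHABET}),
              "der_ok": False, "der_len": 0, "error": None}
    cleaned = "".join(c for c in text if c in B64_ALPHABET)
    try:
        der = base64.b64decode(cleaned, validate=True)
        hdr, body = der_outer_length(der)
    except (binascii.Error, ValueError) as exc:
        report["error"] = str(exc)
        return report
    report["der_len"] = len(der)
    # A CertificationRequest is one SEQUENCE (tag 0x30) spanning the whole blob.
    report["der_ok"] = der[0] == 0x30 and hdr + body == len(der)
    return report


def make_sample():
    """Constructed sample: a 200-byte dummy SEQUENCE, not a real CSR."""
    b64 = base64.b64encode(bytes([0x30, 0x81, 197]) + bytes(197)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    # Mimic the log: 64-column lines, each followed by a URL-encoded bare CR.
    enc = {"+": "%2B", "/": "%2F", "=": "%3D"}
    return "".join("".join(enc.get(c, c) for c in l) + "%0D" for l in lines)
```

If the logged value passes this check once the stray characters are stripped, the request itself is intact and the characters reported in stray_chars are the place to look on the submitting side.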
Comment 8 Endi Sukma Dewata 2016-03-21 17:04:18 EDT
Fixed on master:
* baa64ee50a0d3c851cea791e01ce80de9edb040c
Comment 9 Mike McCune 2016-03-28 19:05:20 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 11 Fedora End Of Life 2016-11-24 10:23:13 EST
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 12 Fedora End Of Life 2016-12-20 13:25:26 EST
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
