+++ This bug was initially created as a clone of Bug #1304609 +++

Description of problem:
Unable to configure KRA subsystem in separate tomcat instance. Fails with error:

.fc23</Version></XMLResponse>
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO ....... executing 'certutil -R -d /opt/Example1-RootKRA1/kra/alias -s cn=PKI Administrator,e=kraadmin,o=example.org Security Domain -k rsa -g 2048 -z /opt/Example1-RootKRA1/kra/alias/noise -f /opt/Example1-RootKRA1/kra/password.conf -o /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin'
pkispawn : INFO ....... rm -f /opt/Example1-RootKRA1/kra/alias/noise
pkispawn : INFO ....... BtoA /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin.asc
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error for url: https://pki1.example.org:14443/kra/rest/installer/configure
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Invalid Request"}
pkispawn : DEBUG ....... Error Type: ParseError
pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn : DEBUG .......
  File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err

Version-Release number of selected component (if applicable):
pki-ca-10.2.6-13.fc23.noarch
pki-kra-10.2.6-13.fc23.noarch
nss-3.21.0-1.1.fc23.x86_64

How reproducible:
Install and Configure CA
Install and configure KRA using below config file

<snip>
[DEFAULT]
pki_instance_name=Example1-RootKRA1
pki_https_port=14443
pki_http_port=14080

#NSS DB Token Password
pki_token_password=Secret123

#RootKRA Admin password
pki_admin_password=Secret123

#Security Domain
pki_hostname=pki1.example.org
pki_security_domain_hostname=pki1.example.org
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123

#Client Dir
pki_client_dir=/opt/Example1-RootKRA1
pki_client_pkcs12_password=Secret123
pki_client_database_password=Secret123

#Backup
pki_backup_keys=True
pki_backup_password=Secret123

#ldap
pki_ds_hostname=pki1.example.org
pki_ds_ldap_port=1901
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=Secret123

[Tomcat]
pki_ajp_port=14009
pki_tomcat_server_port=14005

[KRA]
pki_admin_nickname=PKI KRA Administrator for Example Org
pki_import_admin_cert=False
</snip>

Actual results:
pkispawn fails to configure KRA

Expected results:
pkispawn should successfully configure KRA

Additional info:
CA Debug logs show this error while creating KRA Admin cert

[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: Start parsePKCS10():
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10: signature verification enabled
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10: use internal token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 setting thread token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 java.io.IOException: DerInput.getLength(): lengthTag=25, too big.
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 restoring thread token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: ProfileSubmitServlet: error in processing request: Invalid Request
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: CMSServlet: curDate=Thu Feb 04 13:03:15 IST 2016 id=caProfileSubmit time=58

--- Additional comment from Nirupama Karandikar on 2016-02-04 02:33 EST ---

--- Additional comment from Nirupama Karandikar on 2016-02-04 02:34 EST ---

--- Additional comment from Nirupama Karandikar on 2016-02-04 02:35 EST ---

--- Additional comment from Matthew Harmsen on 2016-02-04 12:20:24 EST ---

These days, pki-kra is part of the pki-core SRPM.

--- Additional comment from Matthew Harmsen on 2016-02-04 12:23:42 EST ---

Upstream ticket: https://fedorahosted.org/pki/ticket/1803

--- Additional comment from Nirupama Karandikar on 2016-02-05 01:05:33 EST ---

Hello,

Configuring OCSP subsystem failed with same error "Error in creating admin user: java.io.IOException: Invalid Request"

<snip>
# pkispawn -s OCSP -f ocsp-inst.inf -vv
...
...
..
pkispawn : DEBUG ........... chown 0:0 /opt/Example1-RootOCSP/ocsp/alias
pkispawn : INFO ....... executing 'certutil -N -d /opt/Example1-RootOCSP/ocsp/alias -f /opt/Example1-RootOCSP/ocsp/password.conf'
pkispawn : INFO ....... executing 'systemctl daemon-reload'
pkispawn : INFO ....... executing 'systemctl start pki-tomcatd'
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: HTTPSConnectionPool(host='pki1.example.org', port=18443): Max retries exceeded with url: /ocsp/admin/ocsp/getStatus (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7ff0680c8590>: Failed to establish a new connection: [Errno 111] Connection refused',))
pkispawn : DEBUG ........... No connection - server may still be down
pkispawn : DEBUG ........... No connection - exception thrown: HTTPSConnectionPool(host='pki1.example.org', port=18443): Max retries exceeded with url: /ocsp/admin/ocsp/getStatus (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7ff0680c8550>: Failed to establish a new connection: [Errno 111] Connection refused',))
pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>OCSP</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse>
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO ....... executing 'certutil -R -d /opt/Example1-RootOCSP/ocsp/alias -s cn=PKI Administrator,e=ocspadmin,o=example.org Security Domain -k rsa -g 2048 -z /opt/Example1-RootOCSP/ocsp/alias/noise -f /opt/Example1-RootOCSP/ocsp/password.conf -o /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin'
pkispawn : INFO ....... rm -f /opt/Example1-RootOCSP/ocsp/alias/noise
pkispawn : INFO ....... BtoA /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin.asc
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error for url: https://pki1.example.org:18443/ocsp/rest/installer/configure
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Invalid Request"}
pkispawn : DEBUG ....... Error Type: ParseError
pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn : DEBUG .......
  File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err

Installation failed.
</snip>

Hope this helps.

Niru
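The tracebacks in this report show the installer passing the server's JSON error body to ET.fromstring, so the resulting ParseError is what gets reported first. The following is an added example, not pkispawn's code or the upstream fix: an error-body parser that accepts either format and never raises. The function names and the XML element names are assumptions.

```python
import json
import xml.etree.ElementTree as ET

# Error body copied from the pkispawn log in this report.
JSON_BODY = (
    '{"Attributes":{"Attribute":[]},'
    '"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,'
    '"Message":"Error in creating admin user: '
    'java.io.IOException: Invalid Request"}'
)
# Constructed XML form of a similar error; element names are an assumption.
XML_BODY = (
    "<PKIException><ClassName>com.netscape.certsrv.base.PKIException"
    "</ClassName><Code>500</Code><Message>Invalid Request</Message>"
    "</PKIException>"
)


def parse_error_body(text):
    """Return (format, code, message); never raises on a malformed body."""
    text = (text or "").strip()
    if text.startswith("{"):
        try:
            doc = json.loads(text)
            if isinstance(doc, dict):
                return "json", doc.get("Code"), doc.get("Message")
        except ValueError:
            pass
    if text.startswith("<"):
        try:
            root = ET.fromstring(text)
            code = root.findtext("Code", "")
            return "xml", int(code) if code.isdigit() else None, root.findtext("Message")
        except ET.ParseError:
            pass
    # Unknown format: keep the raw text (bounded) so the message still surfaces.
    return "raw", None, text[:500]


def reproduce_masking(text):
    """XML parsing applied to a non-XML body, as in the traceback."""
    try:
        ET.fromstring(text)
    except ET.ParseError as exc:
        return str(exc)
    return None
```
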
edewata fixed in master: * baa64ee50a0d3c851cea791e01ce80de9edb040c
Unable to reproduce this issue.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2396.html