Bug 1308752 - Unable to configure KRA subsystem, failed with error Error in creating admin user: java.io.IOException: Invalid Request"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 7.3
Assignee: Matthew Harmsen
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On: 1304609
Blocks:
Reported: 2016-02-15 23:22 UTC by Matthew Harmsen
Modified: 2020-10-04 21:05 UTC (History)

Fixed In Version: pki-core-10.3.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1304609
Environment:
Last Closed: 2016-11-04 05:23:17 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | dogtagpki pki issues 2312 | 0 | None | closed | Unable to configure KRA subsystem, failed with error Error in creating admin user: java.io.IOException: Invalid Request" | 2020-11-25 11:28:13 UTC
Red Hat Product Errata | RHBA-2016:2396 | 0 | normal | SHIPPED_LIVE | pki-core bug fix and enhancement update | 2016-11-03 13:55:03 UTC

Description Matthew Harmsen 2016-02-15 23:22:03 UTC
+++ This bug was initially created as a clone of Bug #1304609 +++

Description of problem:
Unable to configure KRA subsystem in a separate Tomcat instance. Fails with error:

.fc23</Version></XMLResponse>
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... executing 'certutil -R -d /opt/Example1-RootKRA1/kra/alias -s cn=PKI Administrator,e=kraadmin,o=example.org Security Domain -k rsa -g 2048 -z /opt/Example1-RootKRA1/kra/alias/noise -f /opt/Example1-RootKRA1/kra/password.conf -o /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin'
pkispawn    : INFO     ....... rm -f /opt/Example1-RootKRA1/kra/alias/noise
pkispawn    : INFO     ....... BtoA /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin.asc
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error for url: https://pki1.example.org:14443/kra/rest/installer/configure
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Invalid Request"} 
pkispawn    : DEBUG    ....... Error Type: ParseError
pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err



Version-Release number of selected component (if applicable):
pki-ca-10.2.6-13.fc23.noarch
pki-kra-10.2.6-13.fc23.noarch
nss-3.21.0-1.1.fc23.x86_64


How reproducible:

Install and configure CA
Install and configure KRA using the config file below

<snip>
[DEFAULT]
pki_instance_name=Example1-RootKRA1
pki_https_port=14443
pki_http_port=14080

#NSS DB Token Password
pki_token_password=Secret123

#RootKRA Admin password
pki_admin_password=Secret123

#Security Domain
pki_hostname=pki1.example.org
pki_security_domain_hostname=pki1.example.org
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123

#Client Dir
pki_client_dir=/opt/Example1-RootKRA1
pki_client_pkcs12_password=Secret123
pki_client_database_password=Secret123

#Backup
pki_backup_keys=True
pki_backup_password=Secret123

#ldap
pki_ds_hostname=pki1.example.org
pki_ds_ldap_port=1901
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=Secret123

[Tomcat]
pki_ajp_port=14009
pki_tomcat_server_port=14005

[KRA]
pki_admin_nickname=PKI KRA Administrator for Example Org
pki_import_admin_cert=False

</snip>


Actual results:
pkispawn fails to configure KRA

Expected results:

pkispawn should successfully configure KRA


Additional info:
CA debug logs show this error while creating the KRA admin cert

[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: Start parsePKCS10(): MIICrDCCAZQCAQAwZzEkMCIGA1UEChMbZXhhbXBsZS5vcmcgU2VjdXJpdHkgRG9t%0DYWluMSMwIQYJKoZIhvcNAQkBFhRrcmFhZG1pbkBleGFtcGxlLm9yZzEaMBgGA1UE%0DAxMRUEtJIEFkbWluaXN0cmF0b3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK%0DAoIBAQDGssnRrEBAwi03tz7d1cjhzPQuiyrkU8Sb8RBs65fEiJfqzGWQDQHHnQj%2F%0Do8NCP3IZXGbL%2FUIyPhZVymiCBaGNOEHa0LxkhEIzYGNNs80VJMmti0zoqvEnNh%2Fq%0DxZWNOcXmb0S3I1gep0TD%2BbUFP3WonrGgaRbwsQJbvUtsZh5aOlBAcNykE6mV2cXd%0DmUWbHXsRIQn29RRxNqWp7j5oxKdeWY2MMnw63vNNNcZO%2FN%2FveiqyoXdumU2MyPt%2B%0DE1QnDaTEvEJHdfupWtPwROVEctNEchXRP4Z3mh09vPLpDZKXEVRDZ8eZIMHcJdGs%0DHUkkmpmS98AN%2FKOZtFWlP7lFZUXfAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA%0DAtV9uFxaU5PqdXVlmQcoR7wAcTACxMD%2B6KioXixOEuYVGXs%2Fh88UNCyH0wq89ETv%0D6fW8t%2FRdTIdDKqXNIM9gU17HqQbPAWLVyoPCmZLH0OjXh3d%2B3RpwIdXduUWAMax1%0Dwry2826%2BeHHCLqglEspym2Iv0LrKi2EXZvCNm6d5ZXxbnfYuJKJHCNhADrwXrlRs%0DX6LJtu4R%2FAq8FvjCiGqiuELy6T5NiTlWphSGBsfN7HIX5Iy3cAY8cvdQkrgn745y%0DVFTtlU%2BzflRZnCUe2okn%2FyjY0vR8NCfGLn3UT9W99Sau7fAEQX4PsbmFIkFKE8XT%0DikbCEi%2FxsKYeVVwZOmfNtw%3D%3D%0D
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10: signature verification enabled
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10: use internal token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 setting thread token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 java.io.IOException: DerInput.getLength(): lengthTag=25, too big.
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 restoring thread token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: ProfileSubmitServlet: error in processing request: Invalid Request
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: CMSServlet: curDate=Thu Feb 04 13:03:15 IST 2016 id=caProfileSubmit time=58

--- Additional comment from Nirupama Karandikar on 2016-02-04 02:33 EST ---



--- Additional comment from Nirupama Karandikar on 2016-02-04 02:34 EST ---



--- Additional comment from Nirupama Karandikar on 2016-02-04 02:35 EST ---



--- Additional comment from Matthew Harmsen on 2016-02-04 12:20:24 EST ---

These days, pki-kra is part of the pki-core SRPM.

--- Additional comment from Matthew Harmsen on 2016-02-04 12:23:42 EST ---

Upstream ticket:
https://fedorahosted.org/pki/ticket/1803

--- Additional comment from Nirupama Karandikar on 2016-02-05 01:05:33 EST ---

Hello,

Configuring the OCSP subsystem failed with the same error: "Error in creating admin user: java.io.IOException: Invalid Request"

<snip>
# pkispawn -s OCSP -f ocsp-inst.inf -vv
...
...
..
pkispawn    : DEBUG    ........... chown 0:0 /opt/Example1-RootOCSP/ocsp/alias
pkispawn    : INFO     ....... executing 'certutil -N -d /opt/Example1-RootOCSP/ocsp/alias -f /opt/Example1-RootOCSP/ocsp/password.conf'
pkispawn    : INFO     ....... executing 'systemctl daemon-reload'
pkispawn    : INFO     ....... executing 'systemctl start pki-tomcatd'
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: HTTPSConnectionPool(host='pki1.example.org', port=18443): Max retries exceeded with url: /ocsp/admin/ocsp/getStatus (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7ff0680c8590>: Failed to establish a new connection: [Errno 111] Connection refused',))
pkispawn    : DEBUG    ........... No connection - server may still be down
pkispawn    : DEBUG    ........... No connection - exception thrown: HTTPSConnectionPool(host='pki1.example.org', port=18443): Max retries exceeded with url: /ocsp/admin/ocsp/getStatus (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7ff0680c8550>: Failed to establish a new connection: [Errno 111] Connection refused',))
pkispawn    : DEBUG    ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>OCSP</Type><Status>running</Status><Version>10.2.6-13.fc23</Version></XMLResponse>
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... executing 'certutil -R -d /opt/Example1-RootOCSP/ocsp/alias -s cn=PKI Administrator,e=ocspadmin,o=example.org Security Domain -k rsa -g 2048 -z /opt/Example1-RootOCSP/ocsp/alias/noise -f /opt/Example1-RootOCSP/ocsp/password.conf -o /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin'
pkispawn    : INFO     ....... rm -f /opt/Example1-RootOCSP/ocsp/alias/noise
pkispawn    : INFO     ....... BtoA /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin /opt/Example1-RootOCSP/ocsp/alias/admin_pkcs10.bin.asc
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error for url: https://pki1.example.org:18443/ocsp/rest/installer/configure
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Invalid Request"} 
pkispawn    : DEBUG    ....... Error Type: ParseError
pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err


Installation failed.
</snip>

Hope this helps.
Niru
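
In both tracebacks above, the error handler in configure_pki_data passes the server's JSON error body to ET.fromstring, so the resulting ParseError sits in front of the server's own message. The following is an added example (not pki-core code and not the upstream fix) of an error-body reader that keeps the server message; the function name and the XML `<Message>` layout are assumptions.

```python
import json
import xml.etree.ElementTree as ET

# Error body copied from the pkispawn log above.
JSON_BODY = ('{"Attributes":{"Attribute":[]},'
             '"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,'
             '"Message":"Error in creating admin user: '
             'java.io.IOException: Invalid Request"}')
# Constructed sample: the XML error layout is an assumption, not from the page.
XML_BODY = "<PKIException><Message>Invalid Request</Message></PKIException>"


def extract_server_error(body):
    """Return (format, message) without letting a parse failure hide the body.

    Hypothetical helper: tries JSON, then XML, then falls back to raw text.
    """
    text = (body or "").strip()
    if text.startswith("{"):
        try:
            doc = json.loads(text)
        except ValueError:  # malformed JSON: fall through to the raw fallback
            doc = None
        if isinstance(doc, dict) and "Message" in doc:
            return "json", "%s (%s, code %s)" % (
                doc["Message"], doc.get("ClassName", "?"), doc.get("Code", "?"))
    elif text.startswith("<"):
        try:
            root = ET.fromstring(text)
        except ET.ParseError:  # malformed XML: fall through as well
            root = None
        if root is not None:
            node = root.find(".//Message")
            if node is not None and node.text:
                return "xml", node.text.strip()
    # Unknown or malformed body: report it verbatim (truncated) instead of raising.
    return "raw", text[:200]


if __name__ == "__main__":
    for sample in (JSON_BODY, XML_BODY, "Bad Gateway"):
        print(extract_server_error(sample))
```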

Comment 1 Matthew Harmsen 2016-04-15 21:38:59 UTC
edewata fixed in master:
* baa64ee50a0d3c851cea791e01ce80de9edb040c

Comment 3 Geetika Kapoor 2016-08-16 13:21:38 UTC
Unable to reproduce this issue.

Comment 5 errata-xmlrpc 2016-11-04 05:23:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html

