Description of problem:
During two-step installation of externally-signed CA, installation can fail because host authority's private key cannot be located (a temporary condition), causing LWCA key replication codepaths to fire, which throw a NullPointerException because the host authority has not yet been assigned an AuthorityID.

Version-Release number of selected component (if applicable):

How reproducible:
Always?

Steps to Reproduce:
1. install CA using two-step externally-signed process

Actual results:
Installation fails with following output:

======================
Log file: /var/log/pki/pki-ca-spawn.20160921163609.log
Loading deployment configuration from external-step2.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
Installation failed: <!DOCTYPE html><html><head><title>Apache Tomcat/8.0.36 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 500 - java.lang.NullPointerException</h1><div class="line"></div><p><b>type</b> Exception report</p><p><b>message</b> <u>java.lang.NullPointerException</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b></p><pre>org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
...
</pre><p><b>root cause</b></p><pre>java.lang.NullPointerException
java.util.TreeMap.getEntry(TreeMap.java:347)
java.util.TreeMap.containsKey(TreeMap.java:232)
java.util.Collections$SynchronizedMap.containsKey(Collections.java:2578)
com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1572)
com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:525)
com.netscape.cmscore.apps.CMSEngine.reinit(CMSEngine.java:1344)
com.netscape.certsrv.apps.CMS.reinit(CMS.java:191)
com.netscape.cms.servlet.csadmin.ConfigurationUtils.reInitSubsystem(ConfigurationUtils.java:2299)
org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:181)
org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:121)
...
</pre><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/8.0.36 logs.</u></p><hr class="line"><h3>Apache Tomcat/8.0.36</h3></body></html>
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
======================

Expected results:
installation succeeds

Additional info:
Moving from rhel-7.3.0 ==> rhel-7.4.0.

Bug has been marked as RHEL 7.3 ZStream candidate.
*** Bug 1378517 has been marked as a duplicate of this bug. ***
On September 23, 2016, ftweedal checked-in the following:
* master (3ea93c9b4bc03f3d79550d8bdfd1447ffa25238d)
* DOGTAG_10_3_BRANCH (fca5fd053434d112998c814bc6d9424b6a5bac98)
Hi Fraser, do you think this much testing is sufficient or whether I need to cover some other test case too? Thanks

ExternalCA: Using Another pki instance:
---------------------------
1. CSR is generated using step1 installation.
-- Attributes:
   Requested Extensions:
     X509v3 Basic Constraints: critical
       CA:TRUE
     X509v3 Key Usage: critical
       Digital Signature, Non Repudiation, Certificate Sign, CRL Sign

2. Sign the request using RootCA(pki).

Test steps:
-----------
2.1. pki -U http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080 ca-cert-request-submit --profile caCACert --csr-file /tmp/ca_signing.csr
2.2. Approve it from CA Agent page.
2.3. Signed certificate Extensions:
     AKI for Externally signed certificate == SKI of Signing CA
     SKI for Externally signed CA should be new and unique.

     Extensions:
       Identifier: Authority Key Identifier - 2.5.29.35
         Critical: no
         Key Identifier:
           0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
           88:4D:23:18
       Identifier: Subject Key Identifier - 2.5.29.14
         Critical: no
         Key Identifier:
           3B:EB:A1:26:93:ED:D6:81:16:68:BB:AC:15:15:88:9A:
           97:EA:B4:87
       Identifier: Basic Constraints - 2.5.29.19
         Critical: yes
         Is CA: yes
         Path Length Constraint: UNLIMITED
       Identifier: Key Usage: - 2.5.29.15
         Critical: yes
         Key Usage:
           Digital Signature
           Non Repudiation
           Key CertSign
           Crl Sign
       Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
         Critical: no
         Access Description:
           Method #0: ocsp
           Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca/ocsp

2.4. Signing CA certificate Extensions:
     Since this is RootCA it's SKI == AKI

     Extensions:
       Identifier: Authority Key Identifier - 2.5.29.35
         Critical: no
         Key Identifier:
           0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
           88:4D:23:18
       Identifier: Basic Constraints - 2.5.29.19
         Critical: yes
         Is CA: yes
         Path Length Constraint: UNLIMITED
       Identifier: Key Usage: - 2.5.29.15
         Critical: yes
         Key Usage:
           Digital Signature
           Non Repudiation
           Key CertSign
           Crl Sign
       Identifier: Subject Key Identifier - 2.5.29.14
         Critical: no
         Key Identifier:
           0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
           88:4D:23:18
       Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
         Critical: no
         Access Description:
           Method #0: ocsp
           Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca/ocsp

3. Perform the last step where we need to do External CA installation.
   pkispawn -f ca_2.cfg -s CA -vvv
   This should give a successful installation.
4. Stop the ExternalCA process. Change the cipher and restart.
5. Make sure you are able to sign the certificate.

==========================================================================================================================================

ExternalCA with nssdb::
SECret.123
SECret.456

1. Self signed ExternalCA certificate of nssdb (external.crt) with no SKI:
   Usage of SKI is optional in case of self signed certificate.

           Exponent: 65537 (0x10001)
       X509v3 extensions:
           Netscape Cert Type:
               SSL CA, S/MIME CA, Object Signing CA
           X509v3 Basic Constraints: critical
               CA:TRUE
           X509v3 Key Usage:
               Certificate Sign

2. CA signing certificate signed by the External.crt

       X509v3 extensions:
           Authority Information Access:
               OCSP - URI:http://pki1.example.com:8080/ca/ocsp
           X509v3 Subject Key Identifier:
               9C:56:A5:59:82:99:BE:2E:BF:6A:64:BF:67:1F:18:36:43:F3:12:8F
           X509v3 Authority Key Identifier:
               0.
           X509v3 Basic Constraints: critical
               CA:TRUE
           X509v3 Key Usage: critical
               Digital Signature, Non Repudiation, Certificate Sign, CRL Sign

3. Proceed with step 2 installation.

   User Signed certificate extension

     Extensions:
       Identifier: Authority Key Identifier - 2.5.29.35
         Critical: no
         Key Identifier:
           9C:56:A5:59:82:99:BE:2E:BF:6A:64:BF:67:1F:18:36:
           43:F3:12:8F
       Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
         Critical: no
         Access Description:
           Method #0: ocsp
           Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:27080/ca/ocsp
       Identifier: Key Usage: - 2.5.29.15
         Critical: yes
         Key Usage:
           Digital Signature
           Non Repudiation
           Key Encipherment
       Identifier: Extended Key Usage: - 2.5.29.37
         Critical: no
         Extended Key Usage:
           1.3.6.1.5.5.7.3.2
           1.3.6.1.5.5.7.3.4

==================================================================================================================================
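As an added, runnable illustration of the two-step externally-signed flow and of the linkage checks the test plan above performs, the Go program below is example code written for this page; it is not Dogtag's code and not the `pki` or `pkispawn` tooling. It generates an external root, builds the step-1 CSR with the same requested extensions (CA:TRUE encoded as DER `30 03 01 01 ff`; the four key usages as a BIT STRING with bits 0, 1, 5 and 6 set, DER `03 02 01 c6`), signs it the way a CA-signing profile such as caCACert would, and then checks that the result's AKI equals the root's SKI, that its own SKI is present and distinct, and that it carries CA:TRUE and keyCertSign. Subject names and serial numbers are constructed for the example, and it relies on crypto/x509 (Go 1.15 or later) generating a subjectKeyIdentifier for CA certificates and copying the issuer's SKI into the AKI. It also covers the nssdb case above, where a self-signed external root carries no SKI: the AKI cannot then be matched by key identifier, so the check falls back to the issuer name plus the signature.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA:TRUE plus digitalSignature, nonRepudiation, keyCertSign and cRLSign, as a CA-signing profile sets them.
func caTemplate(subject pkix.Name, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // constructed serial
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment |
			x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewRootCA is the external signing CA. crypto/x509 adds an SKI to CA certificates itself (Go 1.15+).
func NewRootCA(cn string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := caTemplate(pkix.Name{CommonName: cn}, 1)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// NewCACSR is step 1: a CSR requesting critical basicConstraints CA:TRUE and critical keyUsage
// (digitalSignature, nonRepudiation, keyCertSign, cRLSign), the extensions the report's CSR requests.
func NewCACSR(cn string) (*ecdsa.PrivateKey, *x509.CertificateRequest) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: cn},
		ExtraExtensions: []pkix.Extension{
			{Id: asn1.ObjectIdentifier{2, 5, 29, 19}, Critical: true, Value: []byte{0x30, 0x03, 0x01, 0x01, 0xff}},
			{Id: asn1.ObjectIdentifier{2, 5, 29, 15}, Critical: true, Value: []byte{0x03, 0x02, 0x01, 0xc6}},
		},
	}
	der := must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
	return key, must(x509.ParseCertificateRequest(der))
}

// SignCACert is step 2 on the signing side: verify proof of possession, then issue the CA
// certificate. CreateCertificate copies the issuer's SKI into the new certificate's AKI.
func SignCACert(csr *x509.CertificateRequest, root *x509.Certificate, rootKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	der, err := x509.CreateCertificate(rand.Reader, caTemplate(csr.Subject, 2), root, csr.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckLinkage applies the test plan's checks: the certificate chains to the issuer, its AKI
// equals the issuer's SKI, and its own SKI is present and distinct. An issuer with no SKI (the
// self-signed nssdb case) cannot be matched by key id, so issuer name and signature carry that check.
func CheckLinkage(child, issuer *x509.Certificate) []string {
	var problems []string
	if err := child.CheckSignatureFrom(issuer); err != nil {
		problems = append(problems, "signature does not verify under issuer: "+err.Error())
	}
	if !child.BasicConstraintsValid || !child.IsCA || child.KeyUsage&x509.KeyUsageCertSign == 0 {
		problems = append(problems, "CA:TRUE or keyCertSign missing")
	}
	if len(child.SubjectKeyId) == 0 {
		problems = append(problems, "subjectKeyIdentifier missing")
	} else if bytes.Equal(child.SubjectKeyId, issuer.SubjectKeyId) {
		problems = append(problems, "SKI equals the issuer's SKI; it must be new and unique")
	}
	if len(issuer.SubjectKeyId) == 0 {
		if !bytes.Equal(child.RawIssuer, issuer.RawSubject) {
			problems = append(problems, "issuer name does not match the signing CA subject")
		}
	} else if !bytes.Equal(child.AuthorityKeyId, issuer.SubjectKeyId) {
		problems = append(problems, "AKI missing or not equal to the issuer's SKI")
	}
	return problems
}

func main() {
	rootKey, root := NewRootCA("External Root CA")
	_, csr := NewCACSR("CA Signing Certificate")
	sub := must(SignCACert(csr, root, rootKey))
	fmt.Printf("issuer SKI %x\nchild AKI  %x\nchild SKI  %x\n", root.SubjectKeyId, sub.AuthorityKeyId, sub.SubjectKeyId)
	fmt.Println("problems:", CheckLinkage(sub, root))
}
```

Run it with `go run`; it prints the three key identifiers (the child's AKI equal to the issuer's SKI, the child's SKI different from both) and an empty problem list. To apply the same checks to a real installation, load the signed ca_signing certificate and the external CA certificate with `x509.ParseCertificate` and pass them to `CheckLinkage` in that order; a reversed pair, a missing SKI, or a CSR whose signature does not verify are each reported rather than silently accepted.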
Any two-step externally-signed CA installation is sufficient to trigger the bug, so the above is sufficient.
Moving bug to verified
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2110