Bug 1379928 - ExternalCA: pki cli doesn't detect third party issued certs while it works with browser
Status: CLOSED UPSTREAM
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Reported: 2016-09-28 07:13 UTC by Geetika Kapoor
Modified: 2020-10-04 21:45 UTC
Doc Type: If docs needed, set a value
Last Closed: 2020-02-10 04:06:02 UTC
Type: Bug

Links:
Fedora Pagure dogtagpki issue 2489 (last updated 2020-03-10 21:11:28 UTC)
Fedora Pagure dogtagpki issue 3118 (last updated 2020-03-10 21:11:28 UTC)
Github dogtagpki pki issue 2609 (last updated 2020-10-04 21:16:09 UTC)
Github dogtagpki pki issue 3235 (last updated 2020-10-04 21:45:46 UTC)

Description Geetika Kapoor 2016-09-28 07:13:17 UTC
Description of problem:

Imported the same ca_admin.p12 file into nssdb and the Firefox browser. The result varies in the case of externalCA.

1. dogtag RootCA:

signing request works from both UI and cli.

2. Dogtag ExternalCA

signing request works from UI only.

For a third party ROOTCA, cli commands failed with error:

ERROR: UNKNOWN_ISSUER encountered on 'CN=pki1.example.com,OU=TestExternal_master,O=EXAMPLE' results in a denied SSL server cert!

Version-Release number of selected component (if applicable):

10.3.3.10
How reproducible:

always
Steps to Reproduce:
1. I have an externalCA setup.
2. Submit a cert request from cli using
<output>
pki -d /tmp/test -c Secret123 -h pki1.example.com -p 25144 -n "caadmin" cert-request-review 8 --action=approve
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 9
  Type: enrollment
  Request Status: pending
  Operation Result: success


</output>

3. approve request.

pki -d /tmp/test -c Secret123 -h pki1.example.com -p 25144 -n "caadmin" cert-request-review 9 --action=approve
ERROR: UNKNOWN_ISSUER encountered on 'CN=pki1.example.com,OU=TestExternal_master,O=EXAMPLE' results in a denied SSL server cert!
IOException: SocketException cannot write on socket


Additional info:


Complete stack:

ExternalCA cert:

[root@pki1 ~]# pki -v -d /tmp/test -c Secret123 -h pki1.example.com -p 25144 -n "caadmin" cert-request-review 8 --action=approve
PKI options: -v -d /tmp/test -c Secret123
PKI command: pki1.example.com -h pki1.example.com -p 25144 -n caadmin cert-request-review 8 --action=approve
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /tmp/test -c Secret123 --verbose -h pki1.example.com -p 25144 -n caadmin cert-request-review 8 --action=approve
Server URI: http://pki1.example.com:25144
Client security database: /tmp/test
Message format: null
Command: cert-request-review 8 --action=approve
Initializing client security database
Logging into security token
Module: cert
HTTP request: GET /ca/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:25144
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Thu, 01 Jan 1970 05:30:00 IST
  Location: https://pki1.example.com:25142/ca/rest/account/login
  Content-Length: 0
  Date: Wed, 28 Sep 2016 14:20:17 GMT
HTTP redirect: https://pki1.example.com:25142/ca/rest/account/login
Client certificate: caadmin
HTTP request: GET /ca/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:25142
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=pki1.example.com,OU=TestExternal_master,O=EXAMPLE
ERROR: UNKNOWN_ISSUER encountered on 'CN=pki1.example.com,OU=TestExternal_master,O=EXAMPLE' results in a denied SSL server cert!
Server certificate: CN=pki1.example.com,OU=TestExternal_master,O=EXAMPLE
java.io.IOException: SocketException cannot write on socket
	at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1099)
	at org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:56)
	at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:147)
	at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:154)
	at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:278)
	at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:283)
	at org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:175)
	at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:260)
	at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125)
	at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:715)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:520)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
	at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62)
	at com.sun.proxy.$Proxy23.login(Unknown Source)
	at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:45)
	at com.netscape.cmstools.cli.ProxyCLI.execute(ProxyCLI.java:116)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:562)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:574)
ERROR: Command '[u'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', u'-Djava.ext.dirs=/usr/share/pki/lib', u'-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '/tmp/test', '-c', 'Secret123', '--verbose', '-h', 'pki1.example.com', '-p', '25144', '-n', 'caadmin', 'cert-request-review', '8', '--action=approve']' returned non-zero exit status 255

Comment 1 Matthew Harmsen 2016-09-28 15:54:00 UTC
Upstream ticket:
https://fedorahosted.org/pki/ticket/2489

Comment 3 Endi Sukma Dewata 2016-10-04 01:26:29 UTC
Geetika,

Could you try importing the external CA certificate into the client's NSS database? It's possible the external CA certificate was already imported into the browser in a previous test.

Comment 4 Geetika Kapoor 2016-10-04 03:35:12 UTC
Hello Endi,

I have tried the cert export and it didn't work out. Not sure if I am missing something. Please have a look:

1. [root@pki1 ~]# pki-server ca-cert-chain-export  -i TestExternal_master --pkcs12-file cert.p12 --pkcs12-password Secret123
---------------
Export complete
---------------
------------------------------------------------------------
Deleted certificate "subsystemCert cert-TestExternal_master"
------------------------------------------------------------


2. [root@pki1 ~]# pk12util -i cert.p12  -d /tmp/ex
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@pki1 ~]# certutil -L -d /tmp/ex

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert External CA                                    ,,   
caSigningCert cert-TestExternal_master CA                    ,,  

3. [root@pki1 ~]# pk12util -i /root/.dogtag/TestExternal_master/ca_admin_cert.p12 -d /tmp/ex
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL
You have new mail in /var/spool/mail/root
[root@pki1 ~]# certutil -L -d /tmp/ex

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert External CA                                    ,,   
caadmin                                                      u,u,u
caSigningCert cert-TestExternal_master CA                    ,,   

4. [root@pki1 ~]# pki  -d /tmp/ex -c Secret123 -h pki1.example.com -p 25144 -n "caadmin" cert-request-review 8 --action=approve
ERROR: UNKNOWN_ISSUER encountered on 'CN=pki1.example.com,OU=TestExternal_master,O=EXAMPLE' results in a denied SSL server cert!
IOException: SocketException cannot write on socket

Comment 5 Endi Sukma Dewata 2016-10-04 14:24:18 UTC
Geetika,

The CA certificates do not seem to be trusted yet. Could you set the trust attributes for both CA certificates to "CT,C,C"?

Comment 6 Geetika Kapoor 2016-10-04 15:08:11 UTC
[root@pki1 ~]# certutil -L -d /tmp/ex

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caadmin                                                      u,u,u
caSigningCert External CA                                    CT,C,C
caSigningCert cert-TestExternal_master CA                    CT,C,C
[root@pki1 ~]# pki -v  -d /tmp/ex -c Secret123 -h pki1.example.com -p 25144 -n "caadmin" cert-request-review 8 --action=approve
PKI options: -v -d /tmp/ex -c Secret123
PKI command: pki1.example.com -h pki1.example.com -p 25144 -n caadmin cert-request-review 8 --action=approve
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /tmp/ex -c Secret123 --verbose -h pki1.example.com -p 25144 -n caadmin cert-request-review 8 --action=approve
Server URI: http://pki1.example.com:25144
Client security database: /tmp/ex
Message format: null
Command: cert-request-review 8 --action=approve
Initializing client security database
Logging into security token
Module: cert
HTTP request: GET /ca/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:25144
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Thu, 01 Jan 1970 05:30:00 IST
  Location: https://pki1.example.com:25142/ca/rest/account/login
  Content-Length: 0
  Date: Tue, 04 Oct 2016 22:43:48 GMT
HTTP redirect: https://pki1.example.com:25142/ca/rest/account/login
Client certificate: caadmin
HTTP request: GET /ca/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:25142
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=pki1.example.com,OU=TestExternal_master,O=EXAMPLE
java.io.IOException: SocketException cannot write on socket
	at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1099)
	at org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:56)
	at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:147)
	at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:154)
	at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:278)
	at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:283)
	at org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:175)
	at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:260)
	at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125)
	at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:715)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:520)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
	at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62)
	at com.sun.proxy.$Proxy23.login(Unknown Source)
	at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:45)
	at com.netscape.cmstools.cli.ProxyCLI.execute(ProxyCLI.java:116)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:562)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:574)
ERROR: Command '[u'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', u'-Djava.ext.dirs=/usr/share/pki/lib', u'-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '/tmp/ex', '-c', 'Secret123', '--verbose', '-h', 'pki1.example.com', '-p', '25144', '-n', 'caadmin', 'cert-request-review', '8', '--action=approve']' returned non-zero exit status 255

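As an added example (not part of this bug report or of the pki project), a POSIX shell check for the condition comment 5 points at: it parses `certutil -L` output and lists CA signing certs whose SSL trust flags lack "C", the state that produces UNKNOWN_ISSUER in the pki CLI. The function names are assumptions, and the embedded listings are constructed from the outputs shown in comments 4 and 6.

```shell
#!/bin/sh
# Added example, not from the bug report: find CA signing certs in a
# `certutil -L` listing whose SSL trust column (first of SSL,S/MIME,JAR/XPI)
# does not carry the "C" (trusted CA) flag. The listing is read on stdin.
untrusted_cas() {
  awk '
    /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
    {
      trust = $NF                              # last column: trust attributes
      nick = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)    # drop the trust column, keep nickname
      split(trust, flags, ",")                 # flags[1] is the SSL trust string
      if (nick ~ /^caSigningCert/ && flags[1] !~ /C/) print nick
    }'
}

# Run the check against a real client database (e.g. /tmp/ex from the report).
# Each nickname printed still needs:  certutil -M -d <dbdir> -n "<nick>" -t "CT,C,C"
check_nssdb() {
  certutil -L -d "$1" | untrusted_cas
}

# Constructed samples taken from the listings in comments 4 and 6.
BEFORE_TRUST='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert External CA                                    ,,
caadmin                                                      u,u,u
caSigningCert cert-TestExternal_master CA                    ,,'

AFTER_TRUST='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caadmin                                                      u,u,u
caSigningCert External CA                                    CT,C,C
caSigningCert cert-TestExternal_master CA                    CT,C,C'

printf '%s\n' "$BEFORE_TRUST" | untrusted_cas   # prints both caSigningCert nicknames
printf '%s\n' "$AFTER_TRUST"  | untrusted_cas   # prints nothing
```
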
Comment 7 Endi Sukma Dewata 2016-10-04 20:32:06 UTC
Geetika,

I was not able to reproduce the problem. Here's what I did:

1. Install CA with externally-signed CA certificate.
2. pki -c Secret123 client-init
3. pki -c Secret123 pkcs12-import --pkcs12-file ~/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password Secret123
4. pki -c Secret123 -n caadmin ca-user-find

In step #4 the CLI will ask whether to import the CA certificate (including the external CA). Once the certificate chain is imported, the command works just fine.

Could you try the same steps?

Comment 8 Geetika Kapoor 2016-10-05 09:37:45 UTC
Endi, I think the same issue we are seeing with 
https://bugzilla.redhat.com/show_bug.cgi?id=1381084

Basically, do you think we saw this issue wherever we need to sign a certificate using ExternalCA, because it is not able to trust the server, as the chain of ROOTCA certs is not in nssdb with the correct trust flags?
However, it works with the workaround.

Comment 9 Endi Sukma Dewata 2016-10-05 14:50:22 UTC
Per discussion with alee we're going to include the certificate chain in the PKCS #12 file so it's no longer necessary to import the certificate chain separately to the client database.

This is not a blocker since the certificate chain can still be imported separately.

Comment 11 Matthew Harmsen 2017-10-25 21:33:04 UTC
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6

Comment 12 Matthew Harmsen 2018-04-19 00:12:11 UTC
Per RHEL 7.5.z/7.6/8.0 Triage:  7.6

edewata: usability improvement

Comment 13 Matthew Harmsen 2018-07-03 23:52:21 UTC
Moved to RHEL 7.7.

Comment 14 Endi Sukma Dewata 2020-02-10 04:06:02 UTC
This ticket has been moved upstream:
https://pagure.io/dogtagpki/issue/3118
