Description of problem:
pkispawn fails occasionally with this failure: ACCESS_SESSION_ESTABLISH_FAILURE

Version-Release number of selected component (if applicable):
pki-ca-10.4.1-3.el7.noarch

How reproducible:
inconsistent

Steps to Reproduce:
1.

    [DEFAULT]
    pki_instance_name = topology-02-CA
    pki_https_port = 20443
    pki_http_port = 20080
    pki_token_password =
    pki_admin_password =
    pki_hostname = pki1.example.com
    pki_security_domain_name = topology-02_Foobarmaster.org
    pki_security_domain_password = Secret123
    pki_client_dir = /opt/topology-02-CA
    pki_client_pkcs12_password =
    pki_backup_keys = True
    pki_backup_password =
    pki_ds_password =
    pki_ds_ldap_port = 3389
    pki_ssl_server_key_algorithm=SHA512withRSA
    pki_ssl_server_key_size=2048
    pki_ssl_server_key_type=rsa
    pki_subsystem_key_algorithm=SHA512withRSA
    pki_subsystem_key_size=2048
    pki_subsystem_key_type=rsa

    [Tomcat]
    pki_ajp_port = 20009
    pki_tomcat_server_port = 20005

    [CA]
    pki_import_admin_cert = False
    pki_ds_hostname = pki1.example.com
    pki_admin_nickname = PKI CA Administrator for Example.Org
    pki_ca_signing_key_algorithm=SHA512withRSA
    pki_ca_signing_key_size=2048
    pki_ca_signing_key_type=rsa
    pki_ca_signing_signing_algorithm=SHA512withRSA
    pki_ocsp_signing_key_algorithm=SHA512withRSA
    pki_ocsp_signing_key_size=2048
    pki_ocsp_signing_key_type=rsa
    pki_ocsp_signing_signing_algorithm=SHA512withRSA

Using the above installation file, run pkispawn -s CA -f ca.cfg

Actual results:
pkispawn fails

Expected results:
pkispawn should be successful

Additional info:

    [03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: selftests startup start
    [03/May/2017:13:39:58][localhost-startStop-1]: SelfTestSubsystem.startup(): Do not run selftests in pre-op mode
    [03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: selftests startup done
    [03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: stats startup start
    [03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: stats startup done
    [03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: auths startup start
    [03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: auths startup done
    [03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: authz startup start
    [03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: authz startup done
    [03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: jobsScheduler startup start
    [03/May/2017:13:39:58][localhost-startStop-1]: CMSEngine: jobsScheduler startup done
    [03/May/2017:13:39:58][http-bio-23443-exec-1]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
    [03/May/2017:13:40:00][http-bio-23443-exec-2]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
    [03/May/2017:13:40:01][http-bio-23443-exec-3]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
    [03/May/2017:13:40:02][http-bio-23443-exec-4]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
    [03/May/2017:13:40:03][http-bio-23443-exec-5]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
    [03/May/2017:13:40:05][http-bio-23443-exec-6]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
    [03/May/2017:13:40:06][http-bio-23443-exec-7]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
    [03/May/2017:13:40:07][http-bio-23443-exec-8]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
    [03/May/2017:13:40:08][http-bio-23443-exec-9]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
    [03/May/2017:13:40:09][http-bio-23443-exec-10]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
    [03/May/2017:13:40:10][http-bio-23443-exec-11]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
    [03/May/2017:13:40:11][http-bio-23443-exec-12]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
    [03/May/2017:13:40:12][http-bio-23443-exec-13]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE
    [03/May/2017:13:40:14][http-bio-23443-exec-14]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_ESTABLISH_FAILURE

The problem only happens if the randomly generated NSS database password contains a backslash character. As a workaround, specify a fixed password without backslash, for example:

    [DEFAULT]
    pki_pin=Secret.123

Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.
Fixed in master:
* https://github.com/dogtagpki/pki/commit/29dbed75f1c214a065cd3bcc438d0584fd980d4f
*** Bug 1459337 has been marked as a duplicate of this bug. ***
[root@cloud-qe-19 ~]# rpm -qi pki-ca

    Name        : pki-ca
    Version     : 10.4.1
    Release     : 9.el7
    Architecture: noarch
    Install Date: Wed 14 Jun 2017 09:37:00 AM EDT
    Group       : System Environment/Daemons
    Size        : 2308437
    License     : GPLv2
    Signature   : (none)
    Source RPM  : pki-core-10.4.1-9.el7.src.rpm
    Build Date  : Tue 13 Jun 2017 02:08:27 PM EDT
    Build Host  : ppc-046.build.eng.bos.redhat.com
    Relocations : (not relocatable)
    Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
    Vendor      : Red Hat, Inc.
    URL         : http://pki.fedoraproject.org/
    Summary     : Certificate System - Certificate Authority

pkispawn was successful after trying a couple of times. Do we want to fail pkispawn with an appropriate error message if a pin with \ is provided in the installation file?
Yes, we can add some code to check user-provided password validity and generate the proper error message. Feel free to change the ticket to ASSIGNED or open a new ticket.
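
A pre-flight check of the kind discussed above, as an added example that is not part of the bug report and is not the project's own code: it scans a pkispawn installation file for secret values containing a backslash before pkispawn is run, and shows a random pin drawn from a backslash-free alphabet. The function names and the rule that any key ending in `_password` counts as a secret are assumptions; the report itself only names the NSS database password (`pki_pin`).

```python
import configparser
import secrets
import string

# Assumption: besides pki_pin (the NSS database password named in this report),
# any key ending in "_password" is treated as a secret worth checking.
def is_secret_key(key):
    return key == "pki_pin" or key.endswith("_password")

def find_backslash_secrets(cfg_text):
    """Return sorted (section, key) pairs whose value contains a backslash.

    Values are never returned or printed, so secrets stay out of logs.
    """
    # interpolation=None keeps values raw; a dummy default_section makes
    # [DEFAULT] an ordinary section so each key is reported exactly once.
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section="__unused__")
    parser.read_string(cfg_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if is_secret_key(key) and "\\" in (value or ""):
                hits.append((section, key))
    return sorted(hits)

def generate_pin(length=20):
    """Random pin drawn from an alphabet that excludes the backslash."""
    alphabet = string.ascii_letters + string.digits + "-_.+=@%"
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed sample input, not taken from a real deployment.
SAMPLE_CFG = r"""
[DEFAULT]
pki_instance_name = topology-02-CA
pki_pin = aB3\xY9
pki_security_domain_password = Secret123

[CA]
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_ds_password = pa\ss
"""

if __name__ == "__main__":
    for section, key in find_backslash_secrets(SAMPLE_CFG):
        print(f"[{section}] {key}: value contains a backslash; choose another")
    print("example replacement pin:", generate_pin())
```
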
Opened a new bug for comment 14 https://bugzilla.redhat.com/show_bug.cgi?id=1462973
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2110