Bug 1883639 - Add KRA Transport and Storage Certificates profiles, audit for IPA
Summary: Add KRA Transport and Storage Certificates profiles, audit for IPA
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 7.9
Assignee: RHCS Maintainers
QA Contact: PKI QE
URL:
Whiteboard:
Depends On: 1869605 1875563
Blocks: 1872603 1872604
Reported: 2020-09-29 18:37 UTC by Dinesh Prasanth
Modified: 2021-03-16 13:48 UTC
CC List: 22 users

Fixed In Version: pki-core-10.5.18-11.el7_9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1875563
Environment:
Last Closed: 2021-03-16 13:48:22 UTC
Target Upstream Version:
Embargoed:



Description Dinesh Prasanth 2020-09-29 18:37:00 UTC
+++ This bug was initially created as a clone of Bug #1875563 +++

+++ This bug was initially created as a clone of Bug #1869605 +++

Description of problem:
My long-running FreeIPA public demo instance (upgraded to the newest Fedora from 2018) cannot update KRA certificates. They always end up with error "Server at "http://ipa.demo1.freeipa.org:8080/ca/ee/ca/profileSubmit" replied: Missing credential: sessionID"

# getcert list -i 20190903113316
Number of certificates and requests being tracked: 11.
Request ID '20190903113316':
	status: CA_UNREACHABLE
	ca-error: Internal error
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
	subject: CN=KRA Storage Certificate,O=DEMO1.FREEIPA.ORG
	expires: 2020-08-19 10:35:41 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-clientAuth
	profile: caInternalAuthDRMstorageCert
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "storageCert cert-pki-kra"
	track: yes
	auto-renew: yes

# getcert resubmit -i 20190903113316


# getcert list -i 20190903113316
Number of certificates and requests being tracked: 11.
Request ID '20190903113316':
	status: MONITORING
	ca-error: Server at "http://ipa.demo1.freeipa.org:8080/ca/ee/ca/profileSubmit" replied: Missing credential: sessionID
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
	subject: CN=KRA Storage Certificate,O=DEMO1.FREEIPA.ORG
	expires: 2020-08-19 10:35:41 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-clientAuth
	profile: caInternalAuthDRMstorageCert
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "storageCert cert-pki-kra"
	track: yes
	auto-renew: yes


Version-Release number of selected component (if applicable):
freeipa-server-4.8.7-1.fc32.x86_64
pki-ca-10.9.0-0.4.fc32.noarch
pki-kra-10.9.0-0.4.fc32.noarch
certmonger-0.79.11-2.fc32.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Check the status of renewed certificates with "getcert list"
2. Move the date or wait 1 week before KRA Transport/Storage Certificate expires
3. See if the certificate renews

Actual results:
Certificate does not renew

Expected results:
Certificate renews

Additional info:
I assume that the root cause is somewhere in updates of the certmonger tracking list.

--- Additional comment from Martin Kosek on 2020-08-18 10:53:45 UTC ---

Starting with FreeIPA component first, as this problem may be specific to FreeIPA deployment or upgrade process, rather than pki-core component (feel free to change!)

--- Additional comment from Rob Crittenden on 2020-08-18 20:58:42 UTC ---

I don't believe this is an issue with certmonger, it seems to be correctly reporting back an error from the CA.

Indeed this ignores IPA altogether and renews directly against the CA using the RA cert for auth.

So you need to look in the CA debug log for more details.

The journal may include the output that certmonger received.

--- Additional comment from Martin Kosek on 2020-08-19 12:36:35 UTC ---

Good point. Let me include output from certmonger and related PKI error file.

# systemctl status certmonger.service -l
● certmonger.service - Certificate monitoring and PKI enrollment
     Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled; vendor preset: disabled)
     Active: active (running) since Wed 2020-08-19 05:02:24 UTC; 7h ago
   Main PID: 807 (certmonger)
      Tasks: 2 (limit: 2335)
     Memory: 119.2M
        CPU: 25min 949ms
     CGroup: /system.slice/certmonger.service
             ├─  807 /usr/sbin/certmonger -S -p /run/certmonger.pid -n -d2
             └─11733 /usr/bin/python3 -I /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit

Aug 19 12:35:57 ipa.demo1.freeipa.org certmonger[11733]: Kh2TvPM0a8/8kr4WqVKH6GptBArjV/tRFRn1lr7xv1UkNoE6oy/ES2xDjrlzRTtp
Aug 19 12:35:57 ipa.demo1.freeipa.org certmonger[11733]: ZUQYCdrldOYWNrrKFtG5vq2jOd2tvYdwCcy33Rrszu0gc7EAH5qDiQ==
Aug 19 12:35:57 ipa.demo1.freeipa.org certmonger[11733]: -----END CERTIFICATE-----
Aug 19 12:35:57 ipa.demo1.freeipa.org certmonger[11733]: " for child.
Aug 19 12:35:57 ipa.demo1.freeipa.org certmonger[11733]: 2020-08-19 12:35:57 [11733] Redirecting stdin to /dev/null, leaving stdout and stderr open for child "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit".
Aug 19 12:35:57 ipa.demo1.freeipa.org certmonger[11733]: 2020-08-19 12:35:57 [11733] Running enrollment helper "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit".
Aug 19 12:35:59 ipa.demo1.freeipa.org /dogtag-ipa-ca-renew-agent-submit[11733]: Forwarding request to dogtag-ipa-renew-agent
Aug 19 12:35:59 ipa.demo1.freeipa.org dogtag-ipa-renew-agent-submit[11738]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Aug 19 12:35:59 ipa.demo1.freeipa.org /dogtag-ipa-ca-renew-agent-submit[11733]: dogtag-ipa-renew-agent returned 2
Aug 19 12:35:59 ipa.demo1.freeipa.org certmonger[807]: 2020-08-19 12:35:59 [807] Certificate submission still ongoing.

--- Additional comment from Martin Kosek on 2020-08-19 12:39:59 UTC ---

/var/log/pki/pki-tomcat/ca/debug.2020-07-14.log:

2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Property useThreadNaming not found
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting useThreadNaming=false
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CMSServlet:service() uri: /ca/ee/ca/profileSubmit
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CMSServlet::service() param name='profileId' value='caInternalAuthAuditSigningCert'
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CMSServlet::service() param name='cert_request_type' value='pkcs10'
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CMSServlet::service() param name='cert_request' value='(sensitive)'
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CMSServlet::service() param name='xml' value='true'
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CMSServlet::service() param name='requestor_name' value='IPA'
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CMSServlet: caProfileSubmit start to service.
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: GET r=http-request-params,k=authenticator,v=null,d=null
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: xmlOutput true
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: ProfileSubmitServlet: isRenewal false
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Property processor.caProfileSubmit.profileId not found
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting processor.caProfileSubmit.profileId=
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting processor.caProfileSubmit.authzResourceName=certServer.ee.profile
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting processor.caProfileSubmit.authzResourceName=certServer.ee.profile
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting processor.caProfileSubmit.authzResourceName=certServer.ee.profile
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Property processor.caProfileSubmit.authMgr not found
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting processor.caProfileSubmit.authMgr=
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting processor.caProfileSubmit.getClientCert=false
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting processor.caProfileSubmit.getClientCert=false
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting processor.caProfileSubmit.getClientCert=false
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Property processor.caProfileSubmit.profileSubId not found
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting processor.caProfileSubmit.profileSubId=
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Property processor.caProfileSubmit.ACLinfo not found
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting processor.caProfileSubmit.ACLinfo=
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting processor.caProfileSubmit.authzMgr=BasicAclAuthz
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting processor.caProfileSubmit.authzMgr=BasicAclAuthz
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting processor.caProfileSubmit.authzMgr=BasicAclAuthz
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting authz.sourceType=ldap
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting authz.sourceType=ldap
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: ServletUtils: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: ProfileSubmitServlet: profile: caInternalAuthAuditSigningCert
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: GET r=http-request-params,k=cert_request_type,v=pkcs10,d=null
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: GET r=http-request-params,k=cert_request,v=-----BEGIN NEW CERTIFICATE REQUEST-----[CSR body elided]-----END NEW CERTIFICATE REQUEST-----
,d=null
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: GET r=http-request-params,k=requestor_name,v=IPA,d=null
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: GET r=http-request-params,k=requestor_email,v=null,d=null
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: GET r=http-request-params,k=requestor_phone,v=null,d=null
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CAProcessor: Input Parameters:
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CAProcessor: - isRenewal: false
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CAProcessor: - remoteHost: 127.0.0.1
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CAProcessor: - cert_request_type: pkcs10
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CAProcessor: - profileId: caInternalAuthAuditSigningCert
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CAProcessor: - cert_request: (sensitive)
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CAProcessor: - requestor_name: IPA
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CAProcessor: - remoteAddr: 127.0.0.1
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: EnrollmentProcessor: isRenewal false
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: EnrollmentProcessor: profileId caInternalAuthAuditSigningCert
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting enable=true
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting enable=true
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: EnrollmentProcessor: set Inputs into profile Context
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: EnrollmentProcessor: authenticator TokenAuth found
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CertProcessor: Authentication credentials:
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: EnrollmentProcessor: set sslClientCertProvider
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: authenticate: authentication required.
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CAProcessor: in auditSubjectID
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CAProcessor: auditSubjectID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@c1c7291, profileContext={cert_request_type=pkcs10, cert_request=-----BEGIN NEW CERTIFICATE REQUEST-----[CSR body elided]-----END NEW CERTIFICATE REQUEST-----
, requestor_name=IPA}}
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CAProcessor auditSubjectID: subjectID: null
2020-08-19 12:35:50 [http-nio-8080-exec-23] SEVERE: CAProcessor: authentication error: Missing credential: sessionID
Missing credential: sessionID
	at com.netscape.cms.servlet.common.AuthCredentials.set(AuthCredentials.java:57)
	at com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:423)
	at com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:482)
	at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:178)
	at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:97)
	at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:276)
	at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:130)
	at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:494)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at sun.reflect.GeneratedMethodAccessor45.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
	at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: SignedAuditLogger: event AUTH
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting pidDir=/var/run/pki/tomcat
2020-08-19 12:35:50 [http-nio-8080-exec-23] FINEST: Getting pidDir=/var/run/pki/tomcat
2020-08-19 12:35:50 [http-nio-8080-exec-23] SEVERE: ProfileSubmitServlet: authentication error in processing request: Missing credential: sessionID
Missing credential: sessionID
	(stack trace identical to the one above)

2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: CMSServlet: curDate: Wed Aug 19 12:35:50 UTC 2020 id: caProfileSubmit time: 21

--- Additional comment from Rob Crittenden on 2020-08-20 11:58:09 UTC ---

I have no idea what session ID this is referring to and what is responsible for setting it. Need some assistance from the pki team on this.

--- Additional comment from Alex Scheel on 2020-08-20 15:29:49 UTC ---

Rob, note the profile used above:

2020-08-19 12:35:50 [http-nio-8080-exec-23] FINE: EnrollmentProcessor: profileId caInternalAuthAuditSigningCert

This profile (internalAuthAuditSigningCert) requires token authentication (passed as "sessionID"). This is only used during installation. 


However, above, in mkosek's request, we see:

	profile: caInternalAuthDRMstorageCert

So something is not correctly passing or handling the profile. It isn't obvious to me how or why or what changed, so I'll needinfo jmagne and cfu to see if they can assist.

--- Additional comment from Christina Fu on 2020-08-24 17:50:21 UTC ---

As Alex pointed out, those caInternalXXX enrollment profiles require "token authentication", where tokens are per "session" during installation.  They are only meant to be used for installation, unless of course someone has changed the "auth.instance_id" in those profiles to something else.  And that I would not recommend.  It's best if you create new profiles specific to your need.

Seeing that you seem to want to do "renewal", did you really intend to use those caInternalXXX profiles?  Has it always been the case for FreeIPA to renew using those profiles?  If so, then I suspect someone must have changed the auth.instance_id values for those profiles.

If you want to use RA cert to authenticate, the auth.instance_id value in the profile should be "AgentCertAuth".
Hope this helps.

--- Additional comment from Alex Scheel on 2020-08-24 21:37:10 UTC ---

To clarify, this is a bug in FreeIPA.


These profiles are for subsystem installation only. If you require similar profiles with agent auth, please ask. Until then, this commit should probably be reverted, as it will not work.

https://github.com/freeipa/freeipa/commit/3c388f5a228b767dfd92bd824dfced166acda143
https://github.com/freeipa/freeipa/blob/master/ipaserver/install/krainstance.py#L72

--- Additional comment from Christina Fu on 2020-08-24 22:01:21 UTC ---

So, I think the proper KRA profiles to use would be caStorageCert.cfg and caTransportCert.cfg.  However, the out of box authentication method used is manual agent approval for those.

If you wish to use RA cert to authenticate, copy each profile to something like ipaKRAStorageCert and ipaKRATransportCert, change the authentication id to the following:
auth.instance_id=AgentCertAuth

Anyways, there's a bit more details than that to create customized profiles.  Is this what you guys need from us?

--- Additional comment from Alexander Bokovoy on 2020-08-25 09:49:37 UTC ---

Yes, more details would be good to have.

My guess is that we need:

1. Create new profiles, as outlined by Christina in comment #9.

2. Add the profiles to LDAP store during upgrade or install

3. Add use of KRA profiles to a specific CA ACL so that IPA replica host can request one

4. Make sure to use the profiles when issuing KRA certificate

5. Convert existing KRA certificate's request in certmonger to use new profile

Most of these steps are on IPA side.

--- Additional comment from Martin Kosek on 2020-08-26 07:10:00 UTC ---

Thanks for the quick analysis. I think you are getting somewhere.
Please let me know if you need to get an access to the FreeIPA demo machine, I can easily provide it. But I assume this is a general problem, since I was not doing lot of special configuration to the FreeIPA demo, I just keep it up-to-date.

--- Additional comment from Rob Crittenden on 2020-08-26 19:19:10 UTC ---

I think Alexander's proposal is the way to go. We can't revert the suggested commit as it does more than just define the KRA tracking profiles. We'll adjust it with the new names once the profiles are created.

--- Additional comment from Asha Akkiangady on 2020-09-03 19:06:21 UTC ---



--- Additional comment from Christina Fu on 2020-09-09 20:52:13 UTC ---

Hi, I'm about to get started on this bug.  I just want to confirm if my understanding is correct on what's expected from RHCS:
 - I'll create the two profiles (in files), with proper CS.cfg changes
 - I'll create necessary upgrade scripts

I'd do minimum tests within CS itself just to make sure the profiles are correct.

--- Additional comment from Alexander Bokovoy on 2020-09-10 04:41:10 UTC ---

Christina,

Sounds good to me. Thank you!

--- Additional comment from Christina Fu on 2020-09-10 22:47:39 UTC ---

commit e6531d9bf0d7a4cbe346dc610c19ad3f41b2f18a (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu <cfu>
Date:   Thu Sep 10 14:19:25 2020 -0700

    Bug1875563-Add KRA Transport and Storage Certificates profiles for IPA
    
    This patch adds two profiles for IPA, namely
     caIPAKraTransportCert
     caIPAKraStorageCert
    
    Both are consistent with the existing profile caIPAserviceCert where
      visible=false
      auth.instance_id=raCertAuth
        raCertAuth is an instance of AgentCertAuth with
        agentGroup=Registration Manager Agents
    
    Upgrade scripts are provided to handle upgrades as well.
    
    fixes https://bugzilla.redhat.com/show_bug.cgi?id=1875563

--- Additional comment from Christina Fu on 2020-09-10 23:03:06 UTC ---

Test procedure for RHCS QE:

There are two things to test. 
 One being that the upgrade scripts work - this could be achieved by upgrading the rpms, restarting a previously installed instance, then observing that the two caIPAKra* profiles show up under /var/lib/pki/<instance>/ca/profiles/ca/

 The other being that the profiles actually work;
Here is the minimum test I did on the RHCS side (feel free to improve upon or automate it):
I edited both /var/lib/pki/<instance>/ca/profiles/ca/caIPAKraStorageCert.cfg
and /var/lib/pki/<instance>/ca/profiles/ca/caIPAKraTransportCert.cfg
so that 
visible=true
restart the CA

(QE, for this following step, I suggest you create a role user that belongs to Registration Manager Agents and load the user's cert to the browser to test)
I took a short cut and simply changed the auths.instance.raCertAuth.agentGroup= value in CS.cfg to Certificate Manager Agents and just use my CA agent cert.

I generated a PKCS#10 request. e.g.
PKCS10Client -d . -p netscape -n "CN=KRA Storage Certificate,OU=testUpgrade,O=ladycfu-caRSA072820" -l 2048 -o sys_kraStorage_pkcs10_upgrade.req

From browser, I went to EE portal (should be asked to authenticate using a cert; you'd want to select the RA user cert) profile list and pasted the request into each profile and submit.
The cert should be returned immediately.

--- Additional comment from Rob Crittenden on 2020-09-15 15:30:58 UTC ---

On a related note, does the "auditSigningCert cert-pki-kra" also need to be a separate profile? In IPA it uses the profile caInternalAuthAuditSigningCert for renewals.

--- Additional comment from Christina Fu on 2020-09-21 15:49:39 UTC ---

If that's what you need, yes I could add that.  I'm resetting this bug to Assigned

--- Additional comment from Florence Blanc-Renaud on 2020-09-25 12:56:39 UTC ---

Hi Christina,
I did a quick test with the new profiles and the certs don't get renewed when I use them:
# getcert list -i 20200925125218
Number of certificates and requests being tracked: 12.
Request ID '20200925125218':
	status: MONITORING
	ca-error: Server at "http://server.domain.com:8080/ca/ee/ca/profileSubmit" replied: Invalid Credential.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=DOMAIN.COM
	subject: CN=KRA Storage Certificate,O=DOMAIN.COM
	expires: 2022-09-15 14:51:01 CEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-clientAuth
	profile: caIPAKraStorageCert
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "storageCert cert-pki-kra"
	track: yes
	auto-renew: yes


/var/log/pki/pki-tomcat/ca/debug.2020-09-25.log:

2020-09-25 14:54:33 [http-nio-8080-exec-21] WARNING: CertProcessor: No authenticator credentials required
2020-09-25 14:54:33 [http-nio-8080-exec-21] SEVERE: AgentCertAuthentication: No SSL Client Certs Found
2020-09-25 14:54:33 [http-nio-8080-exec-21] SEVERE: CAProcessor: authentication error: Invalid Credential.
Invalid Credential.
	at com.netscape.cms.authentication.AgentCertAuthentication.authenticate(AgentCertAuthentication.java:164)
	at com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:434)
	at com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:486)
	at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:178)
	at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:97)
	at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:277)
	at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:130)
	at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:494)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
	at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

2020-09-25 14:54:33 [http-nio-8080-exec-21] SEVERE: ProfileSubmitServlet: authentication error in processing request: Invalid Credential.
Invalid Credential.
	at com.netscape.cms.authentication.AgentCertAuthentication.authenticate(AgentCertAuthentication.java:164)
	at com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:434)
	at com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:486)
	at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:178)
	at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:97)
	at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:277)
	at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:130)
	at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:494)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
	at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)


I checked the other profiles that IPA is using to renew the certs (caSignedLogCert, caOCSPCert, caSubsystemCert...) and they define auth.class_id= instead of auth.instance_id=raCertAuth.

--- Additional comment from Christina Fu on 2020-09-25 23:22:26 UTC ---

Hi Florence,
Ok, I must be mistaken in thinking that I should use the same authentication method as caIPAserviceCert.
So, if it is auth.class_id= (without any value after '='), that means the profile will require manual CA agent approval.
Could you confirm if that's what you want?
If so, I can make the change.  I'll also do the same with the audit one that Rob was asking about.

Please let me know. thanks!

--- Additional comment from Florence Blanc-Renaud on 2020-09-28 11:18:54 UTC ---

Hi Christina,

as far as I understand, the renewal for these certs is done in 2 steps from certmonger:
1/ the submission, which is not authenticated
2/ the approval, which requires the RA authentication

So yes, the profile requires CA agent approval.
Thanks

Comment 2 Christina Fu 2020-10-15 00:34:46 UTC
commit 73efcea0c74eb4882c003a7fe6cef21fa7627363 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date:   Tue Oct 13 16:19:06 2020 -0700

    Bug1883639-add profile caAuditSigningCert
    
      Existing profiles caStorageCert.cfg and caTransportCert.cfg
      should be used for KRA.
      a caAuditSigningCert profile is added, although I find
      a misleading profile named caSignedLogCert.cfg  that was intended for
      the use.  I disabled caSignedLogCert.cfg instead.
    
      I also removed the SHA1 algorithms from all the *storage* and *audit*
      profiles while I'm at it.
    
      The upgrade scripts only add the new profile caAuditSigningCert.  They
      do not modify existing profiles or remove those two IPA specific
      ones.
    
      fixes https://bugzilla.redhat.com/show_bug.cgi?id=1883639

Comment 3 Christina Fu 2020-10-15 00:38:22 UTC
Test procedure for RHCS QE:

There are two things to test.
One being that the upgrade scripts work - this could be achieved by upgrading the rpms and restarting a previously installed instance, then observing that the new caAuditSigningCert.cfg profile shows up under /var/lib/pki/<instance>/ca/profiles/ca/

The other being that the profile actually works;
Here is the minimum test I did on the RHCS side (feel free to improve upon or automate it):

I generated a PKCS#10 request. e.g.
PKCS10Client -d . -p netscape -n "CN=Audit Signing Certificate,OU=testUpgrade,O=ladycfu-caRSA072820" -l 2048 -o sys_auditSigning_pkcs10_upgrade.req

In the browser, I went to the EE portal, selected the Manual Audit Signing cert profile, pasted the request into it and submitted.
The request should be created successfully.
As a CA agent, approve the request, and the cert should be issued successfully.
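The checks in the two test procedures above (do the new profile files appear after the upgrade, is the profile visible) and the cause Florence diagnosed (a profile that sets auth.instance_id=raCertAuth rejects certmonger's unauthenticated submission with "Invalid Credential", while the profiles IPA renews through define an empty auth.class_id= and rely on agent approval) can be automated as a small profile lint. The script below is an added example, not code from pki-core or FreeIPA. It assumes only what the comments state: Dogtag profile .cfg files are flat key=value lines; the three profile names come from the bug and the commit message; the SHA1 check follows the commit's note that SHA1 algorithms were removed from the storage and audit profiles. The embedded sample profile is constructed and trimmed, not the real file, and the policyset key names in it are illustrative.

```python
"""Lint Dogtag CA enrollment profiles for certmonger-driven IPA renewal (added example)."""
import os
import re
from dataclasses import dataclass, field

# Profile names taken from the bug comments and the commit message; whether each is
# renewed via certmonger is an assumption of this example.
IPA_RENEWAL_PROFILES = ("caIPAKraStorageCert", "caIPAKraTransportCert", "caAuditSigningCert")

SHA1_PATTERN = re.compile(r"\bSHA1", re.IGNORECASE)


def parse_profile(text: str) -> dict:
    """Parse a Dogtag profile .cfg (flat key=value lines) into a dict.

    Blank lines and '#' comments are skipped. An empty value, as in the
    'auth.class_id=' line, is kept as '' because that emptiness is meaningful.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


@dataclass
class ProfileReport:
    name: str
    auth_mode: str            # "manual-approval", "agent-cert", "authenticated:<id>", "unspecified"
    visible: bool
    sha1_keys: list = field(default_factory=list)
    issues: list = field(default_factory=list)


def classify_auth(cfg: dict) -> str:
    """Map the profile's auth lines to the behaviour described in the bug."""
    instance = cfg.get("auth.instance_id", "")
    if instance == "raCertAuth":
        return "agent-cert"          # needs an agent client cert at submission time
    if instance:
        return "authenticated:" + instance
    if cfg.get("auth.class_id") == "":
        return "manual-approval"     # unauthenticated submit, CA agent approves
    return "unspecified"


def check_profile(name: str, text: str, certmonger_renewed: bool = True) -> ProfileReport:
    cfg = parse_profile(text)
    report = ProfileReport(name=name, auth_mode=classify_auth(cfg),
                           visible=cfg.get("visible", "false").lower() == "true")
    report.sha1_keys = sorted(k for k, v in cfg.items() if SHA1_PATTERN.search(v))
    if certmonger_renewed and report.auth_mode == "agent-cert":
        report.issues.append("auth.instance_id=raCertAuth: certmonger submits without a client "
                             "cert, so renewal fails with 'Invalid Credential'")
    if certmonger_renewed and report.auth_mode == "unspecified":
        report.issues.append("no auth.class_id= line: approval mode is unclear")
    for key in report.sha1_keys:
        report.issues.append(f"{key} still allows SHA1")
    if cfg.get("enable", "true").lower() != "true":
        report.issues.append("profile is disabled (enable=false)")
    return report


def missing_profiles(present: set, expected=IPA_RENEWAL_PROFILES) -> list:
    """Expected profile names the upgrade scripts should have created but did not."""
    return [p for p in expected if p not in present]


def lint_profile_dir(profile_dir: str) -> dict:
    """Run the checks over a real /var/lib/pki/<instance>/ca/profiles/ca/ directory."""
    names = {f[:-4] for f in os.listdir(profile_dir) if f.endswith(".cfg")}
    reports = {}
    for name in sorted(names):
        with open(os.path.join(profile_dir, name + ".cfg"), encoding="utf-8") as fh:
            reports[name] = check_profile(name, fh.read(),
                                          certmonger_renewed=name in IPA_RENEWAL_PROFILES)
    return {"missing": missing_profiles(names), "reports": reports}


# Constructed, trimmed sample resembling the profile as first shipped (not the real file).
SAMPLE_BEFORE = """\
desc=Constructed sample: KRA storage cert profile for IPA
visible=false
enable=true
enableBy=admin
name=Manual KRA Storage Certificate Enrollment
auth.instance_id=raCertAuth
policyset.list=storageCertSet
policyset.storageCertSet.list=1,2
policyset.storageCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.storageCertSet.2.constraint.class_id=signingAlgConstraintImpl
policyset.storageCertSet.2.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA
"""

# Same sample after the changes agreed in the bug: visible, empty auth.class_id=, no SHA1.
SAMPLE_AFTER = (SAMPLE_BEFORE.replace("auth.instance_id=raCertAuth", "auth.class_id=")
                .replace("SHA1withRSA,", "").replace("visible=false", "visible=true"))

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        r = check_profile("caIPAKraStorageCert", text)
        print(label, r.auth_mode, "visible" if r.visible else "hidden", r.issues or "OK")
```

Point `lint_profile_dir()` at the instance's profile directory after the rpm upgrade and restart: an empty `missing` list confirms the upgrade scripts dropped the new files in, and a report with no issues for each IPA profile confirms the auth lines match what certmonger's unauthenticated submit plus agent approval needs.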

Comment 38 errata-xmlrpc 2021-03-16 13:48:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: pki-core security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0851