Bug 1891577 - Sub-ordinate installation is failing with NullPointerException
Summary: Sub-ordinate installation is failing with NullPointerException
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Endi Sukma Dewata
QA Contact: PKI QE
URL:
Whiteboard:
Depends On: 1889830
Blocks:
Reported: 2020-10-26 17:38 UTC by Endi Sukma Dewata
Modified: 2021-05-18 15:25 UTC (History)

Fixed In Version: pki-core-10.6-8040020201118014620.d4d99205
Doc Text:
Clone Of: 1889830
Environment:
Last Closed: 2021-05-18 15:25:15 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Gitlab dogtagpki/pki/-/blob/master/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_subca.yml 0 None None None 2020-11-30 07:40:49 UTC

Description Endi Sukma Dewata 2020-10-26 17:38:19 UTC
+++ This bug was initially created as a clone of Bug #1889830 +++

Description of problem:
SubCA installation is failing with NullPointerException

Version-Release number of selected component (if applicable):
pki-10.10.0-0.1.alpha1.20201016000407UTC.d9607c2b.fc32.src.rpm

How reproducible:
Always

Steps to Reproduce:
1. pkispawn CA

[root@pki1 test_dir]# cat ca.cfg 
[DEFAULT]
pki_instance_name = topology-02-CA
pki_https_port = 20443
pki_http_port = 20080

pki_token_password = SECret.123

pki_admin_password = SECret.123
pki_admin_key_type=rsa
pki_admin_key_size=2048
pki_admin_key_algorithm=SHA512withRSA

pki_hostname = pki1.example.com
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = SECret.123

pki_client_dir = /opt/topology-02-CA
pki_client_pkcs12_password = SECret.123
pki_backup_keys = True
pki_backup_password = SECret.123
pki_ds_password = SECret.123
pki_ds_ldap_port = 3389

pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_key_size=2048
pki_sslserver_key_type=rsa

pki_subsystem_key_type=rsa
pki_subsystem_key_size=2048
pki_subsystem_key_algorithm=SHA512withRSA

pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA

[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005

[CA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI CA Administrator for Example.Org

pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA

pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA

# pkispawn -s CA -f ca.cfg --debug

2. Install SubCA

[root@pki1 test_dir]# cat subca.cfg 
[DEFAULT]
pki_instance_name=topology-SubCA-SubCA
pki_http_port=18080
pki_https_port=18443
pki_ajp_port=18009
pki_tomcat_server_port=18005

pki_admin_password=SECret.123
pki_client_dir = /opt/topology-SubCA-SubCA
pki_client_pkcs12_password = SECret.123
pki_ds_password=SECret.123
pki_ds_ldap_port=3389
pki_security_domain_password=SECret.123
pki_security_domain_hostname=pki1.example.com
pki_security_domain_https_port=20443
pki_security_domain_user=caadmin

pki_cert_chain_path=/var/lib/pki/topology-02-CA/alias/ca.crt

[CA]
pki_subordinate=True
pki_issuing_ca=https://pki1.example.com:20443
pki_ca_signing_subject_dn=cn=CA Subordinate Signing,o=example.com
pki_subordinate_create_new_security_domain=True
pki_subordinate_security_domain_name=SUBORDINATE

3. pkispawn -s CA -f subca.cfg --debug

Actual results:

INFO: Getting sslserver cert info from NSS database
DEBUG: Command: certutil -L -d /etc/pki/topology-SubCA-SubCA/alias -f /tmp/tmpy5855paj/password.txt -n Server-Cert cert-topology-SubCA-SubCA -a
DEBUG: Command: certutil -L -d /etc/pki/topology-SubCA-SubCA/alias -f /tmp/tmphjjmyq9c/password.txt
INFO: Setting up signing certificate
/usr/lib/python3.8/site-packages/urllib3/connection.py:411: SubjectAltNameWarning: Certificate for pki1.example.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
  warnings.warn(

Installation failed:
<!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 – Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> java.lang.NullPointerException</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
	org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
	org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
	org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:179)
	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:422)
	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)

Expected results:

SubCA installation should be successful without fail.

Additional info:

SubCA debug log has been attached.

Comment 10 errata-xmlrpc 2021-05-18 15:25:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1775

