This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .
Bug 2375332 - Missing registry entries for EST on upgraded server
Summary: Missing registry entries for EST on upgraded server
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Fedora
Classification: Fedora
Component: dogtag-pki
Version: 42
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Marco Fargetta
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-06-28 15:32 UTC by Pritam Singh
Modified: 2026-02-06 18:15 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-02-06 18:15:22 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 5149 0 None closed Missing registry entries for EST on upgraded server 2025-11-04 16:10:40 UTC
Red Hat Issue Tracker   DOGTAG-4280 0 None None None 2026-02-06 18:15:21 UTC

Description Pritam Singh 2025-06-28 15:32:48 UTC 
I've upgraded to the latest PKI version 11.7 from PKI-11.2 to reproduce: https://bugzilla.redhat.com/show_bug.cgi?id=2350322#c6, At the time of EST deployment on the upgraded PKI version, Adding estServiceCert profile to CA was not working and failing with error "Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null"

Builds:

# uname -r
6.15.3-200.fc42.x86_64

# rpm -qa | grep -e pki -e jss -e jackson -e resteasy | sort
dogtag-jss-5.7.0-0.1.alpha1.20250326234708UTC.26cced2e.fc42.x86_64
dogtag-jss-tomcat-5.7.0-0.1.alpha1.20250326234708UTC.26cced2e.fc42.x86_64
dogtag-pki-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.x86_64
dogtag-pki-acme-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-base-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-ca-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-est-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-java-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-javadoc-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-kra-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-ocsp-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-server-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-tests-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-theme-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-tks-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
dogtag-pki-tools-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.x86_64
dogtag-pki-tps-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch
python3-dogtag-pki-11.7.0-0.1.alpha1.20250625031635UTC.1d57ec76.fc42.noarch

Reproducible: Always

Steps to Reproduce:
1. Follow test procedure: https://bugzilla.redhat.com/show_bug.cgi?id=2350322#c6
2. Deploying EST on upgraded PKI 11.7 version, refer: https://docs.redhat.com/en/documentation/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/installation_and_configuration#installing-est-pki-server
3. Add EST profile using following command:
$ pki -p 8443 -u caadmin -w SECret.123 ca-profile-add --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg
Actual Results:
[root@pki1 fedora]# pki -p 8443 -u caadmin -w SECret.123 ca-profile-add --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg 
BadRequestException: Unable to create profile: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null

CA debug log:

2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: Creating profile from raw data
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - profileId: estServiceCert
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - classId: caEnrollImpl
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - name: EST Service Certificate Enrollment
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: ProfileService: - description: EST service certificate profile
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] SEVERE: Unable to create profile: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null
java.lang.NullPointerException: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null
    at com.netscape.cms.profile.common.Profile.init(Profile.java:269)
    at org.dogtagpki.server.ca.rest.v1.ProfileService.createProfileRaw(ProfileService.java:646)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
...
...
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
    at java.base/java.lang.Thread.run(Thread.java:1583)

2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: PKIExceptionMapper: Returning BadRequestException
2025-06-26 15:32:41 [https-jsse-jss-nio-8443-exec-4] INFO: PKIExceptionMapper: XML exception:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PKIException>
  <ClassName>com.netscape.certsrv.base.BadRequestException</ClassName>
  <Attributes/>
  <Code>400</Code>
  <Message>Unable to create profile: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "inputInfo" is null</Message>
</PKIException>

Expected Results:
EST profile add should work as expected.

Additional Information:
Missing parameters in upgraded PKI's registry.cfg file:

constraintPolicy.raClientAuthSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.RAClientAuthSubjectNameContraint
constraintPolicy.raClientAuthSubjectNameConstraintImpl.desc=RA Client Subject Name Constraint
constraintPolicy.raClientAuthSubjectNameConstraintImpl.name=RA Client Subject Name Constraint

raClientAuthInfoInputImpl from profileInput.ids=
raClientAuthSubjectNameConstraintImpl from constraintPolicy.ids=

profileInput.raClientAuthInfoInputImpl.class=com.netscape.cms.profile.input.RAClientAuthInfoInput
profileInput.raClientAuthInfoInputImpl.desc=RA Client Authentication Information Input
profileInput.raClientAuthInfoInputImpl.name=RA Client Authentication Information Input


As a workaround: When I replaced registry.cfg with latest or added above parameters in upgraded PKI's registry.cfg file, EST profile add worked.
Comment 1 Gilbert Kimetto 2026-02-06 18:15:54 UTC 
redhat-pki-javadoc-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
redhat-pki-acme-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
redhat-pki-console-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
python3-redhat-pki-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
redhat-pki-java-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
redhat-pki-tks-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
redhat-pki-base-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
redhat-pki-tools-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.x86_64
redhat-pki-est-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
redhat-pki-tps-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
redhat-pki-console-theme-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
redhat-pki-theme-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
redhat-pki-server-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
redhat-pki-kra-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
redhat-pki-ocsp-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
redhat-pki-ca-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.noarch
redhat-pki-11.9.0~beta1-1.module+el8pki+23926+82be6c4f.x86_64

RESULTS:

]# pki -p 8443 -u caadmin -w SECret.123 ca-profile-add --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg
HttpHostConnectException: Connect to pki1.example.com:8443 [pki1.example.com/10.0.187.21] failed: Connection refused
[root@vm-10-0-187-21 tmp]# pki -p 20443 -n 'PKI CA Administrator for Example.Org' -w SECret.123 ca-profile-add --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg
BadRequestException: Unable to create profile: Cannot invoke "com.netscape.cmscore.registry.PluginInfo.getClassName()" because "<local10>" is null
Note You need to log in before you can comment on or make changes to this bug.