Bug 504240 - RA (nethsm) : unable to approve server cert
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: RA
Version: unspecified
Hardware: All Linux
Priority: urgent
Severity: medium
Assigned To: Ade Lee
QA Contact: Chandrasekar Kannan
Blocks: 443788
Reported: 2009-06-04 18:32 EDT by Chandrasekar Kannan
Modified: 2015-01-04 18:38 EST
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:36:06 EDT

Attachments
patch to fix (5.20 KB, patch)
2009-06-16 02:20 EDT, Ade Lee
Description Chandrasekar Kannan 2009-06-04 18:32:21 EDT
- installed today's build 06/04. system fully up2date.
- installed/configured all sub-systems to use nethsm2k
- Went to the RA EE Page. Submitted a CSR for approval
- Went to the RA Agent page. Attempt to approve shows
  CA Connection Error.

Here's the log information:

==> error_log <==
[Thu Jun 04 15:26:29 2009] [info] Connection to child 2 established (server sigma.dsdev.sjc.redhat.com:12889, client 10.14.52.236)
[Thu Jun 04 15:26:29 2009] [info] Initial (No.1) HTTPS request received for child 2 (server sigma.dsdev.sjc.redhat.com:12889)
POST /ca/ee/ca/profileSubmit HTTP/1.0
Content-Length: 600
Content-Type: application/x-www-form-urlencoded

profileId=caRAserverCert&requestor_name=&cert_request_type=pkcs10&subject=&cert_request=MIIBYDCBygIBADAhMQ8wDQYDVQQKEwZyZWRoYXQxDjAMBgNVBAMTBXRlc3QxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7%2FXaZUDQXeu30EhdeLkvaiem6ej%2FeEDkNzO1klt3N%2BZewv52g3cEWaYtLAsU7nA4S4afdFjyv5nnDgYIlosiwcZmjJniMSwM9yQ6Ijp6yTC%2BOm8WigAfQ52vQFpWmn7hJ%2Ft%2BPzdt3ehHV1iwFvvOGD3lEeBpCVuffNeee%2F6kI4wIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAYna4F4ncfzO3aaT393rVgBf7vHqQarespTr7s%2B0QJKPkV%2BJWNHMFm1fYyhHzPktocbnej%2BEW9OjecaRUfk7fUWwvVyia4JcasnDgeN6sYtu0jBdr6rpqESEjBieSnXSnXamjSjIi5ZgLgTD7NSL0DNy2xvq8ocUOSO%2FRikbDMRI&xmlOutput=true
==> ra-debug.log <==
Thu Jun  4 15:26:29 PDT 2009 - Thu Jun  4 15:26:29 PDT 2009 - URL '/agent/request/op.cgi?type=approve&id=1'
Thu Jun  4 15:26:29 PDT 2009 - Thu Jun  4 15:26:29 PDT 2009 - Param type='approve'
Thu Jun  4 15:26:29 PDT 2009 - Thu Jun  4 15:26:29 PDT 2009 - Param id='1'
Thu Jun  4 15:26:29 PDT 2009 - in agent_auth: admin has roles: administrators,agents
Thu Jun  4 15:26:29 PDT 2009 - in agent_auth: authorized groups are: administrators,agents
Thu Jun  4 15:26:29 PDT 2009 - in agent_auth: group matched
Thu Jun  4 15:26:29 PDT 2009 - in agent_auth: group matched

==> access_log <==
10.14.52.236 - - [04/Jun/2009:15:26:29 -0700] "GET /agent/request/op.cgi?type=approve&id=1 HTTP/1.1" 200 6165
10.14.52.236 - - [04/Jun/2009:15:26:32 -0700] "GET /img/bkgrnd_greydots.png HTTP/1.1" 404 378
10.14.52.236 - - [04/Jun/2009:15:26:32 -0700] "GET /img/account_loggedin.gif HTTP/1.1" 404 379
10.14.52.236 - - [04/Jun/2009:15:26:32 -0700] "GET /img/corner_mainnav_bottom_chopped.png HTTP/1.1" 404 392
10.14.52.236 - - [04/Jun/2009:15:26:32 -0700] "GET /img/corner_mainnav_top_chopped.png HTTP/1.1" 404 389
10.14.52.236 - - [04/Jun/2009:15:26:32 -0700] "GET /img/greybar_tr.gif HTTP/1.1" 404 373
10.14.52.236 - - [04/Jun/2009:15:26:32 -0700] "GET /img/greybar_br.gif HTTP/1.1" 404 373

==> error_log <==
Can't find certificate nethsm2k:subsystemCert cert-pki-ra
[Thu Jun 04 15:26:32 2009] [info] Subsequent (No.2) HTTPS request received for child 2 (server sigma.dsdev.sjc.redhat.com:12889)
[Thu Jun 04 15:26:32 2009] [error] [client 10.14.52.236] File does not exist: /var/lib/pki-ra/docroot/img, referer: https://sigma.dsdev.sjc.redhat.com:12889/css/pki-360.css
[Thu Jun 04 15:26:32 2009] [info] Subsequent (No.3) HTTPS request received for child 2 (server sigma.dsdev.sjc.redhat.com:12889)
[Thu Jun 04 15:26:32 2009] [error] [client 10.14.52.236] File does not exist: /var/lib/pki-ra/docroot/img, referer: https://sigma.dsdev.sjc.redhat.com:12889/css/pki-360.css
[Thu Jun 04 15:26:32 2009] [info] Subsequent (No.4) HTTPS request received for child 2 (server sigma.dsdev.sjc.redhat.com:12889)
[Thu Jun 04 15:26:32 2009] [error] [client 10.14.52.236] File does not exist: /var/lib/pki-ra/docroot/img, referer: https://sigma.dsdev.sjc.redhat.com:12889/css/pki-360.css
[Thu Jun 04 15:26:32 2009] [info] Subsequent (No.5) HTTPS request received for child 2 (server sigma.dsdev.sjc.redhat.com:12889)
[Thu Jun 04 15:26:32 2009] [error] [client 10.14.52.236] File does not exist: /var/lib/pki-ra/docroot/img, referer: https://sigma.dsdev.sjc.redhat.com:12889/css/pki-360.css
[Thu Jun 04 15:26:32 2009] [info] Subsequent (No.6) HTTPS request received for child 2 (server sigma.dsdev.sjc.redhat.com:12889)
[Thu Jun 04 15:26:32 2009] [error] [client 10.14.52.236] File does not exist: /var/lib/pki-ra/docroot/img, referer: https://sigma.dsdev.sjc.redhat.com:12889/css/pki-360.css
[Thu Jun 04 15:26:32 2009] [info] Subsequent (No.7) HTTPS request received for child 2 (server sigma.dsdev.sjc.redhat.com:12889)
[Thu Jun 04 15:26:32 2009] [error] [client 10.14.52.236] File does not exist: /var/lib/pki-ra/docroot/img, referer: https://sigma.dsdev.sjc.redhat.com:12889/css/pki-360.css

==> ra-debug.log <==
Thu Jun  4 15:26:32 PDT 2009 - benchmark total= 3 wallclock secs ( 0.02 usr  0.03 sys +  0.02 cusr  0.05 csys =  0.12 CPU) db total= 3 wallclock secs ( 0.01 usr  0.01 sys +  0.01 cusr  0.03 csys =  0.06 CPU) template total= 0 wallclock secs ( 0.01 usr +  0.00 sys =  0.01 CPU) 

============================================================================

Notice it says "Can't find certificate nethsm2k:subsystemCert cert-pki-ra".
[root@sigma logs]# certutil -L -d /var/lib/pki-ra/alias/ -h nethsm2k

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "nethsm2k":
nethsm2k:subsystemCert cert-pki-kra                          u,u,u
nethsm2k:auditSigningCert cert-pki-ca                        u,u,u
nethsm2k:ocspSigningCert cert-pki-ca                         u,u,u
nethsm2k:transportCert cert-pki-kra                          u,u,u
nethsm2k:auditSigningCert cert-pki-tks                       u,u,u
nethsm2k:Server-Cert cert-pki-ra                             u,u,u
nethsm2k:subsystemCert cert-pki-ocsp                         u,u,u
nethsm2k:auditSigningCert cert-pki-kra                       u,u,u
nethsm2k:auditSigningCert cert-pki-tps                       u,u,u
nethsm2k:subsystemCert cert-pki-ca                           u,u,u
nethsm2k:auditSigningCert cert-pki-ocsp                      u,u,u
nethsm2k:Server-Cert cert-pki-ca                             u,u,u
nethsm2k:Server-Cert cert-pki-tps                            u,u,u
nethsm2k:subsystemCert cert-pki-tks                          u,u,u
nethsm2k:caSigningCert cert-pki-ca                           CTu,Cu,Cu
nethsm2k:subsystemCert cert-pki-tps                          u,u,u
nethsm2k:Server-Cert cert-pki-ocsp                           u,u,u
nethsm2k:Server-Cert cert-pki-tks                            u,u,u
nethsm2k:ocspSigningCert cert-pki-ocsp                       u,u,u
nethsm2k:storageCert cert-pki-kra                            u,u,u
nethsm2k:Server-Cert cert-pki-kra                            u,u,u
nethsm2k:subsystemCert cert-pki-ra                           u,u,u
[root@sigma logs]#
Comment 1 Chandrasekar Kannan 2009-06-04 18:50:10 EDT
If RA is not on nethsm, this works fine.
Comment 2 Ade Lee 2009-06-16 02:20:11 EDT
Created attachment 348049
patch to fix

Problem was that we were attempting to retrieve the subsystem-cert using the internal password rather than the nethsm one.

cfu, please review!
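
Added example, not part of the original bug report and not the Dogtag patch: a sketch of the root cause named in comment 2, choosing the token password from the `token:` prefix of the certificate nickname and failing closed when that token has no entry. The `token=password` file layout, the `internal` key name and all function names are assumptions made for illustration.

```python
# Added example (not Dogtag code): pick the token password from a nickname.
INTERNAL = "internal"  # assumed key name for the NSS software token


def split_nickname(nickname):
    """Split 'token:cert name' into (token, cert name).

    A nickname without a 'token:' prefix lives on the internal token.
    """
    token, sep, name = nickname.partition(":")
    return (token, name) if sep else (INTERNAL, nickname)


def parse_password_conf(text):
    """Parse the assumed 'token=password' layout, skipping blanks and comments."""
    passwords = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            passwords[key.strip()] = value
    return passwords


def password_for(nickname, passwords):
    """Return (token, password) for the token that actually holds the cert.

    Fails closed: an unknown token raises instead of falling back to the
    internal password, which is the mismatch described in comment 2.
    """
    token, _ = split_nickname(nickname)
    if token not in passwords:
        raise KeyError(f"no password configured for token {token!r}")
    return token, passwords[token]


# Constructed sample input; the values are placeholders, not real secrets.
SAMPLE_CONF = """\
# constructed example
internal=INTERNAL-PLACEHOLDER
nethsm2k=HSM-PLACEHOLDER
"""

if __name__ == "__main__":
    conf = parse_password_conf(SAMPLE_CONF)
    print(password_for("nethsm2k:subsystemCert cert-pki-ra", conf)[0])
```
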
Comment 3 Christina Fu 2009-06-16 10:55:25 EDT
https://bugzilla.redhat.com/attachment.cgi?id=348049
cfu+
Comment 4 Ade Lee 2009-06-16 11:47:56 EDT
[builder@oliver pki]$ svn ci -m "Bugzilla Bug #504240  RA (nethsm) : unable to approve server cert" base/ra
Sending        base/ra/lib/perl/PKI/Conn/CA.pm
Transmitting file data .
Committed revision 615.
[builder@oliver pki]$ svn ci -m "Bugzilla Bug #504240  RA (nethsm) : unable to approve server cert" dogtag
Sending        dogtag/ra/pki-ra.spec
Transmitting file data .
Committed revision 616.
