user-cert-add CLI request to secure port with remote CA shows authentication failure.
Steps to Reproduce:
[root@vm-idm-002 ~]# pki -d /opt/rhqa_pki/certs_db -n OCSP3_adminV -c Secret123 -h XXXXX -t ocsp -p 31172 -P https -v user-cert-add ocsp_agent2 --serial=0x82
Server URI: https://XXXXX:31172/ocsp
Client security database: /opt/rhqa_pki/certs_db
Message format: null
Command: user-cert-add ocsp_agent2 --serial=0x82
Initializing client security database
Logging into security token
Module: user
Client certificate: OCSP3_adminV
HTTP request: GET /ocsp/rest/account/login HTTP/1.1
  Accept: application/xml
  Accept-Encoding: gzip, deflate
  Host: XXXXX:31172
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=XXXXX,O=Redhat
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Thu, 01 Jan 1970 05:30:00 IST
  Set-Cookie: JSESSIONID=31D1439495375824A1C4CD200D3EE6ED; Path=/ocsp/; Secure; HttpOnly
  Content-Type: application/xml
  Content-Length: 176
  Date: Fri, 24 Jul 2015 16:28:10 GMT
Account:
  - User ID: OCSP3_adminV
  - Full Name: OCSP3_Admin_ValidCert
  - Email: null
  - Roles: [Administrators]
Module: cert
Module: add
Downloading certificate 0x82.
HTTP request: GET /ocsp/rest/account/logout HTTP/1.1
  Accept: application/xml
  Accept-Encoding: gzip, deflate
  Host: XXXXX:31172
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=31D1439495375824A1C4CD200D3EE6ED
  Cookie2: $Version=1
HTTP response: HTTP/1.1 204 No Content
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Thu, 01 Jan 1970 05:30:00 IST
  Content-Type: application/xml
  Date: Fri, 24 Jul 2015 16:28:10 GMT
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:132)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:437)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:643)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
    at com.netscape.certsrv.client.SubsystemClient.exists(SubsystemClient.java:69)
    at com.netscape.cmstools.cli.MainCLI.createCAClient(MainCLI.java:280)
    at com.netscape.cmstools.user.UserCertAddCLI.execute(UserCertAddCLI.java:118)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
    at com.netscape.cmstools.user.UserCertCLI.execute(UserCertCLI.java:53)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
    at com.netscape.cmstools.user.UserCLI.execute(UserCLI.java:80)
    at com.netscape.cmstools.cli.ProxyCLI.execute(ProxyCLI.java:119)
    at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:557)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:569)
Expected results:
Should prompt for the CA's URL to get the certificate.
Additional info:
Reference bug: Bugzilla Bug #1237330 - user-cert-add --serial doesn't work with remote CA (https://bugzilla.redhat.com/show_bug.cgi?id=1237330)
Per CS/DS Meeting of 07/27/2015: 10.3
Moving to 10.3 per discussion with mharmsen.
Changes in master:
Changes in 10.3 branch:
Metadata Update from @aakkiang: - Issue assigned to edewata - Issue set to the milestone: 10.3.9
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2076
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.