Unable to publish CA certs to ldap server.
Steps to Reproduce:
1. Configure ldap publishing
2. Create publishing rule as below:
ca.publish.ldappublish.enable=true
ca.publish.ldappublish.ldap.ldapauth.authtype=BasicAuth
ca.publish.ldappublish.ldap.ldapauth.bindDN=cn=Directory Manager
ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt=CA LDAP Publishing
ca.publish.ldappublish.ldap.ldapconn.host=pki2.example.org
ca.publish.ldappublish.ldap.ldapconn.port=389
ca.publish.ldappublish.ldap.ldapconn.secureConn=false
ca.publish.ldappublish.ldap.ldapconn.version=3
ca.publish.mapper.impl.LdapCaSimpleMap.class=com.netscape.cms.publish.mappers.LdapCaSimpleMap
ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.cms.publish.mappers.LdapCertCompsMap
ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.cms.publish.mappers.LdapCertExactMap
ca.publish.mapper.impl.LdapEnhancedMap.class=com.netscape.cms.publish.mappers.LdapEnhancedMap
ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.cms.publish.mappers.LdapSimpleMap
ca.publish.mapper.impl.LdapSubjAttrMap.class=com.netscape.cms.publish.mappers.LdapCertSubjMap
ca.publish.mapper.impl.NoMap.class=com.netscape.cms.publish.mappers.NoMap
ca.publish.mapper.instance.LdapCaCertMap.createCAEntry=true
ca.publish.mapper.instance.LdapCaCertMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
ca.publish.mapper.instance.LdapCaCertMap.pluginName=LdapCaSimpleMap
ca.publish.mapper.instance.LdapCrlMap.createCAEntry=true
ca.publish.mapper.instance.LdapCrlMap.dnPattern=UID=$subj.cn,OU=people,O=$subj.o
ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapCaSimpleMap
ca.publish.mapper.instance.LdapUserCertMap.dnPattern=UID=$subj.UID,OU=people,O=$subj.o
ca.publish.mapper.instance.LdapUserCertMap.pluginName=LdapSimpleMap
ca.publish.mapper.instance.NoMap.pluginName=NoMap
ca.publish.mapper.instance.map1.createCAEntry=true
ca.publish.mapper.instance.map1.dnPattern=cn=$subj.cn,dc=example,dc=org
ca.publish.mapper.instance.map1.pluginName=LdapCaSimpleMap
ca.publish.publisher.impl.FileBasedPublisher.class=com.netscape.cms.publish.publishers.FileBasedPublisher
ca.publish.publisher.impl.LdapCaCertPublisher.class=com.netscape.cms.publish.publishers.LdapCaCertPublisher
ca.publish.publisher.impl.LdapCertificatePairPublisher.class=com.netscape.cms.publish.publishers.LdapCertificatePairPublisher
ca.publish.publisher.impl.LdapCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
ca.publish.publisher.impl.LdapDeltaCrlPublisher.class=com.netscape.cms.publish.publishers.LdapCrlPublisher
ca.publish.publisher.impl.LdapUserCertPublisher.class=com.netscape.cms.publish.publishers.LdapUserCertPublisher
ca.publish.publisher.impl.OCSPPublisher.class=com.netscape.cms.publish.publishers.OCSPPublisher
ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr=caCertificate;binary
ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass=pkiCA
ca.publish.publisher.instance.LdapCaCertPublisher.pluginName=LdapCaCertPublisher
ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
ca.publish.publisher.instance.LdapCrlPublisher.crlObjectClass=pkiCA
ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
ca.publish.publisher.instance.LdapCrossCertPairPublisher.caObjectClass=pkiCA
ca.publish.publisher.instance.LdapCrossCertPairPublisher.crossCertPairAttr=crossCertificatePair;binary
ca.publish.publisher.instance.LdapCrossCertPairPublisher.pluginName=LdapCertificatePairPublisher
ca.publish.publisher.instance.LdapDeltaCrlPublisher.crlAttr=deltaRevocationList;binary
ca.publish.publisher.instance.LdapDeltaCrlPublisher.crlObjectClass=pkiCA,deltaCRL
ca.publish.publisher.instance.LdapDeltaCrlPublisher.pluginName=LdapDeltaCrlPublisher
ca.publish.publisher.instance.LdapUserCertPublisher.certAttr=userCertificate;binary
ca.publish.publisher.instance.LdapUserCertPublisher.pluginName=LdapUserCertPublisher
ca.publish.publisher.instance.file1.Filename.b64=true
ca.publish.publisher.instance.file1.Filename.der=true
ca.publish.publisher.instance.file1.crlLinkExt=
ca.publish.publisher.instance.file1.directory=/tmp
ca.publish.publisher.instance.file1.latestCrlLink=false
ca.publish.publisher.instance.file1.pluginName=FileBasedPublisher
ca.publish.publisher.instance.file1.timeStamp=LocalTime
ca.publish.publisher.instance.file1.zipCRLs=false
ca.publish.publisher.instance.file1.zipLevel=9
ca.publish.publisher.instance.ldap1.caCertAttr=caCertificate;binary
ca.publish.publisher.instance.ldap1.caObjectClass=pkiCA
ca.publish.publisher.instance.ldap1.pluginName=LdapCaCertPublisher
ca.publish.queue.enable=true
3. Create cert request:
certutil -R -d /etc/pki/nssdb -s "CN=CA2,O=Example Domain" -a -o ca1.req -v 12
4. Submit the certificate request using the EE certificate manager profile.
5. Approve the request from the agent.
certutil -R -d /etc/pki/nssdb -s "CN=CA2,dc=example,dc=org" -a -o /tmp/ca1.req -v 12
Actual results:
CA cert is not published
Additional info:
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: Setting AUTH_TOKEN-authMgrInstName=certUserDBAuthMgr
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: RequestProcessor: profileId=caCACert
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SubjectNameDefault: setValue name=CN=CA2,DC=example,DC=org
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CAValidityDefault: setValue name= notBefore
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CAValidityDefault: setValue name= notAfter
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CAValidityDefault: setValue name= bypassCAnotafter
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CAValidityDefault: setValue: bypassCAvalidity=false
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CAValidityDefault: setValue: bypassCAvalidity off. reset notAfter to caNotAfter. reset
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: parseRecords: Record0
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SubjectNameConstraint: validate start
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SubjectNameConstraint: validate start
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SubjectNameConstraint: validate cert subject =CN=CA2,DC=example,DC=org
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SubjectNameConstraint: validate() - sn500 dname = CN=CA2,DC=example,DC=org
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SubjectNameConstraint: validate end
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: ValidityConstraint: validate start
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: ValidityConstraint: not before: Tue Oct 13 15:51:56 IST 2015
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: ValidityConstraint: not after: Tue Oct 09 11:13:07 IST 2035
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: ValidityConstraint: range: 7305
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: ValidityConstraint: range unit: day
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: ValidityConstraint: limit: Sat Oct 13 15:51:56 IST 2035
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: ValidityConstraint: validate end
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: KeyConstraint: validate start
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: KeyConstraint.validate: RSA key contraints passed.
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: KeyConstraint: validate end
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: BasicConstraintsExtConstraint: validate start
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: BasicConstraintsExtConstraint: validate end
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: KeyUsageExtConstraint: validate start
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: KeyUsageExtConstraint: validate end
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SigningAlgConstraint: validate start
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: SigningAlgConstraint: validate end
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CMSServlet: in auditSubjectID
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CMSServlet: auditSubjectID auditContext {locale=en_US,EN;Q=0.5, userid=caadmin, ipAddress=192.168.122.133, authManagerId=certUserDBAuthMgr}
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CMSServlet auditSubjectID: subjectID: caadmin
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CAEnrollProfile: execute reqId=25
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: issueX509Cert
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: dnUTF8Encoding false
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CertificateRepository: getNextSerialNumber mEnableRandomSerialNumbers=false
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: Repository: in getNextSerialNumber.
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: Repository: checkRange mLastSerialNo=23
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: Repository: getNextSerialNumber: returning retSerial 23
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CAService: issueX509Cert: setting issuerDN using exact CA signing cert subjectDN encoding
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: About to mCA.sign cert.
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: sign cert get algorithm
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: sign cert encoding cert
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: sign cert encoding algorithm
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: CA cert signing: signing cert
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: Getting algorithm context for SHA256withRSA RSASignatureWithSHA256Digest
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: Signing Certificate
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: storeX509Cert 23
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: In storeX509Cert
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: In LdapBoundConnFactory::getConn()
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: masterConn is connected: true
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: getConn: conn is connected true
[13/Oct/2015:15:52:08][http-bio-30042-exec-10]: getConn: mNumConns now 5
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: returnConn: mNumConns now 6
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: done storeX509Cert
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=25][InfoName=certificate][InfoValue=<base64-encoded certificate omitted>] certificate request processed
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: In LdapBoundConnFactory::getConn()
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: masterConn is connected: true
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: getConn: conn is connected true
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: getConn: mNumConns now 5
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: returnConn: mNumConns now 6
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: ARequestNotifier notify mIsPublishingQueueEnabled=true mMaxThreads=3
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: addToNotify extended buffer to 1(40) requests by adding request 25
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: morePublishingThreads moreThreads: true
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: Number of publishing threads: 1
[13/Oct/2015:15:52:09][Thread-14]: RunListeners:: Queue: 1 noSingleRequest
[13/Oct/2015:15:52:09][Thread-14]: getRequest mRequests=1 mSearchForRequests=false
[13/Oct/2015:15:52:09][Thread-14]: getRequest getting request: 25
[13/Oct/2015:15:52:09][http-bio-30042-exec-10]: CMSServlet: curDate=Tue Oct 13 15:52:09 IST 2015 id=caProfileProcess time=2238
[13/Oct/2015:15:52:09][Thread-14]: In LdapBoundConnFactory::getConn()
[13/Oct/2015:15:52:09][Thread-14]: masterConn is connected: true
[13/Oct/2015:15:52:09][Thread-14]: getConn: conn is connected true
[13/Oct/2015:15:52:09][Thread-14]: getConn: mNumConns now 5
[13/Oct/2015:15:52:09][Thread-14]: returnConn: mNumConns now 6
[13/Oct/2015:15:52:09][Thread-14]: getRequest request 25 found
[13/Oct/2015:15:52:09][Thread-14]: getRequest mRequests=0 mSearchForRequests=false done
[13/Oct/2015:15:52:09][Thread-14]: RunListeners: IRequestListener = com.netscape.cms.listeners.CertificateIssuedListener
[13/Oct/2015:15:52:09][Thread-14]: CertificateIssuedListener: accept 25
[13/Oct/2015:15:52:09][Thread-14]: RunListeners: IRequestListener = com.netscape.ca.CRLIssuingPoint$RevocationRequestListener
[13/Oct/2015:15:52:09][Thread-14]: RunListeners: IRequestListener = com.netscape.cmscore.ldap.LdapRequestListener
[13/Oct/2015:15:52:09][Thread-14]: LdapRequestListener handling publishing for enrollment request id 25
[13/Oct/2015:15:52:09][Thread-14]: Checking publishing for request 25
[13/Oct/2015:15:52:09][Thread-14]: In PublisherProcessor::publishCert
[13/Oct/2015:15:52:09][Thread-14]: Publishing: can't find publishing rule,exiting routine.
[13/Oct/2015:15:52:09][Thread-14]: PublishProcessor::publishCert : Failed to publish using rule: No rules enabled
[13/Oct/2015:15:52:09][Thread-14]: RunListeners: IRequestListener = com.netscape.cms.listeners.CertificateRevokedListener
[13/Oct/2015:15:52:09][Thread-14]: RunListeners: mRequest = 25
[13/Oct/2015:15:52:09][Thread-14]: updatePublishingStatus requestId: 25
[13/Oct/2015:15:52:09][Thread-14]: RequestRepository: setPublishingStatus mBaseDN: ou=ca,ou=requests,o=Example1-RootCA-CA status: 25
[13/Oct/2015:15:52:09][Thread-14]: In LdapBoundConnFactory::getConn()
[13/Oct/2015:15:52:09][Thread-14]: masterConn is connected: true
[13/Oct/2015:15:52:09][Thread-14]: getConn: conn is connected true
[13/Oct/2015:15:52:09][Thread-14]: getConn: mNumConns now 5
[13/Oct/2015:15:52:10][Thread-14]: returnConn: mNumConns now 6
[13/Oct/2015:15:52:10][Thread-14]: updatePublishingStatus mSavePublishingCounter: 1 mSavePublishingStatus: 200
[13/Oct/2015:15:52:10][Thread-14]: RunListeners: noQueue SingleRequest
[13/Oct/2015:15:52:10][Thread-14]: RequestRepository: setPublishingStatus mBaseDN: ou=ca,ou=requests,o=Example1-RootCA-CA status: -1
[13/Oct/2015:15:52:10][Thread-14]: In LdapBoundConnFactory::getConn()
[13/Oct/2015:15:52:10][Thread-14]: masterConn is connected: true
[13/Oct/2015:15:52:10][Thread-14]: getConn: conn is connected true
[13/Oct/2015:15:52:10][Thread-14]: getConn: mNumConns now 5
[13/Oct/2015:15:52:10][Thread-14]: returnConn: mNumConns now 6
Per CS/DS meeting of 10/19/2015: 10.3 - major
OK:
Here is what is going on.
We are trying to publish a CA cert.
To do this we need the rule "LdapCACertRule".
The type of this rule in the console defaults to "cacert".
When the publish happens this stack trace occurs:
PublisherProcessor.publishCert(X509Certificate, IRequest) line: 1029
LdapEnrollmentListener.acceptX509(IRequest, Certificate[]) line: 230
LdapEnrollmentListener.accept(IRequest) line: 217
LdapRequestListener.accept(IRequest) line: 161
The crucial piece of code:
    public void publishCert(X509Certificate cert, IRequest req)
            throws ELdapException {
        boolean error = false;
        StringBuffer errorRule = new StringBuffer();

        CMS.debug("In PublisherProcessor::publishCert");
        if (!enabled())
            return;
        // get mapper and publisher for cert type.
        Enumeration<ILdapRule> rules = getRules("certs", req);
Note how this routine is looking for rules of type "certs", where ours is "cacert".
There is another routine called publishCACert, which is not called here. The reason for this I do not know.
The workaround is to change the type of that publish rule to "certs" and it works.
The fix is not known as of yet.
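As an added illustration (not Dogtag's own code), here is a small Python model of the lookup described above: it reads publishing rules from a CS.cfg-style fragment, applies the same "enabled and type matches" filter as getRules(), and then applies the workaround of retyping the CA cert rule. The ca.publish.rule.instance.* key layout, the sample values, and the omission of the per-rule predicate check are assumptions.

```python
# Model of PublisherProcessor.getRules(type, req) run over a CS.cfg-style
# fragment. Added for this ticket, not project code. Assumptions: rule keys
# follow ca.publish.rule.instance.<name>.<attr>, the values below are
# constructed, and the per-rule predicate check is left out.
import re

SAMPLE_CFG = """\
ca.publish.enable=true
ca.publish.ldappublish.enable=true
ca.publish.rule.instance.LdapCaCertRule.enable=true
ca.publish.rule.instance.LdapCaCertRule.type=cacert
ca.publish.rule.instance.LdapCaCertRule.mapper=LdapCaCertMap
ca.publish.rule.instance.LdapCaCertRule.publisher=LdapCaCertPublisher
ca.publish.rule.instance.LdapCaCertRule.pluginName=Rule
ca.publish.rule.instance.LdapUserCertRule.enable=true
ca.publish.rule.instance.LdapUserCertRule.type=certs
ca.publish.rule.instance.LdapUserCertRule.mapper=LdapUserCertMap
ca.publish.rule.instance.LdapUserCertRule.publisher=LdapUserCertPublisher
ca.publish.rule.instance.LdapUserCertRule.pluginName=Rule
"""

RULE_KEY = re.compile(r"^ca\.publish\.rule\.instance\.([^.=]+)\.([^.=]+)=(.*)$")


def parse_rules(cfg_text):
    """Group ca.publish.rule.instance.<name>.<attr>=<value> lines per rule."""
    rules = {}
    for line in cfg_text.splitlines():
        m = RULE_KEY.match(line.strip())
        if m:
            name, attr, value = m.groups()
            rules.setdefault(name, {})[attr] = value
    return rules


def get_rules(cfg_text, wanted_type):
    """Names of enabled rules whose type equals wanted_type, like getRules()."""
    return sorted(
        name for name, attrs in parse_rules(cfg_text).items()
        if attrs.get("enable", "false").lower() == "true"
        and attrs.get("type") == wanted_type
    )


def retype_rule(cfg_text, rule_name, new_type):
    """The ticket's workaround: rewrite one rule's type in the config text."""
    key = "ca.publish.rule.instance.%s.type=" % rule_name
    return "\n".join(
        key + new_type if line.startswith(key) else line
        for line in cfg_text.splitlines()
    ) + "\n"


if __name__ == "__main__":
    # publishCert() asks for type "certs", so the cacert rule is never seen.
    print("certs  ->", get_rules(SAMPLE_CFG, "certs"))
    print("cacert ->", get_rules(SAMPLE_CFG, "cacert"))
    fixed = retype_rule(SAMPLE_CFG, "LdapCaCertRule", "certs")
    print("after workaround, certs ->", get_rules(fixed, "certs"))
```

Run against a real CS.cfg, get_rules(text, "certs") returning an empty list is the configuration-side counterpart of the "No rules enabled" line in the debug log above.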
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1265678 (Red Hat Certificate System)
Should be a simple bug fix, despite the workaround; moving to 10.3.2
Per Bug Triage of 05/05/2016: 10.3.2
Per PKI Bug Council of 06/23/2016: 10.4
Metadata Update from @mrniranjan:
- Issue assigned to jmagne
- Issue set to the milestone: UNTRIAGED
Metadata Update from @mharmsen:
- Custom field feature adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field version adjusted to None
- Issue close_status updated to: None
- Issue priority set to: minor (was: major)
- Issue set to the milestone: FUTURE (was: UNTRIAGED)
Per 10.5.x/10.6 Triage: FUTURE
jmagne says that this is a corner-case
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2210
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)