#2415 Expired certs logging is not handled and generic message for expired and revoked certs
Closed: migrated 3 years ago by dmoluguw. Opened 7 years ago by gkapoor.

When we run a CLI using revoked and valid certs, the debug log keeps the
serial number of the certs, but it never logs the serial number details for
expired certs.

My understanding is that since OCSP is enabled, it keeps information and does a
check for certs. So, like we are logging for valid and revoked certs, this can
happen for expired ones as well in the logs.

I am not sure if this is expected behavior or there is some setting in CS.cfg
that needs to be changed.

<debug log snip>
[19/Jul/2016:06:27:25][http-bio-20080-exec-14]: Serial Number: 46 Status: com.netscape.cmsutil.ocsp.GoodInfo
[19/Jul/2016:06:28:27][http-bio-20080-exec-7]: Serial Number: 47
[19/Jul/2016:06:28:27][http-bio-20080-exec-7]: Serial Number: 47 Status: com.netscape.cmsutil.ocsp.RevokedInfo
</debug log snip>

Earlier, for all users with revoked or expired certs, I was getting "unable
to invoke request", but now for all certs (Expired, Revoked, UnTrusted) other
than valid ones it gives "IOException: SocketException cannot write on socket".

Is it the right exception or expected result that we should be looking for?

Can we make it a clearer exception about what went wrong with the certificate?

Generally, if we put revoked and expired certs in a browser we see the below
exceptions, which are more informative and give a clear idea about the certificate
status. Also, they are more user friendly.

Error code: SSL_ERROR_REVOKED_CERT_ALERT
Error code: SSL_ERROR_EXPIRED_CERT_ALERT

In the debug logs, I actually saw the right exceptions, as mentioned below. Can we
use the same information and provide it in place of the generic exceptions?

Valid certs :: Serial Number: 46 Status: com.netscape.cmsutil.ocsp.GoodInfo
Revoked certs :: Serial Number: 47 Status: com.netscape.cmsutil.ocsp.RevokedInfo
Expired certs :: < no logging >

Steps to Reproduce:

1. Install TPS. Add a token.
2. Use the CLI: pki -v -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 -n "TPS_AgentE" tps-cert-find
3. pki -v -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 -n "TPS_AgentR" tps-cert-find

Actual results:

1. Expired cert status is not in the debug logs of the CA.
2. Generic exception for both revoked and expired certs.

Expected results:

1. Expired cert status should exist in the logs, like OCSP shows for valid and
revoked certs.
2. Revoked and expired certs are handled differently in Firefox when trying to
access the TPS UI using expired and revoked certs. So similar output and logging
should be provided by the CLI.


  • file a separate TRAC ticket for what needs to be logged in the audit log
  • requires either a tomcatjss and/or JSS bug to fix this
  • dependencies should be updated in this TRAC ticket

Per PKI Bug Council of 08/02/2016: 10.4
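The gap the report describes is a correlation problem: a "Serial Number: N" line is written for every client cert, but a matching "Status:" line only follows for certs OCSP classified as good or revoked. The following is an added triage script, not code from the Dogtag PKI project or from the reporter, that parses debug-log lines of the shape quoted above and reports serials for which no OCSP status was ever logged. The sample log is constructed: it is the three lines from the issue plus one extra serial (48) that is assumed to be the expired-cert case, where only the bare serial line appears.

```python
import re
from collections import OrderedDict

# Constructed sample input: the lines quoted in the issue, plus serial 48,
# an assumed expired cert for which no Status line is ever written.
SAMPLE_LOG = """\
[19/Jul/2016:06:27:25][http-bio-20080-exec-14]: Serial Number: 46 Status: com.netscape.cmsutil.ocsp.GoodInfo
[19/Jul/2016:06:28:27][http-bio-20080-exec-7]: Serial Number: 47
[19/Jul/2016:06:28:27][http-bio-20080-exec-7]: Serial Number: 47 Status: com.netscape.cmsutil.ocsp.RevokedInfo
[19/Jul/2016:06:29:10][http-bio-20080-exec-9]: Serial Number: 48
"""

# [timestamp][thread]: Serial Number: <serial> [Status: <class>]
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: Serial Number: (?P<serial>\S+)"
    r"(?: Status: (?P<status>\S+))?\s*$"
)


def parse_ocsp_lines(text):
    """Return an ordered {serial: status_class_or_None} map.

    A bare serial line records None; a later Status line for the same
    serial overwrites it, so None survives only when no status was logged.
    """
    seen = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an OCSP serial line; ignore other debug output
        serial, status = m.group("serial"), m.group("status")
        if status is not None or serial not in seen:
            seen[serial] = status
    return seen


def serials_without_status(text):
    """Serials whose OCSP result never reached the debug log.

    In the issue's terms, these are the expired-cert cases the CA log
    does not distinguish from anything else.
    """
    return [s for s, st in parse_ocsp_lines(text).items() if st is None]


def short_status(status):
    """Reduce 'com.netscape.cmsutil.ocsp.GoodInfo' to 'GOOD' for reporting."""
    if status is None:
        return "NO STATUS LOGGED"
    name = status.rsplit(".", 1)[-1]
    if name.endswith("Info"):
        name = name[: -len("Info")]
    return name.upper()


if __name__ == "__main__":
    for serial, status in parse_ocsp_lines(SAMPLE_LOG).items():
        print(f"serial {serial}: {short_status(status)}")
    print("unresolved:", serials_without_status(SAMPLE_LOG))
```

Running it against the constructed sample lists 46 as GOOD, 47 as REVOKED and 48 as NO STATUS LOGGED, which is exactly the entry an operator would want to see replaced by an explicit expired status once the logging gap is fixed.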

Metadata Update from @gkapoor:
- Issue set to the milestone: UNTRIAGED

7 years ago

Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None
- Issue set to the milestone: 10.4 (was: UNTRIAGED)

7 years ago

Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.

Metadata Update from @mharmsen:
- Issue set to the milestone: FUTURE (was: 10.4)

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2535

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
