When we run a CLI using revoked and valid certs, the debug log keeps the serial number of the certs, but it never logs the serial number details for expired certs.
My understanding is that since OCSP is enabled, it keeps information and does a check for certs. So, like we are logging for valid and revoked certs, this can happen for expired ones as well in the logs.
I am not sure if this is expected behavior or whether there is some setting in CS.cfg that needs to be changed.
<debug log snip>
[19/Jul/2016:06:27:25][http-bio-20080-exec-14]: Serial Number: 46 Status: com.netscape.cmsutil.ocsp.GoodInfo
[19/Jul/2016:06:28:27][http-bio-20080-exec-7]: Serial Number: 47
[19/Jul/2016:06:28:27][http-bio-20080-exec-7]: Serial Number: 47 Status: com.netscape.cmsutil.ocsp.RevokedInfo
</debug log snip>
Earlier, for all users with revoked or expired certs, I was getting "unable to invoke request", but now for all certs (expired, revoked, untrusted) other than valid ones it gives "IOException: SocketException cannot write on socket".
Is this the right exception or the expected result that we should be looking at?
Can we make the exception clearer about what went wrong with the certificate?
Generally, if we put revoked and expired certs in a browser we see the exceptions below, which are more informative and give a clear idea about the certificate status. Also, they are more user friendly.
Error code: SSL_ERROR_REVOKED_CERT_ALERT
Error code: SSL_ERROR_EXPIRED_CERT_ALERT
In the debug logs, I actually saw the right exceptions, as mentioned below. Can we use the same information and provide it in place of the generic exceptions?
Valid certs :: Serial Number: 46 Status: com.netscape.cmsutil.ocsp.GoodInfo
Revoked certs :: Serial Number: 47 Status: com.netscape.cmsutil.ocsp.RevokedInfo
Expired certs :: < no logging >
Steps to Reproduce:
1. Install TPS. Add a token.
2. Use the CLI: pki -v -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 -n "TPS_AgentE" tps-cert-find
3. pki -v -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 25080 -n "TPS_AgentR" tps-cert-find
Actual results:
1. Expired cert status is not in the debug logs of the CA.
2. Generic exception for both revoked and expired certs.
Expected results:
1. Expired cert status should exist in the logs, like OCSP shows for valid and revoked certs.
2. Revoked and expired certs are handled differently in Firefox when trying to access the TPS UI using expired and revoked certs, so similar output and logging should be provided by the CLI. Generally, if we put revoked and expired certs in a browser we see the exceptions below, which are more informative and give a clear idea about the certificate status. Also, they are more user friendly.
Error code: SSL_ERROR_REVOKED_CERT_ALERT
Error code: SSL_ERROR_EXPIRED_CERT_ALERT
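A small log-audit helper, added here as an illustration and not part of this report or of Dogtag's own code. It parses CA debug lines of the shape shown in the snippet above ("[timestamp][thread]: Serial Number: N" with an optional "Status: <class>" suffix), and for each serial the client presented reports the OCSP status the CA logged, flagging serials that never got a status line, which is the behaviour the report describes for expired certs. The sample log lines are constructed from the snippet in the report; serial 48 and its expired state are assumed for illustration, and the line format is assumed to be stable across CA debug output.

```python
import re
from collections import defaultdict

# Line shape taken from the CA debug log snippet in the report (assumed stable):
#   [19/Jul/2016:06:28:27][http-bio-20080-exec-7]: Serial Number: 47 Status: com.netscape.cmsutil.ocsp.RevokedInfo
# The "Status:" suffix is optional: the report shows a bare "Serial Number: 47" line with no status.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: Serial Number: (?P<serial>[0-9A-Fa-f]+)"
    r"(?: Status: (?P<status>\S+))?\s*$"
)

# Constructed sample log: the two serials from the report, plus nothing at all for
# serial 48, which stands in for the expired cert that is never logged (assumption).
SAMPLE_LOG = """\
[19/Jul/2016:06:27:25][http-bio-20080-exec-14]: Serial Number: 46 Status: com.netscape.cmsutil.ocsp.GoodInfo
[19/Jul/2016:06:28:27][http-bio-20080-exec-7]: Serial Number: 47
[19/Jul/2016:06:28:27][http-bio-20080-exec-7]: Serial Number: 47 Status: com.netscape.cmsutil.ocsp.RevokedInfo
"""


def short_status(status_class):
    """Map a status class name such as com.netscape.cmsutil.ocsp.GoodInfo to 'good'.

    Derived from the class name rather than a hard-coded table, so any other
    *Info class the CA logs is still reported rather than dropped.
    """
    if status_class is None:
        return None
    name = status_class.rsplit(".", 1)[-1]
    return name[:-4].lower() if name.endswith("Info") else name


def parse_ocsp_lines(log_text):
    """Return {serial: [status, ...]} in log order; a bare 'Serial Number' line contributes None."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated debug output
        seen[m.group("serial")].append(short_status(m.group("status")))
    return dict(seen)


def final_status(statuses):
    """Last real status logged for a serial, or None if only bare lines were seen."""
    for s in reversed(statuses):
        if s is not None:
            return s
    return None


def audit(log_text, presented_serials):
    """For each serial the client presented, report what the CA logged.

    'not logged' means the serial never appears at all (the expired-cert case in
    the report); 'no status' means it appears only on bare lines without a Status.
    """
    seen = parse_ocsp_lines(log_text)
    report = {}
    for serial in presented_serials:
        statuses = seen.get(serial)
        if not statuses:
            report[serial] = "not logged"
        else:
            report[serial] = final_status(statuses) or "no status"
    return report


if __name__ == "__main__":
    # Serials presented by the three CLI runs: valid (46), revoked (47), expired (48, assumed).
    for serial, status in audit(SAMPLE_LOG, ["46", "47", "48"]).items():
        print(f"serial {serial}: {status}")
```

Feeding the real CA debug log and the serials of the agent certs used in the reproduction steps would show at a glance which of them the OCSP path never recorded.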
Per PKI Bug Council of 08/02/2016: 10.4
Metadata Update from @gkapoor: - Issue set to the milestone: UNTRIAGED
Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None
- Issue set to the milestone: 10.4 (was: UNTRIAGED)
Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.
Metadata Update from @mharmsen: - Issue set to the milestone: FUTURE (was: 10.4)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2535
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)