KRA installation with externally-signed CA fails if the CA only has partial certificate chain (i.e. no root CA).
Steps to Reproduce:
1. Root CA config

[DEFAULT]
pki_instance_name = pki-rootCA
pki_admin_password = Secret123
pki_hostname = beast.idmqe.lab.eng.bos.redhat.com
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-CA
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 389
pki_token_password=Secret123

[CA]
pki_import_admin_cert = False
pki_ds_hostname = beast.idmqe.lab.eng.bos.redhat.com
pki_admin_nickname = PKI CA Administrator for Example.Org

2. First externally signed CA in the chain (topCA)

Step 1

[DEFAULT]
pki_instance_name = pki-topCA
pki_admin_password = Secret123
pki_hostname = spider.idmqe.lab.eng.bos.redhat.com
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-CA
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 389
pki_token_password=Secret123
pki_client_database_password=Secret123

[CA]
pki_import_admin_cert = False
pki_ds_hostname = spider.idmqe.lab.eng.bos.redhat.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_external=True
pki_external_csr_path=/tmp/ca_signing.csr

Step 2

[DEFAULT]
pki_instance_name = pki-topCA
pki_admin_password = Secret123
pki_hostname = spider.idmqe.lab.eng.bos.redhat.com
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-CA
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 389
pki_token_password=Secret123
pki_client_database_password=Secret123

[CA]
pki_import_admin_cert = False
pki_ds_hostname = spider.idmqe.lab.eng.bos.redhat.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_external=True
pki_external_ca_cert_path=/tmp/ca_signing.crt
pki_external_ca_cert_chain_path=/tmp/ca_cert_chain.cert
pki_external_step_two=True

3. Second externally signed CA

Step 1:

[root@cisco-b200m1-04 ~]# cat ca.cfg
[DEFAULT]
pki_instance_name = pki-sdCA
pki_admin_password = Secret123
pki_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-CA
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 389
pki_token_password=Secret123

[CA]
pki_import_admin_cert = False
pki_ds_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_external=True
pki_external_csr_path=/tmp/ca_signing.csr

Step 2:

[root@cisco-b200m1-04 ~]# cat ca-step2.cfg
[DEFAULT]
pki_instance_name = pki-sdCA
pki_admin_password = Secret123
pki_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-CA
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 389
pki_token_password=Secret123
pki_client_database_password=Secret123

[CA]
pki_import_admin_cert = False
pki_ds_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_external=True
pki_external_ca_cert_path=/tmp/ca_signing.crt
pki_external_ca_cert_chain_path=/tmp/ca_cert_chain.cert
pki_external_step_two=True

KRA config

[root@cisco-b200m1-04 ~]# cat kra.cfg
[DEFAULT]
pki_instance_name = pki-kra
pki_https_port = 21443
pki_http_port = 21080
pki_admin_password = Secret123
pki_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_security_domain_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_security_domain_https_port = 8443
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-KRA
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 5389
pki_client_database_password = Secret123
pki_token_password=Secret123

[Tomcat]
pki_ajp_port = 21009
pki_tomcat_server_port = 21005

[KRA]
pki_import_admin_cert = False
pki_ds_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_admin_nickname = PKI KRA Administrator for Example.Org

[root@cisco-b200m1-04 ~]# certutil -L -d /var/lib/pki/pki-sdCA/alias/

Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

caSigningCert External CA                    CT,C,C
ocspSigningCert cert-pki-sdCA CA             u,u,u
subsystemCert cert-pki-sdCA                  u,u,u
caSigningCert cert-pki-sdCA CA               CTu,Cu,Cu
Server-Cert cert-pki-sdCA                    u,u,u
auditSigningCert cert-pki-sdCA CA            u,u,Pu
Actual results:
KRA installation fails
Expected results:
KRA installation should succeed
Additional info:
KRA installation was successful after executing the following command on rootCA:

pki-server ca-cert-chain-export --pkcs12-file pki-server.p12 --pkcs12-password Secret123

and adding the following to KRA's config file:

pki_server_pkcs12_path=pki-server.p12
pki_server_pkcs12_password=Secret123

The following is the error in the log messages:

[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX, securityDomainType=existingdomain, securityDomainUri=https://cisco-b200m1-04.rhts.eng.bos.redhat.com:8443, securityDomainName=null, securityDomainUser=caadmin, securityDomainPassword=XXXX, isClone=false, cloneUri=null, subsystemName=KRA cisco-b200m1-04.rhts.eng.bos.redhat.com 21443, p12File=null, p12Password=XXXX, hierarchy=null, dsHost=cisco-b200m1-04.rhts.eng.bos.redhat.com, dsPort=5389, baseDN=o=pki-kra-KRA, bindDN=cn=Directory Manager, bindpwd=XXXX, database=pki-kra-KRA, secureConn=false, removeData=true, replicateSchema=null, masterReplicationPort=null, cloneReplicationPort=null, replicationSecurity=null, systemCertsImported=false, systemCerts=[com.netscape.certsrv.system.SystemCertData@75339348, com.netscape.certsrv.system.SystemCertData@15e02ca6, com.netscape.certsrv.system.SystemCertData@42b0c9be, com.netscape.certsrv.system.SystemCertData@22b5d29f, com.netscape.certsrv.system.SystemCertData@4b75ac52], issuingCA=https://cisco-b200m1-04.rhts.eng.bos.redhat.com:8443, backupKeys=false, backupPassword=XXXX, adminCertRequestType=pkcs10, adminSubjectDN=cn=PKI Administrator,e=kraadmin@rhts.eng.bos.redhat.com,ou=pki-kra,o=rhts.eng.bos.redhat.com Security Domain, adminName=kraadmin, adminProfileID=caAdminCert, adminCert=null, importAdminCert=false, generateServerCert=true, external=false, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=true, sharedDB=true, sharedDBUserDN=uid=pkidbuser,ou=people,o=pki-kra-CA, createNewDB=true, setupReplication=null, subordinateSecurityDomainName=null, reindexData=null, startingCrlNumber=null]
[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: === Token Authentication ===
[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: === Security Domain Configuration ===
[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: Joining existing security domain
[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: Resolving security domain URL https://cisco-b200m1-04.rhts.eng.bos.redhat.com:8443
[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: Getting security domain cert chain
[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: ConfigurationUtils.importCertChain()
[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: ConfigurationUtils: GET https://cisco-b200m1-04.rhts.eng.bos.redhat.com:8443/ca/admin/ca/getCertChain
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]: Server certificate:
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]: - subject: CN=cisco-b200m1-04.rhts.eng.bos.redhat.com,OU=pki-sdCA,O=rhts.eng.bos.redhat.com Security Domain
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]: - issuer: CN=CA Signing Certificate,OU=pki-sdCA,O=rhts.eng.bos.redhat.com Security Domain
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]: ERROR: UNKNOWN_ISSUER
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]: Server certificate:
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]: - subject: CN=cisco-b200m1-04.rhts.eng.bos.redhat.com,OU=pki-sdCA,O=rhts.eng.bos.redhat.com Security Domain
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]: - issuer: CN=CA Signing Certificate,OU=pki-sdCA,O=rhts.eng.bos.redhat.com Security Domain
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]: ERROR: UNKNOWN_ISSUER
javax.ws.rs.ProcessingException: Unable to invoke request
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:442)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.get(ClientInvocationBuilder.java:165)
    at com.netscape.certsrv.client.PKIConnection.get(PKIConnection.java:467)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.get(ConfigurationUtils.java:237)
    at com.netscape.cms.servlet.csadmin.ConfigurationUtils.importCertChain(ConfigurationUtils.java:266)
    at org.dogtagpki.server.rest.SystemConfigService.logIntoSecurityDomain(SystemConfigService.java:965)
    at org.dogtagpki.server.rest.SystemConfigService.configureSecurityDomain(SystemConfigService.java:922)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:160)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:121)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: SocketException cannot write on socket
    at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1099)
    at org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:56)
    at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:147)
    at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:154)
    at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:278)
    at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:283)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:175)
    at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:260)
    at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125)
    at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:715)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:520)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
    ... 72 more
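Added illustration, not part of the original report and not Dogtag code: the certutil listing above shows the sdCA NSS database holding its own signing certificate and the External CA certificate that signed it, but no self-signed root, so when the KRA installer fetches the security domain chain over TLS it cannot anchor the sdCA-issued server certificate and NSS reports UNKNOWN_ISSUER. The workaround in the report (pki-server ca-cert-chain-export on rootCA, then pki_server_pkcs12_path in the KRA config) supplies exactly the missing root. The Go program below rebuilds that situation with a constructed rootCA -> topCA -> sdCA -> server hierarchy (instance names and hostname taken from the report; keys are generated on the fly, so nothing here is a real Dogtag certificate). ChainIsComplete is the pre-flight check that a chain ends in a self-signed root, and VerifyAgainstChain shows the server certificate failing with x509.UnknownAuthorityError against the partial chain and verifying once the root is present.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: everything below is constructed test data, not real certificates.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// caLink pairs a certificate with the private key that signs its children.
type caLink struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert mints a certificate for cn signed by parent (self-signed when parent is nil);
// the names only echo the report's rootCA -> topCA -> sdCA layout, nothing is Dogtag's own.
func newCert(cn string, serial int64, isCA bool, parent *caLink) *caLink {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign // only CAs may sign certificates
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              ku,
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return &caLink{cert: must(x509.ParseCertificate(der)), key: key}
}

// isSelfSigned reports whether c names itself as issuer and verifies under its own key.
func isSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawSubject, c.RawIssuer) && c.CheckSignatureFrom(c) == nil
}

// ChainIsComplete is the pre-flight check this report calls for: a chain handed to a
// subsystem (leaf-most first) must end in a self-signed root, or trust cannot be anchored.
func ChainIsComplete(chain []*x509.Certificate) bool {
	return len(chain) > 0 && isSelfSigned(chain[len(chain)-1])
}

// VerifyAgainstChain validates leaf using only chain: self-signed members become trust
// anchors, the rest intermediates. With no root present Go returns
// x509.UnknownAuthorityError, the analogue of the UNKNOWN_ISSUER that NSS logged.
func VerifyAgainstChain(leaf *x509.Certificate, chain []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range chain {
		if isSelfSigned(c) {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Result holds the outcome for the partial chain (sdCA + its issuer, what the sdCA NSS
// database held) and the full chain (once the root is exported as well).
type Result struct {
	PartialComplete, PartialVerifies, PartialUnknownAuthority bool
	FullComplete, FullVerifies                                bool
}

// RunScenario builds rootCA -> topCA -> sdCA -> server certificate and checks both chains.
func RunScenario() Result {
	root := newCert("CA Signing Certificate pki-rootCA", 1, true, nil)
	top := newCert("CA Signing Certificate pki-topCA", 2, true, root)
	sd := newCert("CA Signing Certificate pki-sdCA", 3, true, top)
	server := newCert("cisco-b200m1-04.rhts.eng.bos.redhat.com", 4, false, sd)
	partial := []*x509.Certificate{sd.cert, top.cert}
	full := []*x509.Certificate{sd.cert, top.cert, root.cert}
	var r Result
	r.PartialComplete = ChainIsComplete(partial)
	perr := VerifyAgainstChain(server.cert, partial)
	r.PartialVerifies = perr == nil
	var unknown x509.UnknownAuthorityError
	r.PartialUnknownAuthority = errors.As(perr, &unknown)
	r.FullComplete = ChainIsComplete(full)
	r.FullVerifies = VerifyAgainstChain(server.cert, full) == nil
	return r
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

`go run` prints a Result in which the partial chain is neither complete nor verifiable (with PartialUnknownAuthority true) and the full chain is both. Against a real deployment the same ChainIsComplete check can be run on the certificates parsed out of the exported chain (x509.ParseCertificate on each DER certificate) before pkispawn is started for the KRA, which catches the missing root earlier than the TLS failure in the installer log.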
Per CS/DS Meeting of 10/03/2016: 10.4.0
Per PKI Bug Council Meeting of 10/04/2016: 10.4
Fixed in master:
Metadata Update from @rpattath: - Issue set to the milestone: 10.3.7
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2617