There appears to be a bug in parseCMC() where, if cmc.popLinkWitnessRequired=false in CS.cfg (which happens to be the default), an error would occur.
The workaround is to set cmc.popLinkWitnessRequired=true until a fix is available.
Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1447145
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue close_status updated to: fixed
- Issue priority set to: critical
- Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.4.4 (was: 10.4)
Metadata Update from @mharmsen: - Issue assigned to cfu
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.4.1-4.el7
Metadata Update from @mharmsen: - Issue set to the milestone: 10.4.9 (was: 10.4.4)
Need to reopen this bug.
While the cmc.popLinkWitnessRequired param in CS.cfg is working as expected, when it is true, it is impossible to do encryptedPOP because there is no POP to start with and the request would therefore be rejected. Changing this value and restarting the server is not a reasonable option for most deployment sites.
We should add a caveat to the cmc.popLinkWitnessRequired logic so that encryptedPOP is allowed.
Metadata Update from @cfu: - Issue status updated to: Open (was: Closed)
Metadata Update from @mharmsen: - Issue priority set to: blocker (was: critical)
patch for review: https://review.gerrithub.io/#/c/395013/
commit c52c51c6516cd39caec52441d0756b1756050ae3 (HEAD -> master, origin/master, origin/HEAD)
Author: Christina Fu <cfu@redhat.com>
Date: Tue Jan 16 18:15:21 2018 -0800

Ticket #2675 additional fix to allow requests without POP

This patch adds support for requests without POP to be served even when cmc.popLinkWitnessRequired is true. Requests without POP will be handled with EncryptedPOP/DecryptedPOP two-trip mechanism.

Fixes: https://pagure.io/dogtagpki/issue/2675
Change-Id: Id4aab1a85dcaeaa65e625873e617af86b44a271b
Metadata Update from @cfu: - Issue close_status updated to: fixed
The previous fix did not take PKCS#10 into account. Need to address that.
https://review.gerrithub.io/#/c/395574/
commit 91c6c781e5e2c26b77619e6f4c08dc5d77bb5adf (HEAD -> master, origin/master, origin/HEAD, pop)
Author: Christina Fu <cfu@redhat.com>
Date: Fri Jan 19 14:45:17 2018 -0800

Ticket #2675 take care of PKCS#10 for cmc.popLinkWitnessRequired

This patch adds support to handle PKCS#10 which was neglected in previous "additional" fix.

Fixes: https://pagure.io/dogtagpki/issue/2675
Change-Id: Ifc824d64c83f979ffd610658a6e7114598ce8055
Metadata Update from @cfu: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2795
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.