#662 pkispawn and wizard config rfe to "enforce" valid SSL server cert subject DN
Closed: migrated 3 years ago by dmoluguw. Opened 10 years ago by nkinder.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Certificate System): Bug 961552

Description of problem:

When using pkisilent or the web-based configuration wizard, any string can be
provided for the SSL server cert subject DNs, like in the
ca_server_cert_subject option of a CA instance.

A CA instance can be configured and started successfully with what seems like a
possibly invalid subject DN; an incorrect example that is accepted by the CA:
        Subject: "CN=example root ca8 ca1.example.com,OU=pki,DC=example,DC=com"

And this becomes a problem when it comes to creating other subsystems, like a
TKS.
The configuration wizard of a TKS instance will use the CA's SSL server
certificate and fail with an SSL error like this:

[06/May/2013:21:16:38][http-8444-Processor25]: TokenAuthentication authenticate
Exception=org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
(-12276) Unable to communicate securely with peer: requested domain name does
not match the server's certificate.


This configuration failure of a TKS is not obvious at all if that small TKS
debug log entry is missed in the large log file.

Using a "correct" SSL server cert subject DN works fine, like for example with:
        Subject: "CN=ca1.example.com,OU=pki-ca8,O=Example Domain ca8"

If subsystem configuration can fail on an SSL server cert subject DN, then the
pkisilent configuration tool and the web wizard should make sure the subject DN
of the SSL server certificates for the subsystems is valid, with
a fully qualified domain name of a server hostname as the value of the cn
attribute,

like in
http://www.ietf.org/rfc/rfc2377.txt
5.2.5 Server and Server Application Schema
where it says:
"
...some context snipped...
the server's subject DN for the SSL server
   certificate should be cn=host.acme.com, dc=host, dc=acme, dc=com and
   the server's certificate should be stored in a directory entry with
   this name.
"



Version-Release number of selected component (if applicable):
8.1

How reproducible:
always


Steps to Reproduce:

1. pkicreate -pki_instance_root=/var/lib          \
             -pki_instance_name=pki-ca8           \
             -subsystem_type=ca                   \
             -agent_secure_port=8443              \
             -ee_secure_port=8444                 \
             -ee_secure_client_auth_port=8446     \
             -admin_secure_port=8445              \
             -unsecure_port=8180                  \
             -tomcat_server_port=8701             \
             -redirect conf=/etc/pki-ca8          \
             -redirect logs=/var/log/pki-ca8

2. configure the CA with an incorrect SSL server cert subject DN like
CN=example root ca8 ca1.example.com,OU=pki,DC=example,DC=com

3. create a TKS
pkicreate -pki_instance_root=/var/lib        \
          -pki_instance_name=pki-tks8        \
          -subsystem_type=tks                \
          -agent_secure_port=13843           \
          -ee_secure_port=13844              \
          -admin_secure_port=13845           \
          -unsecure_port=13880               \
          -tomcat_server_port=13801          \
          -user=pkiuser                      \
          -group=pkiuser                     \
          -redirect conf=/etc/pki-tks8       \
          -redirect logs=/var/log/pki-tks8   \
          -verbose


4. configure the TKS
it will fail in the "Requests and Certificates" panel





Actual results:

Requests and Certificates

No Certificate Generated. Please import.
        View Certificate Request (CSR)

View Certificate in Base64-Encoding

VelocityServlet: Error processing the template

Invocation of method 'getEscapedCertpp' in class com.netscape.cms.servlet.csadmin.Cert threw exception class java.lang.NullPointerException : null
org.apache.velocity.exception.MethodInvocationException: Invocation of method 'getEscapedCertpp' in class com.netscape.cms.servlet.csadmin.Cert threw exception class java.lang.NullPointerException : null
        at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:246)
        at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:175)
...snip...


CA debug log trace, see the
"
TokenAuthentication authenticate
Exception=org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
(-12276) Unable to communicate securely with peer: requested domain name does
not match the server's certificate.
"


[06/May/2013:21:16:38][http-8444-Processor25]: TokenAuthentication: start
[06/May/2013:21:16:38][http-8444-Processor25]: TokenAuthentication: content=sessionID=-4514535760947022742&hostname=10.14.5.14
[06/May/2013:21:16:38][http-8444-Processor25]: TokenAuthentication authenticate
Exception=org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
(-12276) Unable to communicate securely with peer: requested domain name does
not match the server's certificate.
[06/May/2013:21:16:38][http-8444-Processor25]: SignedAuditEventFactory:
create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=$NonRoleUser$ :
Unidentified][Outcome=Success][AuthMgr=TokenAuth] authentication success

[06/May/2013:21:16:38][http-8444-Processor25]: ProfileSubmitServlet authToken
not null
[06/May/2013:21:16:38][http-8444-Processor25]: ProfileSubmitServlet: authz
using acl: group="Enterprise OCSP Administrators" || group="Enterprise RA
Administrators" || group="Enterprise CA Administrators" || group="Enterprise
KRA Administrators" || group="Enterprise TKS Administrators" ||
group="Enterprise TPS Administrators"
[06/May/2013:21:16:38][http-8444-Processor25]: CMSServlet: in auditSubjectID
[06/May/2013:21:16:38][http-8444-Processor25]: CMSServlet: auditSubjectID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@40b890dc, profileContext=com.netscape.cms.profile.common.EnrollProfileContext@152e7cb6, authManagerId=TokenAuth}
[06/May/2013:21:16:38][http-8444-Processor25]: CMSServlet auditSubjectID:
subjectID: null
[06/May/2013:21:16:38][http-8444-Processor25]: CMSServlet: in auditGroupID
[06/May/2013:21:16:38][http-8444-Processor25]: CMSServlet: auditGroupID auditContext {sslClientCertProvider=com.netscape.cms.servlet.profile.SSLClientCertProvider@40b890dc, profileContext=com.netscape.cms.profile.common.EnrollProfileContext@152e7cb6, authManagerId=TokenAuth}
[06/May/2013:21:16:38][http-8444-Processor25]: CMSServlet auditGroupID:
groupID: null
[06/May/2013:21:16:38][http-8444-Processor25]: evaluating expressions:
group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators"
|| group="Enterprise CA Administrators" || group="Enterprise KRA
Administrators" || group="Enterprise TKS Administrators" || group="Enterprise
TPS Administrators"
[06/May/2013:21:16:38][http-8444-Processor25]: GroupAccessEvaluator: evaluate:
uid null
[06/May/2013:21:16:38][http-8444-Processor25]: evaluated expression:
group="Enterprise OCSP Administrators" to be false
[06/May/2013:21:16:38][http-8444-Processor25]: GroupAccessEvaluator: evaluate:
uid null
[06/May/2013:21:16:38][http-8444-Processor25]: evaluated expression:
group="Enterprise RA Administrators" to be false
[06/May/2013:21:16:38][http-8444-Processor25]: GroupAccessEvaluator: evaluate:
uid null
[06/May/2013:21:16:38][http-8444-Processor25]: evaluated expression:
group="Enterprise CA Administrators" to be false
[06/May/2013:21:16:38][http-8444-Processor25]: GroupAccessEvaluator: evaluate:
uid null
[06/May/2013:21:16:38][http-8444-Processor25]: evaluated expression:
group="Enterprise KRA Administrators" to be false
[06/May/2013:21:16:38][http-8444-Processor25]: GroupAccessEvaluator: evaluate:
uid null
[06/May/2013:21:16:38][http-8444-Processor25]: evaluated expression:
group="Enterprise TKS Administrators" to be false
[06/May/2013:21:16:38][http-8444-Processor25]: GroupAccessEvaluator: evaluate:
uid null
[06/May/2013:21:16:38][http-8444-Processor25]: evaluated expression:
group="Enterprise TPS Administrators" to be false
[06/May/2013:21:16:38][http-8444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_FAIL][SubjectID=$NonRoleUser$][Outcome=Failure][aclResource=caInternalAuthAuditSigningCert.authz.acl][Op=enroll] authorization failure

[06/May/2013:21:16:38][http-8444-Processor25]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=$NonRoleUser$][Outcome=Failure][Role=$NonRoleUser$] assume privileged role

[06/May/2013:21:16:38][http-8444-Processor25]: ProfileSubmitServlet authorize:
Authorization failed on resource: group="Enterprise OCSP Administrators" ||
group="Enterprise RA Administrators" || group="Enterprise CA Administrators" ||
group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators"
|| group="Enterprise TPS Administrators", operation: {1}
[06/May/2013:21:16:38][http-8444-Processor25]: CMSServlet: curDate=Mon May 06
21:16:38 PDT 2013 id=caProfileSubmit time=22



Expected results:


Additional info:

workaround: use a valid subject DN in CA SSL server cert
CN=ca1.example.com,OU=pki-ca8,O=Example Domain ca8


I haven't tested with Dogtag 10 newer tools.
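The check the ticket asks for, as an added example written for this page (it is not code from pkispawn, pkisilent or the Dogtag wizard): parse the string DN the admin supplied, require exactly one CN, and require that CN to be a fully qualified host name equal to the server's hostname, which is the comparison behind the NSS "requested domain name does not match the server's certificate" error above. The function names and the assumption that the server's hostname is known to the tool are mine.

```python
import re

# Host name label rule (RFC 1123 style): letters, digits, hyphens,
# no leading or trailing hyphen, at most 63 characters.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def parse_dn(dn):
    """Split an RFC 4514 string DN into (type, value) pairs.

    Handles backslash-escaped characters such as "\\," inside a value;
    multi-valued RDNs ("+") and hex-encoded values are not supported.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":                         # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        t, v = rdn.split("=", 1)
        pairs.append((t.strip().lower(), v.strip()))
    return pairs


def is_fqdn(name):
    """True if name is a syntactically valid fully qualified host name."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def check_server_cert_subject(dn, expected_hostname):
    """Return None if dn is acceptable for an SSL server cert, else the reason."""
    cns = [v for t, v in parse_dn(dn) if t == "cn"]
    if len(cns) != 1:
        return "subject must contain exactly one CN attribute"
    cn = cns[0]
    if not is_fqdn(cn):
        return "CN %r is not a fully qualified domain name" % cn
    if cn.lower() != expected_hostname.lower():
        return "CN %r does not match server hostname %r" % (cn, expected_hostname)
    return None
```

Run against the two subjects from this ticket, the "example root ca8 ca1.example.com" CN is rejected because its first label contains spaces, while "CN=ca1.example.com,OU=pki-ca8,O=Example Domain ca8" passes for host ca1.example.com.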

[06/04/2014] - Moving to Milestone 10.3 due to schedule restrictions.

Metadata Update from @nkinder:
- Issue assigned to mharmsen
- Issue set to the milestone: UNTRIAGED

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1232

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
