#10470 centos-cert fails to retrieve TLS certificate
Closed: Fixed with Explanation 2 years ago by kevin. Opened 2 years ago by lveyde.

I'm getting the following while trying to get a certificate as per the instructions in https://wiki.centos.org/Authentication:

$ centos-cert -u lveyde

[+] 20220111-13:16 centos-cert -> Validating user [lveyde] with realm [FEDORAPROJECT.ORG] against https://fasjson.fedoraproject.org
[+] 20220111-13:16 centos-cert -> We can reach [https://fasjson.fedoraproject.org] with realm [lveyde@FEDORAPROJECT.ORG], so now asking for TLS cert ...
Generating CSR...
Uploading CSR for signature...
Error: could not sign the CSR (400: Failed to authenticate to CA REST API, {'message': 'Failed to authenticate to CA REST API', 'code': 4016, 'source': 'RPC'}).
[+] 20220111-13:16 centos-cert -> [ISSUE] : Unable to retrieve TLS cert


I take it this used to work fine with that exact command line/setup/kerberos ticket?

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: medium-gain, medium-trouble, ops

2 years ago

I take it this used to work fine with that exact command line/setup/kerberos ticket?

I haven't used this procedure before, but I was following the documentation, as mentioned.

Kerberos seems to be set up fine, as without a valid ticket it gives a different error.

ok, so I spent a few hours digging today... the underlying problem is that the CMS is not reachable...

ipa cert-find --users=kevin

ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (403)

This looks a lot like https://access.redhat.com/solutions/6632811

but the solution there didn't help.

@abompard any ideas? or shall we ping ipa folks? who exactly?

There are some Java errors in /var/log/pki/pki-tomcat/ca/debug.2022-01-13.log (after restarting it)

2022-01-13 00:26:49 [profileChangeMonitor] SEVERE: LDAPProfileSubsystem: error creating or reading profile: java.lang.NullPointerException
java.lang.NullPointerException
        at com.netscape.cms.profile.common.Profile.init(Profile.java:278)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.createProfile(LDAPProfileSubsystem.java:256)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.readProfile(LDAPProfileSubsystem.java:208)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.run(LDAPProfileSubsystem.java:539)
        at java.lang.Thread.run(Thread.java:748)

2022-01-13 00:26:49 [profileChangeMonitor] SEVERE: Error creating profile 'caServerKeygen_UserCert': Error creating or reading profile: java.lang.NullPointerException
Error creating or reading profile: java.lang.NullPointerException
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.createProfile(LDAPProfileSubsystem.java:263)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.readProfile(LDAPProfileSubsystem.java:208)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.run(LDAPProfileSubsystem.java:539)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
        at com.netscape.cms.profile.common.Profile.init(Profile.java:278)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.createProfile(LDAPProfileSubsystem.java:256)
        ... 3 more

2022-01-13 00:26:49 [profileChangeMonitor] SEVERE: LDAPProfileSubsystem: error creating or reading profile: java.lang.NullPointerException
java.lang.NullPointerException
        at com.netscape.cms.profile.common.Profile.init(Profile.java:278)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.createProfile(LDAPProfileSubsystem.java:256)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.readProfile(LDAPProfileSubsystem.java:208)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.run(LDAPProfileSubsystem.java:539)
        at java.lang.Thread.run(Thread.java:748)

2022-01-13 00:26:49 [profileChangeMonitor] SEVERE: Error creating profile 'caServerKeygen_DirUserCert': Error creating or reading profile: java.lang.NullPointerException
Error creating or reading profile: java.lang.NullPointerException
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.createProfile(LDAPProfileSubsystem.java:263)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.readProfile(LDAPProfileSubsystem.java:208)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.run(LDAPProfileSubsystem.java:539)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
        at com.netscape.cms.profile.common.Profile.init(Profile.java:278)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.createProfile(LDAPProfileSubsystem.java:256)
        ... 3 more

2022-01-13 00:26:49 [profileChangeMonitor] SEVERE: Profile: createProfilePolicy:  Cannot find SignedCertificateTimestampListExtDefaultImpl
2022-01-13 00:26:49 [profileChangeMonitor] SEVERE: LDAPProfileSubsystem: error creating or reading profile: Cannot find SignedCertificateTimestampListExtDefaultImpl
Cannot find SignedCertificateTimestampListExtDefaultImpl
        at com.netscape.cms.profile.common.Profile.createProfilePolicy(Profile.java:1041)
        at com.netscape.cms.profile.common.Profile.init(Profile.java:378)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.createProfile(LDAPProfileSubsystem.java:256)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.readProfile(LDAPProfileSubsystem.java:208)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.run(LDAPProfileSubsystem.java:539)
        at java.lang.Thread.run(Thread.java:748)

2022-01-13 00:26:49 [profileChangeMonitor] SEVERE: Error creating profile 'caServerCertWithSCT': Error creating or reading profile: Cannot find SignedCertificateTimestampListExtDefaultImpl
Error creating or reading profile: Cannot find SignedCertificateTimestampListExtDefaultImpl
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.createProfile(LDAPProfileSubsystem.java:263)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.readProfile(LDAPProfileSubsystem.java:208)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.run(LDAPProfileSubsystem.java:539)
        at java.lang.Thread.run(Thread.java:748)
Caused by: Cannot find SignedCertificateTimestampListExtDefaultImpl
        at com.netscape.cms.profile.common.Profile.createProfilePolicy(Profile.java:1041)
        at com.netscape.cms.profile.common.Profile.init(Profile.java:378)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.createProfile(LDAPProfileSubsystem.java:256)
        ... 3 more

2022-01-13 00:26:49 [profileChangeMonitor] SEVERE: Profile: createProfilePolicy:  Cannot find SignedCertificateTimestampListExtDefaultImpl
2022-01-13 00:26:49 [profileChangeMonitor] SEVERE: LDAPProfileSubsystem: error creating or reading profile: Cannot find SignedCertificateTimestampListExtDefaultImpl
Cannot find SignedCertificateTimestampListExtDefaultImpl
        at com.netscape.cms.profile.common.Profile.createProfilePolicy(Profile.java:1041)
        at com.netscape.cms.profile.common.Profile.init(Profile.java:378)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.createProfile(LDAPProfileSubsystem.java:256)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.readProfile(LDAPProfileSubsystem.java:208)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.run(LDAPProfileSubsystem.java:539)
        at java.lang.Thread.run(Thread.java:748)

2022-01-13 00:26:49 [profileChangeMonitor] SEVERE: Error creating profile 'caECServerCertWithSCT': Error creating or reading profile: Cannot find SignedCertificateTimestampListExtDefaultImpl
Error creating or reading profile: Cannot find SignedCertificateTimestampListExtDefaultImpl
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.createProfile(LDAPProfileSubsystem.java:263)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.readProfile(LDAPProfileSubsystem.java:208)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.run(LDAPProfileSubsystem.java:539)
        at java.lang.Thread.run(Thread.java:748)
Caused by: Cannot find SignedCertificateTimestampListExtDefaultImpl
        at com.netscape.cms.profile.common.Profile.createProfilePolicy(Profile.java:1041)
        at com.netscape.cms.profile.common.Profile.init(Profile.java:378)
        at com.netscape.cmscore.profile.LDAPProfileSubsystem.createProfile(LDAPProfileSubsystem.java:256)
        ... 3 more

Wondering if we can have an incident on status.fedoraproject.org (and also on status.centos.org) for SIG users trying to renew/obtain their certs, until it's resolved?

My usual contact for this sort of issue is @cheimes.
It may be worthwhile to also ask on IRC in #freeipa.

The Java traceback suggests a problem inside Dogtag. I'm out. :)

@edewata may be able to assist.

Check the secrets configuration in the tomcat server.xml. A bug in dogtag causes a duplicate value to be created. See https://access.redhat.com/solutions/6632811 for more details.

Yeah, I tried that... it didn't seem to help any. I can try again and see if the errors change any I guess...

AAAAAAAArgh. I must have used requiredsecret instead of requiredSecret yesterday. I did it correctly today and it's working!

It was that issue.

Thanks everyone!

@lveyde it should be working now, please re-open if you still hit anything.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

2 years ago
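As an added illustration (not code from this ticket, Dogtag or FreeIPA): a small Python check over the AJP connectors in Tomcat's server.xml that flags the two failure modes discussed above, a mis-cased `requiredsecret` that Tomcat does not recognise, and a secret that is duplicated on an element or differs between connectors. It assumes the attribute name `requiredSecret` used in this thread and Dogtag's file at /etc/pki/pki-tomcat/server.xml; the sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Tomcat attribute names are case-sensitive; the fix in this ticket was this exact spelling.
EXPECTED = "requiredSecret"

def check_ajp_secrets(xml_text):
    """Return a list of findings for the AJP connectors in a server.xml.

    An empty list means every AJP connector carries one correctly spelled
    requiredSecret attribute and all connectors agree on its value.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # An attribute repeated on one element is not well-formed XML, so the
        # parser rejects the file up front; this is the duplicated-value case.
        return [f"server.xml is not well-formed XML: {exc}"]
    findings, by_value = [], {}
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", ""):
            continue
        name = f"AJP {conn.get('address', '*')}:{conn.get('port', '?')}"
        for attr in conn.attrib:
            if attr.lower() == EXPECTED.lower() and attr != EXPECTED:
                findings.append(f"{name}: '{attr}' is not a recognised attribute; spell it '{EXPECTED}'")
        secret = conn.get(EXPECTED)
        if secret is None:
            findings.append(f"{name}: no {EXPECTED} attribute set")
        else:
            by_value.setdefault(secret, []).append(name)
    if len(by_value) > 1:
        # whichever secret the httpd proxy presents, the other connector will reject it
        findings.append(f"AJP connectors use {len(by_value)} different secrets")
    return findings

# Constructed sample configurations (assumed layout: one IPv4 and one IPv6 AJP connector,
# as on an IPA server's /etc/pki/pki-tomcat/server.xml); secrets are placeholders.
GOOD = """<Server><Service>
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" requiredSecret="s3cret"/>
<Connector port="8009" protocol="AJP/1.3" address="::1" requiredSecret="s3cret"/>
</Service></Server>"""
WRONG_CASE = GOOD.replace('address="127.0.0.1" requiredSecret', 'address="127.0.0.1" requiredsecret')
MISMATCH = GOOD.replace('address="::1" requiredSecret="s3cret"', 'address="::1" requiredSecret="other"')
DUPLICATED = GOOD.replace('requiredSecret="s3cret"/>', 'requiredSecret="s3cret" requiredSecret="s3cret"/>', 1)

if __name__ == "__main__":
    for label, xml in [("good", GOOD), ("wrong case", WRONG_CASE),
                       ("mismatch", MISMATCH), ("duplicated", DUPLICATED)]:
        print(label, check_ajp_secrets(xml) or "OK")
```

To run it against a live file, read the file's text and pass it to check_ajp_secrets(); the function never prints the secret values themselves.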

Hi Kevin,

Just tried it, and it seems to work just fine now. Thanks!
