pkispawn of OCSP on HSM fails on both shared and nonshared tomcat instances
Steps to Reproduce:
Non shared tomcat instance:

    [root@sigma ~]# pkispawn -s OCSP -f /tmp/ocsp_hsm_instance_nonshared.inf
    Loading deployment configuration from /tmp/ocsp_hsm_instance_nonshared.inf.
    Installing OCSP into /var/lib/pki/rootocsp.
    Storing deployment configuration into /etc/sysconfig/pki/tomcat/rootocsp/ocsp/deployment.cfg.
    pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
    pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in setting certificate names and key sizes: java.io.IOException: java.io.IOException: SSL_ForceHandshake failed: (-5938) Encountered end of file."}

    Installation failed.

Attaching the ocsp debug log
Shared tomcat instance:

    [root@sigma ~]# pkispawn -s OCSP -f /tmp/ocsp_hsm_instance_shared.inf
    Loading deployment configuration from /tmp/ocsp_hsm_instance_shared.inf.
    Installing OCSP into /var/lib/pki/pki-new-master.
    Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-new-master/ocsp/deployment.cfg.
    ERROR: Failed to add module "nfast". Probable cause : "The certificate/key database is in an old, unsupported format.".
    pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['modutil', '-dbdir', '/etc/pki/pki-new-master/alias', '-nocertdb', '-add', 'nfast', '-libfile', '/opt/nfast/toolkits/pkcs11/libcknfast.so', '-force']' returned non-zero exit status 22!

    Installation failed.

Trying to add hsm module nfast when it already exists
Actual results:
pkispawn fails
Expected results:
pkispawn should succeed
Checked-in fix to 'master' to prevent re-registering a security module (shared instance):
Moving to 10.2.6 and marking 'critical'.
The remainder of this ticket will be addressed in the consolidated ticket:
Metadata Update from @mharmsen: - Issue set to the milestone: 10.2.5
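The shared-instance failure above comes from running `modutil -add` for a module the NSS database already lists. The following is an added example, not the fix that was checked in to Dogtag PKI: it reads `modutil -list` output and only builds the `-add` command when the module is absent. The function names and the sample listing are constructed for illustration; the `modutil` arguments are the ones shown in the error output.

```python
import re
import subprocess

# Constructed sample of `modutil -dbdir <dir> -list` output (not from the ticket).
SAMPLE_LIST_OUTPUT = """
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
\t slots: 2 slots attached
\tstatus: loaded

\t slot: NSS Internal Cryptographic Services
\ttoken: NSS Generic Crypto Services

  2. nfast
\tlibrary name: /opt/nfast/toolkits/pkcs11/libcknfast.so
\t slots: 1 slot attached
\tstatus: loaded
-----------------------------------------------------------
"""

# Module entries are the numbered lines ("  2. nfast"); attribute lines are not numbered.
_MODULE_LINE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")


def registered_modules(list_output):
    """Return the module names found in `modutil -list` output."""
    matches = (_MODULE_LINE.match(line) for line in list_output.splitlines())
    return [m.group(1) for m in matches if m]


def add_module_command(dbdir, name, libfile, list_output):
    """Return the modutil argv that registers `name`, or None if it is already listed."""
    if name in registered_modules(list_output):
        return None
    return ["modutil", "-dbdir", dbdir, "-nocertdb",
            "-add", name, "-libfile", libfile, "-force"]


def ensure_module(dbdir, name, libfile):
    """Register the module only when the NSS database does not list it yet."""
    listing = subprocess.run(["modutil", "-dbdir", dbdir, "-list"],
                             check=True, capture_output=True, text=True).stdout
    cmd = add_module_command(dbdir, name, libfile, listing)
    if cmd is not None:
        subprocess.run(cmd, check=True)
    return cmd is not None  # True when a registration was actually performed
```
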
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1987
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.