This ticket is a consolidation of the following three tickets:
Example of failure from KRA ticket:
[root@sigma alias]# pkispawn -s KRA -f /tmp/kra_hsm_instance_nonshared.inf Loading deployment configuration from /tmp/kra_hsm_instance_nonshared.inf. Installing KRA into /var/lib/pki/rootkra. Storing deployment configuration into /etc/sysconfig/pki/tomcat/rootkra/kra/deployment.cfg. Module "nfast" added to database. pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.cert srv.base.PKIException","Code":500,"Message":"Failed to import certificate chain from security domain master: java.io.IOException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938) Encountered end of file."} Installation failed. KRA debug log has the following messages: [16/Jun/2015:14:06:57][http-bio-31242-exec-3]: === Security Domain Panel === [16/Jun/2015:14:06:57][http-bio-31242-exec-3]: Joining existing security domain [16/Jun/2015:14:06:57][http-bio-31242-exec-3]: Resolving security domain URLhttps://sigma.lab.eng.rdu.redhat.com:30042 [16/Jun/2015:14:06:57][http-bio-31242-exec-3]: Getting security domain cert chain [16/Jun/2015:14:06:58][http-bio-31242-exec-3]: getHttpResponse: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938) Encountered end of file. com.netscape.certsrv.base.PKIException: Failed to import certificate chain from security domain master: java.io.IOException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-5938) Encountered end of file. at org.dogtagpki.server.rest.SystemConfigService.getCertChainFromSecuri tyDomain(SystemConfigService.java:952) at org.dogtagpki.server.rest.SystemConfigService.logIntoSecurityDomain( SystemConfigService.java:927) at org.dogtagpki.server.rest.SystemConfigService.configureSecurityDomai n(SystemConfigService.java:886) at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfig Service.java:149) at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfig Service.java:117) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcce ssorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(Resourc eMethodInvoker.java:280) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodI nvoker.java:234) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodI nvoker.java:221) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDisp atcher.java:356) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDisp atcher.java:179) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher .service(ServletContainerDispatcher.java:220) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.serv ice(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.serv ice(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(App licationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(Application FilterChain.java:208) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(App licationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(Application FilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapper Valve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContext Valve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentic atorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVa lve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHtt p11Processor.java:1040) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process (AbstractProtocol.java:607) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoi nt.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskT hread.java:61) at java.lang.Thread.run(Thread.java:745)
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1234638 (Red Hat Certificate System)
Per discussion with cfu, a new deployment config parameter should be added to select the initial cipher set (RSA or ECC).
there is an existing pki_ssl_server_key_type which can be used.
The SSL_ForceHandshake failed issue has a workaround.
The workaround is the following: Edit the CA's server.xml: replace the sslRangeCiphers value with the following:
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
I will provide the actual fix in code in due time.
pushed to master: commit 7c1af7f7dac89363c7923802ec759ccb84813bfb
Metadata Update from @mharmsen: - Issue assigned to cfu - Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1998
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.