#1669 adminEnroll servlet EnrollSuccess.template succeeds but fails on import into browser
Closed: Fixed None Opened 8 years ago by msauton.

Trying to figure out why the EnrollSuccess.template fails in adminEnroll with
an error in the web browser:

re-enroll the admin cert
https://ca1.example.com:8443/ca/admin/ca/adminEnroll.html

succeeds before redirecting to

https://ca1.example.com:8443/ca/getAdminCertBySerial?serialNumber=10&importCert=true

HTTP Status 404 - /ca/getAdminCertBySerial
type Status Report
message /ca/getAdminCertBySerial
description The requested resource is not available

Steps to Reproduce:

1. have a CA up and running
2. systemctl stop pki-tomcatd@pki-tomcat.service
3. edit /etc/pki/pki-tomcat/ca/CS.cfg to set:

   ca.Policy.enable=true
   cmsgateway.enableAdminEnroll=true

4. systemctl start pki-tomcatd@pki-tomcat.service
5. re-enroll the admin cert from the browser:
   https://pki.example.com:8443/ca/admin/ca/adminEnroll.html

Additional Information:

# tail /var/log/pki/pki-tomcat/ca/system
0.Thread-46 - [22/Oct/2015:10:51:30 MDT] [8] [3] Publishing: Could not
publish certificate sserial number 0x10. Error Failed to publish using
rule: No rules enabled.

# tail /var/log/pki/pki-tomcat/ca/transactions
0.http-bio-8443-exec-22 - [22/Oct/2015:10:51:30 MDT] [20] [1] Enrollment
request reqID 16 fromAgent agentID: caadmin authenticated by passwdUserDBAuthMgr
is completed. DN requested: CN=CS Administrator 20151022,UID=caadmin,C=US cert
issued serial number: 0x10 time: 1548
0.http-bio-8443-exec-22 - [22/Oct/2015:10:51:30 MDT] [11] [1] Admin UID: caadmin
added cert for User UID: caadmin.
cert DN: CN=CS Administrator 20151022,UID=caadmin,C=US serial number: 0x10

There is no useful detail in the debug log.

As a workaround, the Retrieval tab of the EE interface can still be used
from the browser to import the newly minted Admin Certificate into the browser.

Per CS/DS meeting of 11/02/2015: 10.3

Closed as WONT FIX for RHCS 8.x version of product.

Checked into master:

  • 8037777298814440227451931eb607c5226cd35c

To test this patch:

This was tested on Fedora 23 by doing the following:

  • installed and configured a CA
  • Successfully tested enrollment in a browser after importing the original Admin certificate
  • systemctl stop pki-tomcatd@pki-tomcat.service
  • edited /etc/pki/pki-tomcat/ca/CS.cfg to set:
    ca.Policy.enable=true
    cmsgateway.enableAdminEnroll=true
  • systemctl start pki-tomcatd@pki-tomcat.service
  • created a new Firefox profile
  • traversed to the EE page, went to the Retrieval tab, imported the CA cert, and trusted it
  • within this new profile, traversed to https://pki.example.com:8443/ca/admin/ca/adminEnroll.html,
    and filled out the form
  • with this patch installed, it should generate a new admin certificate and import it successfully
    into this new profile -- to check, attempt to use the imported admin certificate to traverse to
    the Agents page

Per Bug Triage of 05/05/2016: 10.3.0

The process to restore admin access could be simplified in ticket #2260.

Metadata Update from @msauton:
- Issue assigned to mharmsen
- Issue set to the milestone: 10.3.1

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2228

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
