Unable to configure KRA subsystem in separate Tomcat instance. Fails with error:
.fc23</Version></XMLResponse>
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : INFO ....... executing 'certutil -R -d /opt/Example1-RootKRA1/kra/alias -s cn=PKI Administrator,e=kraadmin@example.org,o=example.org Security Domain -k rsa -g 2048 -z /opt/Example1-RootKRA1/kra/alias/noise -f /opt/Example1-RootKRA1/kra/password.conf -o /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin'
pkispawn : INFO ....... rm -f /opt/Example1-RootKRA1/kra/alias/noise
pkispawn : INFO ....... BtoA /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin.asc
pkispawn : INFO ....... configuring PKI configuration data.
pkispawn : ERROR ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error for url: https://pki1.example.org:14443/kra/rest/installer/configure
pkispawn : ERROR ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Invalid Request"}
pkispawn : DEBUG ....... Error Type: ParseError
pkispawn : DEBUG ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn : DEBUG .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err
How reproducible:
Install and configure CA.
Install and configure KRA using the config file below:

<snip>
[DEFAULT]
pki_instance_name=Example1-RootKRA1
pki_https_port=14443
pki_http_port=14080
#NSS DB Token Password
pki_token_password=Secret123
#RootKRA Admin password
pki_admin_password=Secret123
#Security Domain
pki_hostname=pki1.example.org
pki_security_domain_hostname=pki1.example.org
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123
#Client Dir
pki_client_dir=/opt/Example1-RootKRA1
pki_client_pkcs12_password=Secret123
pki_client_database_password=Secret123
#Backup
pki_backup_keys=True
pki_backup_password=Secret123
#ldap
pki_ds_hostname=pki1.example.org
pki_ds_ldap_port=1901
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=Secret123
[Tomcat]
pki_ajp_port=14009
pki_tomcat_server_port=14005
[KRA]
pki_admin_nickname=PKI KRA Administrator for Example Org
pki_import_admin_cert=False
</snip>
Actual results:
pkispawn fails to configure KRA
Expected results:
pkispawn should successfully configure KRA
Additional info:
The CA debug log shows this error while creating the KRA admin cert:

[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: Start parsePKCS10(): MIICrDCCAZQCAQAwZzEkMCIGA1UEChMbZXhhbXBsZS5vcmcgU2VjdXJpdHkgRG9t%0DYWluMSMwIQYJKoZIhvcNAQkBFhRrcmFhZG1pbkBleGFtcGxlLm9yZzEaMBgGA1UE%0DAxMRUEtJIEFkbWluaXN0cmF0b3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK%0DAoIBAQDGssnRrEBAwi03tz7d1cjhzPQuiyrkU8Sb8RBs65fEiJfqzGWQDQHHnQj%2F%0Do8NCP3IZXGbL%2FUIyPhZVymiCBaGNOEHa0LxkhEIzYGNNs80VJMmti0zoqvEnNh%2Fq%0DxZWNOcXmb0S3I1gep0TD%2BbUFP3WonrGgaRbwsQJbvUtsZh5aOlBAcNykE6mV2cXd%0DmUWbHXsRIQn29RRxNqWp7j5oxKdeWY2MMnw63vNNNcZO%2FN%2FveiqyoXdumU2MyPt%2B%0DE1QnDaTEvEJHdfupWtPwROVEctNEchXRP4Z3mh09vPLpDZKXEVRDZ8eZIMHcJdGs%0DHUkkmpmS98AN%2FKOZtFWlP7lFZUXfAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA%0DAtV9uFxaU5PqdXVlmQcoR7wAcTACxMD%2B6KioXixOEuYVGXs%2Fh88UNCyH0wq89ETv%0D6fW8t%2FRdTIdDKqXNIM9gU17HqQbPAWLVyoPCmZLH0OjXh3d%2B3RpwIdXduUWAMax1%0Dwry2826%2BeHHCLqglEspym2Iv0LrKi2EXZvCNm6d5ZXxbnfYuJKJHCNhADrwXrlRs%0DX6LJtu4R%2FAq8FvjCiGqiuELy6T5NiTlWphSGBsfN7HIX5Iy3cAY8cvdQkrgn745y%0DVFTtlU%2BzflRZnCUe2okn%2FyjY0vR8NCfGLn3UT9W99Sau7fAEQX4PsbmFIkFKE8XT%0DikbCEi%2FxsKYeVVwZOmfNtw%3D%3D%0D
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10: signature verification enabled
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10: use internal token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 setting thread token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 java.io.IOException: DerInput.getLength(): lengthTag=25, too big.
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 restoring thread token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: ProfileSubmitServlet: error in processing request: Invalid Request
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: CMSServlet: curDate=Thu Feb 04 13:03:15 IST 2016 id=caProfileSubmit time=58
I was able to reproduce with the latest Dogtag master on F22 with the exact same error:
[15/Feb/2016:15:03:48]http-bio-30042-exec-24: Start parsePKCS10(): MIICrjCCAZYCAQAwaTEjMCEGA1UEChMacGtpLWluLWNhMS1zZWN1cml0eS1kb21h%0DaW4xJjAkBgkqhkiG9w0BCQEWF2tyYWFkbWluQHNqYy5yZWRoYXQuY29tMRowGAYD%0DVQQDExFQS0kgQWRtaW5pc3RyYXRvcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC%0DAQoCggEBAMA9i070BlcEUDOFPDqG1GizqIZG%2Byadu4hMLrdA7q%2B3PweGX6fRiKlf%0Dn6JkCGljpF1Cnmo3RmOMtUiB%2FsgvJ9%2F0SUYJUrHAPx5iJGnAmJTrIAKUXsdDfpJ5%0D7%2BXMvagdHTRJ5Sw9AAY8MDQ7IfBDQ9D0M9D6vLuskExwxuK107GQ%2BcVjKlzolFFq%0DWRVH0Bs3u%2Fev72j3uG%2B%2BwFLNPg%2BFK1jKdwous84Fz35YtvcSA9xSfNYl26HOfn1l%0DAG0lt2DEgPqZ7mPmm8CuUtZQx%2BRT6gRfUWngJLk%2BJFleX%2Fk04Kfi8rSjMeNoJjEG%0D2hJ4DHyn6VZnM9HxB%2BXxr0q0Y78MMhkCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IB%0DAQANnStPgikEE%2FVMrMZO7Uc2L5BM4PLzdlk5hbLqj7ZCgca7uHX%2FJYh4x23Fp9c4%0DniFYSJUP148owVc32d3M0u4kwa%2BSDSasA4EyPXi8El7CI2h8XkN17SI8xxOta1%2Fx%0DNTOyyZBTrEFdqtDgbTZLDwUJL4vecyw9M%2FwzkNfezmKc5RWzxqo%2F9J0rGdkBjLan%0DezDpjuhzjKof5ZgvIDW02uSGHdo2HUoy6tL%2Fyvabooss0b1ZU%2FxPcP%2BTAXzeKrwL%0DW5XGZevNRP81fhn15K96JCBEzi9OyKwb%2FF5HEiwlzvXUjG2jvbhPW6b9ajiqD6wj%0DHdNNK1P4X7o53T%2FVa5yxsoIe%0D
[15/Feb/2016:15:03:48]http-bio-30042-exec-24: EnrollProfile: parsePKCS10: signature verification enabled
[15/Feb/2016:15:03:48]http-bio-30042-exec-24: EnrollProfile: parsePKCS10: use internal token
[15/Feb/2016:15:03:48]http-bio-30042-exec-24: EnrollProfile: parsePKCS10 setting thread token
[15/Feb/2016:15:03:48]http-bio-30042-exec-24: EnrollProfile: parsePKCS10 java.io.IOException: DerInput.getLength(): lengthTag=79, too big.
[15/Feb/2016:15:03:48]http-bio-30042-exec-24: EnrollProfile: parsePKCS10 restoring thread token
[15/Feb/2016:15:03:48]http-bio-30042-exec-24: ProfileSubmitServlet: error in processing request: Invalid Request
Looking at the PKCS10 blob, I believe it needs to be URL decoded. Did something change in this area lately?
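An added check of the diagnosis in the comment above (this script is an editor's illustration, not part of the ticket or of Dogtag's code). It takes the cert_request blob exactly as logged by the CA in the F22 reproduction, decodes it both with and without the missing URL-decoding step, and walks the top-level DER of the result with a length reader modelled on DerInputStream.getLength(), including its "lengthTag=N, too big" message. The "skip URL-decoding" path assumes a base64 decoder that silently drops characters outside the base64 alphabet; the page does not show which Java decoder the CA used, so the exact byte at which it tripped (lengthTag=79) is not reproduced, only the fact that the decoded stream no longer agrees with its own DER length fields.

```python
import base64
import re
from urllib.parse import unquote

# The cert_request value as it appears in the CA debug log above (F22 run).
# The %0D, %2B and %2F escapes show the base64 text was URL-encoded once more
# than the CA expected.
CSR_PARAM = (
    "MIICrjCCAZYCAQAwaTEjMCEGA1UEChMacGtpLWluLWNhMS1zZWN1cml0eS1kb21h%0D"
    "aW4xJjAkBgkqhkiG9w0BCQEWF2tyYWFkbWluQHNqYy5yZWRoYXQuY29tMRowGAYD%0D"
    "VQQDExFQS0kgQWRtaW5pc3RyYXRvcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC%0D"
    "AQoCggEBAMA9i070BlcEUDOFPDqG1GizqIZG%2Byadu4hMLrdA7q%2B3PweGX6fRiKlf%0D"
    "n6JkCGljpF1Cnmo3RmOMtUiB%2FsgvJ9%2F0SUYJUrHAPx5iJGnAmJTrIAKUXsdDfpJ5%0D"
    "7%2BXMvagdHTRJ5Sw9AAY8MDQ7IfBDQ9D0M9D6vLuskExwxuK107GQ%2BcVjKlzolFFq%0D"
    "WRVH0Bs3u%2Fev72j3uG%2B%2BwFLNPg%2BFK1jKdwous84Fz35YtvcSA9xSfNYl26HOfn1l%0D"
    "AG0lt2DEgPqZ7mPmm8CuUtZQx%2BRT6gRfUWngJLk%2BJFleX%2Fk04Kfi8rSjMeNoJjEG%0D"
    "2hJ4DHyn6VZnM9HxB%2BXxr0q0Y78MMhkCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IB%0D"
    "AQANnStPgikEE%2FVMrMZO7Uc2L5BM4PLzdlk5hbLqj7ZCgca7uHX%2FJYh4x23Fp9c4%0D"
    "niFYSJUP148owVc32d3M0u4kwa%2BSDSasA4EyPXi8El7CI2h8XkN17SI8xxOta1%2Fx%0D"
    "NTOyyZBTrEFdqtDgbTZLDwUJL4vecyw9M%2FwzkNfezmKc5RWzxqo%2F9J0rGdkBjLan%0D"
    "ezDpjuhzjKof5ZgvIDW02uSGHdo2HUoy6tL%2Fyvabooss0b1ZU%2FxPcP%2BTAXzeKrwL%0D"
    "W5XGZevNRP81fhn15K96JCBEzi9OyKwb%2FF5HEiwlzvXUjG2jvbhPW6b9ajiqD6wj%0D"
    "HdNNK1P4X7o53T%2FVa5yxsoIe%0D"
)


class DerError(ValueError):
    """Raised where a DER length field and the decoded bytes disagree."""


_NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")


def decode_csr_param(param: str, url_decode: bool) -> bytes:
    """Turn the submitted parameter into DER bytes.

    url_decode=True is the correct pipeline: percent-decode, then base64.
    url_decode=False models a server that skips percent-decoding and hands the
    raw text to a base64 decoder that silently drops characters outside the
    alphabet (an assumption; the page does not show the Java decoder used).
    """
    text = unquote(param) if url_decode else param      # %0D -> CR, %2B -> +, %2F -> /
    clean = _NOT_B64.sub("", text)                      # drops CR after unquote, '%' before it
    clean = clean[: len(clean) - len(clean) % 4]        # lenient: ignore a trailing partial quad
    return base64.b64decode(clean)


def _read_length(der: bytes, pos: int):
    """Read a DER length at der[pos]; modelled on DerInputStream.getLength(),
    including the 'lengthTag=N, too big' wording seen in the CA log."""
    if pos >= len(der):
        raise DerError("DerInput.getLength(): unexpected end of data")
    first = der[pos]
    pos += 1
    if first < 0x80:
        return first, pos                               # short form
    length_tag = first & 0x7F                           # number of length octets
    if length_tag == 0:
        raise DerError("DerInput.getLength(): indefinite length is not DER")
    if length_tag > 4:
        raise DerError("DerInput.getLength(): lengthTag=%d, too big." % length_tag)
    if pos + length_tag > len(der):
        raise DerError("DerInput.getLength(): truncated length field")
    return int.from_bytes(der[pos:pos + length_tag], "big"), pos + length_tag


def pkcs10_outline(der: bytes):
    """Walk the top-level elements of a CertificationRequest and return
    [(tag, length), ...]. A valid PKCS#10 yields SEQUENCE (certificationRequestInfo),
    SEQUENCE (signatureAlgorithm) and BIT STRING (signature) tiling the buffer exactly."""
    if not der or der[0] != 0x30:
        raise DerError("expected an outer SEQUENCE")
    body_len, pos = _read_length(der, 1)
    end = pos + body_len
    if end != len(der):
        raise DerError("outer SEQUENCE declares %d bytes but buffer has %d" % (end, len(der)))
    children = []
    while pos < end:
        tag = der[pos]
        length, pos = _read_length(der, pos + 1)
        if pos + length > end:
            raise DerError("element 0x%02X overruns the outer SEQUENCE" % tag)
        children.append((tag, length))
        pos += length
    return children


def diagnose(param: str, url_decode: bool) -> dict:
    """Decode one way or the other and report what the DER walker makes of it."""
    der = decode_csr_param(param, url_decode)
    try:
        return {"bytes": len(der), "outline": pkcs10_outline(der), "error": None}
    except DerError as exc:
        return {"bytes": len(der), "outline": None, "error": str(exc)}


if __name__ == "__main__":
    for mode in (True, False):
        print("url_decode=%-5s -> %s" % (mode, diagnose(CSR_PARAM, mode)))
```

With URL-decoding the blob is a 690-byte CertificationRequest whose three top-level elements are a 406-byte SEQUENCE, a 13-byte SEQUENCE (sha256WithRSAEncryption) and a 257-byte BIT STRING, exactly filling the declared outer length. Without it, the `0D`, `2B` and `2F` digits left behind by the dropped `%` are decoded as base64 symbols, the stream grows to 729 bytes, and the outer header's 686-byte length no longer matches, which is the same class of inconsistency the CA's parser reported as a bad length octet.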
Per previous comment: 10.3 - major
The problem seems to happen only when pki_import_admin_cert is set to False. Apparently the code has always been tested with the default value (i.e. True).
Fixed in master:
Metadata Update from @nkarandi: - Issue assigned to edewata - Issue set to the milestone: 10.3.0.a2
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2312
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.