To promote much better error reporting, many functions in ConfigurationUtils.java need to be updated to pass exceptions through rather than catching them.
The main problem is that the installation servlet is calling into the old installation code in ConfigurationUtils.java, and this old code has a bad habit of catching exceptions rather than letting them fall through which means that either the exception goes unreported --- or something else fails later down the line. In most cases where this is problematic, the installation should have been stopped immediately.
For example, since much of the certificate handling stuff is complicated, it will need to be determined which exceptions should be swallowed and which passed through so that the exception can be logged and reported appropriately.
An example of a type of error which is confusing is documented in PKI TRAC Ticket #933 - F20 clone pkispawn crashes when master is dogtag9 in which the message that gets displayed to the user is:
2014-03-26 09:10:58 pkispawn : ERROR ....... Exception from Java Configuration Servlet: Failed to obtain configuration entries from the master for cloning org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 50; White spaces are required between publicId and systemId.
whereas the actual culprit for this particular issue was because the profileSubmit servlet on the master CA had not been made available to sign the request submitted by the cloned CA.
Debug was only possible via examination of the debug log file and seeing the following informational message prior to the reported exception message:
[26/Mar/2014:09:10:56][http-bio-8443-exec-3]: NamePanel: For this Cloned CA, always use its Master CA to generate the 'sslserver' certificate to avoid any changes which may have been made to the X500Name directory string encoding order.
A second example of this occurred when a user was attempting to utilize an External CA certificate which contained a serial number which was identical to an existing serial number in the Dogtag CA.
The user witnessed a failure of the selftest with the following message:
0.localhost-startStop-1 - [03/Apr/2014:13:56:50 EDT] [20] [1] SystemCertsVerification: system certs verification failure
Upon closer examination of the debug file, the following error message had been reported, but the installation had not been stopped immediately:
[03/Apr/2014:13:53:58][http-bio-8443-exec-7]: handleCerts(): importCertChain: Exception: java.security.cert.CertificateEncodingException: CERT_ImportCAChainTrusted returned an error: (-8054) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
Although this ticket will undergo the formal triage process, it has been recommended for the 10.2 backlog Milestone by both alee and mharmsen.
Per CS/DS meeting of 4/7/2014, it was determined that this ticket would be filed for the 10.2 backlog milestone.
[06/04/2014] - Moving to Milestone 10.2.2 due to schedule restrictions.
Proposed Milestone: 10.3 (per CS Meeting of 09/17/2014)
Metadata Update from @mharmsen: - Issue set to the milestone: UNTRIAGED
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1508
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.