Invalid chunk header
by Dennis Gnatowski
I’m getting an error when attempting to format a new blankcard (sc650).Fresh, new install of CA, KRA, TKS, TPS on single instance.Insert card into reader (3121) and ESC (1.1.0-13 on Windows10) prompts for phone Home URL.Enter TPS phone Home URL then press Format button and geterror (in localhost.log). I have the same issue on RHCS 9.1 (latest patches) as wellas Dogtag 10.3.x. Not sure where theissue lies or how to fix. SEVERE: Servlet.service() for servlet [tps] in context withpath [/tps] threw exceptionjava.io.IOException: Invalid chunk header atorg.apache.coyote.http11.filters.ChunkedInputFilter.throwIOException(ChunkedInputFilter.java:615) atorg.apache.coyote.http11.filters.ChunkedInputFilter.doRead(ChunkedInputFilter.java:192) atorg.apache.coyote.http11.AbstractInputBuffer.doRead(AbstractInputBuffer.java:287) atorg.apache.coyote.Request.doRead(Request.java:438) atorg.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:290) atorg.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:390) atorg.apache.catalina.connector.InputBuffer.readByte(InputBuffer.java:304) atorg.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:91) atorg.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:87) atjava.security.AccessController.doPrivileged(Native Method) atorg.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:85) atorg.dogtagpki.tps.TPSConnection.read(TPSConnection.java:55) atorg.dogtagpki.server.tps.TPSSession.read(TPSSession.java:72) atorg.dogtagpki.server.tps.processor.TPSProcessor.handleAPDURequest(TPSProcessor.java:311) atorg.dogtagpki.server.tps.processor.TPSProcessor.selectApplet(TPSProcessor.java:279) atorg.dogtagpki.server.tps.processor.TPSProcessor.selectCardManager(TPSProcessor.java:2968) atorg.dogtagpki.server.tps.processor.TPSProcessor.getAppletInfo(TPSProcessor.java:2900) atorg.dogtagpki.server.tps.processor.TPSProcessor.format(TPSProcessor.java:1831) atorg.dogtagpki.server.tps.processor.TPSProcessor.process(TPSProcessor.java:2852) atorg.dogtagpki.server.tps.TPSSession.process(TPSSession.java:119) atorg.dogtagpki.server.tps.TPSServlet.service(TPSServlet.java:60) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) atsun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source) atsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) atjava.lang.reflect.Method.invoke(Method.java:498) atorg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) atorg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) atjava.security.AccessController.doPrivileged(Native Method) atjavax.security.auth.Subject.doAsPrivileged(Subject.java:549) -----------------------------------------------------------Dennis Gnatowski dgnatowski(a)yahoo.com
6 years, 9 months
Invalid chunck header
by Dennis Gnatowski
I’m getting an error when attempting to format a new blankcard (sc650).Fresh, new install of CA, KRA, TKS, TPS on single instance.Insert card into reader (3121) and ESC (1.1.0-13 on Windows10) prompts for phone Home URL.Enter TPS phone Home URL then press Format button and geterror (in localhost.log). I have the same issue on RHCS 9.1 (latest patches) as wellas Dogtag 10.3.x. Not sure where theissue lies or how to fix. SEVERE: Servlet.service() for servlet [tps] in context withpath [/tps] threw exceptionjava.io.IOException: Invalid chunk header atorg.apache.coyote.http11.filters.ChunkedInputFilter.throwIOException(ChunkedInputFilter.java:615) atorg.apache.coyote.http11.filters.ChunkedInputFilter.doRead(ChunkedInputFilter.java:192) atorg.apache.coyote.http11.AbstractInputBuffer.doRead(AbstractInputBuffer.java:287) atorg.apache.coyote.Request.doRead(Request.java:438) atorg.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:290) atorg.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:390) atorg.apache.catalina.connector.InputBuffer.readByte(InputBuffer.java:304) atorg.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:91) atorg.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:87) atjava.security.AccessController.doPrivileged(Native Method) atorg.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:85) atorg.dogtagpki.tps.TPSConnection.read(TPSConnection.java:55) atorg.dogtagpki.server.tps.TPSSession.read(TPSSession.java:72) atorg.dogtagpki.server.tps.processor.TPSProcessor.handleAPDURequest(TPSProcessor.java:311) atorg.dogtagpki.server.tps.processor.TPSProcessor.selectApplet(TPSProcessor.java:279) atorg.dogtagpki.server.tps.processor.TPSProcessor.selectCardManager(TPSProcessor.java:2968) atorg.dogtagpki.server.tps.processor.TPSProcessor.getAppletInfo(TPSProcessor.java:2900) atorg.dogtagpki.server.tps.processor.TPSProcessor.format(TPSProcessor.java:1831) atorg.dogtagpki.server.tps.processor.TPSProcessor.process(TPSProcessor.java:2852) atorg.dogtagpki.server.tps.TPSSession.process(TPSSession.java:119) atorg.dogtagpki.server.tps.TPSServlet.service(TPSServlet.java:60) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) atsun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source) atsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) atjava.lang.reflect.Method.invoke(Method.java:498) atorg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) atorg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) atjava.security.AccessController.doPrivileged(Native Method) atjavax.security.auth.Subject.doAsPrivileged(Subject.java:549) -----------------------------------------------------------Dennis Gnatowski dgnatowski(a)yahoo.com
7 years
Submit CSR failure: your request is not submitted, The reason is “Missing credential: sessionID”
by Susumu Sai
On https://<dogtag_ca_url>:8443/ca/ee/ca,
using profile of ‘Manual Certificate Manager Signing Certificate
Enrollment’,
copy and paste CSR,
click Submit,
got failure:
Sorry, your request is not submitted, The reason is “Missing
credential: sessionID”
I used openssl command verified my csr: openssl reg -in csr.CSR -text , I
am not getting any error with the command, I guess this says that my CSR is
fine.
Any comments? suggestions?
Thanks.
Susumu
7 years, 1 month
pki api question with RHCS 9
by Henry Graham
Hello,
I'm trying to setup a script using the API mentioned here:
http://pki.fedoraproject.org/wiki/Dogtag_10_Python_Cert_Client_API#Python...
Is there anyway to return the requestor_name and requestor_email when
you know the cert CN or serial number (or some other info unique to
the signed cert) using the PKI api?
This information is saved, I can see it in the "Agent Services" UI when I:
"Search for Certificates" -> click "Details" for the returned cert ->
then scroll down to "Certificate request info" and click the "Request
ID"
These are then both displayed on the page:
requestor_name
requestor_email
So far I can get the pki.cert.CertClient.list_certs() to return a
"CertDataInfoCollection" object just fine. This doesn't provide the
information and neither does the "CertRequestInfo" object.
Our use case is we are building an automation script that will notify
requestor's team if a cert is going to expire and the requestor_name
and requestor_email returned via api will make this job much easier.
Thanks,
Henry
7 years, 1 month
Re: [Pki-users] Pki-users Digest, Vol 110, Issue 1
by Rafael Leiva-Ochoa
Thanks for the update Christina. Where does the Dogtag CA store its
certificate for the https://<dogtag_ca_url>:8443/. I checked the
/etc/ssl/certs/
directory, but I found nothing.
Thanks again Christina
Rafael
On Thu, Jun 1, 2017 at 9:00 AM, <pki-users-request(a)redhat.com> wrote:
> Send Pki-users mailing list submissions to
> pki-users(a)redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/pki-users
> or, via email, send a message with subject or body 'help' to
> pki-users-request(a)redhat.com
>
> You can reach the person managing the list at
> pki-users-owner(a)redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Pki-users digest..."
>
>
> Today's Topics:
>
> 1. Re: Dogtag Cert Lauch Page Renewal (Christina Fu)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 31 May 2017 14:31:31 -0700
> From: Christina Fu <cfu(a)redhat.com>
> To: pki-users(a)redhat.com
> Subject: Re: [Pki-users] Dogtag Cert Lauch Page Renewal
> Message-ID: <034773bd-3756-73df-8c77-7dd1ebe93082(a)redhat.com>
> Content-Type: text/plain; charset="windows-1252"; Format="flowed"
>
> Hi Rafael,
>
> I think the following should work for you in theory (Note: I have not
> tried it myself).
>
> If you mean the web server cert, by default it uses the caServerCert
> profile. So to add SAN you would want to add Subject Alt Name Default
> and possibly constraint to that profile. You can look up how other
> default profiles.
>
> Here is an example policy you could add:
>
> policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
> policyset.serverCertSet.9.constraint.name=No Constraint
> policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
> policyset.serverCertSet.9.default.name=Subject Alternative Name
> Extension Default
> policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
> policyset.serverCertSet.9.default.params.subjAltExtPattern_0=yourServer
> .example.com
> policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
> policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
>
> Make sure you add the set id "9" (if unique..you can change it to
> another unique id) to
>
> policyset.serverCertSet.list=
>
> It is important that you add that to the profile before you proceed with
> the renewal instruction (under the assumption that you wish to reuse
> keys), because the instruction I am about to give you will use the same
> profile that the original cert was issued through. Restart the CA after
> the above config change.
>
> About renewal, if you want to reuse the same keys of the original web
> server certificate, you could try going to the ee page
> Enrollment/Renewal tab. Where you would find on the last link of the
> page to be
>
> Renewal: Renew certificate to be manually approved by agents.
>
> Enter the current (to be replaced) server cert serial number and
> submit. Have the CA agent approve the request. Download and update
> your server cert, restart the intended web server.
>
> If you don't want to reuse keys, then simply enroll through the Manual
> Server Certificate Enrollment, which uses the profile that you just
> modified, but will expect a whole new csr to be the input (rekey).
> Incidentally, if you happen to have the original CSR (hence preserving
> the same keys), you would end up having the same keys with the new
> update profile (with SAN) as well, which would effectively give you the
> same result.
>
> Let us know if that works for you.
>
> Christina
>
>
> On 05/30/2017 06:29 PM, Rafael Leiva-Ochoa wrote:
> > Any takers?
> >
> > Rafael
> >
> > On Sat, May 27, 2017 at 10:29 PM, Rafael Leiva-Ochoa
> > <spawn(a)rloteck.net <mailto:spawn@rloteck.net>> wrote:
> >
> > Hi Everyone,
> >
> > I am was looking through the Dogtag CA documentation, and I
> > was not able to find the process for renewing the Dogtag Web page
> > certificate. I wanted to update the cert since all browser now
> > required a SAN on the cert. Any help would be great.
> >
> > Thanks,
> >
> > Rafael
> >
> >
> >
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://www.redhat.com/archives/pki-users/
> attachments/20170531/7a1c9f30/attachment.html>
>
> ------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
> End of Pki-users Digest, Vol 110, Issue 1
> *****************************************
>
7 years, 1 month
