Invalid chunk header
by Dennis Gnatowski
I’m getting an error when attempting to format a new blank card (sc650). Fresh, new install of CA, KRA, TKS, TPS on single instance. Insert card into reader (3121) and ESC (1.1.0-13 on Windows10) prompts for phone Home URL. Enter TPS phone Home URL then press Format button and get error (in localhost.log). I have the same issue on RHCS 9.1 (latest patches) as well as Dogtag 10.3.x. Not sure where the issue lies or how to fix.
SEVERE: Servlet.service() for servlet [tps] in context with path [/tps] threw exception
java.io.IOException: Invalid chunk header
at org.apache.coyote.http11.filters.ChunkedInputFilter.throwIOException(ChunkedInputFilter.java:615)
at org.apache.coyote.http11.filters.ChunkedInputFilter.doRead(ChunkedInputFilter.java:192)
at org.apache.coyote.http11.AbstractInputBuffer.doRead(AbstractInputBuffer.java:287)
at org.apache.coyote.Request.doRead(Request.java:438)
at org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:290)
at org.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:390)
at org.apache.catalina.connector.InputBuffer.readByte(InputBuffer.java:304)
at org.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:91)
at org.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:87)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:85)
at org.dogtagpki.tps.TPSConnection.read(TPSConnection.java:55)
at org.dogtagpki.server.tps.TPSSession.read(TPSSession.java:72)
at org.dogtagpki.server.tps.processor.TPSProcessor.handleAPDURequest(TPSProcessor.java:311)
at org.dogtagpki.server.tps.processor.TPSProcessor.selectApplet(TPSProcessor.java:279)
at org.dogtagpki.server.tps.processor.TPSProcessor.selectCardManager(TPSProcessor.java:2968)
at org.dogtagpki.server.tps.processor.TPSProcessor.getAppletInfo(TPSProcessor.java:2900)
at org.dogtagpki.server.tps.processor.TPSProcessor.format(TPSProcessor.java:1831)
at org.dogtagpki.server.tps.processor.TPSProcessor.process(TPSProcessor.java:2852)
at org.dogtagpki.server.tps.TPSSession.process(TPSSession.java:119)
at org.dogtagpki.server.tps.TPSServlet.service(TPSServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
-----------------------------------------------------------
Dennis Gnatowski dgnatowski(a)yahoo.com
6 years, 11 months
Mac OS SCEP request failure: "Could not decode the request"
by Ryan Trinder
Hello PKI users!
I am looking to use Dogtag for my org as the full PKI solution. Initially,
I'll be using it for certificate issuance for an EAP-TLS rollout.
In the beginning to get certificates issued throughout the org, I would
like to utilize the SCEP server across multiple devices including Mac OS, iOS,
Linux, Windows, Chromebooks.
So far, I have tested with the *sscep* utility on linux and with Mac OS
through the mobileconfig xml configuration. Using *sscep* works great on
linux, however any testing from Mac OS results in a 500 from the server
declaring that the request could not be decoded. I initially thought the
requests were using the wrong CA, however intentionally using a wrong CA
with the *sscep* utility shows a completely different response in the logs.
Here is an excerpt from the *ca/debug* log for a failed request:
==> ca/debug <==
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: operation=GetCACert
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert selected chain=0
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: Output certificate chain:
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: operation=PKIOperation
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]:
java.io.EOFException
at org.mozilla.jss.asn1.ASN1Util.readFully(ASN1Util.java:114)
at org.mozilla.jss.asn1.ANY$Template.decode(ANY.java:274)
at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:157)
at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:146)
at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:400)
at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:254)
at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:247)
at com.netscape.cmsutil.scep.CRSPKIMessage.decodeCRSPKIMessage(CRSPKIMessage.java:701)
at com.netscape.cmsutil.scep.CRSPKIMessage.<init>(CRSPKIMessage.java:723)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:832)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:370)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: ServletException
javax.servlet.ServletException: Could not decode the request.
And the failure from localhost.log
==> localhost.2017-08-31.log <==
Aug 31, 2017 2:20:39 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [caSCEP] in context with path [/ca] threw exception [Could not decode the request.] with root cause
javax.servlet.ServletException: Could not decode the request.
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:381)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
This seems like a MacOS specific difference in the requests, but I cannot
determine exactly what it is. Would anyone have any experience with this?
For reference, this is dogtag-pki 10.2.6+git20160317-1 installed via apt on
Ubuntu 16.04.
--
6 years, 11 months
Spawn KRA subsystem to existing CA instance fails with Error in setting certificate names and key sizes
by Michal Kašpar
Hello.
I've got a problem with spawning kra subsystem on existing Dogtag
instance which was created as part of IPA installation. When I run
ipa-kra-install or pkispawn -s KRA, the result is the same error in
/var/lib/pki/pki-tomcat/kra/logs/debug (see below).
The pki version is 10.4.1, the ca component works without problem.
I've tried turning off SELinux, checked file permissions on the
pki-tomcat components but haven't found anything wrong.
Has anyone an idea, how to debug or solve this problem? The debug level
is set to 0 for KRA component and still no hint what might be the
problem.
Thank you for any hint.
The last lines in the debug log are:
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: generateCertRequest: getting public key for certificate transport
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: generateCertRequest: getting private key for certificate transport
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: generateCertRequest: private key ID: 76c3a8268120fe025d
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: generateCertRequest: generating generic extensions
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: ConfigurationUtils: createGenericExtensions: begins
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: generateCertRequest: generating PKCS #10 request
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: generateCertRequest: storing cert request
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: configCert: caType is remote
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: ConfigurationUtils: updateConfig() for certTag storage
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: updateConfig() done
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: configCert: remote CA
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: CertRequestPanel: got public key
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: CertRequestPanel: got private key
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: ConfigurationUtils: injectSAN=false
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: CertUtil: content: {xmlOutput=[true], cert_request_type=[pkcs10], profileId=[caInternalAuthDRMstorageCert], cert_request=[MIICfjCCAWYCAQAwOTEV...
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: ConfigurationUtils: POST https://server:443/ca/ee/ca/profileSubmit
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: Server certificate:
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: - subject: CN=server,O=REALM
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: - issuer: CN=Certificate Authority,O=REALM
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: CertUtil: status: 0
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: CertUtil: cert: MMIIDdjC...
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: generateCertRequest: getting public key for certificate storage
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: generateCertRequest: getting private key for certificate storage
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: generateCertRequest: private key ID: 74c90cb1bb054bd06d9e8b6013
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: generateCertRequest: generating generic extensions
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: ConfigurationUtils: createGenericExtensions: begins
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: generateCertRequest: generating PKCS #10 request
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: generateCertRequest: storing cert request
java.lang.NullPointerException
at java.util.Hashtable.put(Hashtable.java:459)
at com.netscape.cmscore.base.SourceConfigStore.put(SourceConfigStore.java:57)
at com.netscape.cmscore.base.PropConfigStore.put(PropConfigStore.java:157)
at com.netscape.cmscore.base.PropConfigStore.putString(PropConfigStore.java:306)
at org.dogtagpki.server.rest.SystemConfigService.updateConfiguration(SystemConfigService.java:593)
at org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:359)
at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:176)
at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:110)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
...
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: Error in setting certificate names and key sizes: java.lang.NullPointerException
--
Michal Kašpar
7 years, 1 month
Unable to retrieve CA chain: request failed with HTTP status 500
by pgb205
I have an install that fails at the following stage:
importing CA chain to RA certificate database [error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500
the logs are not showing anything obvious
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is true
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown true
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:58][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:58][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:07][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection: errorIfDown true
[22/Aug/2017:17:03:07][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation - caDirUserRenewal caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation - caDirUserRenewal
[22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation - IECUserRoles caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation - IECUserRoles
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:13:08][SerialNumberUpdateTask]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
and
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: returnConn: mNumConns now 5
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: searching for entry 20170823152409Z
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList.getEntries()
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: entries: 1
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: top: 0
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: size: 640
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitRevokedExpiredCertificates: list size: 640
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitRevokedExpiredCertificates: ltSize 1
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitRevokedExpired: curRec: 0 CertRecord: 76
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: Record does not qualify,notAfter Mon Aug 28 16:47:53 UTC 2017 date Wed Aug 23 15:24:09 UTC 2017
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitCertList REVOKED_EXPIRED
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: updateCertStatus done
I have full logs if necessary, but I'm unable to determine the cause for the failure. Asking on freeipa forums this is a problem on the CA server but that's as far as I got with this.
7 years, 1 month