Invalid chunk header
by Dennis Gnatowski
I'm getting an error when attempting to format a new blank card (sc650). Fresh, new install of CA, KRA, TKS, TPS on single instance. Insert card into reader (3121) and ESC (1.1.0-13 on Windows10) prompts for phone Home URL. Enter TPS phone Home URL then press Format button and get error (in localhost.log). I have the same issue on RHCS 9.1 (latest patches) as well as Dogtag 10.3.x. Not sure where the issue lies or how to fix.
SEVERE: Servlet.service() for servlet [tps] in context with path [/tps] threw exception
java.io.IOException: Invalid chunk header
at org.apache.coyote.http11.filters.ChunkedInputFilter.throwIOException(ChunkedInputFilter.java:615)
at org.apache.coyote.http11.filters.ChunkedInputFilter.doRead(ChunkedInputFilter.java:192)
at org.apache.coyote.http11.AbstractInputBuffer.doRead(AbstractInputBuffer.java:287)
at org.apache.coyote.Request.doRead(Request.java:438)
at org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:290)
at org.apache.tomcat.util.buf.ByteChunk.substract(ByteChunk.java:390)
at org.apache.catalina.connector.InputBuffer.readByte(InputBuffer.java:304)
at org.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:91)
at org.apache.catalina.connector.CoyoteInputStream$1.run(CoyoteInputStream.java:87)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:85)
at org.dogtagpki.tps.TPSConnection.read(TPSConnection.java:55)
at org.dogtagpki.server.tps.TPSSession.read(TPSSession.java:72)
at org.dogtagpki.server.tps.processor.TPSProcessor.handleAPDURequest(TPSProcessor.java:311)
at org.dogtagpki.server.tps.processor.TPSProcessor.selectApplet(TPSProcessor.java:279)
at org.dogtagpki.server.tps.processor.TPSProcessor.selectCardManager(TPSProcessor.java:2968)
at org.dogtagpki.server.tps.processor.TPSProcessor.getAppletInfo(TPSProcessor.java:2900)
at org.dogtagpki.server.tps.processor.TPSProcessor.format(TPSProcessor.java:1831)
at org.dogtagpki.server.tps.processor.TPSProcessor.process(TPSProcessor.java:2852)
at org.dogtagpki.server.tps.TPSSession.process(TPSSession.java:119)
at org.dogtagpki.server.tps.TPSServlet.service(TPSServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
-----------------------------------------------------------
Dennis Gnatowski dgnatowski(a)yahoo.com
6 years, 11 months
Mac OS SCEP request failure: "Could not decode the request"
by Ryan Trinder
Hello PKI users!
I am looking to use Dogtag for my org as the full PKI solution. Initially,
I'll be using it for certificate issuance for an EAP-TLS rollout.
In the beginning to get certificates issued throughout the org, I would
like to utilize the SCEP server across multiple devices including Mac OS, iOS,
Linux, Windows, Chromebooks.
So far, I have tested with the *sscep* utility on Linux and with Mac OS
through the mobileconfig xml configuration. Using *sscep* works great on
Linux, however any testing from Mac OS results in a 500 from the server
declaring that the request could not be decoded. I initially thought the
requests were using the wrong CA, however intentionally using a wrong CA
with the *sscep* utility shows a completely different response in the logs.
Here is an excerpt from the *ca/debug* log for a failed request:
==> ca/debug <==
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: operation=GetCACert
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert selected chain=0
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: Output certificate chain:
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: operation=PKIOperation
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: message=[base64-encoded request omitted]
java.io.EOFException
at org.mozilla.jss.asn1.ASN1Util.readFully(ASN1Util.java:114)
at org.mozilla.jss.asn1.ANY$Template.decode(ANY.java:274)
at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:157)
at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:146)
at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:400)
at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:254)
at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:247)
at com.netscape.cmsutil.scep.CRSPKIMessage.decodeCRSPKIMessage(CRSPKIMessage.java:701)
at com.netscape.cmsutil.scep.CRSPKIMessage.<init>(CRSPKIMessage.java:723)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:832)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:370)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: ServletException
javax.servlet.ServletException: Could not decode the request.
And the failure from localhost.log
==> localhost.2017-08-31.log <==
Aug 31, 2017 2:20:39 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [caSCEP] in context with path [/ca] threw exception [Could not decode the request.] with root cause
javax.servlet.ServletException: Could not decode the request.
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:381)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
This seems like a MacOS specific difference in the requests, but I cannot
determine exactly what it is. Would anyone have any experience with this?
For reference, this is dogtag-pki 10.2.6+git20160317-1 installed via apt on
Ubuntu 16.04.
--
6 years, 11 months
pkiconsole does not launch on CentOS 7.4.1708
by Aleksey Chudov
Hi,
I'm trying to set up pkiconsole on CentOS 7.4.1708.
I rebuilt pki-console and redhat-pki-console-theme packages from
http://ftp.redhat.com/pub/redhat/linux/enterprise/7Server/en/RHCERT/SRPMS/
Then I placed two packages to local repo
pki-console-10.4.1-6.el7.centos.noarch.rpm
redhat-pki-console-theme-10.4.1-1.el7.centos.noarch.rpm
Then just yum install pki-console
Now I have the following packages installed
$ yum list installed | grep pki
pki-base.noarch                  10.4.1-13.el7_4      @updates
pki-base-java.noarch             10.4.1-13.el7_4      @updates
pki-console.noarch               10.4.1-6.el7.centos  @local
redhat-pki-console-theme.noarch  10.4.1-1.el7.centos  @local
But pkiconsole does not launch with PKIException: Not Found
$ pkiconsole -D 9:all https://dogtag.example.com:8443/ca
1 14:17:54.441 L9 (Console.java:1653) java.util.prefs.userRoot=/tmp/java
2 14:17:54.442 (0.001) L9 (Console.java:1653) java.runtime.name=OpenJDK Runtime Environment
3 14:17:54.443 (0.001) L9 (Console.java:1653) sun.boot.library.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/amd64
4 14:17:54.444 (0.001) L9 (Console.java:1653) java.vm.version=25.144-b01
5 14:17:54.444 (0.0) L9 (Console.java:1653) java.vm.vendor=Oracle Corporation
6 14:17:54.444 (0.0) L9 (Console.java:1653) java.vendor.url=http://java.oracle.com/
7 14:17:54.444 (0.0) L9 (Console.java:1653) path.separator=:
8 14:17:54.445 (0.001) L9 (Console.java:1653) java.util.logging.config.file=/usr/share/pki/etc/logging.properties
9 14:17:54.445 (0.0) L9 (Console.java:1653) java.vm.name=OpenJDK 64-Bit Server VM
10 14:17:54.445 (0.0) L9 (Console.java:1653) file.encoding.pkg=sun.io
11 14:17:54.445 (0.0) L9 (Console.java:1653) user.country=US
12 14:17:54.446 (0.001) L9 (Console.java:1653) sun.java.launcher=SUN_STANDARD
13 14:17:54.446 (0.0) L9 (Console.java:1653) sun.os.patch.level=unknown
14 14:17:54.446 (0.0) L9 (Console.java:1653) java.vm.specification.name=Java Virtual Machine Specification
15 14:17:54.446 (0.0) L9 (Console.java:1653) user.dir=/home/aleksey
16 14:17:54.446 (0.0) L9 (Console.java:1653) java.runtime.version=1.8.0_144-b01
17 14:17:54.446 (0.0) L9 (Console.java:1653) java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment
18 14:17:54.447 (0.001) L9 (Console.java:1653) java.endorsed.dirs=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/endorsed
19 14:17:54.447 (0.0) L9 (Console.java:1653) os.arch=amd64
20 14:17:54.447 (0.0) L9 (Console.java:1653) java.io.tmpdir=/tmp
21 14:17:54.447 (0.0) L9 (Console.java:1653) line.separator=
22 14:17:54.448 (0.001) L9 (Console.java:1653) java.vm.specification.vendor=Oracle Corporation
23 14:17:54.448 (0.0) L9 (Console.java:1653) os.name=Linux
24 14:17:54.448 (0.0) L9 (Console.java:1653) sun.jnu.encoding=UTF-8
25 14:17:54.448 (0.0) L9 (Console.java:1653) java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
26 14:17:54.448 (0.0) L9 (Console.java:1653) java.specification.name=Java Platform API Specification
27 14:17:54.449 (0.001) L9 (Console.java:1653) java.class.version=52.0
28 14:17:54.449 (0.0) L9 (Console.java:1653) sun.management.compiler=HotSpot 64-Bit Tiered Compilers
29 14:17:54.449 (0.0) L9 (Console.java:1653) os.version=3.10.0-693.2.2.el7.x86_64
30 14:17:54.449 (0.0) L9 (Console.java:1653) user.home=/home/aleksey
31 14:17:54.449 (0.0) L9 (Console.java:1653) user.timezone=Europe/Riga
32 14:17:54.449 (0.0) L9 (Console.java:1653) java.awt.printerjob=sun.print.PSPrinterJob
33 14:17:54.450 (0.001) L9 (Console.java:1653) file.encoding=UTF-8
34 14:17:54.450 (0.0) L9 (Console.java:1653) java.specification.version=1.8
35 14:17:54.450 (0.0) L9 (Console.java:1653)
java.class.path=/usr/share/java/pki/pki-console.jar:/usr/share/java/pki/pki-console-theme.jar:/usr/share/java/389-console_en.jar:/usr/share/java/idm-console-base.jar:/usr/share/java/idm-console-mcc_en.jar:/usr/share/java/idm-console-mcc.jar:/usr/share/java/idm-console-nmclf_en.jar:/usr/share/java/idm-console-nmclf.jar:/usr/share/pki/lib/commons-cli.jar:/usr/share/pki/lib/commons-codec.jar:/usr/share/pki/lib/commons-httpclient.jar:/usr/share/pki/lib/commons-io.jar:/usr/share/pki/lib/commons-lang.jar:/usr/share/pki/lib/commons-logging.jar:/usr/share/pki/lib/httpclient.jar:/usr/share/pki/lib/httpcore.jar:/usr/share/pki/lib/jackson-core-asl.jar:/usr/share/pki/lib/jackson-jaxrs.jar:/usr/share/pki/lib/jackson-mapper-asl.jar:/usr/share/pki/lib/jackson-mrbean.jar:/usr/share/pki/lib/jackson-smile.jar:/usr/share/pki/lib/jackson-xc.jar:/usr/share/pki/lib/jaxb-api.jar:/usr/share/pki/lib/jss4.jar:/usr/share/pki/lib/ldapjdk.jar:/usr/share/pki/lib/pki-certsrv.jar:/usr/share/pki/lib/pki-cmsutil.jar:/usr/share/pki/lib/pki-nsutil.jar:/usr/share/pki/lib/pki-tools.jar:/usr/share/pki/lib/resteasy-atom-provider.jar:/usr/share/pki/lib/resteasy-client.jar:/usr/share/pki/lib/resteasy-jackson-provider.jar:/usr/share/pki/lib/resteasy-jaxb-provider.jar:/usr/share/pki/lib/resteasy-jaxrs-api.jar:/usr/share/pki/lib/resteasy-jaxrs-jandex.jar:/usr/share/pki/lib/resteasy-jaxrs.jar:/usr/share/pki/lib/servlet.jar:/usr/share/pki/lib/slf4j-api.jar:/usr/share/pki/lib/slf4j-jdk14.jar
36 14:17:54.450 (0.0) L9 (Console.java:1653) user.name=aleksey
37 14:17:54.450 (0.0) L9 (Console.java:1653) java.vm.specification.version=1.8
38 14:17:54.450 (0.0) L9 (Console.java:1653) sun.java.command=com.netscape.admin.certsrv.Console -D 9:all https://dogtag.example.com:8443/ca
39 14:17:54.451 (0.001) L9 (Console.java:1653) java.home=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre
40 14:17:54.451 (0.0) L9 (Console.java:1653) sun.arch.data.model=64
41 14:17:54.451 (0.0) L9 (Console.java:1653) java.util.prefs.systemRoot=/tmp/.java
42 14:17:54.451 (0.0) L9 (Console.java:1653) user.language=en
43 14:17:54.451 (0.0) L9 (Console.java:1653) java.specification.vendor=Oracle Corporation
44 14:17:54.452 (0.001) L9 (Console.java:1653) awt.toolkit=sun.awt.X11.XToolkit
45 14:17:54.452 (0.0) L9 (Console.java:1653) java.vm.info=mixed mode
46 14:17:54.452 (0.0) L9 (Console.java:1653) java.version=1.8.0_144
47 14:17:54.452 (0.0) L9 (Console.java:1653) java.ext.dirs=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/ext:/usr/java/packages/lib/ext
48 14:17:54.452 (0.0) L9 (Console.java:1653)
sun.boot.class.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/resources.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/rt.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/jsse.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/jce.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/charsets.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/jfr.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/classes
49 14:17:54.452 (0.0) L9 (Console.java:1653) java.vendor=Oracle Corporation
50 14:17:54.452 (0.0) L9 (Console.java:1653) file.separator=/
51 14:17:54.453 (0.001) L9 (Console.java:1653) java.vendor.url.bug=http://bugreport.sun.com/bugreport/
52 14:17:54.453 (0.0) L9 (Console.java:1653) sun.io.unicode.encoding=UnicodeLittle
53 14:17:54.453 (0.0) L9 (Console.java:1653) sun.cpu.endian=little
54 14:17:54.453 (0.0) L9 (Console.java:1653) sun.desktop=gnome
55 14:17:54.453 (0.0) L9 (Console.java:1653) sun.cpu.isalist=
56 14:17:54.454 (0.001) L1 (Unknown Source) ResourceSet:getString():Unable to resolve console-displayVersion
57 14:17:54.454 (0.0) L0 (Console.java:1665) Management-Console/null B2017.257.1933
58 14:17:54.460 (0.006) L9 (Unknown Source) ResourceSet: NOT found in cache loader118352462:com.netscape.management.client.default
59 14:17:54.464 (0.004) L9 (Unknown Source) ResourceSet: NOT found in cache loader118352462:com.netscape.management.client.topology.topology
60 14:17:54.469 (0.005) L9 (Unknown Source) ResourceSet: NOT found in cache loader118352462:CMSAdminRS
61 14:17:54.501 (0.032) L9 (Unknown Source) ResourceSet: found in cache loader118352462:CMSAdminRS
PKIException: Not Found
How to launch pkiconsole on CentOS 7.4.1708?
Regards,
Aleksey
7 years
Cannot install Dogtag on CentOS 7.4.1708
by Vesselin Kolev
Hello All,
I think something is wrong with dogtag packages included in the new
CentOS 7 release. Once CentOS 7.4.1708 arrived in the distro
repositories we got our systems updated. But when we rebooted the PKI
infrastructure server nodes we realized that pki-tomcat somehow cannot
load the certificates and some of the other settings.
We started analyzing the problem by presuming that we made some mistake
in the configuration but when we tried to create a CA subsystem from
scratch on a freshly installed system (CentOS 7.4.1708, 389 server, and
the pki-* packages installed), we failed:
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]:
Tomcat:
Instance [pki-tomcat]:
HTTP port [8080]:
Secure HTTP port [8443]:
AJP port [8009]:
Management port [8005]:
Administrator:
Username [caadmin]:
Password:
Verify password:
Import certificate (Yes/No) [N]?
Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:
Directory Server:
Hostname [ds.example.com]:
Use a secure LDAPS connection (Yes/No/Quit) [N]?
LDAP Port [389]:
Bind DN [cn=Directory Manager]:
Password:
Base DN [o=pki-tomcat-CA]:
Security Domain:
Name [example.com Security Domain]:
Begin installation (Yes/No/Quit)? Yes
Log file: /var/log/pki/pki-ca-spawn.20170925074602.log
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
pkispawn : ERROR ....... server failed to restart
Installation failed: server failed to restart
Note that it is a fresh installation. No customization at all. 389 server
is running and it got tested before starting with the CA subsystem
installation procedure. All DNS records matching the machine address are
available.
I checked the spawn log file
(/var/log/pki/pki-ca-spawn.20170925074602.log). Most of the entries
there seem absolutely fine. The only records that show some problems are:
2017-09-25 06:32:28 pkispawn : INFO ....... executing 'systemctl daemon-reload'
2017-09-25 06:32:28 pkispawn : INFO ....... executing 'systemctl start pki-tomcatd@pki-tomcat.service'
2017-09-25 06:32:29 pkispawn : DEBUG ........... No connection - server may still be down
2017-09-25 06:32:29 pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found
2017-09-25 06:32:30 pkispawn : DEBUG ........... No connection - server may still be down
2017-09-25 06:32:30 pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found
2017-09-25 06:32:31 pkispawn : DEBUG ........... No connection - server may still be down
2017-09-25 06:32:31 pkispawn : DEBUG ........... No connection - exception thrown: 404 Client Error: Not Found
...
2017-09-25 06:33:30 pkispawn : ERROR ....... server failed to restart
2017-09-25 06:33:30 pkispawn : DEBUG ....... Error Type: Exception
2017-09-25 06:33:30 pkispawn : DEBUG ....... Error Message: server failed to restart
2017-09-25 06:33:30 pkispawn : DEBUG ....... File "/sbin/pkispawn", line 533, in main
Since that piece of information is not very particular on what exactly
happens, I checked the debug log in /var/log/pki/pki-tomcat/ca/debug and
found these pieces of suspicious info:
[25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-tomcat
[25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: cert not found:auditSigningCert cert-pki-tomcat
[25/Sep/2017:07:46:56][localhost-startStop-1]: CMSEngine: Exception:org.mozilla.jss.crypto.ObjectNotFoundException
...
Property internaldb.ldapconn.port missing value
...
I know that the "Property internaldb.ldapconn.port missing value" error is
explained here http://pki.fedoraproject.org/wiki/Troubleshooting as
something that could be ignored, but the spawn process does not create
any new LDAP database (it is supposed to create o=pki-tomcat-CA).
Moreover, apart from the cn=Directory Manager dn password validation,
there is not even a single attempt to connect to the 389 directory server
running on the same machine.
Anyone with experience in that?
Best,
Veselin
7 years