Re: [Pki-users] New Release: PKI 10.7.3 is available for testing
by Arno Lehmann
Hi all,
I managed to upgrade my Fedora-based PKI system to Release 31, which is
not yet ready for production (as I think I found).
Now, after the upgrade, I can enjoy server error 500 messages once the
web server middleware gets busy:
https://...de:8443/pki/ui/
results in
> HTTP Status 500 – Internal Server Error
>
> Type Exception Report
>
> Message org.apache.jasper.JasperException: Unable to compile class for JSP
>
> Beschreibung The server encountered an unexpected condition that prevented it from fulfilling the request.
>
> Exception
>
> org.apache.jasper.JasperException: org.apache.jasper.JasperException: Unable to compile class for JSP
> org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:604)
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
I can, of course, provide full stacktraces and configuration details.
Configuration is mostly unmodified, but the whole system has been going
through some upgrades since its first setup.
From the automatically created debug log, I gather that this:
> 2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE: Servlet.service() for servlet [jsp] in context with path [/pki] threw exception [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
> java.security.AccessControlException: access denied ("java.util.PropertyPermission" "tolerateIllegalAmbiguousVarargsInvocation" "read")
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> at java.security.AccessController.checkPermission(AccessController.java:886)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
> ...
is probably the reason for the failure.
Status of the server, at a first glance, looks ok to me:
> [root@ca2 ~]# pki-server --verbose status CA2
> Command: status CA2
> INFO: Loading instance: CA2
> INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
> INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
> INFO: Loading instance Tomcat config: /etc/pki/CA2/tomcat.conf
> INFO: Loading password config: /etc/pki/CA2/password.conf
> INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/CA2/CA2
> INFO: Loading subsystem: ca
> INFO: Loading subsystem config: /var/lib/pki/CA2/ca/conf/CS.cfg
> INFO: Loading subsystem: ocsp
> INFO: Loading subsystem config: /var/lib/pki/CA2/ocsp/conf/CS.cfg
> Instance ID: CA2
> Active: True
> Unsecure Port: 8080
> Secure Port: 8443
> Tomcat Port: 8005
>
> CA Subsystem:
> Type: Root CA (Security Domain)
> SD Registration URL: https://ca2.<redacted>.de:8443
> Enabled: True
> Unsecure URL: http://ca2.<redacted>.de:8080/ca/ee/ca
> Secure Agent URL: https://ca2.<redacted>.de:8443/ca/agent/ca
> Secure EE URL: https://ca2.<redacted>.de:8443/ca/ee/ca
> Secure Admin URL: https://ca2.<redacted>.de:8443/ca/services
> PKI Console URL: https://ca2.<redacted>.de:8443/ca
>
> OCSP Subsystem:
> Type: OCSP
> SD Registration URL: https://ca2.<redacted>.de:8443
> Enabled: True
> Unsecure URL: http://ca2.<redacted>.de:8080/ocsp/ee/ocsp/<ocsp request blob>
> Secure Agent URL: https://ca2.<redacted>.de:8443/ocsp/agent/ocsp
> Secure EE URL: https://ca2.<redacted>.de:8443/ocsp/ee/ocsp/<ocsp request blob>
> Secure Admin URL: https://ca2.<redacted>.de:8443/ocsp/services
> PKI Console URL: https://ca2.<redacted>.de:8443/ocsp
There's no other PKI instance in place, and I'm not sufficiently skilled
with dogtag to actually do much with the configuration anyway, so I kept
my fingers off it as far as I could :-)
Is this a known problem, is there a reasonably simple fix, or is it time
to load my latest backup?
Thanks,
Arno
--
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
5 years, 2 months
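An added example, not part of the original post and not Dogtag or Tomcat code: when a Java SecurityManager denial like the one in the debug log above is the root cause, the denied permission can be extracted from the log and rendered in Java policy-file syntax for review. The sample log lines are constructed from the excerpt in the post; the function names are hypothetical.

```python
import re
from collections import Counter

# AccessControlException prints: access denied ("<class>" "<name>" "<actions>")
# where <name> and <actions> may be absent for some permission classes.
DENIED = re.compile(
    r'access denied \("(?P<cls>[\w.$]+)"'
    r'(?: "(?P<name>[^"]*)")?(?: "(?P<actions>[^"]*)")?\)'
)

def denied_permissions(lines):
    """Count each distinct (class, name, actions) denial seen in the log."""
    counts = Counter()
    for line in lines:
        m = DENIED.search(line)
        if m:
            counts[(m["cls"], m["name"], m["actions"])] += 1
    return counts

def policy_entry(cls, name=None, actions=None):
    """Render one denial as a Java policy-file permission statement."""
    def quote(s):
        # Backslashes and quotes must be escaped inside policy-file strings.
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    args = ", ".join(quote(a) for a in (name, actions) if a is not None)
    return f"permission {cls} {args};" if args else f"permission {cls};"

def report(lines):
    """Most frequent denials first, one statement per distinct denial."""
    return [policy_entry(*key) for key, _ in denied_permissions(lines).most_common()]

# Constructed sample modelled on the debug log excerpt in the post.
SAMPLE_LOG = [
    "2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE: Servlet.service() "
    "for servlet [jsp] in context with path [/pki] threw exception with root cause",
    'java.security.AccessControlException: access denied '
    '("java.util.PropertyPermission" "tolerateIllegalAmbiguousVarargsInvocation" "read")',
    "at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)",
    'java.security.AccessControlException: access denied '
    '("java.util.PropertyPermission" "tolerateIllegalAmbiguousVarargsInvocation" "read")',
    'java.security.AccessControlException: access denied '
    '("java.lang.RuntimePermission" "accessDeclaredMembers")',
]

if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```

The output is a list of candidate statements to review against the instance's policy, one per distinct denial, so a narrowly scoped grant can be weighed against disabling the security manager altogether.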
sscep enroll error
by Pavel Ryabikh
Hello dear PKI-users!
Our pki system version is:
Fedora 29.
pki-server-10.8.0-0.1.fc30.noarch
We have configured SCEP following:
https://www.dogtagpki.org/wiki/SCEP_Setup
CS.cfg:
...
ca.scep.allowedEncryptionAlgorithms=DES,DES3
ca.scep.allowedHashAlgorithms=MD5,SHA1,SHA256,SHA512
ca.scep.enable=true
ca.scep.encryptionAlgorithm=DES
ca.scep.hashAlgorithm=MD5
ca.scep.nonceSizeLimit=16
...
we also
- installed SSCEP client
- generated CA certificate
$ sscep getca -u http://$HOSTNAME:8080/ca/cgi-bin/pkiclient.exe -c ca.crt
it is checked by
$ openssl x509 -in ca.crt -text
and it is correct
- generated CSR request and a key
$ /usr/bin/mkrequest -ip 172.16.24.238 Uojs93wkfd0IS
and when trying to test enroll we are getting the following error:
(Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException):
# sscep enroll -u http://$HOSTNAME:8080/ca/cgi-bin/pkiclient.exe -c ca.crt -k local.key -r local.csr -l cert.crt -d
sscep: starting sscep, version 0.6.1
sscep: new transaction
sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
sscep: hostname: ca.lvm.postmet.com
sscep: directory: ca/cgi-bin/pkiclient.exe
sscep: port: 8080
sscep: Read request with transaction id:
9A6C3918C54DB994E7E951505983A181
sscep: generating selfsigned certificate
sscep: SCEP_OPERATION_ENROLL
sscep: sending certificate request
sscep: creating inner PKCS#7
sscep: inner PKCS#7 in mem BIO
sscep: request data dump
sscep: data payload size: 415 bytes
sscep: hexdump request payload
sscep: hexdump payload 415
sscep: successfully encrypted payload
sscep: envelope size: 956 bytes
sscep: printing PEM fomatted PKCS#7
sscep: creating outer PKCS#7
sscep: signature added successfully
sscep: adding signed attributes
sscep: adding string attribute transId
sscep: adding string attribute messageType
sscep: adding octet attribute senderNonce
sscep: PKCS#7 data written successfully
sscep: printing PEM fomatted PKCS#7
sscep: applying base64 encoding
sscep: base64 encoded payload size: 2588 bytes
sscep: scep msg: GET /ca/cgi-bin/pkiclient.exe?operation=PKIOperation&message=... HTTP/1.0
sscep: server returned status code 500
sscep: mime_err: HTTP/1.1 500
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 3234
Date: Mon, 09 Sep 2019 07:12:32 GMT
Connection: close
<!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">
h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
a {color:black;}
a.name {color:black;}
.line {height:1px;background-color:#525D76;border:none;}
</style></head><body>
<h1>HTTP Status 500 – Internal Server Error</h1>
<hr class="line" />
<p><b>Type</b> Exception Report</p>
<p><b>Message</b> Couldn&#39;t handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword</p>
<p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p>
<p><b>Exception</b></p>
<pre>javax.servlet.ServletException: Couldn&#39;t handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword
com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:397)
javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
java.security.AccessController.doPrivileged(Native Method)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
sun.reflect.GeneratedMethodAccessor47.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
</pre>
<p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p>
<hr class="line" />
<h3>Apache Tomcat/9.0.21</h3>
</body></html>
sscep: wrong (or missing) MIME content type
sscep: error while sending message
Why is it trying to unwrap PKCS10 if we are sending PKCS7?
How can it be fixed?
I am sure you know it.
Please help.
--
Pavel Ryabih
PostMet Corporation
http://www.postmet.com
Call to sip:pr@postmet.com
5 years, 3 months
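An added example, not part of the original post and not Dogtag code: the `ca.scep.*` excerpt above selects DES and MD5 while its allowed lists already contain stronger values, and this script audits such settings and reports the stronger values that are already allowed. The function names are hypothetical, and the meaning of the allowed lists and of a missing `ca.scep.enable` are assumptions marked in the comments.

```python
# Treated as weak here: DES (56-bit key), MD5 and SHA1 (practical collisions).
WEAK = {"DES", "MD5", "SHA1"}

# (selected algorithm, allowed list) key pairs from the post's ca.scep.* excerpt.
# Assumption: the allowed lists bound what the CA accepts from SCEP clients.
PAIRS = [
    ("ca.scep.encryptionAlgorithm", "ca.scep.allowedEncryptionAlgorithms"),
    ("ca.scep.hashAlgorithm", "ca.scep.allowedHashAlgorithms"),
]

def parse_cs_cfg(text):
    """Parse key=value lines; skip blanks, '#' comments and '...' elisions."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def audit_scep(cfg):
    """Return (key, weak value(s), stronger values already allowed) tuples."""
    findings = []
    # Assumption: a missing ca.scep.enable means SCEP is off.
    if cfg.get("ca.scep.enable", "false").lower() != "true":
        return findings
    for selected_key, allowed_key in PAIRS:
        selected = cfg.get(selected_key, "").upper()
        allowed = [a.strip().upper()
                   for a in cfg.get(allowed_key, "").split(",") if a.strip()]
        stronger = [a for a in allowed if a not in WEAK]
        if selected in WEAK:
            findings.append((selected_key, selected, stronger))
        weak_allowed = [a for a in allowed if a in WEAK]
        if weak_allowed:
            findings.append((allowed_key, ",".join(weak_allowed), stronger))
    return findings

# The ca.scep.* lines as they appear in the post above.
SAMPLE = """
...
ca.scep.allowedEncryptionAlgorithms=DES,DES3
ca.scep.allowedHashAlgorithms=MD5,SHA1,SHA256,SHA512
ca.scep.enable=true
ca.scep.encryptionAlgorithm=DES
ca.scep.hashAlgorithm=MD5
ca.scep.nonceSizeLimit=16
...
"""

if __name__ == "__main__":
    for key, weak, stronger in audit_scep(parse_cs_cfg(SAMPLE)):
        print(f"{key}: weak value {weak}; stronger allowed: {stronger}")
```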
Installation failed: import_pkcs7
by Pavel Ryabikh
Hello dear Dogtag PKI users!
I have been trying to install the system for some days already - it fails:
Here is a description:
[root@ca ~]# pkispawn -f ca-external-step2.cfg -s CA
Installation log: /var/log/pki/pki-ca-spawn.20190819144510.log
Loading deployment configuration from ca-external-step2.cfg.
Installing CA into /var/lib/pki/pki-tomcat.
ParsingException: IOException: Sequence tag error 9
ERROR : pkispawn CalledProcessError: Command '['pki', '-d', '/var/lib/pki/pki-tomcat/alias', 'pkcs7-cert-export', '--pkcs7-file', '/tmp/tmpgx3puk6p/cert_chain.p7b', '--output-prefix', '/tmp/tmptc7rw5h0/cert', '--output-suffix', '.crt']' returned non-zero exit status 255.
  File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 546, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 643, in spawn
    self.import_system_certs(deployer, nssdb, subsystem)
  File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 199, in import_system_certs
    self.import_system_cert(deployer, nssdb, subsystem, 'signing', 'CT,C,C')
  File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 144, in import_system_cert
    trust_attributes=trust_attributes)
  File "/usr/lib/python3.7/site-packages/pki/nssdb.py", line 1295, in import_cert_chain
    trust_attributes=trust_attributes)
  File "/usr/lib/python3.7/site-packages/pki/nssdb.py", line 1327, in import_pkcs7
    subprocess.check_call(cmd)
  File "/usr/lib64/python3.7/subprocess.py", line 347, in check_call
    raise CalledProcessError(retcode, cmd)
Installation failed: Command failed: pki -d /var/lib/pki/pki-tomcat/alias pkcs7-cert-export --pkcs7-file /tmp/tmpgx3puk6p/cert_chain.p7b --output-prefix /tmp/tmptc7rw5h0/cert --output-suffix .crt
Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20190819144510.log
And these are configs:
STEP1:
[DEFAULT]
pki_server_database_password=121212
[CA]
pki_admin_email=admin(a)postmet.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=121212
pki_admin_uid=caadmin
pki_client_database_password=121212
pki_client_database_purge=False
pki_client_pkcs12_password=121212
pki_ds_base_dn=dc=ca,dc=lvm,dc=postmet,dc=com
pki_ds_database=ca
pki_ds_password=121212
pki_security_domain_name=lvm.postmet.com Security Domain
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem
pki_external=True
pki_external_step_two=False
pki_ca_signing_csr_path=ca_signing.csr
STEP2:
[DEFAULT]
pki_instance_name = pki-tomcat
pki_admin_password = 121212
pki_backup_password = 121212
pki_client_database_password = 121212
pki_client_pin = 121212
pki_client_pkcs12_password = 121212
pki_clone_pkcs12_password = 121212
pki_ds_password = 121212
pki_external_pkcs12_password = 121212
pki_pkcs12_password = 121212
pki_replication_password = 121212
pki_security_domain_password = 121212
pki_server_database_password = 121212
pki_server_pkcs12_password = 121212
pki_token_password = 121212
[CA]
pki_admin_email=admin(a)postmet.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=121212
pki_admin_uid=caadmin
pki_client_database_password=121212
pki_client_database_purge=False
pki_client_pkcs12_password=121212
pki_ds_base_dn=dc=ca,dc=lvm,dc=postmet,dc=com
pki_ds_database=ca
pki_ds_password=121212
pki_security_domain_name=lvm.postmet.com Security Domain
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem
pki_external=True
pki_external_step_two=True
pki_ca_signing_csr_path=ca_signing.csr
pki_ca_signing_cert_path=ca_signing.crt
pki_cert_chain_nickname=external
pki_cert_chain_path=cert_chain.p7b
pki_import_admin_cert = False
pki_client_admin_cert = ca_admin.cert
pki_admin_subject_dn=cn=PKI Administrator,o=%(pki_security_domain_name)s
Please help
--
Pavel Ryabih
PostMet Corporation
http://www.postmet.com
Call to sip:pr@postmet.com
5 years, 3 months