CZERTAINLY / CZERTAINLY-Core

CZERTAINLY - core of the platform managing certificate lifecycle management related tasks
https://www.czertainly.com
MIT License

Read-only file system error while trying to download intermediate CA certificate #783

Closed semik closed 3 months ago

semik commented 3 months ago

Describe the bug

CZERTAINLY-Core is producing a Read-only file system error when trying to download an intermediate CA certificate.

To Reproduce

Steps to reproduce the behavior:

  1. Find a certificate which has some intermediate CA that is unknown to CZERTAINLY. For example www.czertainly.com has R10.
  2. Upload that certificate or click on validation of that certificate (www.czertainly.com).
  3. In the UI you still see the certificate as Invalid.
  4. Go to the logs and see there: [2024-07-12 09:22:30.410] ERROR [tomcat-handler-8951] [com.czertainly.core.service.impl.CertificateServiceImpl - 1488]: r10.i.lencr.org (Read-only file system)

Expected behavior

I think it was planned to download intermediate certificates automatically. It is probably not working just because it downloads to the wrong direction.

Screenshots

(screenshot image not reproduced here)

Complete logs from develop-02:

[2024-07-12 09:22:30.396] DEBUG [tomcat-handler-8951] [com.czertainly.core.util.OcspUtil - 66]: Chain for the certificate is http://r10.i.lencr.org/
[2024-07-12 09:22:30.410] ERROR [tomcat-handler-8951] [com.czertainly.core.service.impl.CertificateServiceImpl - 1488]: r10.i.lencr.org (Read-only file system)
[2024-07-12 09:22:30.410] DEBUG [tomcat-handler-8951] [com.czertainly.core.validation.certificate.X509CertificateValidator - 59]: Initiating the certificate validation: Certificate(commonName=www.czertainly.com, serialNumber=47a509d2c06f3a77f44bc6356c2041a9bc6, issuerCommonName=R10, certificateContentId=2575, issuerDn=CN=R10, O=Let's Encrypt, C=US, issuerDnNormalized=2.5.4.10=Let's Encrypt,2.5.4.3=R10,2.5.4.6=US, subjectDn=CN=www.czertainly.com, subjectDnNormalized=2.5.4.3=www.czertainly.com, notBefore=2024-06-18 13:37:01.0, notAfter=2024-09-16 13:37:00.0, publicKeyAlgorithm=RSA, signatureAlgorithm=SHA256withRSA, extendedKeyUsage=["1.3.6.1.5.5.7.3.1","1.3.6.1.5.5.7.3.2"], keyUsage=["digitalSignature","keyEncipherment"], basicConstraints=Subject Type=End Entity, state=ISSUED, validationStatus=INVALID, fingerprint=a10882212b38e64891c9eef989ab6b20dd694a9f7707fde6948e428c22e501ba, publicKeyFingerprint=1783a187b952d9419be08de4d4a3ffa6b7ad5011d8cfb7b996d9faaf514d7817, subjectAlternativeNames={"registeredID":[],"ediPartyName":[],"iPAddress":[],"x400Address":[],"rfc822Name":[],"otherName":[],"dNSName":["www.czertainly.com"],"uniformResourceIdentifier":[],"directoryName":[]}, raProfileUuid=null, statusValidationTimestamp=2024-07-12T09:22:22.412840, keySize=2048, certificateType=X509, issuerSerialNumber=null, issuerCertificateUuid=null, certificateValidationResult={"certificate_chain":{"validationCheck":"certificate_chain","status":"invalid","message":"Incomplete certificate chain. 
Issuer certificate is not available in the inventory or in the AIA extension."},"signature":{"validationCheck":"signature","status":"not_checked","message":"Issuer certificate is not available."},"certificate_validity":{"validationCheck":"certificate_validity","status":"valid","message":"Certificate is valid."},"ocsp_verification":{"validationCheck":"ocsp_verification","status":"not_checked","message":"Issuer certificate is not available."},"crl_verification":{"validationCheck":"crl_verification","status":"not_checked","message":"Issuer certificate is not available."},"basic_constraints":{"validationCheck":"basic_constraints","status":"valid","message":"Certificate basic constraints verification successful."},"key_usage":{"validationCheck":"key_usage","status":"not_checked","message":"Certificate is not CA."}}, complianceResult=null, complianceStatus=NOT_CHECKED, userUuid=null, keyUuid=null, certificateRequestUuid=null, sourceCertificateUuid=null, trustedCa=null)
[2024-07-12 09:22:30.411] DEBUG [tomcat-handler-8951] [com.czertainly.core.validation.certificate.X509CertificateValidator - 85]: Certificate validation of Certificate(commonName=www.czertainly.com, serialNumber=47a509d2c06f3a77f44bc6356c2041a9bc6, issuerCommonName=R10, certificateContentId=2575, issuerDn=CN=R10, O=Let's Encrypt, C=US, issuerDnNormalized=2.5.4.10=Let's Encrypt,2.5.4.3=R10,2.5.4.6=US, subjectDn=CN=www.czertainly.com, subjectDnNormalized=2.5.4.3=www.czertainly.com, notBefore=2024-06-18 13:37:01.0, notAfter=2024-09-16 13:37:00.0, publicKeyAlgorithm=RSA, signatureAlgorithm=SHA256withRSA, extendedKeyUsage=["1.3.6.1.5.5.7.3.1","1.3.6.1.5.5.7.3.2"], keyUsage=["digitalSignature","keyEncipherment"], basicConstraints=Subject Type=End Entity, state=ISSUED, validationStatus=INVALID, fingerprint=a10882212b38e64891c9eef989ab6b20dd694a9f7707fde6948e428c22e501ba, publicKeyFingerprint=1783a187b952d9419be08de4d4a3ffa6b7ad5011d8cfb7b996d9faaf514d7817, subjectAlternativeNames={"registeredID":[],"ediPartyName":[],"iPAddress":[],"x400Address":[],"rfc822Name":[],"otherName":[],"dNSName":["www.czertainly.com"],"uniformResourceIdentifier":[],"directoryName":[]}, raProfileUuid=null, statusValidationTimestamp=2024-07-12T09:22:30.411139894, keySize=2048, certificateType=X509, issuerSerialNumber=null, issuerCertificateUuid=null, certificateValidationResult={"certificate_chain":{"validationCheck":"certificate_chain","status":"invalid","message":"Incomplete certificate chain. 
Issuer certificate is not available in the inventory or in the AIA extension."},"signature":{"validationCheck":"signature","status":"not_checked","message":"Issuer certificate is not available."},"certificate_validity":{"validationCheck":"certificate_validity","status":"valid","message":"Certificate is valid."},"ocsp_verification":{"validationCheck":"ocsp_verification","status":"not_checked","message":"Issuer certificate is not available."},"crl_verification":{"validationCheck":"crl_verification","status":"not_checked","message":"Issuer certificate is not available."},"basic_constraints":{"validationCheck":"basic_constraints","status":"valid","message":"Certificate basic constraints verification successful."},"key_usage":{"validationCheck":"key_usage","status":"not_checked","message":"Certificate is not CA."}}, complianceResult=null, complianceStatus=NOT_CHECKED, userUuid=null, keyUuid=null, certificateRequestUuid=null, sourceCertificateUuid=null, trustedCa=null) finalized with result: INVALID

Additional context

Tested on CZERTAINLY 2.2.11 and 2.2.12 and also on the version running on develop-02.

3keyroman commented 3 months ago

I assume you mean version 2.11.0 or 2.12.0...

We should not store the content of the downloaded certificate in a file, as we typically use a read-only file system for security and compliance reasons.

We should fix it. Thanks for reporting!
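An added example, not CZERTAINLY code (the project is Java; this uses Go's standard library), of the approach 3keyroman describes: following the leaf's AIA "CA Issuers" URL, parsing the downloaded bytes straight from memory and checking that the result really signed the leaf, with nothing ever written to the file system. The fetch callback and the test CA/leaf built by MakeChain are constructed stand-ins for the HTTP download and for a real chain such as www.czertainly.com with its R10 issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// FetchIssuer resolves the issuer of leaf through its AIA "CA Issuers" URLs in memory:
// the fetched bytes are parsed directly and never written to disk, so a read-only root
// file system cannot break chain building.
func FetchIssuer(leaf *x509.Certificate, fetch func(url string) ([]byte, error)) (*x509.Certificate, error) {
	for _, u := range leaf.IssuingCertificateURL {
		der, err := fetch(u)
		if err != nil {
			continue // unreachable URL: try the next one
		}
		// Accept only a parseable certificate that actually signed the leaf.
		if issuer, err := x509.ParseCertificate(der); err == nil && leaf.CheckSignatureFrom(issuer) == nil {
			return issuer, nil
		}
	}
	return nil, errors.New("issuer certificate is not available in the AIA extension")
}

// MakeChain builds a constructed test CA plus a leaf whose AIA points at issuerURL; it
// returns the parsed leaf and the CA's DER bytes (what an AIA download would yield).
func MakeChain(issuerURL string) (*x509.Certificate, []byte, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, _ := x509.ParseCertificate(caDER) // just created, so it parses
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IssuingCertificateURL: []string{issuerURL}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(leafDER)
	return leaf, caDER, nil
}
```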

semik commented 3 months ago

Yes, I mean versions 2.11.0 or 2.12.0...