SilleBille / pki

Dogtag PKI Issues should be reported to the Dogtag PKI Pagure Issues site
https://pagure.io/dogtagpki/issues

Verify system cert flags in the beginning of Selftest #477

Closed SilleBille closed 4 years ago

SilleBille commented 5 years ago

This issue was migrated from Pagure Issue #3065. Originally filed by dmoluguw on 2018-09-24

When selftests are executed, if the nssdb doesn't have certs with correct flags, the debug logs will be misleading.

Solution: Verify flags of the certs in the beginning of the SelfTest process before verifying the certificate validity.

To reproduce:

  1. Install CA
  2. Stop server

       systemctl stop pki-tomcatd@pki-tomcat

  3. Remove Trusted Peer flag (P) for ca_audit_signing

       certutil -M -t "u,u,u" -n ca_audit_signing -d /var/lib/pki/pki-tomcat/alias/

  4. Restart server

       systemctl start pki-tomcatd@pki-tomcat

  5. Look at the self test and debug logs.

debug-2018-09-xx.log

2020-08-24 16:04:05 [localhost-startStop-1] FINE: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certificate ca_audit_signing is invalid: Invalid certificate: (-8101) Certificate type not approved for application.
2020-08-24 16:04:05 [localhost-startStop-1] FINE: SignedAuditLogger: event CIMC_CERT_VERIFICATION
2020-08-24 16:04:05 [localhost-startStop-1] FINE: LogFile: event type not selected: CIMC_CERT_VERIFICATION
2020-08-24 16:04:05 [localhost-startStop-1] FINE: SignedAuditLogger: event CIMC_CERT_VERIFICATION
2020-08-24 16:04:05 [localhost-startStop-1] FINE: LogFile: event type not selected: CIMC_CERT_VERIFICATION
2020-08-24 16:04:05 [localhost-startStop-1] WARNING: java.lang.Exception: java.lang.Exception: Certificate ca_audit_signing is invalid: Invalid certificate: (-8101) Certificate type not approved for application.
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:845)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:937)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCerts(CertUtils.java:1054)
        at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1692)
        at com.netscape.certsrv.apps.CMS.verifySystemCerts(CMS.java:1310)
        at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:193)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:856)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1802)
        at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1826)

ca_audit_signing should have trust flags of "u,u,Pu"
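As an added illustration of the up-front check this issue asks for (example code, not part of the Dogtag project): a small Python script that parses `certutil -L` output and verifies each system cert's NSS trust flags against the expected values before any validity check runs. The certutil listing below is constructed, and the expected-flags table only contains the ca_audit_signing entry the issue states ("u,u,Pu"); `certutil -L -d <dir>` is the real NSS command.

```python
import subprocess

# Constructed sample of `certutil -L -d <nssdb>` output (not captured from a real system);
# ca_audit_signing has had its P flag removed, as in the reproduction steps above.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                     CTu,Cu,Cu
ocspSigningCert cert-pki-ca                   u,u,u
ca_audit_signing                              u,u,u
Server-Cert cert-pki-ca                       u,u,u
"""

# Expected trust flags per system cert nickname (only the entry the issue states).
EXPECTED_FLAGS = {"ca_audit_signing": "u,u,Pu"}

TRUST_SLOTS = ("SSL", "S/MIME", "JAR/XPI")

def parse_certutil_list(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)} from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname") or line.lstrip().startswith("SSL,"):
            continue  # skip the two header lines and blank lines
        nickname, _, flags = line.rpartition(" ")  # flags are the last whitespace-separated token
        parts = flags.split(",")
        if len(parts) == 3:
            certs[nickname.rstrip()] = tuple(parts)
    return certs

def missing_flags(actual, expected):
    """Per trust slot, the flag characters required by `expected` but absent from `actual`."""
    missing = []
    for slot, have, need in zip(TRUST_SLOTS, actual, expected.split(",")):
        lacking = "".join(c for c in need if c not in have)
        if lacking:
            missing.append((slot, lacking))
    return missing

def verify_system_cert_flags(certutil_output, expected=EXPECTED_FLAGS):
    """Return a list of human-readable problems; an empty list means all flags are as expected."""
    certs = parse_certutil_list(certutil_output)
    problems = []
    for nickname, want in expected.items():
        if nickname not in certs:
            problems.append(f"{nickname}: not found in NSS database")
            continue
        have = ",".join(certs[nickname])
        for slot, lacking in missing_flags(certs[nickname], want):
            problems.append(f"{nickname}: {slot} slot lacks trust flag(s) '{lacking}' (have '{have}', want '{want}')")
    return problems

def check_nssdb(nssdb_dir, expected=EXPECTED_FLAGS):
    """Run the real certutil against an NSS database directory and verify the flags."""
    out = subprocess.run(["certutil", "-L", "-d", nssdb_dir], capture_output=True, text=True, check=True).stdout
    return verify_system_cert_flags(out, expected)

if __name__ == "__main__":
    for problem in verify_system_cert_flags(SAMPLE_CERTUTIL_OUTPUT):
        print("FLAG CHECK FAILED:", problem)
```

Running this before the validity checks turns the misleading "(-8101) Certificate type not approved for application" into a direct message naming the nickname and the missing flag.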