dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

pki console adding a CA certificate/Local certificate throws error #1379

Open pki-bot opened 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #812. Originally filed by nkinder (@nkinder) on 2013-12-02 19:40:06:


Description of problem: pki console adding a CA certificate/Local certificate as an admin user throws error

Steps to Reproduce:
1. Login to console as an admin user.
2. Select the Configuration tab.
3. Click on "System Keys and Certificates" in the left navigation menu.
4. Go to "CA Certificate" tab.
5. Click Add.
6. On Introduction, click Next.
7. On Certificate Selection, select "UnTrusted CA Certificate Chain", and click Next.
8. On Location of Certificate, select "The certificate is located in the text area below:", paste in the CA certificate chain blob (of a different CA, since CA that issued certs to DRM is already trusted) and click Next.

Actual results: Error message: "Imported cert has not been verified to be valid. Please review the usual validity properties of this certificate before using this as part of the system."

CA certificate gets added.

Expected results: Instead of error this should be a warning message.

Additional info: Same error message is thrown in the Local Certificates tab while adding an auditSigning cert created using profile caSignedLogCert; the certificate is added.

DRM debug log:

[19/Nov/2013:18:55:22]http-10445-Processor24: AdminServlet:service() uri = /kra/server
[19/Nov/2013:18:55:22]http-10445-Processor24: AdminServlet::service() param name='pkcs10' value='-----BEGIN CERTIFICATE----- [certificate data omitted] -----END CERTIFICATE-----'
[19/Nov/2013:18:55:22]http-10445-Processor24: AdminServlet::service() param name='nickname' value=
[19/Nov/2013:18:55:22]http-10445-Processor24: AdminServlet::service() param name='serverID' value='instanceID'
[19/Nov/2013:18:55:22]http-10445-Processor24: AdminServlet::service() param name='RS_ID' value='serverCertChain'
[19/Nov/2013:18:55:22]http-10445-Processor24: AdminServlet::service() param name='serverRoot' value=
[19/Nov/2013:18:55:22]http-10445-Processor24: AdminServlet::service() param name='pathname' value=*
[19/Nov/2013:18:55:22]http-10445-Processor24: AdminServlet::service() param name='OP_SCOPE' value='installCert'
[19/Nov/2013:18:55:22]http-10445-Processor24: AdminServlet::service() param name='OP_TYPE' value='OP_MODIFY'
[19/Nov/2013:18:55:22]http-10445-Processor24: Authentication: UID=testadmin1
[19/Nov/2013:18:55:22]http-10445-Processor24: In LdapBoundConnFactory::getConn()
[19/Nov/2013:18:55:22]http-10445-Processor24: masterConn is connected: true
[19/Nov/2013:18:55:22]http-10445-Processor24: getConn: conn is connected true
[19/Nov/2013:18:55:22]http-10445-Processor24: getConn: mNumConns now 2
[19/Nov/2013:18:55:22]http-10445-Processor24: LdapAnonConnFactory::getConn
[19/Nov/2013:18:55:22]http-10445-Processor24: LdapAnonConnFactory.getConn(): num avail conns now 2
[19/Nov/2013:18:55:22]http-10445-Processor24: returnConn: mNumConns now 3
[19/Nov/2013:18:55:22]http-10445-Processor24: returnConn: mNumConns now 2
[19/Nov/2013:18:55:22]http-10445-Processor24: In LdapBoundConnFactory::getConn()
[19/Nov/2013:18:55:22]http-10445-Processor24: masterConn is connected: true
[19/Nov/2013:18:55:22]http-10445-Processor24: getConn: conn is connected true
[19/Nov/2013:18:55:22]http-10445-Processor24: getConn: mNumConns now 3
[19/Nov/2013:18:55:22]http-10445-Processor24: returnConn: mNumConns now 4
[19/Nov/2013:18:55:22]http-10445-Processor24: AdminServlet: authenticated for servlet: kraserver.
[19/Nov/2013:18:55:22]http-10445-Processor24: In LdapBoundConnFactory::getConn()
[19/Nov/2013:18:55:22]http-10445-Processor24: masterConn is connected: true
[19/Nov/2013:18:55:22]http-10445-Processor24: getConn: conn is connected true
[19/Nov/2013:18:55:22]http-10445-Processor24: getConn: mNumConns now 3
[19/Nov/2013:18:55:22]http-10445-Processor24: returnConn: mNumConns now 4
[19/Nov/2013:18:55:22]http-10445-Processor24: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=testadmin1][Outcome=Success][AuthMgr=passwdUserDBAuthMgr] authentication success

[19/Nov/2013:18:55:22]http-10445-Processor24: AdminServlet: About to check AuthzSubsystem authorization for servlet: kraserver.
[19/Nov/2013:18:55:22]http-10445-Processor24: checkACLS(): ACLEntry expressions= group="Administrators"
[19/Nov/2013:18:55:22]http-10445-Processor24: evaluating expressions: group="Administrators"
[19/Nov/2013:18:55:22]http-10445-Processor24: GroupAccessEvaluator: evaluate: uid=testadmin1 value="Administrators"
[19/Nov/2013:18:55:22]http-10445-Processor24: GroupAccessEvaluator: evaluate: no gid in authToken
[19/Nov/2013:18:55:22]http-10445-Processor24: In LdapBoundConnFactory::getConn()
[19/Nov/2013:18:55:22]http-10445-Processor24: masterConn is connected: true
[19/Nov/2013:18:55:22]http-10445-Processor24: getConn: conn is connected true
[19/Nov/2013:18:55:22]http-10445-Processor24: getConn: mNumConns now 3
[19/Nov/2013:18:55:22]http-10445-Processor24: returnConn: mNumConns now 4
[19/Nov/2013:18:55:22]http-10445-Processor24: UGSubsystem.isMemberOf() using new lookup code
[19/Nov/2013:18:55:22]http-10445-Processor24: In LdapBoundConnFactory::getConn()
[19/Nov/2013:18:55:22]http-10445-Processor24: masterConn is connected: true
[19/Nov/2013:18:55:22]http-10445-Processor24: getConn: conn is connected true
[19/Nov/2013:18:55:22]http-10445-Processor24: getConn: mNumConns now 3
[19/Nov/2013:18:55:22]http-10445-Processor24: authorization search base: cn=Administrators,ou=groups,dc=nocp3.dsdev.sjc.redhat.com-pki-kra-tpsrec-inst1
[19/Nov/2013:18:55:22]http-10445-Processor24: authorization search filter: (uniquemember=uid=testadmin1,ou=People,dc=nocp3.dsdev.sjc.redhat.com-pki-kra-tpsrec-inst1)
[19/Nov/2013:18:55:22]http-10445-Processor24: authorization result: true
[19/Nov/2013:18:55:22]http-10445-Processor24: returnConn: mNumConns now 4
[19/Nov/2013:18:55:22]http-10445-Processor24: evaluated expression: group="Administrators" to be true
[19/Nov/2013:18:55:22]http-10445-Processor24: DirAclAuthz: authorization passed
[19/Nov/2013:18:55:22]http-10445-Processor24: authorization succeeded for servlet: kraserver
[19/Nov/2013:18:55:22]http-10445-Processor24: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=testadmin1][Outcome=Success][aclResource=certServer.general.configuration][Op=modify] authorization success

[19/Nov/2013:18:55:22]http-10445-Processor24: In LdapBoundConnFactory::getConn()
[19/Nov/2013:18:55:22]http-10445-Processor24: masterConn is connected: true
[19/Nov/2013:18:55:22]http-10445-Processor24: getConn: conn is connected true
[19/Nov/2013:18:55:22]http-10445-Processor24: getConn: mNumConns now 3
[19/Nov/2013:18:55:22]http-10445-Processor24: returnConn: mNumConns now 4
[19/Nov/2013:18:55:22]http-10445-Processor24: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=testadmin1][Outcome=Success][Role=Administrators] assume privileged role

[19/Nov/2013:18:55:22]http-10445-Processor24: CMSAdminServlet.installCert(): About to try jssSubSystem.importCert:
[19/Nov/2013:18:55:22]http-10445-Processor24: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[19/Nov/2013:18:55:22]http-10445-Processor24: CertUtils: verifySystemCertByNickname() failed: org.mozilla.jss.crypto.ObjectNotFoundException
[19/Nov/2013:18:55:22]http-10445-Processor24: CMSAdminServlet: installCert(): verifySystemCertByNickname() failed:
[19/Nov/2013:18:55:22]http-10445-Processor24: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=testadmin1][Outcome=Failure][CertNickName=] CIMC certificate verification

[19/Nov/2013:18:55:22]http-10445-Processor24: SignedAuditEventFactory: create() message=[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=testadmin1][Outcome=Success][ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;serverCertChain+pkcs10;;-----BEGIN CERTIFICATE----- [certificate data omitted] -----END CERTIFICATE-----+nickname;;+serverID;;instanceID+serverRoot;;<null>+pathname;;] certificate database configuration
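
The debug log above records a CIMC_CERT_VERIFICATION event with Outcome=Failure followed directly by a CONFIG_TRUSTED_PUBLIC_KEY event with Outcome=Success for the same admin. As an added example (not part of the original issue or of the Dogtag code base), this Python script correlates those two signed-audit events per request thread and subject to flag certificates that were installed after verification failed. The sample lines are constructed in the layout of the report; PEM_PLACEHOLDER, testadmin2, Processor25 and auditSigningCert are invented values.

```python
import re

# Constructed sample in the debug-log layout from the report; PEM_PLACEHOLDER,
# testadmin2, Processor25 and auditSigningCert are invented for illustration.
SAMPLE_LOG = """\
[19/Nov/2013:18:55:22]http-10445-Processor24: CertUtils: verifySystemCertByNickname() failed: org.mozilla.jss.crypto.ObjectNotFoundException
[19/Nov/2013:18:55:22]http-10445-Processor24: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=testadmin1][Outcome=Failure][CertNickName=] CIMC certificate verification
[19/Nov/2013:18:55:22]http-10445-Processor24: SignedAuditEventFactory: create() message=[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=testadmin1][Outcome=Success][ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;serverCertChain+pkcs10;;PEM_PLACEHOLDER+nickname;;] certificate database configuration
[19/Nov/2013:18:56:01]http-10445-Processor25: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=testadmin2][Outcome=Success][CertNickName=auditSigningCert] CIMC certificate verification
[19/Nov/2013:18:56:01]http-10445-Processor25: SignedAuditEventFactory: create() message=[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=testadmin2][Outcome=Success][ParamNameValPairs=Scope;;installCert] certificate database configuration
"""

AUDIT_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\](?P<thread>[^:\s]+): "
    r"SignedAuditEventFactory: create\(\) message=(?P<msg>.*)$")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")


def audit_events(log_text):
    """Yield (timestamp, thread, fields) for each signed-audit line."""
    for line in log_text.splitlines():
        m = AUDIT_LINE.match(line.strip())
        if m:
            yield m["ts"], m["thread"], dict(FIELD.findall(m["msg"]))


def unverified_installs(log_text):
    """Return installs that followed a failed verification."""
    # Correlate per (thread, SubjectID): a failed CIMC_CERT_VERIFICATION stays
    # pending until the same request reports a successful installCert.
    pending, findings = {}, []
    for ts, thread, f in audit_events(log_text):
        key = (thread, f.get("SubjectID"))
        event, outcome = f.get("AuditEvent"), f.get("Outcome")
        if event == "CIMC_CERT_VERIFICATION":
            if outcome == "Failure":
                pending[key] = f.get("CertNickName", "")
            else:
                pending.pop(key, None)
        elif event == "CONFIG_TRUSTED_PUBLIC_KEY" and outcome == "Success":
            if key in pending and "installCert" in f.get("ParamNameValPairs", ""):
                findings.append({"time": ts, "subject": key[1],
                                 "nickname": pending.pop(key)})
    return findings


if __name__ == "__main__":
    for finding in unverified_installs(SAMPLE_LOG):
        print(finding)
```

An empty nickname in a finding matches the `CertNickName=` field in the report, where the verification lookup failed with ObjectNotFoundException.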

pki-bot commented 3 years ago

Comment from nkinder (@nkinder) at 2017-02-27 14:12:35

Metadata Update from @nkinder: