dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

Unable to configure KRA subsystem, failed with error "Error in creating admin user: java.io.IOException: Invalid Request" #2312

Closed pki-bot closed 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #1803. Originally filed by nkarandi on 2016-02-04 19:23:37:


Unable to configure KRA subsystem in a separate tomcat instance. Fails with error:

.fc23</Version></XMLResponse>
pkispawn    : INFO     ....... constructing PKI configuration data.
pkispawn    : INFO     ....... executing 'certutil -R -d /opt/Example1-RootKRA1/kra/alias -s cn=PKI Administrator,e=kraadmin@example.org,o=example.org Security Domain -k rsa -g 2048 -z /opt/Example1-RootKRA1/kra/alias/noise -f /opt/Example1-RootKRA1/kra/password.conf -o /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin'
pkispawn    : INFO     ....... rm -f /opt/Example1-RootKRA1/kra/alias/noise
pkispawn    : INFO     ....... BtoA /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin /opt/Example1-RootKRA1/kra/alias/admin_pkcs10.bin.asc
pkispawn    : INFO     ....... configuring PKI configuration data.
pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error for url: https://pki1.example.org:14443/kra/rest/installer/configure
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.io.IOException: Invalid Request"}
pkispawn    : DEBUG    ....... Error Type: ParseError
pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 116, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3872, in configure_pki_data
    root = ET.fromstring(e.response.text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err

How reproducible:

Install and Configure CA
Install and configure KRA using the config file below

<snip>
[DEFAULT]
pki_instance_name=Example1-RootKRA1
pki_https_port=14443
pki_http_port=14080

#NSS DB Token Password
pki_token_password=Secret123

#RootKRA Admin password
pki_admin_password=Secret123

#Security Domain
pki_hostname=pki1.example.org
pki_security_domain_hostname=pki1.example.org
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123

#Client Dir
pki_client_dir=/opt/Example1-RootKRA1
pki_client_pkcs12_password=Secret123
pki_client_database_password=Secret123

#Backup
pki_backup_keys=True
pki_backup_password=Secret123

#ldap
pki_ds_hostname=pki1.example.org
pki_ds_ldap_port=1901
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=Secret123

[Tomcat]
pki_ajp_port=14009
pki_tomcat_server_port=14005

[KRA]
pki_admin_nickname=PKI KRA Administrator for Example Org
pki_import_admin_cert=False

</snip>

Actual results:

pkispawn fails to configure KRA

Expected results:

pkispawn should successfully configure KRA

Additional info:

CA debug logs show this error while creating the KRA admin cert

[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: Start parsePKCS10(): MIICrDCCAZQC
AQAwZzEkMCIGA1UEChMbZXhhbXBsZS5vcmcgU2VjdXJpdHkgRG9t%0DYWluMSMwIQYJKoZIhvcNAQkB
FhRrcmFhZG1pbkBleGFtcGxlLm9yZzEaMBgGA1UE%0DAxMRUEtJIEFkbWluaXN0cmF0b3IwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEK%0DAoIBAQDGssnRrEBAwi03tz7d1cjhzPQuiyrkU8Sb8RBs65fE
iJfqzGWQDQHHnQj%2F%0Do8NCP3IZXGbL%2FUIyPhZVymiCBaGNOEHa0LxkhEIzYGNNs80VJMmti0zo
qvEnNh%2Fq%0DxZWNOcXmb0S3I1gep0TD%2BbUFP3WonrGgaRbwsQJbvUtsZh5aOlBAcNykE6mV2cXd
%0DmUWbHXsRIQn29RRxNqWp7j5oxKdeWY2MMnw63vNNNcZO%2FN%2FveiqyoXdumU2MyPt%2B%0DE1Q
nDaTEvEJHdfupWtPwROVEctNEchXRP4Z3mh09vPLpDZKXEVRDZ8eZIMHcJdGs%0DHUkkmpmS98AN%2F
KOZtFWlP7lFZUXfAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA%0DAtV9uFxaU5PqdXVlmQcoR7wAc
TACxMD%2B6KioXixOEuYVGXs%2Fh88UNCyH0wq89ETv%0D6fW8t%2FRdTIdDKqXNIM9gU17HqQbPAWL
VyoPCmZLH0OjXh3d%2B3RpwIdXduUWAMax1%0Dwry2826%2BeHHCLqglEspym2Iv0LrKi2EXZvCNm6d
5ZXxbnfYuJKJHCNhADrwXrlRs%0DX6LJtu4R%2FAq8FvjCiGqiuELy6T5NiTlWphSGBsfN7HIX5Iy3c
AY8cvdQkrgn745y%0DVFTtlU%2BzflRZnCUe2okn%2FyjY0vR8NCfGLn3UT9W99Sau7fAEQX4PsbmFI
kFKE8XT%0DikbCEi%2FxsKYeVVwZOmfNtw%3D%3D%0D
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10: signature verification enabled
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10: use internal token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 setting thread token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 java.io.IOException: DerInput.getLength(): lengthTag=25, too big.
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: EnrollProfile: parsePKCS10 restoring thread token
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: ProfileSubmitServlet: error in processing request: Invalid Request
[04/Feb/2016:13:03:15][http-bio-8443-exec-9]: CMSServlet: curDate=Thu Feb 04 13:03:15 IST 2016 id=caProfileSubmit time=58
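The pkispawn traceback in this report shows the installer handing a JSON PKIException body to ET.fromstring, so the server's real message is buried under a ParseError. The following is an added example, not pkispawn's own code: it parses either body shape and keeps the raw text when neither parser accepts it. The two sample bodies are constructed from the message quoted above.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample bodies: the JSON one mirrors the PKIException body that
# pkispawn printed above; the XML one is the shape the old code expected.
JSON_BODY = ('{"Attributes":{"Attribute":[]},'
             '"ClassName":"com.netscape.certsrv.base.PKIException",'
             '"Code":500,"Message":"Error in creating admin user: '
             'java.io.IOException: Invalid Request"}')
XML_BODY = ('<PKIException><Code>500</Code>'
            '<Message>Error in creating admin user</Message>'
            '<ClassName>com.netscape.certsrv.base.PKIException</ClassName>'
            '</PKIException>')


def parse_pki_error(text, content_type=None):
    """Return (code, message, class_name) from a PKIException response body.

    Dispatch on Content-Type when the caller has it; otherwise sniff the first
    byte so a JSON body never reaches the XML parser (the ParseError above).
    """
    body = text.lstrip()
    is_json = (content_type or "").startswith("application/json") or body.startswith("{")
    if is_json:
        doc = json.loads(body)
        return int(doc.get("Code", 0)), doc.get("Message", ""), doc.get("ClassName", "")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        # Surface the server's text instead of only the parser's complaint.
        raise ValueError("unparseable error response (%s): %r" % (exc, body[:120]))
    return (int(root.findtext("Code", "0")),
            root.findtext("Message", ""),
            root.findtext("ClassName", ""))
```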
pki-bot commented 4 years ago

Comment from cfu (@cfu) at 2016-02-16 01:11:41

I was able to reproduce with the latest Dogtag master on F22 with the exact same error:

[15/Feb/2016:15:03:48]http-bio-30042-exec-24: Start parsePKCS10(): MIICrjCCAZYCAQAwaTEjMCEGA1UEChMacGtpLWluLWNhMS1zZWN1cml0eS1kb21h%0DaW4xJjAkBgkqhkiG9w0BCQEWF2tyYWFkbWluQHNqYy5yZWRoYXQuY29tMRowGAYD%0DVQQDExFQS0kgQWRtaW5pc3RyYXRvcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC%0DAQoCggEBAMA9i070BlcEUDOFPDqG1GizqIZG%2Byadu4hMLrdA7q%2B3PweGX6fRiKlf%0Dn6JkCGljpF1Cnmo3RmOMtUiB%2FsgvJ9%2F0SUYJUrHAPx5iJGnAmJTrIAKUXsdDfpJ5%0D7%2BXMvagdHTRJ5Sw9AAY8MDQ7IfBDQ9D0M9D6vLuskExwxuK107GQ%2BcVjKlzolFFq%0DWRVH0Bs3u%2Fev72j3uG%2B%2BwFLNPg%2BFK1jKdwous84Fz35YtvcSA9xSfNYl26HOfn1l%0DAG0lt2DEgPqZ7mPmm8CuUtZQx%2BRT6gRfUWngJLk%2BJFleX%2Fk04Kfi8rSjMeNoJjEG%0D2hJ4DHyn6VZnM9HxB%2BXxr0q0Y78MMhkCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IB%0DAQANnStPgikEE%2FVMrMZO7Uc2L5BM4PLzdlk5hbLqj7ZCgca7uHX%2FJYh4x23Fp9c4%0DniFYSJUP148owVc32d3M0u4kwa%2BSDSasA4EyPXi8El7CI2h8XkN17SI8xxOta1%2Fx%0DNTOyyZBTrEFdqtDgbTZLDwUJL4vecyw9M%2FwzkNfezmKc5RWzxqo%2F9J0rGdkBjLan%0DezDpjuhzjKof5ZgvIDW02uSGHdo2HUoy6tL%2Fyvabooss0b1ZU%2FxPcP%2BTAXzeKrwL%0DW5XGZevNRP81fhn15K96JCBEzi9OyKwb%2FF5HEiwlzvXUjG2jvbhPW6b9ajiqD6wj%0DHdNNK1P4X7o53T%2FVa5yxsoIe%0D
[15/Feb/2016:15:03:48]http-bio-30042-exec-24: EnrollProfile: parsePKCS10: signature verification enabled
[15/Feb/2016:15:03:48]http-bio-30042-exec-24: EnrollProfile: parsePKCS10: use internal token
[15/Feb/2016:15:03:48]http-bio-30042-exec-24: EnrollProfile: parsePKCS10 setting thread token
[15/Feb/2016:15:03:48]http-bio-30042-exec-24: EnrollProfile: parsePKCS10 java.io.IOException: DerInput.getLength(): lengthTag=79, too big.
[15/Feb/2016:15:03:48]http-bio-30042-exec-24: EnrollProfile: parsePKCS10 restoring thread token
[15/Feb/2016:15:03:48]http-bio-30042-exec-24: ProfileSubmitServlet: error in processing request: Invalid Request

Looking at the PKCS10 blob, I believe it needs to be URL decoded. Did something change in this area lately?
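Both CA logs above fail in DerInput.getLength() because the base64 PKCS#10 reaches the profile servlet still URL-encoded (%0D, %2F, %2B, %3D), so the bytes fed to the DER reader are not the request at all. The following added example, not Dogtag's code, shows the normalisation a receiver would want before DER parsing: URL-decode only when %XX escapes are present, strictly base64-decode, and check that the outer DER SEQUENCE spans the whole payload. The CSR bytes and the encode_like_pkispawn helper are constructed stand-ins for the real request and the BtoA step in the pkispawn output.

```python
import base64
import binascii
import re
import urllib.parse

# Constructed stand-in for a PKCS#10 request: a DER SEQUENCE with a two-byte
# long-form length (0x82), the same outer shape as a real CSR ("MIIC...").
CSR_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def encode_like_pkispawn(der):
    """Base64 with CR line breaks (what the BtoA step emits), then URL-encoded
    as a form value: this yields the %0D / %2F / %2B / %3D pattern in the log."""
    b64 = base64.encodebytes(der).decode().replace("\n", "\r")
    return urllib.parse.quote(b64, safe="")


def der_outer_length(data):
    """Tag, length and header size of the first DER element; mirrors the
    DerInput.getLength() check that rejects a length-of-length over 4 bytes."""
    tag, lb = data[0], data[1]
    if lb < 0x80:
        return tag, lb, 2
    n = lb & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise IOError("DerInput.getLength(): lengthTag=%d, too big." % n)
    return tag, int.from_bytes(data[2:2 + n], "big"), 2 + n


def raw_blob_is_valid_base64(blob):
    """Treating the wire value as base64 directly: the '%' escapes are not in
    the base64 alphabet, so a strict decoder refuses the blob outright."""
    try:
        base64.b64decode(blob, validate=True)
        return True
    except binascii.Error:
        return False


def decode_submitted_csr(blob):
    """Normalise a submitted request before DER parsing: URL-decode only when
    %XX escapes are present, drop line breaks, strict base64 decode, and
    require exactly one DER SEQUENCE covering the whole payload."""
    if re.search(r"%[0-9A-Fa-f]{2}", blob):
        blob = urllib.parse.unquote(blob)
    b64 = re.sub(r"\s", "", blob)
    der = base64.b64decode(b64, validate=True)  # raises on non-alphabet chars
    tag, length, hdr = der_outer_length(der)
    if tag != 0x30 or hdr + length != len(der):
        raise IOError("not a single DER SEQUENCE covering %d bytes" % len(der))
    return der
```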

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2016-02-16 01:21:01

Per previous comment: 10.3 - major

pki-bot commented 4 years ago

Comment from edewata (@edewata) at 2016-03-21 17:39:59

The problem seems to happen only when pki_import_admin_cert is set to False. Apparently the code has always been tested with the default value (i.e. True).

pki-bot commented 4 years ago

Comment from edewata (@edewata) at 2016-03-21 22:50:48

Fixed in master:

pki-bot commented 4 years ago

Comment from nkarandi at 2017-02-27 14:09:02

Metadata Update from @nkarandi: