pki-bot / pki-issues-final


KRA installation failed against externally-signed CA with partial certificate chain #2046

Closed pki-bot closed 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #2497. Originally filed by rpattath (@rpattath) on 2016-10-04 02:27:26:


KRA installation with externally-signed CA fails if the CA only has partial certificate chain (i.e. no root CA).

Steps to Reproduce:

1. Root CA config
[DEFAULT]
pki_instance_name = pki-rootCA
pki_admin_password = Secret123
pki_hostname = beast.idmqe.lab.eng.bos.redhat.com
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-CA
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 389
pki_token_password=Secret123

[CA]
pki_import_admin_cert = False
pki_ds_hostname = beast.idmqe.lab.eng.bos.redhat.com
pki_admin_nickname = PKI CA Administrator for Example.Org

2. First externally signed CA in the chain (topCA)
Step 1
[DEFAULT]
pki_instance_name = pki-topCA
pki_admin_password = Secret123
pki_hostname = spider.idmqe.lab.eng.bos.redhat.com
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-CA
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 389
pki_token_password=Secret123
pki_client_database_password=Secret123

[CA]
pki_import_admin_cert = False
pki_ds_hostname = spider.idmqe.lab.eng.bos.redhat.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_external=True
pki_external_csr_path=/tmp/ca_signing.csr

Step 2

[DEFAULT]
pki_instance_name = pki-topCA
pki_admin_password = Secret123
pki_hostname = spider.idmqe.lab.eng.bos.redhat.com
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-CA
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 389
pki_token_password=Secret123
pki_client_database_password=Secret123

[CA]
pki_import_admin_cert = False
pki_ds_hostname = spider.idmqe.lab.eng.bos.redhat.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_external=True
pki_external_ca_cert_path=/tmp/ca_signing.crt
pki_external_ca_cert_chain_path=/tmp/ca_cert_chain.cert
pki_external_step_two=True

3. Second externally signed CA (sdCA)

Step 1:

[root@cisco-b200m1-04 ~]# cat ca.cfg
[DEFAULT]
pki_instance_name = pki-sdCA
pki_admin_password = Secret123
pki_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-CA
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 389
pki_token_password=Secret123

[CA]
pki_import_admin_cert = False
pki_ds_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_external=True
pki_external_csr_path=/tmp/ca_signing.csr
Step 2:

[root@cisco-b200m1-04 ~]# cat ca-step2.cfg
[DEFAULT]
pki_instance_name = pki-sdCA
pki_admin_password = Secret123
pki_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-CA
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 389
pki_token_password=Secret123
pki_client_database_password=Secret123

[CA]
pki_import_admin_cert = False
pki_ds_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_external=True
pki_external_ca_cert_path=/tmp/ca_signing.crt
pki_external_ca_cert_chain_path=/tmp/ca_cert_chain.cert
pki_external_step_two=True

KRA config

[root@cisco-b200m1-04 ~]# cat kra.cfg
[DEFAULT]
pki_instance_name = pki-kra
pki_https_port = 21443
pki_http_port = 21080
pki_admin_password = Secret123
pki_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_security_domain_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_security_domain_https_port = 8443
pki_security_domain_password = Secret123
pki_client_dir = /opt/topology-KRA
pki_client_pkcs12_password = Secret123
pki_ds_password = Secret123
pki_ds_ldap_port = 5389
pki_client_database_password = Secret123
pki_token_password=Secret123

[Tomcat]
pki_ajp_port = 21009
pki_tomcat_server_port = 21005

[KRA]
pki_import_admin_cert = False
pki_ds_hostname = cisco-b200m1-04.rhts.eng.bos.redhat.com
pki_admin_nickname = PKI KRA Administrator for Example.Org

[root@cisco-b200m1-04 ~]# certutil -L -d /var/lib/pki/pki-sdCA/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert External CA                                    CT,C,C
ocspSigningCert cert-pki-sdCA CA                             u,u,u
subsystemCert cert-pki-sdCA                                  u,u,u
caSigningCert cert-pki-sdCA CA                               CTu,Cu,Cu
Server-Cert cert-pki-sdCA                                    u,u,u
auditSigningCert cert-pki-sdCA CA                            u,u,Pu

Actual results:

KRA installation fails

Expected results:

KRA installation should succeed

Additional info:

KRA installation was successful after executing the following command on rootCA

pki-server ca-cert-chain-export --pkcs12-file pki-server.p12 --pkcs12-password Secret123

and adding the following to KRA's config file

pki_server_pkcs12_path=pki-server.p12
pki_server_pkcs12_password=Secret123

The following is the error in the log messages

[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: SystemConfigService: request:
ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token,
tokenPassword=XXXX, securityDomainType=existingdomain,
securityDomainUri=https://cisco-b200m1-04.rhts.eng.bos.redhat.com:8443,
securityDomainName=null, securityDomainUser=caadmin,
securityDomainPassword=XXXX, isClone=false, cloneUri=null, subsystemName=KRA
cisco-b200m1-04.rhts.eng.bos.redhat.com 21443, p12File=null, p12Password=XXXX,
hierarchy=null, dsHost=cisco-b200m1-04.rhts.eng.bos.redhat.com, dsPort=5389,
baseDN=o=pki-kra-KRA, bindDN=cn=Directory Manager, bindpwd=XXXX,
database=pki-kra-KRA, secureConn=false, removeData=true, replicateSchema=null,
masterReplicationPort=null, cloneReplicationPort=null,
replicationSecurity=null, systemCertsImported=false,
systemCerts=[com.netscape.certsrv.system.SystemCertData@75339348,
com.netscape.certsrv.system.SystemCertData@15e02ca6,
com.netscape.certsrv.system.SystemCertData@42b0c9be,
com.netscape.certsrv.system.SystemCertData@22b5d29f,
com.netscape.certsrv.system.SystemCertData@4b75ac52],
issuingCA=https://cisco-b200m1-04.rhts.eng.bos.redhat.com:8443,
backupKeys=false, backupPassword=XXXX, adminCertRequestType=pkcs10,
adminSubjectDN=cn=PKI Administrator,e=kraadmin@rhts.eng.bos.redhat.com,ou=pki-k
ra,o=rhts.eng.bos.redhat.com Security Domain, adminName=kraadmin,
adminProfileID=caAdminCert, adminCert=null, importAdminCert=false,
generateServerCert=true, external=false, standAlone=false, stepTwo=false,
authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null,
caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null,
importSharedSecret=null, generateSubsystemCert=true, sharedDB=true,
sharedDBUserDN=uid=pkidbuser,ou=people,o=pki-kra-CA, createNewDB=true,
setupReplication=null, subordinateSecurityDomainName=null, reindexData=null,
startingCrlNumber=null]
[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: === Token Authentication ===
[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: === Security Domain
Configuration ===
[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: Joining existing security domain
[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: Resolving security domain URL
https://cisco-b200m1-04.rhts.eng.bos.redhat.com:8443
[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: Getting security domain cert
chain
[30/Sep/2016:13:51:53][http-bio-21443-exec-3]:
ConfigurationUtils.importCertChain()
[30/Sep/2016:13:51:53][http-bio-21443-exec-3]: ConfigurationUtils: GET
https://cisco-b200m1-04.rhts.eng.bos.redhat.com:8443/ca/admin/ca/getCertChain
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]: Server certificate:
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]:  - subject: CN=cisco-b200m1-04.r
hts.eng.bos.redhat.com,OU=pki-sdCA,O=rhts.eng.bos.redhat.com Security Domain
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]:  - issuer: CN=CA Signing
Certificate,OU=pki-sdCA,O=rhts.eng.bos.redhat.com Security Domain
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]: ERROR: UNKNOWN_ISSUER
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]: Server certificate:
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]:  - subject: CN=cisco-b200m1-04.r
hts.eng.bos.redhat.com,OU=pki-sdCA,O=rhts.eng.bos.redhat.com Security Domain
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]:  - issuer: CN=CA Signing
Certificate,OU=pki-sdCA,O=rhts.eng.bos.redhat.com Security Domain
[30/Sep/2016:13:51:54][http-bio-21443-exec-3]: ERROR: UNKNOWN_ISSUER
javax.ws.rs.ProcessingException: Unable to invoke request
        at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invo
ke(ApacheHttpClient4Engine.java:287)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(Cli
entInvocation.java:407)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(Cli
entInvocation.java:442)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocationBuilder.get
(ClientInvocationBuilder.java:165)
        at
com.netscape.certsrv.client.PKIConnection.get(PKIConnection.java:467)
        at com.netscape.cms.servlet.csadmin.ConfigurationUtils.get(Configuratio
nUtils.java:237)
        at com.netscape.cms.servlet.csadmin.ConfigurationUtils.importCertChain(
ConfigurationUtils.java:266)
        at org.dogtagpki.server.rest.SystemConfigService.logIntoSecurityDomain(
SystemConfigService.java:965)
        at org.dogtagpki.server.rest.SystemConfigService.configureSecurityDomai
n(SystemConfigService.java:922)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfig
Service.java:160)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfig
Service.java:121)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcce
ssorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(Resourc
eMethodInvoker.java:280)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodI
nvoker.java:234)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodI
nvoker.java:221)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDisp
atcher.java:356)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDisp
atcher.java:179)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher
.service(ServletContainerDispatcher.java:220)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.serv
ice(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.serv
ice(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcce
ssorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(App
licationFilterChain.java:297)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(Applicati
onFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFil
terChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFil
terChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(Application
FilterChain.java:186)
        at
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcce
ssorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(App
licationFilterChain.java:237)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(Applicati
onFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFil
terChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFil
terChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(Application
FilterChain.java:186)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapper
Valve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContext
Valve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentic
atorBase.java:505)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVa
lve.java:116)
        at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHtt
p11Processor.java:1078)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process
(AbstractProtocol.java:625)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoi
nt.java:316)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskT
hread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: SocketException cannot write on socket
        at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1099)
        at org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:56)
        at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(Abst
ractSessionOutputBuffer.java:147)
        at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSe
ssionOutputBuffer.java:154)
        at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHt
tpClientConnection.java:278)
        at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttp
ClientConnection.java:283)
        at org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedC
lientConnectionImpl.java:175)
        at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpReque
stExecutor.java:260)
        at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExec
utor.java:125)
        at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(Defaul
tRequestDirector.java:715)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRe
questDirector.java:520)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpC
lient.java:906)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpC
lient.java:805)
        at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invo
ke(ApacheHttpClient4Engine.java:283)
        ... 72 more
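
An added pre-install check (example code, not part of Dogtag PKI or this report) for the condition described above: walk a PEM chain file, such as the file passed as pki_external_ca_cert_chain_path or the export from pki-server ca-cert-chain-export, and report the first issuer that is missing, so a partial chain (no root CA) is caught before the KRA tries to join the security domain. fake_cert and to_pem build constructed, unsigned stand-ins used only as test input; names, dn_text and check_chain work on real DER certificates and use only the standard library.

```python
import base64, re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}  # DN attribute OIDs we label

def _tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) Name TLVs as raw DER bytes from one DER certificate."""
    pos = _tlv(der, _tlv(der, 0)[1])[1]                    # Certificate -> tbsCertificate
    if der[pos] == 0xA0:                                   # optional [0] EXPLICIT version
        pos = _tlv(der, pos)[2]
    pos = _tlv(der, _tlv(der, pos)[2])[2]                  # skip serialNumber, signature alg
    issuer_end = _tlv(der, pos)[2]
    subj = _tlv(der, issuer_end)[2]                        # skip validity
    return der[pos:issuer_end], der[subj:_tlv(der, subj)[2]]

def dn_text(name):
    """Render a DER Name as 'CN=...,OU=...' (DER order); unknown attribute types show as '?'."""
    parts, pos, end = [], _tlv(name, 0)[1], len(name)
    while pos < end:
        _, rdn, pos = _tlv(name, pos)                      # one SET (RDN); advance past it
        _, oid, oid_end = _tlv(name, _tlv(name, rdn)[1])   # first AttributeTypeAndValue's OID
        _, val, val_end = _tlv(name, oid_end)
        parts.append(OID_NAMES.get(name[oid:oid_end], "?") + "=" + name[val:val_end].decode())
    return ",".join(parts)

def load_chain(pem):                                       # PEM bytes, leaf first -> list of DER certs
    return [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem)]

def check_chain(certs):
    """Walk leaf -> root; return the DN of the first missing issuer, or None if complete."""
    for i, der in enumerate(certs):
        issuer, subject = names(der)
        if issuer == subject:
            return None                                    # self-signed root reached
        if i + 1 == len(certs) or names(certs[i + 1])[1] != issuer:
            return dn_text(issuer)                         # nothing in the file issued this cert
    return "(empty chain)"

def _der(tag, body):                                       # DER TLV encoder, short or 1-byte long length
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def fake_cert(subject_cn, issuer_cn):                      # CONSTRUCTED test input: no key or signature
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    return _der(0x30, _der(0x30, tbs))

def to_pem(der):                                           # CONSTRUCTED PEM wrapper for test input
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Running check_chain(load_chain(open(path, "rb").read())) on the chain file returns None only when the last certificate is self-signed; any other result names the issuer the CA cannot serve, which is what the KRA's UNKNOWN_ISSUER error above reflects.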
pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2016-10-04 02:47:03

Per CS/DS Meeting of 10/03/2016: 10.4.0

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2016-10-04 23:10:56

Per PKI Bug Council Meeting of 10/04/2016: 10.4

pki-bot commented 4 years ago

Comment from edewata (@edewata) at 2016-10-06 23:01:51

Fixed in master:

pki-bot commented 4 years ago

Comment from rpattath (@rpattath) at 2017-02-27 13:58:42

Metadata Update from @rpattath: