pki-bot / pki-issues-final


Verify system cert flags in the beginning of Selftest #2614

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #3065. Originally filed by dmoluguw (@SilleBille) on 2018-09-24 17:17:49:


When selftests are executed, if the nssdb doesn't have certs with correct flags, the debug logs will be misleading.

Solution: Verify flags of the certs in the beginning of the SelfTest process before verifying the certificate validity.

To reproduce:

  1. Install CA
  2. Stop server
     systemctl stop pki-tomcatd@pki-tomcat
  3. Remove Trusted Peer flag (P) for ca_audit_signing
     certutil -M -t "u,u,u" -n ca_audit_signing -d /var/lib/pki/pki-tomcat/alias/
  4. Restart server
     systemctl start pki-tomcatd@pki-tomcat
  5. Look at the self test and debug logs.

debug-2018-09-xx.log

2020-08-24 16:04:05 [localhost-startStop-1] FINE: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certificate ca_audit_signing is invalid: Invalid certificate: (-8101) Certificate type not approved for application.
2020-08-24 16:04:05 [localhost-startStop-1] FINE: SignedAuditLogger: event CIMC_CERT_VERIFICATION
2020-08-24 16:04:05 [localhost-startStop-1] FINE: LogFile: event type not selected: CIMC_CERT_VERIFICATION
2020-08-24 16:04:05 [localhost-startStop-1] FINE: SignedAuditLogger: event CIMC_CERT_VERIFICATION
2020-08-24 16:04:05 [localhost-startStop-1] FINE: LogFile: event type not selected: CIMC_CERT_VERIFICATION
2020-08-24 16:04:05 [localhost-startStop-1] WARNING: java.lang.Exception: java.lang.Exception: Certificate ca_audit_signing is invalid: Invalid certificate: (-8101) Certificate type not approved for application.
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:845)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:937)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCerts(CertUtils.java:1054)
        at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1692)
        at com.netscape.certsrv.apps.CMS.verifySystemCerts(CMS.java:1310)
        at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:193)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:856)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1802)
        at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1826)

ca_audit_signing should have trust flags of "u,u,Pu"
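The pre-check the issue asks for, as an added example that is not part of the report or of the Dogtag PKI code base: parse the output of `certutil -L -d <alias dir>` and report which required trust flags are missing per nickname, so the operator gets "ca_audit_signing is missing P in the JAR/XPI slot" instead of the generic NSS error -8101 shown in the debug log. Only the ca_audit_signing requirement ("u,u,Pu") comes from the issue; the sample listing, the other nicknames and the ca_signing requirement are constructed assumptions, and the function names are mine.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of `certutil -L -d <alias dir>` output, as it would look
# after the reproduction step above (ca_audit_signing has lost its P flag).
# Nicknames other than ca_audit_signing are assumptions for illustration.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CTu,Cu,Cu
ca_ocsp_signing                                              u,u,u
ca_audit_signing                                             u,u,u
subsystem                                                    u,u,u
sslserver                                                    u,u,u
"""

# Required trust flags per nickname. The ca_audit_signing entry is stated in
# the issue; the ca_signing entry is an assumption used only for illustration.
REQUIRED_FLAGS = {
    "ca_audit_signing": "u,u,Pu",
    "ca_signing": "CTu,Cu,Cu",
}

SLOT_NAMES = ("SSL", "S/MIME", "JAR/XPI")

# A certutil -L data line is "<nickname, may contain spaces>  <ssl>,<smime>,<jar>".
# The header lines never match because "Trust Attributes" / "SSL,S/MIME,JAR/XPI"
# contain characters outside the NSS trust-flag alphabet.
_LINE_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<flags>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$"
)


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map each nickname in a certutil -L listing to its trust-flag string."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            certs[m.group("nick").strip()] = m.group("flags")
    return certs


def check_trust_flags(certs: Dict[str, str], required: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per missing certificate or flag.

    Flags are compared per slot as sets, so "CTu" and "TCu" are equivalent, and
    extra flags beyond the required ones are not reported.
    """
    problems: List[str] = []
    for nick, want in required.items():
        have = certs.get(nick)
        if have is None:
            problems.append(f"{nick}: certificate not found in NSS database")
            continue
        for slot, w, h in zip(SLOT_NAMES, want.split(","), have.split(",")):
            missing = set(w) - set(h)
            if missing:
                problems.append(
                    f"{nick}: {slot} trust missing flag(s) "
                    f"{''.join(sorted(missing))} (have '{have}', need '{want}')"
                )
    return problems


def read_live_listing(alias_dir: str) -> str:
    """Run certutil against a real NSS database (not used by the offline demo)."""
    out = subprocess.run(
        ["certutil", "-L", "-d", alias_dir], capture_output=True, text=True, check=True
    )
    return out.stdout


if __name__ == "__main__":
    findings = check_trust_flags(parse_certutil_listing(SAMPLE_LISTING), REQUIRED_FLAGS)
    for f in findings:
        print("TRUST FLAG CHECK FAILED:", f)
    if not findings:
        print("all required trust flags present")
```

Running it offline against the constructed listing reports the single finding `ca_audit_signing: JAR/XPI trust missing flag(s) P (have 'u,u,u', need 'u,u,Pu')`; pointing `read_live_listing` at `/var/lib/pki/pki-tomcat/alias` instead would check the real database, which is the kind of check the issue proposes running before certificate validity is verified at selftest startup.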

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2018-09-25 11:34:21

Metadata Update from @mharmsen:

pki-bot commented 4 years ago

Comment from dmoluguw (@SilleBille) at 2018-09-25 13:08:59

Metadata Update from @SilleBille:

pki-bot commented 4 years ago

Comment from dmoluguw (@SilleBille) at 2018-09-25 13:09:11

Metadata Update from @SilleBille:

pki-bot commented 4 years ago

Comment from dmoluguw (@SilleBille) at 2018-09-25 13:09:19

Metadata Update from @SilleBille:

pki-bot commented 4 years ago

Comment from dmoluguw (@SilleBille) at 2018-09-25 16:14:15

Metadata Update from @SilleBille:

pki-bot commented 4 years ago

Comment from dmoluguw (@SilleBille) at 2018-09-25 16:14:21

Metadata Update from @SilleBille:

pki-bot commented 4 years ago

Comment from dmoluguw (@SilleBille) at 2018-09-25 16:14:27

Metadata Update from @SilleBille:

pki-bot commented 4 years ago

Comment from dmoluguw (@SilleBille) at 2018-09-25 16:14:43

Metadata Update from @SilleBille: