Dogtag PKI
DOGTAG-3879

PKI ca-profile-add operation is failing with PKIException: Bad Request error


      Description of problem:

      The pki ca-profile-add operation for a custom profile.xml file fails with a PKIException: Bad Request error.

      Version-Release number of selected component (if applicable):

      pki-core-11.0.1-3.el9.src.rpm
      jss-5.0.1-2.el9.src.rpm
      nss-3.71.0-3.el9.src.rpm

      How reproducible:
      Always

      Steps to Reproduce:

      1. Install CA
      2. Create the custom profile as below:

      2.1 # pki -d /opt/pki/certdb -p 20443 -h pki1.example.com -c 'SECret.123' -n 'PKI CA Administrator for Example.Org' ca-profile-show caUserCert --output /tmp/customprofile.xml
      --------------------
      Profile "caUserCert"
      --------------------
      --------------------------------------------------
      Saved profile caUserCert to /tmp/customprofile.xml
      --------------------------------------------------

      2.2 Replace caUserCert with caCustomUser in the /tmp/customprofile.xml file.

      3. Execute pki ca-profile-add /tmp/customprofile.xml:

      # pki -d /opt/pki/certdb -p 20443 -h pki1.example.com -c 'SECret.123' -n 'PKI CA Administrator for Example.Org' ca-profile-add /tmp/customprofile.xml

      Actual results:

      The pki ca-profile-add command fails with the error below.

      Output when the command is executed with --debug:

      # pki -d /opt/pki/certdb -p 20443 -h pki1.example.com -c 'SECret.123' -n 'PKI CA Administrator for Example.Org' ca-profile-add /tmp/customprofile.xml --debug

      FINE: Response:
      org.apache.catalina.connector.ClientAbortException: java.net.SocketTimeoutException
      SEVERE: WARNING: SSL alert sent: CLOSE_NOTIFY
      com.netscape.certsrv.base.PKIException: Bad Request
      at com.netscape.certsrv.client.PKIClient.handleErrorResponse(PKIClient.java:184)
      at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:204)
      at com.netscape.certsrv.profile.ProfileClient.createProfile(ProfileClient.java:69)
      at com.netscape.cmstools.profile.ProfileAddCLI.execute(ProfileAddCLI.java:69)
      at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
      at org.dogtagpki.cli.CLI.execute(CLI.java:357)
      at org.dogtagpki.cli.CLI.execute(CLI.java:357)
      at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
      at org.dogtagpki.cli.CLI.execute(CLI.java:357)
      at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:656)
      at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:694)

      # systemctl status pki-tomcatd@topology-02-CA
        ● pki-tomcatd@topology-02-CA.service - PKI Tomcat Server topology-02-CA
        Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
        Active: active (running) since Thu 2021-12-16 05:39:39 EST; 21min ago
        Process: 134452 ExecStartPre=/usr/sbin/pki-server upgrade topology-02-CA (code=exited, status=0/SUCCESS)
        Process: 134454 ExecStartPre=/usr/sbin/pki-server migrate topology-02-CA (code=exited, status=0/SUCCESS)
        Process: 134471 ExecStartPre=/usr/bin/pkidaemon start topology-02-CA (code=exited, status=0/SUCCESS)
        Main PID: 134483 (java)
        Tasks: 95 (limit: 11120)
        Memory: 168.8M
        CPU: 20.542s
        CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@topology-02-CA.service
        └─134483 /usr/lib/jvm/jre-11-openjdk/bin/java -Dcom.redhat.fips=false -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomca>

      Dec 16 05:39:39 pki1.example.com server[134483]: arguments used: start
      Dec 16 05:39:43 pki1.example.com server[134483]: WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv>
      Dec 16 05:39:52 pki1.example.com server[134483]: WARNING: The SHA1 algorithm used in com.netscape.ca.serviceCheckChallenge::<init>:1631 is deprecated. Use a >
      Dec 16 05:39:52 pki1.example.com server[134483]: WARNING: The SHA-1 algorithm used in com.netscape.ca.serviceCheckChallenge::<init>:1631 is deprecated. Use a>
      Dec 16 05:39:53 pki1.example.com server[134483]: WARNING: The SHA-1 algorithm used in com.netscape.cmsutil.crypto.CryptoUtil::generateKeyIdentifier:1552 is d>
      Dec 16 05:39:57 pki1.example.com server[134483]: WARNING: The SHA1 algorithm used in com.netscape.cmscore.authentication.ChallengePhraseAuthentication::init:>
      Dec 16 05:40:00 pki1.example.com server[134483]: WARNING: The SHA algorithm used in org.jboss.resteasy.util.MethodHashing::createHash:33 is deprecated. Use a>
      Dec 16 05:40:00 pki1.example.com server[134483]: WARNING: The SHA algorithm used in org.jboss.resteasy.util.MethodHashing::createHash:33 is deprecated. Use a>
      Dec 16 05:40:00 pki1.example.com server[134483]: WARNING: The SHA algorithm used in org.jboss.resteasy.util.MethodHashing::createHash:33 is deprecated. Use a>
      Dec 16 05:40:00 pki1.example.com server[134483]: WARNING: The SHA algorithm used in org.jboss.resteasy.util.MethodHashing::createHash:33 is deprecated. Use a

      No debug logs were generated for this error in the CA.

      Expected results:

      The PKI ca-profile-add command should work successfully.

      Additional info:

      Multiple RHEL9.0 GA sanity role user pipeline jobs are failing due to this issue:
      https://gitlab.cee.redhat.com/idm/pki-pytest-ansible/-/pipelines/1551733

              ckelley@redhat.com Chris Kelley
              prisingh@redhat.com Pritam Singh
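Step 2.2 of the reproduction performs the rename as a blind text substitution in the exported XML. The script below is an added example, not part of this report and not Dogtag's own code: it performs the same clone structurally (rename the root profile id and the display name, then list every place the old id still occurs) so the edited document can be inspected before pki ca-profile-add is run against it. The embedded profile XML is constructed for illustration and assumes the general shape of ca-profile-show --output (a <Profile id="..."> root with <name>, <description> and a server-generated <link href="..." rel="self"/>); the allowed-character rule for the new id is a conservative assumption, not a documented server constraint.

```python
"""Clone a Dogtag CA certificate profile by renaming its profile ID.

Added example (not Dogtag code). Instead of `sed s/caUserCert/caCustomUser/`
over the exported XML, edit the document structurally and report what the
old ID still references, so nothing is rewritten by accident.
"""
import re
import xml.etree.ElementTree as ET

# CONSTRUCTED sample standing in for /tmp/customprofile.xml. The element
# layout is an assumption about the ca-profile-show --output format.
SAMPLE_PROFILE_XML = """<Profile id="caUserCert">
  <classId>caEnrollImpl</classId>
  <name>Manual User Dual-Use Certificate Enrollment</name>
  <description>This certificate profile is for enrolling user certificates.</description>
  <enabled>true</enabled>
  <visible>true</visible>
  <link href="https://pki1.example.com:20443/ca/rest/profiles/caUserCert" rel="self"/>
</Profile>
"""

# The profile ID becomes a path segment under ca/rest/profiles/<id>, so keep
# it to a plain identifier. Conservative assumption, not a server-side rule.
PROFILE_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*$")


def validate_profile_id(profile_id):
    """Reject IDs with whitespace, slashes or other URL-significant characters."""
    if not PROFILE_ID_RE.match(profile_id):
        raise ValueError(f"unsafe profile id: {profile_id!r}")
    return profile_id


def find_references(xml_text, needle):
    """Return (tag, attribute-or-'text') pairs where `needle` occurs, in document order."""
    hits = []
    for element in ET.fromstring(xml_text).iter():
        if element.text and needle in element.text:
            hits.append((element.tag, "text"))
        for attribute, value in element.attrib.items():
            if needle in value:
                hits.append((element.tag, attribute))
    return hits


def clone_profile(xml_text, old_id, new_id, new_name=None):
    """Rename the root profile id (and optionally <name>); leave everything else untouched."""
    validate_profile_id(new_id)
    root = ET.fromstring(xml_text)
    if root.tag != "Profile":
        raise ValueError(f"expected <Profile> root, got <{root.tag}>")
    if root.get("id") != old_id:
        raise ValueError(f"profile id is {root.get('id')!r}, expected {old_id!r}")
    root.set("id", new_id)
    if new_name is not None:
        name_element = root.find("name")
        if name_element is None:
            raise ValueError("profile has no <name> element to rename")
        name_element.text = new_name
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    cloned = clone_profile(SAMPLE_PROFILE_XML, "caUserCert", "caCustomUser",
                           new_name="Custom User Certificate Enrollment")
    print(cloned)
    # Anything left here (e.g. the self link) is a reference to the SOURCE
    # profile that a blind text replace would have silently rewritten.
    print("remaining references to caUserCert:", find_references(cloned, "caUserCert"))
```

Write the returned string to a new file and pass that to ca-profile-add; review the remaining-references list first, since the self link still points at the source profile's REST URL and it is up to the operator whether to keep it.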