- Bug
- Resolution: Unresolved
- Major
- rhel-10.0.z, rhel-10.1, rhel-9.7.z
- Important
- rhel-idm-pki
What were you trying to do that didn't work?
With an IPA server configured with a subca, the user tries to obtain a certificate using the subca. The issuance fails with Server Internal Error.
What is the impact of this issue to you?
subca functionality is not working
Please provide the package NVR for which the bug is seen:
# rpm -qa idm-pki-server idm-jss
idm-jss-5.7.0-2.el10.x86_64
idm-pki-server-11.7.0-2.el10.noarch
How reproducible is this bug?:
Always.
Reproduced as part of the Tier1 test suite for IPA.
Steps to reproduce
- install ipa server
- create a subca with ipa ca-add subcaname
- try to issue a cert with ipa-getcert request ... -X subcaname
Expected results
The cert should be issued
Actual results
ipa getcert-list shows that the cert was not issued:
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 Request ID '20250807164905':
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 status: CA_UNREACHABLE
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 ca-error: Server at https://hostname1.testrealm.test/ipa/json failed request, will retry: 4301 (Certificate operation cannot be completed: Request 296634107290624139828378328123686980040 - Server Internal Error).
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 stuck: no
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 key pair storage: type=FILE,location='/tmp/temp_test_0006_subca1/test_0006_subca1_file.key'
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 certificate: type=FILE,location='/tmp/temp_test_0006_subca1/test_0006_subca1_file.pem'
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 CA: IPA
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 issuer:
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 subject:
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 issued: unknown
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 expires: unknown
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 issuer template: test_0006_subca1
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 pre-save command:
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 post-save command:
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 track: yes
DEBUG ipa_pytests.qe_class.QeHost.hostname1.cmd92:transport.py:563 auto-renew: yes
and pki/ca/debug.log shows the failure to issue the cert with the subca:
2025-08-07 16:49:06 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-5] INFO: CAService: Signing cert 0xab54497aff4f00f72b10f62245a84a7b
2025-08-07 16:49:06 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-5] SEVERE: Signing Unit signing operation failed. Error java.security.SignatureException: Signing operation failed: (-8152) The key does not support the requested operation.
java.security.SignatureException: Signing operation failed: (-8152) The key does not support the requested operation.
    at org.mozilla.jss.pkcs11.PK11Signature.engineSignNative(Native Method)
    at org.mozilla.jss.pkcs11.PK11Signature.engineSign(PK11Signature.java:269)
    at org.mozilla.jss.crypto.Signature.sign(Signature.java:95)
    at com.netscape.ca.CASigningUnit.sign(CASigningUnit.java:196)
    at com.netscape.ca.CertificateAuthority.sign(CertificateAuthority.java:862)
    at org.dogtagpki.server.ca.CAEngine.sign(CAEngine.java:2021)
    at com.netscape.ca.CAService.issueX509Cert(CAService.java:863)
    at com.netscape.ca.CAService.issueX509Cert(CAService.java:548)
    at com.netscape.cms.profile.common.CAEnrollProfile.execute(CAEnrollProfile.java:410)
    at com.netscape.cms.profile.common.EnrollProfile.submit(EnrollProfile.java:688)
    at com.netscape.cms.servlet.cert.CertProcessor.submitRequests(CertProcessor.java:253)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:205)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:95)
    at org.dogtagpki.server.ca.rest.v1.CertRequestDAO.submitRequest(CertRequestDAO.java:225)
    at org.dogtagpki.server.ca.rest.v1.CertRequestService.enrollCert(CertRequestService.java:172)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:714)
    at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:670)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:142)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:138)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:571)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:137)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:714)
    at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:670)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:177)
    at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:138)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:571)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:137)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
    at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
    at org.apache.catalina.valves.rewrite.RewriteValve.invoke(RewriteValve.java:297)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.valves.rewrite.RewriteValve.invoke(RewriteValve.java:549)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:424)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1786)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
    at java.base/java.lang.Thread.run(Thread.java:1583)
- is duplicated by: RHEL-119630 Fix Tier-1 upstream-xmlrpc tests (Closed)
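A triage check for the failure reported above, as an added example that is not part of the original ticket or of the Dogtag/IPA code: it scans text in the pki/ca/debug.log line format quoted in the report and pairs each SEVERE signing failure with the certificate serial announced on the same thread. The sample log is constructed from the quoted lines (the last request is invented), and the function and field names are illustrative.

```python
import re

# Constructed sample in the debug.log line format quoted in this report; stack
# frames are trimmed and the last request (serial 0x1f) is invented.
SAMPLE_LOG = """\
2025-08-07 16:49:06 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-5] INFO: CAService: Signing cert 0xab54497aff4f00f72b10f62245a84a7b
2025-08-07 16:49:06 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-5] SEVERE: Signing Unit signing operation failed. Error java.security.SignatureException: Signing operation failed: (-8152) The key does not support the requested operation.
java.security.SignatureException: Signing operation failed: (-8152) The key does not support the requested operation.
    at org.mozilla.jss.pkcs11.PK11Signature.engineSignNative(Native Method)
2025-08-07 16:50:11 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: CAService: Signing cert 0x1f
"""

# "<date> <time> [<thread>] <LEVEL>: <message>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[([^\]]+)\] (\w+): (.*)$")
SIGNING_RE = re.compile(r"CAService: Signing cert (0x[0-9a-fA-F]+)")
FAILURE_RE = re.compile(r"Signing operation failed: \((-?\d+)\) (.*)$")
# NSS error number seen in this report and its symbolic name in NSS's secerr.h.
NSS_NAMES = {-8152: "SEC_ERROR_INVALID_KEY"}


def find_signing_failures(log_text):
    """Pair each SEVERE signing failure with the serial its thread announced."""
    pending = {}    # thread name -> serial of the cert it last started signing
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue    # exception text or stack frame continuing the entry
        ts, thread, level, msg = m.groups()
        started = SIGNING_RE.search(msg)
        if started:
            pending[thread] = started.group(1)
            continue
        failed = FAILURE_RE.search(msg)
        if level == "SEVERE" and failed:
            code = int(failed.group(1))
            findings.append({
                "time": ts, "thread": thread,
                "serial": pending.pop(thread, None),  # None: no start line seen
                "nss_code": code, "nss_name": NSS_NAMES.get(code, "unknown"),
                "reason": failed.group(2).strip(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_signing_failures(SAMPLE_LOG):
        print(finding)
```
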