RHEL-25712

pki 'ca-user-cert-show' command fails on unsecure port

    • Type: Bug
    • Resolution: Unresolved
    • rhel-9.4
    • pki-core
    • rhel-sst-idm-cs
    • ssg_idm

      What were you trying to do that didn't work?

      pki 'ca-user-cert-show' command fails on unsecure port, whereas pki ca-user-cert-find works.

      Please provide the package NVR for which bug is seen:

      idm-pki-server-11.5.0-0.1.alpha8.el9.noarch
      idm-pki-ca-11.5.0-0.1.alpha8.el9.noarch
      RHEL 9.4 latest bits

      How reproducible:

      Always

      Steps to reproduce

      1. pki -d /opt/pki/certdb -P http -p 20080 -h pki1.example.com -c SECret.123 -n "PKI CA Administrator for Example.Org" ca-user-add testuser09 --fullName "Test User09"
      2. pki -d /opt/pki/certdb -P http -p 20080 -h pki1.example.com -c SECret.123 -n "PKI CA Administrator for Example.Org" client-cert-request 'UID=Test User09,CN=Test User09'
      3. pki -d /opt/pki/certdb -P http -p 20080 -h pki1.example.com -c SECret.123 -n "PKI CA Administrator for Example.Org" ca-cert-request-approve 0x65cd5a6f9d13ba8f4b690729b6a2f357
      4. pki -d /opt/pki/certdb -P http -p 20080 -h pki1.example.com -c SECret.123 -n "PKI CA Administrator for Example.Org" ca-user-cert-show testuser09 "2;244010469757714350594829097783504845935;CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org;UID=Test User09,CN=Test User09" --output /tmp/cert_0xfd4a1db8cae8956badfe2f861c60c14b.pem
      5. pki -d /opt/pki/certdb -P http -p 20080 -h pki1.example.com -c SECret.123 -n "PKI CA Administrator for Example.Org" ca-user-find testuser09
      6. pki -d /opt/pki/certdb -P https -p 20443 -h pki1.example.com -c SECret.123 -n "PKI CA Administrator for Example.Org" ca-user-cert-show testuser09 "2;244010469757714350594829097783504845935;CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org;UID=Test User09,CN=Test User09" --output /tmp/cert_0xfd4a1db8cae8956badfe2f861c60c14b.pem

      Expected results

      pki -d /opt/pki/certdb -P http -p 20080 -h pki1.example.com -c SECret.123 -n "PKI CA Administrator for Example.Org" ca-user-cert-show testuser09 "2;244010469757714350594829097783504845935;CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org;UID=Test User09,CN=Test User09" --output /tmp/cert_0xfd4a1db8cae8956badfe2f861c60c14b.pem

      Should work

      Actual results

      It failed with the following output:

      [root@pki1 ~]# pki -d /opt/pki/certdb -P http -p 20080 -h pki1.example.com -c SECret.123 -n "PKI CA Administrator for Example.Org" ca-user-cert-show testuser09 "2;244010469757714350594829097783504845935;CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org;UID=Test User09,CN=Test User09" --output /tmp/cert_0xfd4a1db8cae8956badfe2f861c60c14b.pem --debug
      SEVERE: WARNING: SSL alert sent: CLOSE_NOTIFY
      INFO: HTTP request: GET /ca/rest/admin/users/testuser09/certs/2%3B244010469757714350594829097783504845935%3BCN%3DCA+Signing+Certificate%2COU%3Dtopology-02-CA%2CO%3Dtopology-02_Foobarmaster.org%3BUID%3DTest+User09%2CCN%3DTest+User09 HTTP/1.1
      FINE: - Authorization: ********
      FINE: - Host: pki1.example.com:20080
      FINE: - Connection: Keep-Alive
      FINE: - User-Agent: Apache-HttpClient/4.5.13 (Java/17.0.10)
      FINE: Request:

      INFO: HTTP response: HTTP/1.1 302
      FINE: - Cache-Control: private
      FINE: - Location: https://pki1.example.com:20443/ca/rest/admin/users/testuser09/certs/2%3B244010469757714350594829097783504845935%3BCN%3DCA+Signing+Certificate%2COU%3Dtopology-02-CA%2CO%3Dtopology-02_Foobarmaster.org%3BUID%3DTest+User09%2CCN%3DTest+User09
      FINE: - Content-Length: 0
      FINE: - Date: Thu, 15 Feb 2024 10:48:50 GMT
      FINE: - Keep-Alive: timeout=80
      FINE: - Connection: keep-alive
      FINE: Response:

      FINE: Redirect requested to location 'https://pki1.example.com:20443/ca/rest/admin/users/testuser09/certs/2%3B244010469757714350594829097783504845935%3BCN%3DCA+Signing+Certificate%2COU%3Dtopology-02-CA%2CO%3Dtopology-02_Foobarmaster.org%3BUID%3DTest+User09%2CCN%3DTest+User09'
      INFO: HTTP redirect: https://pki1.example.com:20443/ca/rest/admin/users/testuser09/certs/2;244010469757714350594829097783504845935;CN=CA+Signing+Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org;UID=Test+User09,CN=Test+User09
      INFO: Client certificate: PKI CA Administrator for Example.Org
      INFO: HTTP request: GET /ca/rest/admin/users/testuser09/certs/2;244010469757714350594829097783504845935;CN=CA+Signing+Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org;UID=Test+User09,CN=Test+User09 HTTP/1.1
      FINE: - Authorization: ********
      FINE: - Host: pki1.example.com:20443
      FINE: - Connection: Keep-Alive
      FINE: - User-Agent: Apache-HttpClient/4.5.13 (Java/17.0.10)
      FINE: - Cookie: JSESSIONID=3A0523DEC6275349318E31CDAC12CC01
      FINE: Request:

      INFO: Server certificate: CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org
      INFO: HTTP response: HTTP/1.1 404
      FINE: - Cache-Control: private
      FINE: - Content-Type: application/xml;charset=UTF-8
      FINE: - Content-Length: 264
      FINE: - Date: Thu, 15 Feb 2024 10:48:50 GMT
      FINE: - Keep-Alive: timeout=300
      FINE: - Connection: keep-alive
      FINE: Response:
      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
      <PKIException>
      <ClassName>com.netscape.certsrv.base.ResourceNotFoundException</ClassName>
      <Attributes/>
      <Code>404</Code>
      <Message>No certificates found for testuser09</Message>
      </PKIException>

      com.netscape.certsrv.base.ResourceNotFoundException: No certificates found for testuser09
      at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77)
      at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
      at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
      at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
      at com.netscape.certsrv.client.PKIClient.handleErrorResponse(PKIClient.java:185)
      at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:197)
      at com.netscape.certsrv.client.PKIClient.get(PKIClient.java:267)
      at com.netscape.certsrv.client.Client.get(Client.java:111)
      at com.netscape.certsrv.client.Client.get(Client.java:106)
      at com.netscape.certsrv.user.UserClient.getUserCert(UserClient.java:76)
      at com.netscape.cmstools.user.UserCertShowCLI.execute(UserCertShowCLI.java:82)
      at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
      at org.dogtagpki.cli.CLI.execute(CLI.java:353)
      at org.dogtagpki.cli.CLI.execute(CLI.java:353)
      at org.dogtagpki.cli.CLI.execute(CLI.java:353)
      at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:79)
      at org.dogtagpki.cli.CLI.execute(CLI.java:353)
      at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:659)
      at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)

      Note: It's a regression test and is failing in RHEL 9.4 pipelines. This test was working earlier.
      Failure logs: https://idm-artifacts.psi.redhat.com/idm-ci/dogtag/Signoff-Tier2-discrete/RHEL9.4/2024-02-09_10-20/tier-2-discrete/pki_ca_user_cli_topo_02/1/user_cert_report.html?sort=result
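
Added example, not part of the original report or of the pki tooling: a Python check over `pki --debug` output that compares the path in each 302 `Location` header with the path of the request the client sent next, which is the difference visible in the log above just before the 404. The sample log is constructed and shortened, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the `pki --debug` output above
# (certificate ID shortened to made-up values).
SAMPLE_LOG = """\
INFO: HTTP request: GET /ca/rest/admin/users/testuser09/certs/2%3B1234%3BCN%3DCA%2CO%3DEXAMPLE HTTP/1.1
INFO: HTTP response: HTTP/1.1 302
FINE: - Location: https://pki1.example.com:20443/ca/rest/admin/users/testuser09/certs/2%3B1234%3BCN%3DCA%2CO%3DEXAMPLE
INFO: HTTP request: GET /ca/rest/admin/users/testuser09/certs/2;1234;CN=CA,O=EXAMPLE HTTP/1.1
INFO: HTTP response: HTTP/1.1 404
"""

REQ = re.compile(r"HTTP request: \w+ (\S+) HTTP/")
RESP = re.compile(r"HTTP response: HTTP/\S+ (\d{3})")
LOC = re.compile(r"- Location: (\S+)")
ESC = re.compile(r"%[0-9A-Fa-f]{2}")

def parse_exchanges(log):
    """One dict per request line: path sent, response status, Location header."""
    exchanges = []
    for line in log.splitlines():
        if m := REQ.search(line):
            exchanges.append({"path": m.group(1), "status": None, "location": None})
        elif exchanges and (m := RESP.search(line)):
            exchanges[-1]["status"] = int(m.group(1))
        elif exchanges and (m := LOC.search(line)):
            exchanges[-1]["location"] = m.group(1)
    return exchanges

def check_redirects(log):
    """Compare each Location path with the path of the request that followed it."""
    findings = []
    ex = parse_exchanges(log)
    for prev, nxt in zip(ex, ex[1:]):
        if prev["location"] is None:
            continue
        expected = urlsplit(prev["location"]).path  # urlsplit leaves %XX escapes intact
        lost = sorted(set(ESC.findall(expected)) - set(ESC.findall(nxt["path"])))
        findings.append({"expected": expected, "sent": nxt["path"],
                         "preserved": expected == nxt["path"],
                         "lost_escapes": lost, "status": nxt["status"]})
    return findings

if __name__ == "__main__":
    for finding in check_redirects(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the check reports that `%2C`, `%3B` and `%3D` were present in the `Location` path but absent from the follow-up request, which then received the 404.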

              Unassigned
              skhande shalini khandelwal
              RHCS Maintenance