Type: Bug
Resolution: Unresolved
Priority: Critical
Affects Version: rhel-10.0
Package: dogtag-pki-11.6.0-1.el10
Severity: Critical
Team: rhel-sst-idm-cs (ssg_idm)
Architecture: x86_64
What were you trying to do that didn't work?
- CA is installed on RHEL10
- CA clone is installed
- Created certificate request on clone instance
- Trying certificate request approval on clone instance and it failed:
  pki -d /tmp/nssdb -c SECret.123 -n "PKI CA Administrator for Example.Org" -p 30443 ca-cert-request-approve 0x420106c941c35858a68edb64523cd5ad
What is the impact of this issue to you?
Certificate request approval is not working.
Please provide the package NVR for which the bug is seen:
389-ds-base-3.0.4-3.el10.src.rpm
Steps to reproduce
- Run PKI certificate request and approve command on clone instance:

  # pki -d /tmp/nssdb -c SECret.123 -n "PKI CA Administrator for Example.Org" -p 30443 client-cert-request uid=test
  Request ID: 0x8ade521db2dd7da9a93e0d876bce67bb
  Type: enrollment
  Request Status: pending
  Operation Result: success
  Creation Time: Thu Oct 17 11:11:07 EDT 2024
  Modification Time: Thu Oct 17 11:11:07 EDT 2024

  # pki -d /tmp/nssdb -c SECret.123 -n "PKI CA Administrator for Example.Org" -p 30443 ca-cert-request-approve 0x8ade521db2dd7da9a93e0d876bce67bb
  PKIException: Unauthorized
Expected results
It should work fine without any issue.
Actual results
- pki -d /tmp/nssdb -c SECret.123 -n "PKI CA Administrator for Example.Org" -p 30443 ca-cert-request-approve 0x8ade521db2dd7da9a93e0d876bce67bb
PKIException: Unauthorized
Clone CA's debug log:
2024-10-17 11:12:07 [https-jsse-jss-nio-30443-exec-25] INFO: PKIRealm: Subject DN: CN=PKI Administrator, EMAILADDRESS=caadmin@example.com, OU=topology-02-CA, O=topology-02_Foobarmaster.org
2024-10-17 11:12:07 [https-jsse-jss-nio-30443-exec-25] INFO: LDAPSession: Retrieving cn=321690090892119664455700822112772592754,ou=certificateRepository, ou=ca,o=topology-02-CA-CA
2024-10-17 11:12:07 [https-jsse-jss-nio-30443-exec-25] SEVERE: CertUserDBAuthentication: cannot map certificate to any user: User not found
User not found
        at com.netscape.cmscore.usrgrp.UGSubsystem.buildUsers(UGSubsystem.java:402)
        at com.netscape.cmscore.usrgrp.UGSubsystem.findUsersByCert(UGSubsystem.java:260)
        at com.netscape.cmscore.usrgrp.ExactMatchCertUserLocator.locateUser(ExactMatchCertUserLocator.java:80)
        at com.netscape.cmscore.authentication.CertUserDBAuthentication.authenticate(CertUserDBAuthentication.java:194)
        at com.netscape.cms.realm.PKIRealm.authenticate(PKIRealm.java:139)
        at com.netscape.cms.tomcat.ProxyRealm.authenticate(ProxyRealm.java:152)
        at org.apache.catalina.authenticator.SSLAuthenticator.doAuthenticate(SSLAuthenticator.java:91)
        at org.apache.catalina.authenticator.AuthenticatorBase.authenticate(AuthenticatorBase.java:665)
        at com.netscape.cms.tomcat.SSLAuthenticatorWithFallback.doSubAuthenticate(SSLAuthenticatorWithFallback.java:37)
        at com.netscape.cms.tomcat.AbstractPKIAuthenticator.doAuthenticate(AbstractPKIAuthenticator.java:93)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:562)
        at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
        at org.apache.catalina.valves.rewrite.RewriteValve.invoke(RewriteValve.java:560)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1786)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
        at java.base/java.lang.Thread.run(Thread.java:1583)
2024-10-17 11:12:07 [https-jsse-jss-nio-30443-exec-25] SEVERE: CertUserDBAuthentication: Cannot authenticate agent with certificate Serial 0xf2034204d41eb1698eeed39443489472 Subject DN CN=PKI Administrator,E=caadmin@example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org. Error: User not found
2024-10-17 11:12:07 [https-jsse-jss-nio-30443-exec-25] WARNING: Unable to authenticate user with certificate CN=PKI Administrator,E=caadmin@example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org: Invalid Credential.
CA database indextasks.ldif file has:
# cat /usr/share/pki/ca/database/ds/indextasks.ldif
dn: cn=index1160589770, cn=index, cn=tasks, cn=config
objectclass: top
objectclass: extensibleObject
cn: index1160589770
ttl: 10
nsinstance: {database}
nsIndexAttribute: revokedby:eq
nsIndexAttribute: issuedby:eq
nsIndexAttribute: publicKeyData:eq
nsIndexAttribute: clientId:eq
nsIndexAttribute: dataType:eq
nsIndexAttribute: status:eq
nsIndexAttribute: description:eq,pres
nsIndexAttribute: serialno:eq,pres
nsIndexAttribute: metaInfo:eq,pres
nsIndexAttribute: certstatus:eq,pres
nsIndexAttribute: requestid:eq,pres
nsIndexAttribute: requesttype:eq,pres
nsIndexAttribute: requeststate:eq,pres
nsIndexAttribute: requestowner:eq,pres
nsIndexAttribute: notbefore:eq,pres
nsIndexAttribute: notafter:eq,pres
nsIndexAttribute: duration:eq,pres
nsIndexAttribute: dateOfCreate:eq,pres
nsIndexAttribute: revokedOn:eq,pres
nsIndexAttribute: archivedBy:eq,pres
nsIndexAttribute: ownername:eq,pres,sub
nsIndexAttribute: subjectname:eq,pres,sub
nsIndexAttribute: issuername:eq,pres,sub
nsIndexAttribute: requestsourceid:eq,pres,sub
nsIndexAttribute: revInfo:eq,pres,sub
nsIndexAttribute: extension:eq,pres,sub
nsIndexAttribute: acmeExpires:eq
nsIndexAttribute: acmeAccountId:eq
nsIndexAttribute: acmeStatus:eq
nsIndexAttribute: acmeAuthorizationId:eq
nsIndexAttribute: acmeIdentifier:eq
nsIndexAttribute: acmeCertificateId:eq
nsIndexAttribute: acmeAuthorizationWildcard:eq,pres
Workaround:
Remove eq and other values from IndexAttribute from indextasks.ldif file:
sed -i 's/:e.*//' /usr/share/pki/ca/database/ds/indextasks.ldif
Now contents file looks like:
# cat /usr/share/pki/ca/database/ds/indextasks.ldif
dn: cn=index1160589770, cn=index, cn=tasks, cn=config
objectclass: top
objectclass: extensibleObject
cn: index1160589770
ttl: 10
nsinstance: {database}
nsIndexAttribute: revokedby
nsIndexAttribute: issuedby
nsIndexAttribute: publicKeyData
nsIndexAttribute: clientId
nsIndexAttribute: dataType
nsIndexAttribute: status
nsIndexAttribute: description
nsIndexAttribute: serialno
nsIndexAttribute: metaInfo
nsIndexAttribute: certstatus
nsIndexAttribute: requestid
nsIndexAttribute: requesttype
nsIndexAttribute: requeststate
nsIndexAttribute: requestowner
nsIndexAttribute: notbefore
nsIndexAttribute: notafter
nsIndexAttribute: duration
nsIndexAttribute: dateOfCreate
nsIndexAttribute: revokedOn
nsIndexAttribute: archivedBy
nsIndexAttribute: ownername
nsIndexAttribute: subjectname
nsIndexAttribute: issuername
nsIndexAttribute: requestsourceid
nsIndexAttribute: revInfo
nsIndexAttribute: extension
nsIndexAttribute: acmeExpires
nsIndexAttribute: acmeAccountId
nsIndexAttribute: acmeStatus
nsIndexAttribute: acmeAuthorizationId
nsIndexAttribute: acmeIdentifier
nsIndexAttribute: acmeCertificateId
nsIndexAttribute: acmeAuthorizationWildcard
Then rebuild the ca database index using:
pki-server ca-db-index-rebuild -i clone-CA
Check the clone DS errors log:
[17/Oct/2024:11:21:22.482817598 -0400] - INFO - dbmdb_public_dbmdb_import_main - reindex topology-02-CA-CA-clone: Reindexing complete. Processed 84 entries in 0 seconds. (0.00 entries/sec)
[17/Oct/2024:11:21:22.507747662 -0400] - INFO - dbmdb_import_all_done - Backend topology-02-CA-CA-clone is now online.
Retry the failing command again and now it works:
# pki -d /tmp/nssdb -c SECret.123 -n "PKI CA Administrator for Example.Org" -p 30443 ca-cert-request-approve 0x8ade521db2dd7da9a93e0d876bce67bb
Request ID: 0x8ade521db2dd7da9a93e0d876bce67bb
Profile: Manual User Dual-Use Certificate Enrollment
Type: enrollment
Status: pending
Key Generation:
cert_request_type: pkcs10
cert_request: -----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
Subject Name:
sn_uid: test
Requestor Information:
none
Are you sure (y/N)? y
---------------------------------------------------------------
Approved certificate request 0x8ade521db2dd7da9a93e0d876bce67bb
---------------------------------------------------------------
Request ID: 0x8ade521db2dd7da9a93e0d876bce67bb
Type: enrollment
Request Status: complete
Operation Result: success
Certificate ID: 0x56d388dd40abc5d44fb75aa5daff7e5d
Creation Time: Thu Oct 17 11:11:07 EDT 2024
Modification Time: Thu Oct 17 11:23:33 EDT 2024
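The workaround above edits the packaged indextasks.ldif with `sed -i 's/:e.*//'`, which truncates any line whose value contains `:e`. The following is an added example, not part of the bug report and not dogtag-pki or 389-ds-base project code: it performs the same rewrite but only on `nsIndexAttribute` lines, stripping the `:eq`, `:eq,pres` or `:eq,pres,sub` index-type suffix and leaving `dn`, `objectclass`, `cn`, `ttl` and `nsinstance` untouched, keeps a backup of the original file, and offers a check that counts how many typed entries remain. The sample LDIF embedded below is constructed from the entries shown in the report; the function names, the `.bak` suffix and the `--apply` argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report, dogtag-pki or 389-ds-base).
# Narrow form of the report's workaround: drop the index-type suffix from
# nsIndexAttribute values only, keep a backup, and verify the result.

# Constructed sample modelled on /usr/share/pki/ca/database/ds/indextasks.ldif
# (a subset of the entries shown in the report).
SAMPLE_LDIF='dn: cn=index1160589770, cn=index, cn=tasks, cn=config
objectclass: top
objectclass: extensibleObject
cn: index1160589770
ttl: 10
nsinstance: {database}
nsIndexAttribute: revokedby:eq
nsIndexAttribute: description:eq,pres
nsIndexAttribute: subjectname:eq,pres,sub
nsIndexAttribute: acmeAuthorizationWildcard:eq,pres'

# Read LDIF on stdin, write it to stdout with the ":types" suffix removed from
# nsIndexAttribute values. Every other line is printed unchanged, so the
# "objectclass: extensibleObject" and "dn:" lines cannot be damaged.
strip_index_types() {
    awk -F': ' 'BEGIN { OFS = ": " }
        $1 == "nsIndexAttribute" { sub(/:.*$/, "", $2) }
        { print }'
}

# Count nsIndexAttribute lines on stdin that still carry an index-type suffix.
# Prints 0 (and succeeds) when there are none, so it is safe under "set -e".
count_typed_index_attrs() {
    grep -c '^nsIndexAttribute: [^:]*:' || true
}

# Rewrite FILE in place, keeping the original as FILE.bak (assumed suffix).
rewrite_indextasks() {
    file="$1"
    cp -p "$file" "$file.bak"
    strip_index_types < "$file.bak" > "$file"
}

# Stand-alone demo on the constructed sample; pass --apply FILE to rewrite a
# real file. After rewriting the clone's indextasks.ldif, rebuild the index as
# the report does:  pki-server ca-db-index-rebuild -i <clone-instance>
# and confirm "Reindexing complete" / "is now online" in the DS errors log.
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    rewrite_indextasks "$2"
    printf 'typed nsIndexAttribute entries left in %s: %s\n' \
        "$2" "$(count_typed_index_attrs < "$2")"
else
    printf '%s\n' "$SAMPLE_LDIF" | strip_index_types
fi
```

Because /usr/share/pki/ca/database/ds/indextasks.ldif is owned by the pki package, a later package update can restore the typed form; keep the `.bak` copy and re-run the check after updates. The rewrite only changes which index types 389-ds builds, so the reindex step remains mandatory, and the agent certificate lookup (the `findUsersByCert` path in the debug log) should be re-tested with `ca-cert-request-approve` exactly as the report does.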