freeipa team mailing list archive

[Bug 1769545] Re: DerInput.getLength(): lengthTag=9, too big.
Launchpad has imported 13 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=1540924.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2018-02-01T10:45:32+00:00 gkapoor wrote:

Description of problem:

Setup:

RootCA --> externalCA(cmc) ---> another externalCA (cmc)
(Level1)       (Level2)           (level3)


Level1 -- worked
Level2 -- worked
Level3 -- failure


Refer : https://bugzilla.redhat.com/show_bug.cgi?id=1535797#4

failure reason:
--------------

[01/Feb/2018:05:32:14][http-bio-29443-exec-3]: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
        at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
        at com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
        at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:539)
        at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2785)
        at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2609)
        at org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:484)
        at org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:166)
        at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:101)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)

Version-Release number of selected component (if applicable):

10.5

How reproducible:

always

Steps to Reproduce:
1.Setup a RootCA
2.Setup externalCA1 signed using CMC mechanism with RootCA
3.Setup externalCA2 signed using CMC mechanism with ExternalCA

Actual results:

ExternalCA2 install fails

Expected results:

ExternalCA2 install should work without failures.

Additional info:

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/0

------------------------------------------------------------------------
On 2018-02-01T10:47:39+00:00 gkapoor wrote:

Created attachment 1389444
debug

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/1

------------------------------------------------------------------------
On 2018-02-02T06:24:36+00:00 gkapoor wrote:

This is the same in the case of a non-CMC environment.

Scenario: this is specifically a non-CMC scenario.
==================================================

RootCA --signs--> ExternalCA(00) ---signs---> ExternalCA(000)
(level1)          (level2)                     (level3)
port-20080          port-31080                  port-29080


Level2 Installation:
====================

1. Run pkispawn step 1 and generate the CSR.
2. Sign this CSR with the RootCA.
3.
pki -U http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:20080 ca-cert-request-submit --profile caCACert --csr-file /tmp/ca_signing.csr
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 63
  Type: enrollment
  Request Status: pending
  Operation Result: success

4. Approve the CSR.
pki -p 20080 -d /root/nssdb_75/ -c SECret.123 -n "PKI CA Administrator" ca-cert-request-review 63 --action approve
-------------------------------
Approved certificate request 63
-------------------------------
  Request ID: 63
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x34e9448


5. Verify on the CA agent page that certificate 0x34e9448 is present.
6. This "0x34e9448" is the signing cert. Get the external certificate also.
7. Get external.crt and ca_signing.crt.
8. Change ciphers in server.xml to 
sslRangeCiphers="+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
9. Run step 2 of pkispawn and make sure it works.

Verification:
------------

1. Submit a cert request and approve it.

 pki -p 31080 -d /tmp/test -c SECret.123 -n "PKI CA Administrator" ca-cert-request-review 6 --action approve
WARNING: UNTRUSTED ISSUER encountered on 'CN=csqa4-guest04.idm.lab.eng.rdu.redhat.com,OU=pki-ExternalCA-gkapoor00,O=idm.lab.eng.rdu.redhat.com Security Domain' indicates a non-trusted CA cert 'CN=CA Signing Certificate,OU=pki-ExternalCA-gkapoor00,O=idm.lab.eng.rdu.redhat.com Security Domain'
Import CA certificate (Y/n)? Y
CA server URI [http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca]: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31080/ca
------------------------------
Approved certificate request 6
------------------------------
  Request ID: 6
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x6


Level3 Installation:
====================

1. Generate the CSR using the step 1 installation.
2. Get the CSR signed by the ExternalCA on port 31080.
3.
pki -U http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31080 ca-cert-request-submit --profile caCACert --csr-file /tmp/ca_signing.csr1
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 7
  Type: enrollment
  Request Status: pending
  Operation Result: success

4. Approve the CSR.

pki -p 31080 -d /tmp/test -c SECret.123 -n "PKI CA Administrator" ca-cert-request-review 7 --action approve
------------------------------
Approved certificate request 7
------------------------------
  Request ID: 7
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x7

5. Get ca_signing.crt and external.crt, which is the PKCS#7 chain of
RootCA (level 1) and ExternalCA (level 2).

6. Get the certificates either from the CLI or from the CA EE page. Both
the CA signing cert and the PKCS#7 chain certs can be found there.


[02/Feb/2018:00:56:23][http-bio-29443-exec-3]: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
	at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
	at com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
	at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:539)
	at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2785)
	at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2609)
	at org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:484)
	at org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
	at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:166)
	at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:101)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)



Attaching ca_signing cert:
=========================


-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----



External.crt pkcs7 file:
-----------------------

-----BEGIN PKCS7-----
MIIMYwYJKoZIhvcNAQcCoIIMVDCCDFACAQExADAPBgkqhkiG9w0BBwGgAgQAoIIM
NDCCBC4wggMWoAMCAQICAQcwDQYJKoZIhvcNAQENBQAweTEzMDEGA1UEChMqaWRt
LmxhYi5lbmcucmR1LnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMSEwHwYDVQQL
Exhwa2ktRXh0ZXJuYWxDQS1na2Fwb29yMDAxHzAdBgNVBAMTFkNBIFNpZ25pbmcg
Q2VydGlmaWNhdGUwHhcNMTgwMjAyMDU0MzA0WhcNMzgwMTIzMDYyMDU5WjB6MTMw
MQYDVQQKEyppZG0ubGFiLmVuZy5yZHUucmVkaGF0LmNvbSBTZWN1cml0eSBEb21h
aW4xIjAgBgNVBAsTGXBraS1FeHRlcm5hbENBLWdrYXBvb3IwMDAxHzAdBgNVBAMT
FkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCh0cMvG+FQWPzx5ZJ/+FJoZ0Xm3+pS7sxpk7OQ2NshPsDJxAclI0Yx
jBOi8PT18poUn1C/+RxOU9cN0AWHy8ZEd02ExvuKYPTHkGr2XNTD9r4u8s2hujEX
pQo54MCr2P1qcHP2vof2gENJ+X7DX74HJ6XLRD8C2kFbjmrMw4c+gigVzeBPw4+Z
QfJB+QKSWuvXWcbwZzJMVwz5tEviWogqbyc3HAQvnWS+pehkd35Y3hF9N9Ec541x
rbuOqb/N67XtwEewSlQeZqEhTwLHa4xB3BZ5PprU897n/ujFXNnPdcnohuvW6AKv
Y1eI4etJhj+0L2ADaHu+NWDImoHrmhvHAgMBAAGjgb8wgbwwHwYDVR0jBBgwFoAU
nHBJf910IgIVA2QEPM59jkP+r4IwHQYDVR0OBBYEFMC3gxcOJ/jo3Db8krDAqphA
r3WHMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMFkGCCsGAQUFBwEB
BE0wSzBJBggrBgEFBQcwAYY9aHR0cDovL2NzcWE0LWd1ZXN0MDQuaWRtLmxhYi5l
bmcucmR1LnJlZGhhdC5jb206MzEwODAvY2Evb2NzcDANBgkqhkiG9w0BAQ0FAAOC
AQEAuIeF0ZKYxOKqYsVvN8bRdCVhCGMsDztWCm0m+rbMBDzC7vCMRwUk2iMiF46C
Xgs9X0Qr2BdJu9WCAVrs6VoBSQrHgtJvHstFoF6AViQGDAN1Ygdy9KGh7YyOgCCL
GLYeXN5k8PM3NhWXznDW06Ev10w9fB6luv6Ys37giW7fPdnvlsG8KRF9Rz5auF0g
2wIAr3v55T2RzZQAh7E+k0do8stVK35Uy0V9IwBfLPo56q2srA9hQccpCvO1nIY8
0wdfSTLAX3SgAdRIZJE6iVcP8AayDUmd+VF2KzuiB8TG/+nho8NUDXD4WA1Fcd40
P2pawDaQC7fu89ShzmxC2UD1sTCCBA4wggL2oAMCAQICBANOlEgwDQYJKoZIhvcN
AQENBQAwVzEaMBgGA1UECgwRRXhhbXBsZS1yaGNzOTItQ0ExGDAWBgNVBAsMD2dr
YXBvb3JfUkhDU183NTEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAe
Fw0xODAyMDIwNTAxNTVaFw0zODAxMjMwNjIwNTlaMHkxMzAxBgNVBAoTKmlkbS5s
YWIuZW5nLnJkdS5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEhMB8GA1UECxMY
cGtpLUV4dGVybmFsQ0EtZ2thcG9vcjAwMR8wHQYDVQQDExZDQSBTaWduaW5nIENl
cnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwn8parcQ
uuODJGY2KTLoaaOMgxHtwE1P4loTLgRh94Bo+R/kwbQenLfzkCLjzlo0ZdnXvppG
OaUD5Jb2F9O09zPgIsAnZszn9Vj/WMwLrr9klKHT91vPxkzGpKNXlJNcvmED+611
pe46rwDosdXlCor9aeEnxStpGjp0JC7/tua2T7fasw3W2sNz7Ri0bNUGImtdMMKj
e99RQ6JNtxqv7KMLKR8NaP66eKExugl3SXsWHiDIKrNaVN6xfo3y/gMVcmSLQ28S
PwNj3isiVGTQvRlg0bcGMI8LXAGMIi7tqKtofIaqUrGXx1UCVqvAKtdIR5xmQiCK
dRda8ykg1SswqwIDAQABo4G/MIG8MB8GA1UdIwQYMBaAFMlus01K+zt1TdjJDJJk
1JGu216/MB0GA1UdDgQWBBSccEl/3XQiAhUDZAQ8zn2OQ/6vgjAPBgNVHRMBAf8E
BTADAQH/MA4GA1UdDwEB/wQEAwIBxjBZBggrBgEFBQcBAQRNMEswSQYIKwYBBQUH
MAGGPWh0dHA6Ly9jc3FhNC1ndWVzdDA0LmlkbS5sYWIuZW5nLnJkdS5yZWRoYXQu
Y29tOjIwMDgwL2NhL29jc3AwDQYJKoZIhvcNAQENBQADggEBAD4V3+VtPWTPqJii
ndcP9KLxZPhKd7ie5ddiOdFL3+FtPHbokL+PTLlNpUbMfao6O+69PzawfyikkE1+
rxsK+NL5X0P++/VtHmHPT5KKaDsqoxqVktZJE22bSQOP//F6Jjfwz9TavryFyXll
zvTUrThcM84uBl2rYzlnQxpl8bW7NmHqcIAD/6TVkzDnw8FczCzTGauYXjrCUQU6
kn1eBDwjh0oDilKowEELvIC2XrVFw8rGMIopmeJ3YJ9AGwYOZXRD3UVyAAtfAKUH
tVZS52pogMrTHcmHDaUwv+ZcNZ7N4P7RxsFG5oe6LYo80JexHncAvrbzLslB5Wgr
Dvj5qJcwggPsMIIC1KADAgECAgQJ+4/tMA0GCSqGSIb3DQEBDQUAMFcxGjAYBgNV
BAoMEUV4YW1wbGUtcmhjczkyLUNBMRgwFgYDVQQLDA9na2Fwb29yX1JIQ1NfNzUx
HzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMTgwMTIzMDYyMDU5
WhcNMzgwMTIzMDYyMDU5WjBXMRowGAYDVQQKDBFFeGFtcGxlLXJoY3M5Mi1DQTEY
MBYGA1UECwwPZ2thcG9vcl9SSENTXzc1MR8wHQYDVQQDDBZDQSBTaWduaW5nIENl
cnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqC61zM1a
nDUBsOPigfWreofK8+vH1vBSx9MK071dACmorAEvPUTdFrPZUrIQg/lXJoSWmdmE
M+zDu7xgKcmXyf6S0uPHm+1SyRTpCot4+zadhtPEFFJ6aGvonFzdP/7c2wkRAizi
x8ptYxmzHB9+xHTnTfP1Lf23rMW5DnU7mZe+quCjLlFtd+fp6ROXvBuKforFrmEe
sP4p9i8fb02nVGsjXPFsq9vB7Jla/2eVJFcn8dQTUadskk1KroEg0b9Xxuluimth
lfOxQigVbvhjD9bwjtxBdEnXBrsQ+qIsQGehb/4YCupRVQQjGaiWu+ereAbIGuQh
Ik+b2jiazGGt+QIDAQABo4G/MIG8MB8GA1UdIwQYMBaAFMlus01K+zt1TdjJDJJk
1JGu216/MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMB0GA1UdDgQW
BBTJbrNNSvs7dU3YyQySZNSRrttevzBZBggrBgEFBQcBAQRNMEswSQYIKwYBBQUH
MAGGPWh0dHA6Ly9jc3FhNC1ndWVzdDA0LmlkbS5sYWIuZW5nLnJkdS5yZWRoYXQu
Y29tOjIwMDgwL2NhL29jc3AwDQYJKoZIhvcNAQENBQADggEBAJpnxPmOcIvKtgBx
VKzojsrBGrZR1r2jP59WDmPMWQxn2hR5PwV0rsXXxbR5zCNWLoCyoTGxU5vFx0or
LtQjpi9SfYKwkB5STG2qZ0D8xLyyXm384ZZ2a5phwAYLg6YYgtEf34P4RSKFTOd6
IKu6wBZcl6nhDevOWHluI3quG1qnM6Q11uk4Co0P+eh8weiQRIqTY25NwKpNDTEM
lLP8cQCPkxmhxIT3ig80NlnWv/5C9HGWm5ZzMjEr2La/UKCiMx0szcRs5I0jSxLR
YTHX/Sycdi3SkS9S7n6bsU74olGC7lGjkDE6o9+iQNK6h4w1uKjW7gv0VbuQxqbc
vtWKjGcxAA==
-----END PKCS7-----

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/2

------------------------------------------------------------------------
On 2018-04-23T17:41:21+00:00 evan.hisey wrote:

I am seeing the same error using an openssl rootCA and the ca-external
pki setup. This is on a clean 7.5 minimal install with PKI subsystem.

RPMS:
pki-kra-10.5.1-9.el7.noarch
jss-4.4.0-11.el7.x86_64
nss-pem-1.0.3-4.el7.x86_64
pki-tools-10.5.1-9.el7.x86_64
pki-usgov-dod-cacerts-0.0.6-4.el7.noarch
nss-util-3.34.0-2.el7.x86_64
nss-sysinit-3.34.0-4.el7.x86_64
pki-ca-10.5.1-9.el7.noarch
pki-server-10.5.1-9.el7.noarch
pki-base-10.5.1-9.el7.noarch
nss-3.34.0-4.el7.x86_64
pki-base-java-10.5.1-9.el7.noarch
pki-symkey-10.5.1-9.el7.x86_64
nss-softokn-3.34.0-2.el7.x86_64
nss-tools-3.34.0-4.el7.x86_64
nss-softokn-freebl-3.34.0-2.el7.x86_64

When running pkispawn -f /root/ca-setup/ca-external-step2.cfg -s CA I
get almost all the way through the setup and then error out as above,
though it claims to successfully import the root CA prior to bombing out.

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/3

------------------------------------------------------------------------
On 2018-04-25T16:55:15+00:00 mharmsen wrote:

Per RHEL 7.5.z/7.6/8.0 Triage:  7.6

edewata: seems to be a common scenario.

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/4

------------------------------------------------------------------------
On 2018-04-30T23:08:59+00:00 gkapoor wrote:

Hi Evan,

Could you please share the procedure that you followed, and also
share/check the certificates to see if there are duplicate certificates
in the ca_signing cert and the external certificate chain (PKCS#7
certificate)?

Thanks
Geetika

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/5

------------------------------------------------------------------------
On 2018-05-06T13:33:00+00:00 jared.szechy wrote:

I too am having the same problem using an external openssl signing CA
with pkispawn.

pkispawn    : INFO     ....... loading caSigningCert External CA certificate
pki.nssdb   : DEBUG    Command: certutil -L -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmpFIAhfd/password.txt -n caSigningCert External CA -a
pkispawn    : INFO     ....... configuring PKI configuration data.

Installation failed:
<!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 – Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>org.jboss.resteasy.spi.UnhandledException: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
	org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
	org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
	org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
	org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
</pre><p><b>Root Cause</b></p><pre>Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
	com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
	com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
	com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:542)
	com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2754)
	com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2578)
	org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:483)
	org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
	org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:170)
	org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:105)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:498)
	org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
	org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
	org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
	org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
	org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
</pre><p><b>Root Cause</b></p><pre>Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
	com.netscape.ca.CertificateAuthority.getCACert(CertificateAuthority.java:1621)
	com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:315)
	com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
	com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:542)
	com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2754)
	com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2578)
	org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:483)
	org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
	org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:170)
	org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:105)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:498)
	org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
	org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
	org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
	org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
	org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
</pre><p><b>Root Cause</b></p><pre>java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/6

------------------------------------------------------------------------
On 2018-05-07T13:18:24+00:00 gkapoor wrote:

Hi Jared,

Could you please share the procedure that you followed, and also share/check the certificates to see if there are duplicate certificates in the ca_signing cert and the external certificate chain (PKCS#7 certificate)?
I am trying to understand whether this is the same use case as, or a different use case from, the one for which I created this Bugzilla.

Thanks
Geetika

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/9

------------------------------------------------------------------------
On 2018-05-07T23:23:39+00:00 jared.szechy wrote:

Geetika,

I used the steps outlined on
http://www.dogtagpki.org/wiki/Installing_CA_with_External_CA_Signing_Certificate

ca-step1.cfg
=========

[DEFAULT]
pki_admin_email=jared@xxxxxxxxxxx
pki_client_pkcs12_password=[password_here]
pki_admin_password=[password_here]
pki_admin_uid=caadmin
pki_ds_bind_dn=cn=Directory Manager
pki_ds_hostname=ca.company.com
pki_ds_password=[password_here]
pki_security_domain_name=Company

[CA]
pki_ds_base_dn=o=pki-tomcat-CA

pki_ca_signing_subject_dn=cn=Company Root CA2,o=Company,c=US
pki_ca_signing_csr_path=/home/jared/ca_signing.csr

pki_external=True
pki_external_step_two=False

ca-step2.cfg
=========

[DEFAULT]
pki_admin_email=jared@xxxxxxxxxxx
pki_client_pkcs12_password=[password_here]
pki_admin_password=[password_here]
pki_admin_uid=caadmin
pki_ds_bind_dn=cn=Directory Manager
pki_ds_hostname=ca.company.com
pki_ds_password=[password_here]
pki_security_domain_name=Company

[CA]
pki_ds_base_dn=o=pki-tomcat-CA

pki_ca_signing_subject_dn=cn=Company Root CA2,o=Company,c=US
pki_ca_signing_csr_path=/home/jared/ca_signing.csr
pki_ca_signing_cert_path=/home/jared/ca.pem
pki_cert_chain_path=/home/jared/root.pem

pki_external=True
pki_external_step_two=True


Procedure
=========
Generate the CSR using step1 config
$ sudo pkispawn -f ca-step1.cfg -s CA

Sign the CSR using external Root CA (OpenSSL).

Complete setup process using step2 config
$ sudo pkispawn -f ca-step2.cfg -s CA

Step 2 of pkispawn is what fails with the previously posted exceptions.

I've tried several cases when it comes to providing the certificate
chain. In the above scenario the ca_signing cert is a single pem (signed
cert) and the cert_chain is a single pem (self-signed root cert). I've
also tried using a pkcs7 chain as the ca_signing cert, and no chain, as
well as a pem ca_signing cert and a pkcs7 chain. All of the cases failed
in the same way.

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/10

------------------------------------------------------------------------
On 2018-05-09T20:30:47+00:00 mharmsen wrote:

Per RHEL 7.5.z/7.6/8.0 Triage:  7.5.z

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/11

------------------------------------------------------------------------
On 2018-06-07T17:13:07+00:00 edewata wrote:

FYI, some of the issues discussed here were probably caused by invalid
path in pki_ca_signing_cert_path. It will be addressed in bug #1588655
by adding input validation.

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/12
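
The message in the title is a DER length-decoding failure: a length octet of 0x89 announces nine following length octets, and the parser behind X509CertImpl accepts at most four, so whatever bytes reached com.netscape.ca.CertificateAuthority.getCACert were not a DER Certificate at that offset. Every reporter above hit it while loading the signing certificate during pkispawn step 2, gkapoor asks in comments 5 and 9 whether the ca_signing cert and the PKCS#7 chain carry duplicate certificates, and edewata points at an invalid pki_ca_signing_cert_path. The script below is an added example, not code from Dogtag or from anyone on this thread: it reproduces the same length check, classifies each PEM or DER blob as a single Certificate or a PKCS#7 SignedData bundle, counts the certificates, flags duplicates and reports any certificate whose issuer is not also present. It assumes the file layout the wiki page describes (a single signing cert plus a chain bundle) and uses constructed stand-in certificates with no real keys or signatures; it does not verify signatures, so it complements rather than replaces an openssl verify run.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 #]+)-----(.*?)-----END \1-----", re.S)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2, PKCS#7 signedData

class DerError(ValueError):
    pass

def read_tlv(buf, pos=0):
    """(tag, value, end) of the DER TLV at pos; the 4-octet length cap is the Java parser's rule."""
    if pos + 1 >= len(buf):
        raise DerError("unexpected end of data")
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise DerError("indefinite length is not DER")
    if length > 0x80:                                    # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n > 4:                                        # the check behind "lengthTag=N, too big."
            raise DerError(f"DerInput.getLength(): lengthTag={n}, too big.")
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    if start + length > len(buf):
        raise DerError(f"length {length} runs past end of data")
    return tag, buf[start:start + length], start + length

def children(value):                                     # (tag, inner, raw) of each TLV in a constructed value
    pos = 0
    while pos < len(value):
        tag, inner, end = read_tlv(value, pos)
        yield tag, inner, value[pos:end]
        pos = end

def certificates_in(der):
    """A bare Certificate yields itself; PKCS#7 SignedData yields the certificates it carries."""
    tag, body, end = read_tlv(der)
    if tag != 0x30:
        raise DerError(f"expected SEQUENCE, got tag 0x{tag:02x}")
    kids = list(children(body))
    if kids and kids[0][0] == 0x06 and kids[0][1] == OID_SIGNED_DATA:
        _, signed_data, _ = read_tlv(kids[1][1])         # content [0] EXPLICIT SignedData
        for t, inner, _ in children(signed_data):
            if t == 0xA0:                                # certificates [0] IMPLICIT SET OF Certificate
                return [raw for _, _, raw in children(inner)]
        return []
    return [der[:end]]

def names(cert):                                         # (issuer, subject) as raw DER Names
    _, body, _ = read_tlv(cert)
    _, tbs, _ = read_tlv(body)
    fields = [raw for _, _, raw in children(tbs)]
    if fields[0][0] == 0xA0:                             # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2], fields[4]                          # serial, sigAlg, issuer, validity, subject, ...

def check_file(data):
    """Count the certificates in a PEM or DER file, flag duplicates and issuers the file lacks."""
    blobs = [base64.b64decode(m.group(2)) for m in PEM_RE.finditer(data)] or [data]
    certs = [c for der in blobs for c in certificates_in(der)]
    unique = list(dict.fromkeys(certs))
    subjects = {names(c)[1] for c in unique}
    missing = sum(1 for c in unique if names(c)[0] not in subjects)
    return {"certs": len(certs), "duplicates": len(certs) - len(unique), "missing_issuers": missing}

def parse_error(data):                                   # DerError message for data's outer TLV, else None
    try:
        read_tlv(data)
    except DerError as e:
        return str(e)

# Constructed stand-ins for test data: the right DER shape, but no real keys or signatures.
def tlv(tag, payload):
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    octets = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(octets)]) + octets + payload

def fake_cert(subject, issuer):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, cn))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))          # sha256WithRSAEncryption
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(issuer)
              + tlv(0x30, tlv(0x17, b"180101000000Z") * 2) + name(subject) + tlv(0x30, alg + tlv(0x03, b"\x00")))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))

def fake_pkcs7(certs):
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))
                     + tlv(0xA0, b"".join(certs)) + tlv(0x31, b""))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed))

def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n".encode()

ROOT = fake_cert(b"Root CA", b"Root CA")
LEVEL2 = fake_cert(b"ExternalCA 00", b"Root CA")         # level 2, signed by the root
LEVEL3 = fake_cert(b"ExternalCA 000", b"ExternalCA 00")  # level 3, signed by level 2

if __name__ == "__main__":
    print("ca_signing.crt:", check_file(pem("CERTIFICATE", LEVEL3)))
    print("external.crt  :", check_file(pem("PKCS7", fake_pkcs7([LEVEL2, ROOT]))))
    print("garbage       :", parse_error(b"\x30\x89" + b"\x00" * 9))
```

Run it as is to see the three constructed cases; to check real files before step 2, call check_file on the bytes of the files named in the config, for example open("/home/jared/ca.pem", "rb").read() and the pkcs7 chain, and treat a DerError from check_file as the same symptom the server logs. A signing cert file that yields more than one certificate, a chain with duplicates, or a chain where missing_issuers is non-zero is worth fixing before re-running pkispawn; an OSError on the path is the case edewata describes.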

------------------------------------------------------------------------
On 2018-06-22T17:31:39+00:00 jwooten wrote:

Debug logs from the test package pki-10.5.tar.xz.

It is an sosreport: sosreport-nwcal-subca1.nwc.nws.noaa.gov.02085383-20180620203058.tar.xz

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/13

------------------------------------------------------------------------
On 2018-06-22T17:33:13+00:00 jwooten wrote:

Created attachment 1453796
sosreport-nwcal-subca1.nwc.nws.noaa.gov.02085383-20180620203058.tar.xz

Reply at: https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/comments/14


** Bug watch added: Red Hat Bugzilla #1535797
   https://bugzilla.redhat.com/show_bug.cgi?id=1535797

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1769545

Title:
  DerInput.getLength(): lengthTag=9, too big.

Status in dogtag-pki package in Ubuntu:
  New
Status in dogtag-pki package in Fedora:
  Confirmed

Bug description:
  When using pkispawn with an external root CA the following error
  occurs.

  2018-05-05 15:00:33 [https-jsse-nio-8443-exec-9] FINE: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  2018-05-05 15:00:33 [https-jsse-nio-8443-exec-9] SEVERE: Configuration failed: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  	at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
  	at com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
  	at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:542)
  	at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2754)
  	at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2578)
  	at org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:483)
  	at org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
  	at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:170)
  	at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:105)
  	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
  	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  	at java.lang.reflect.Method.invoke(Method.java:498)
  	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
  	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
  	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
  	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
  	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
  	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
  	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
  	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
  	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
  	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
  	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
  	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
  	at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
  	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
  	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
  	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
  	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
  	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
  	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
  	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
  	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
  	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1460)
  	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
  	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
  	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
  	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
  	at java.lang.Thread.run(Thread.java:748)
  Caused by: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  	at com.netscape.ca.CertificateAuthority.getCACert(CertificateAuthority.java:1621)
  	at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:315)
  	... 45 more
  Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  	at netscape.security.x509.X509CertImpl.<init>(X509CertImpl.java:186)
  	at netscape.security.x509.X509CertImpl.<init>(X509CertImpl.java:160)
  	at com.netscape.ca.CertificateAuthority.getCACert(CertificateAuthority.java:1613)
  	... 46 more

  I'm not sure if the problem is upstream in dogtag or if it's an issue
  with the bionic package. A similar issue has been reported on the
  Red Hat bug tracker:
  https://bugzilla.redhat.com/show_bug.cgi?id=1540924

  Attached is the complete debug log.

  DISTRIB_ID=Ubuntu
  DISTRIB_RELEASE=18.04
  DISTRIB_CODENAME=bionic
  DISTRIB_DESCRIPTION="Ubuntu 18.04 LTS"

  dogtag-pki 10.6.0-1ubuntu2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/+subscriptions
