freeipa team mailing list archive

[Bug 1769545]

 

Issue mentioned in
https://bugzilla.redhat.com/show_bug.cgi?id=1540924#c18 happens when
there are certificates not available. During HSM installation, especially
migrations, client machines need to sync correctly. This can be done
using:

ON CS 8:
=======

 /opt/nfast/bin/rfs-sync --setup --no-authenticate <ip of cs9 machine>
 /opt/nfast/bin/rfs-setup --gang-client --write-noauth <ip of cs9 machine>
 /opt/nfast/bin/rfs-sync --commit


On the RHEL 7 (CS 9) machine, do:

/opt/nfast/bin/rfs-sync --update


After doing this, the NPE which occurred at com.netscape.cms.servlet.csadmin.ConfigurationUtils.createPKCS7(ConfigurationUtils.java:3374) should not occur.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1769545

Title:
  DerInput.getLength(): lengthTag=9, too big.

Status in dogtag-pki package in Ubuntu:
  New
Status in dogtag-pki package in Fedora:
  Confirmed

Bug description:
  When using pkispawn with an external root CA the following error
  occurs.

  2018-05-05 15:00:33 [https-jsse-nio-8443-exec-9] FINE: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  2018-05-05 15:00:33 [https-jsse-nio-8443-exec-9] SEVERE: Configuration failed: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  	at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
  	at com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
  	at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:542)
  	at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2754)
  	at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2578)
  	at org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:483)
  	at org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
  	at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:170)
  	at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:105)
  	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
  	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  	at java.lang.reflect.Method.invoke(Method.java:498)
  	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
  	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
  	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
  	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
  	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
  	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
  	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
  	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
  	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
  	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
  	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
  	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
  	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
  	at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
  	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
  	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
  	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
  	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
  	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
  	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
  	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
  	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
  	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1460)
  	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
  	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
  	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
  	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
  	at java.lang.Thread.run(Thread.java:748)
  Caused by: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  	at com.netscape.ca.CertificateAuthority.getCACert(CertificateAuthority.java:1621)
  	at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:315)
  	... 45 more
  Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
  	at netscape.security.x509.X509CertImpl.<init>(X509CertImpl.java:186)
  	at netscape.security.x509.X509CertImpl.<init>(X509CertImpl.java:160)
  	at com.netscape.ca.CertificateAuthority.getCACert(CertificateAuthority.java:1613)
  	... 46 more

  I'm not sure if the problem is upstream in dogtag or if it's an issue
  with the bionic package. A similar issue has been reported on the
  Red Hat bug tracker:
  https://bugzilla.redhat.com/show_bug.cgi?id=1540924

  Attached is the complete debug log.

  DISTRIB_ID=Ubuntu
  DISTRIB_RELEASE=18.04
  DISTRIB_CODENAME=bionic
  DISTRIB_DESCRIPTION="Ubuntu 18.04 LTS"

  dogtag-pki 10.6.0-1ubuntu2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dogtag-pki/+bug/1769545/+subscriptions

