Hello! I encountered a problem when revoking a certificate: "IPA Error 4035: HTTPRequestError: Request failed with status 500: Non-2xx response from CA REST API: 500."
First of all, I looked at the Apache logs in /var/log/httpd/access_log and found the following error:
[08/Dec/2023:13:27:39 +0300] "POST /ca/rest/agent/certs/10/revoke HTTP/1.1" 500 6504
Then, in /var/log/httpd/error_log:
ipa: INFO: [jsonserver_session] admin@TEST.LOCAL: cert_revoke('10', revocation_reason='0', cacn='ipa', version='2.253'): HTTPRequestError
And finally I found a traceback, which looks like a bug in DogTag, in /var/log/pki/pki-tomcat/ca/debug.2023-12-08.log:
2023-12-08 13:27:39 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: LDAPSession: Retrieving cn=10,ou=certificateRepository, ou=ca,o=ipaca
2023-12-08 13:27:39 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception
org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException: Cannot invoke "String.toLowerCase()" because "<parameter1>" is null
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:422)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
    at jdk.internal.reflect.GeneratedMethodAccessor42.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:221)
    at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at jdk.internal.reflect.GeneratedMethodAccessor41.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
    at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:660)
    at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.rewrite.RewriteValve.invoke(RewriteValve.java:555)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:433)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.NullPointerException: Cannot invoke "String.toLowerCase()" because "<parameter1>" is null
    at org.mozilla.jss.netscape.security.x509.RevocationReason.valueOf(RevocationReason.java:91)
    at org.dogtagpki.server.ca.rest.CertService.revokeCert(CertService.java:180)
    at org.dogtagpki.server.ca.rest.CertService.revokeCert(CertService.java:162)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    ... 49 more
It looks like internal mechanisms in DogTag can't parse some arguments from the LDAP response. When I check a similar request to LDAP with ldapsearch I get a response with the certificate details. Everything looks correct in LDAP.
Additional info for debugging: the command "ipactl status" shows that everything is fine:
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Also, I can create new certificates, but can't delete already-signed ones. I also can't delete services with signed certs, and can't delete hosts with those services.
FreeIPA version: VERSION: 4.11.0, API_VERSION: 2.253
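The triage walked through above (access_log for the 500 on the revoke endpoint, error_log for the cert_revoke call and the reason IPA sent, the Dogtag debug log for the NullPointerException in RevocationReason.valueOf) as a script that correlates the three logs by serial. This is an added example, not part of the thread or of FreeIPA; the embedded log lines are constructed to mirror the ones quoted above, plus a made-up successful revocation of serial 11 for contrast. The only fingerprint it matches on is the one visible in the trace: a NullPointerException whose innermost frame is RevocationReason.valueOf.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines mirroring the three log files quoted above
# (the failing revoke of serial 10, plus an invented successful revoke of serial 11).
ACCESS_LOG = """\
[08/Dec/2023:13:27:39 +0300] "POST /ca/rest/agent/certs/10/revoke HTTP/1.1" 500 6504
[08/Dec/2023:13:29:12 +0300] "POST /ca/rest/agent/certs/11/revoke HTTP/1.1" 200 388
"""

ERROR_LOG = """\
ipa: INFO: [jsonserver_session] admin@TEST.LOCAL: cert_revoke('10', revocation_reason='0', cacn='ipa', version='2.253'): HTTPRequestError
ipa: INFO: [jsonserver_session] admin@TEST.LOCAL: cert_revoke('11', revocation_reason='1', cacn='ipa', version='2.253'): SUCCESS
"""

DEBUG_LOG = """\
2023-12-08 13:27:39 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: LDAPSession: Retrieving cn=10,ou=certificateRepository, ou=ca,o=ipaca
2023-12-08 13:27:39 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException: Cannot invoke "String.toLowerCase()" because "<parameter1>" is null
Caused by: java.lang.NullPointerException: Cannot invoke "String.toLowerCase()" because "<parameter1>" is null
\tat org.mozilla.jss.netscape.security.x509.RevocationReason.valueOf(RevocationReason.java:91)
\tat org.dogtagpki.server.ca.rest.CertService.revokeCert(CertService.java:180)
"""

# Serial and HTTP status of every call to the CA's revoke endpoint.
ACCESS_RE = re.compile(r'"POST /ca/rest/agent/certs/([0-9a-fA-F]+)/revoke HTTP/1\.[01]" (\d{3})')
# Serial, numeric reason and outcome of every cert_revoke the IPA framework logged.
IPA_RE = re.compile(r"cert_revoke\('([0-9a-fA-F]+)', revocation_reason='(\d+)'.*?\): (\w+)")
# The fingerprint of this particular failure: a NullPointerException whose innermost
# frame is RevocationReason.valueOf, i.e. the CA never got a revocation reason to parse.
NPE_RE = re.compile(
    r"Caused by: java\.lang\.NullPointerException:.*\n\s*at "
    r"org\.mozilla\.jss\.netscape\.security\.x509\.RevocationReason\.valueOf"
)


def failed_revocations(access_log: str) -> List[Tuple[str, int]]:
    """Serials whose /revoke call got a non-2xx status from the CA."""
    return [(serial, int(status)) for serial, status in ACCESS_RE.findall(access_log)
            if not 200 <= int(status) < 300]


def ipa_revoke_calls(error_log: str) -> Dict[str, Tuple[int, str]]:
    """serial -> (reason code IPA sent, outcome) from the IPA framework log."""
    return {serial: (int(reason), outcome) for serial, reason, outcome in IPA_RE.findall(error_log)}


def reason_npe_present(debug_log: str) -> bool:
    """True if the Dogtag debug log carries the RevocationReason.valueOf NPE."""
    return NPE_RE.search(debug_log) is not None


def triage(access_log: str, error_log: str, debug_log: str) -> dict:
    """Correlate the three logs and say whether the failure matches this thread's signature."""
    failed = failed_revocations(access_log)
    calls = ipa_revoke_calls(error_log)
    npe = reason_npe_present(debug_log)
    # Only count serials that both got a non-2xx from the CA and errored on the IPA side.
    matched = [s for s, _ in failed if s in calls and calls[s][1] == "HTTPRequestError"]
    return {
        "failed_serials": [s for s, _ in failed],
        "reasons_sent": {s: calls[s][0] for s in matched},
        "reason_npe_in_ca": npe,
        "matches_thread_signature": bool(matched) and npe,
    }


if __name__ == "__main__":
    print(triage(ACCESS_LOG, ERROR_LOG, DEBUG_LOG))
```

On a real server, read the three files instead of the constants; the access_log pattern only looks at the agent revoke endpoint, so other 500s do not count as a match.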
Albert Stoune via FreeIPA-users wrote:
This is related to https://pagure.io/freeipa/issue/9345 . PKI for some reason made the API call for revocation case-sensitive. We weren't aware that this code was in the wild yet. What version of PKI are you running and on what distribution?
rob
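To make Rob's explanation concrete, an added example (not Dogtag's or FreeIPA's code) that models the two sides of the revoke call. The client maps the numeric revocation_reason it has (the '0' in the error_log line above) to a CRLReason name from RFC 5280; the server resolves that name with a case-insensitive match, which is what the toLowerCase() in the trace suggests valueOf(String) does. The JSON field name "reason" and the exact name spellings are assumptions for this example. What it shows is the failure mode: if the field the server looks up is absent (here, because the client sends it under a differently cased key), the server is holding null, and the hardened lookup turns that into a 400 with a message rather than the 500 from an unhandled NullPointerException.

```python
from enum import Enum
from typing import Optional


class RevocationReason(Enum):
    """CRLReason codes from RFC 5280, section 5.3.1 (code 7 is unassigned)."""
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CA_COMPROMISE = 2
    AFFILIATION_CHANGED = 3
    SUPERSEDED = 4
    CESSATION_OF_OPERATION = 5
    CERTIFICATE_HOLD = 6
    REMOVE_FROM_CRL = 8
    PRIVILEGE_WITHDRAWN = 9
    AA_COMPROMISE = 10

    @classmethod
    def from_code(cls, code: int) -> "RevocationReason":
        """Client side: IPA passes the reason as a number ('0' in the error_log line)."""
        try:
            return cls(int(code))
        except ValueError:
            raise ValueError(f"unknown CRLReason code {code!r}") from None

    @classmethod
    def from_name(cls, name: Optional[str]) -> "RevocationReason":
        """Server side: a case-insensitive name lookup, as the toLowerCase() in the
        trace suggests valueOf(String) does. None is refused here instead of being
        dereferenced, which is the difference between a 400 and the 500 in the thread."""
        if name is None:
            raise ValueError("revocation reason is missing")
        key = name.strip().lower().replace("-", "_").replace(" ", "_")
        for member in cls:
            if member.name.lower() == key:
                return member
        raise ValueError(f"unknown revocation reason {name!r}")


class BadRequest(Exception):
    """Stands in for an HTTP 400 response carrying a message the client can act on."""


# Assumed wire format for this example: a JSON object with a lowercase "reason" key.
# The real REST field name and the exact name spellings are not shown on the page.
REASON_FIELD = "reason"


def client_revoke_body(serial: str, reason_code: int) -> dict:
    """Build the body a well-behaved client would send for a revocation."""
    return {REASON_FIELD: RevocationReason.from_code(reason_code).name.title(), "serial": serial}


def server_parse_reason(body: dict, *, exact_key: bool = True) -> RevocationReason:
    """Resolve the reason from a request body. exact_key=True models the case-sensitive
    field lookup Rob describes: a body carrying 'Reason' instead of 'reason' yields None.
    Either way a missing or unknown value becomes BadRequest, never a NullPointerException."""
    if exact_key:
        raw = body.get(REASON_FIELD)
    else:
        raw = next((v for k, v in body.items() if k.lower() == REASON_FIELD), None)
    try:
        return RevocationReason.from_name(raw)
    except ValueError as exc:
        raise BadRequest(str(exc)) from None


if __name__ == "__main__":
    good = client_revoke_body("10", 0)
    print(good, "->", server_parse_reason(good))
    wrong_case = {"Reason": "Unspecified", "serial": "10"}
    try:
        server_parse_reason(wrong_case)
    except BadRequest as exc:
        print("strict lookup:", exc)
    print("lenient lookup:", server_parse_reason(wrong_case, exact_key=False))
```

The lenient lookup is the compatibility shim a server could apply to keep older clients working; the real fix in the thread is on the client side, by updating ipa-server.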
Rob, hello
How can I check the version of PKI installed?
Based on the output of the command "rpm -q --requires ipa-server" I found:
pki-ca >= 10.10.5
pki-kra >= 10.10.5
Additional info: FreeIPA was installed on CentOS by executing command: yum install ipa-server ipa-server-dns
Albert Stoune via FreeIPA-users wrote:
I need to know exactly what you are running so I can try to reproduce it, including the full CentOS release version and rpm package versions for ipa-server and idm-pki-ca.
rob
OS: CentOS Stream release 9
As I said, FreeIPA was installed like this:
- yum install ipa-server ipa-server-dns
Additional info: FreeIPA was configured as an intermediate CA; ipa.csr was signed by an external root CA.
Dependencies installed with the ipa packages:
Output of "rpm -q --requires ipa-server": (pki-acme >= 10.10.5 if pki-ca >= 10.10.0) 389-ds-base >= 2.0.5-1 389-ds-base >= 2.0.5-1 acl certmonger >= 0.79.7-3 chrony config(ipa-server) = 4.11.0-1.el9 cracklib-dicts cyrus-sasl-gssapi(x86-64) font(fontawesome) gssproxy >= 0.7.0-2 gzip httpd >= 2.4.37-21 ipa-client = 4.11.0-1.el9 ipa-common = 4.11.0-1.el9 ipa-server-common = 4.11.0-1.el9 krb5-kdb-version = 9.0 krb5-server >= 1.20.1-1 krb5-server >= 1.21 libc.so.6()(64bit) libc.so.6(GLIBC_2.14)(64bit) libc.so.6(GLIBC_2.2.5)(64bit) libc.so.6(GLIBC_2.25)(64bit) libc.so.6(GLIBC_2.3)(64bit) libc.so.6(GLIBC_2.3.4)(64bit) libc.so.6(GLIBC_2.34)(64bit) libc.so.6(GLIBC_2.4)(64bit) libc.so.6(GLIBC_2.7)(64bit) libc.so.6(GLIBC_2.8)(64bit) libcom_err.so.2()(64bit) libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_3.0.0)(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libgcc_s.so.1(GCC_3.3.1)(64bit) libgssapi_krb5.so.2()(64bit) libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit) libjansson.so.4()(64bit) libjansson.so.4(libjansson.so.4)(64bit) libk5crypto.so.3()(64bit) libk5crypto.so.3(k5crypto_3_MIT)(64bit) libkrad.so.0()(64bit) libkrad.so.0(krad_0_MIT)(64bit) libkrb5.so.3()(64bit) libkrb5.so.3(krb5_3_MIT)(64bit) liblber.so.2()(64bit) liblber.so.2(OPENLDAP_2.200)(64bit) libldap.so.2()(64bit) libldap.so.2(OPENLDAP_2.200)(64bit) libndr-krb5pac.so.0()(64bit) libndr-krb5pac.so.0(NDR_KRB5PAC_0.0.1)(64bit) libndr-standard.so.0()(64bit) libndr.so.3()(64bit) libndr.so.3(NDR_0.0.1)(64bit) libpopt.so.0()(64bit) libpopt.so.0(LIBPOPT_0)(64bit) libpwquality libpwquality.so.1()(64bit) libpwquality.so.1(LIBPWQUALITY_1.0)(64bit) libsamba-errors.so.1()(64bit) libsamba-errors.so.1(SAMBA_ERRORS_1.0.0)(64bit) libsamba-util.so.0()(64bit) libsamba-util.so.0(SAMBA_UTIL_0.0.1)(64bit) libsss_certmap.so.0()(64bit) libsss_certmap.so.0(SSS_CERTMAP_0.0)(64bit) libsss_nss_idmap.so.0()(64bit) libsss_nss_idmap.so.0(SSS_NSS_IDMAP_0.1.0)(64bit) libsss_nss_idmap.so.0(SSS_NSS_IDMAP_0.4.0)(64bit) 
libsss_nss_idmap.so.0(SSS_NSS_IDMAP_0.6.0)(64bit) libtalloc.so.2()(64bit) libtalloc.so.2(TALLOC_2.0.2)(64bit) libtevent.so.0()(64bit) libunistring.so.2()(64bit) libuuid.so.1()(64bit) libuuid.so.1(UUID_1.0)(64bit) libverto.so.1()(64bit) mod_auth_gssapi >= 1.5.0 mod_lookup_identity >= 0.9.9 mod_session >= 2.4.37-21 mod_ssl >= 2.4.37-21 nss-tools >= 3.44.0-4 oddjob open-sans-fonts openldap-clients > 2.4.35-4 openssl > 1.1.1i p11-kit pki-ca >= 10.10.5 pki-kra >= 10.10.5 policycoreutils >= 2.1.12-5 python3 python3 python3-gssapi >= 1.2.0-5 python3-ipaserver = 4.11.0-1.el9 python3-ldap >= 3.1.0-1 python3-mod_wsgi python3-systemd rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(PayloadIsZstd) <= 5.4.18-1 rpmlib(RichDependencies) <= 4.12.0-1 rtld(GNU_HASH) samba-client-libs >= 4.18.6-100.el9 selinux-policy >= 38.1.1-1 selinux-policy-base >= 38.1.1-1 shadow-utils slapi-nis >= 0.56.4 softhsm >= 2.0.0rc1-1 sssd-dbus >= 2.9.0 systemd-units >= 246.6-3 systemd-units >= 246.6-3 systemd-units >= 246.6-3 systemd-units >= 246.6-3 systemd-units >= 246.6-3 tar
Output of "rpm -q --requires ipa-server-dns": bind >= 9.11.20-6 bind-dnssec-utils >= 9.11.20-6 bind-dyndb-ldap >= 11.2-2 bind-utils >= 9.11.20-6 config(ipa-server-dns) = 4.11.0-1.el9 ipa-server = 4.11.0-1.el9 opendnssec >= 2.1.6-5 openssl-pkcs11 >= 0.4.10-6 rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(PayloadIsZstd) <= 5.4.18-1 softhsm >= 2.5.0-4
As you wrote about idm-pki-ca, the output of "rpm -q --requires idm-pki-ca" is: idm-pki-server = 11.4.2-1.el9 rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(PayloadIsZstd) <= 5.4.18-1
I don't need the requires, I need the installed package versions. I think you may have a strange mix of old and new packages. I installed a fresh CentOS-9-stream and revocation works there.
# rpm -q ipa-server idm-pki-ca
ipa-server-4.11.0-3.el9.x86_64
idm-pki-ca-11.4.2-1.el9.noarch
rob
Albert Stoune via FreeIPA-users wrote:
Hello Rob! Sorry for the delay in responding; I checked the installed packages.
Output of the command "rpm -q ipa-server ipa-server-dns idm-pki-ca":
ipa-server-4.11.0-1.el9.x86_64
ipa-server-dns-4.11.0-1.el9.noarch
idm-pki-ca-11.4.2-1.el9.noarch
It seems similar to your output...
Perhaps the problem is that FreeIPA is configured as an intermediate CA?
I just tested again on a clean installation with these packages:
ipa-server-4.11.0-1.el9.x86_64
ipa-server-dns-4.11.0-1.el9.noarch
idm-pki-ca-11.4.2-1.el9.noarch
And I think I am ready to write the steps to reproduce the error:
1. Initiate the FreeIPA installation by executing a command like this:
ipa-server-install --setup-dns --no-forwarders --subject-base='OU = Test, O = TEST.LOCAL, L = SanFrancisco, ST = SanFrancisco C = US' --external-ca --no-ntp --ca-subject='C = US, ST = SanFrancisco , L = SanFrancisco , O = TEST.LOCAL, OU = IT DEPT, CN = EXTERNALROOTCA'
2. Sign the ipa.csr at EXTERNALROOTCA with openssl, using these extensions:
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
3. Finish the installation and import the certs like this: "ipa-server-install --external-cert-file=<PATH TO SIGNED IPA CERT> --external-cert-file=<PATH TO CA CERT>"
4. Then add a host, create a service, and request a service certificate: ipa-getcert request -K <SERVICE FULL NAME> -d /etc/pki/nssdb/ -n <SERVICE FULL NAME>
The certificate is successfully created and "ipa-getcert list" shows everything is OK.
Then try to revoke the certificate, and you get an error.
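Steps 2 and 3 of the reproduction above as a runnable, added example that is not from the thread: a throwaway external root CA signs a stand-in CSR using exactly the v3_intermediate_ca section quoted, then the chain is verified and the issued certificate is checked for the constraints a practitioner would eyeball by hand (CA:TRUE with pathlen:0, keyCertSign and cRLSign present). Everything is generated in a temporary directory by shelling out to the openssl binary; the subject names are assumptions taken from the thread's DNs with spaces removed. Against a real deployment you would sign the ipa.csr that ipa-server-install writes with your real root and pass the two PEM files to ipa-server-install --external-cert-file as in step 3.

```python
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# The extension section from the reproduction steps, verbatim.
V3_INTERMEDIATE_CA = """\
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
"""

# Assumed subjects for this example (the thread's DNs, spaces removed); adjust for your CA.
ROOT_SUBJ = "/C=US/ST=SanFrancisco/L=SanFrancisco/O=TEST.LOCAL/OU=IT DEPT/CN=EXTERNALROOTCA"
IPA_SUBJ = "/O=TEST.LOCAL/CN=Certificate Authority"


def _openssl(*args: str, cwd: Path) -> str:
    """Run one openssl command in cwd and return its stdout; raise if it fails."""
    res = subprocess.run(["openssl", *args], cwd=cwd, capture_output=True, text=True, check=True)
    return res.stdout


def sign_intermediate_csr(workdir: Optional[Path] = None) -> dict:
    """Create a throwaway root, sign an IPA-style CSR with V3_INTERMEDIATE_CA, verify the
    chain and return the constraints actually present in the issued certificate."""
    wd = workdir or Path(tempfile.mkdtemp(prefix="ipa-extca-"))
    (wd / "v3.cnf").write_text(V3_INTERMEDIATE_CA)

    # 1. External root CA (self-signed). In production this already exists.
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "3650",
             "-subj", ROOT_SUBJ, "-keyout", "root.key", "-out", "root.pem", cwd=wd)

    # 2. Stand-in for the ipa.csr written by `ipa-server-install --external-ca`.
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-subj", IPA_SUBJ, "-keyout", "ipa.key", "-out", "ipa.csr", cwd=wd)

    # 3. Sign it as a constrained intermediate: CA:true, pathlen:0, keyCertSign + cRLSign.
    _openssl("x509", "-req", "-sha256", "-days", "3650", "-in", "ipa.csr",
             "-CA", "root.pem", "-CAkey", "root.key", "-CAcreateserial",
             "-extfile", "v3.cnf", "-extensions", "v3_intermediate_ca",
             "-out", "ipa.pem", cwd=wd)

    # 4. Chain check, then read back the extensions from the issued certificate.
    verify_out = _openssl("verify", "-CAfile", "root.pem", "ipa.pem", cwd=wd)
    text = _openssl("x509", "-in", "ipa.pem", "-noout", "-text", cwd=wd)
    bc = re.search(r"CA:(TRUE|FALSE)(?:, pathlen:(\d+))?", text)
    ku = re.search(r"X509v3 Key Usage: critical\s*\n\s*(.+)", text)
    return {
        "workdir": str(wd),
        "verify_ok": verify_out.strip().endswith(": OK"),
        "is_ca": bool(bc) and bc.group(1) == "TRUE",
        "pathlen": int(bc.group(2)) if bc and bc.group(2) is not None else None,
        "key_usage": [u.strip() for u in ku.group(1).split(",")] if ku else [],
    }


if __name__ == "__main__":
    print(sign_intermediate_csr())
```

pathlen:0 means the IPA CA may issue end-entity certificates but not further sub-CAs; if you later plan to use IPA's lightweight sub-CAs, sign with a larger path length at the root.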
Hi,
ipa-server-4.11.0-1.el9.x86_64 is not the latest version, and has a known issue with cert revocation: RHEL-14842 https://issues.redhat.com/browse/RHEL-14842 / https://pagure.io/freeipa/issue/9345
The fix is available in ipa-server-4.11.0-2.el9.x86_64.
flo
On Mon, Dec 11, 2023 at 2:43 PM Albert Stoune via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hello Florence!
Thanks for the answer
Yes, I have checked all the steps to reproduce the problem with ipa-server-4.11.0-3.el9.x86_64. Everything is working well; certificate revocation completes.
There is only one question left: what is the best way to update? When I run "dnf update", the system reports that the latest versions of the packages are already installed.
Hi,
On Tue, Dec 12, 2023 at 12:21 PM Albert Stoune via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
For RHEL customers, we recommend updating everything using "dnf update" or "yum update" (do not limit the update to specific packages, as we cannot test all the possible combinations). For CentOS Stream, there are delays between the time a package is built and when it becomes available in the CentOS Stream 9 repositories, but you may also be pointing at a mirror that isn't up to date.
flo
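A check for the question in this sub-thread (is the installed build at or past the one with the fix?), as an added example that is not from the thread. It compares an installed NEVRA such as ipa-server-4.11.0-1.el9.x86_64 against the fixed build flo named using rpm's segment-wise version ordering, reimplemented here so it runs without the rpm tools present. Release numbers are only comparable between builds of the same distribution, so the check refuses to compare an el9 release against an fc39 one (the Fedora 39 report later in the thread is a separate build series with its own numbering). The rpmvercmp reimplementation is this example's own and covers the common cases: numeric and alphabetic segments, tilde pre-releases and caret post-releases.

```python
import re
from dataclasses import dataclass
from typing import Optional

_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does: -1, 0 or 1.
    Separators are ignored; numeric segments compare as integers and beat alphabetic
    ones; '~' sorts before anything, including end of string (pre-releases); '^' sorts
    after end of string but before any ordinary segment (post-releases)."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = j = 0
    while i < len(sa) or j < len(sb):
        x = sa[i] if i < len(sa) else None
        y = sb[j] if j < len(sb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
        elif x == "^" or y == "^":
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
        elif x is None:
            return -1
        elif y is None:
            return 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
        i += 1
        j += 1
    return 0


@dataclass(frozen=True)
class Build:
    name: str
    version: str
    release: str
    arch: str

    @property
    def dist(self) -> Optional[str]:
        """The distribution tag inside the release, e.g. 'el9' or 'fc39'."""
        m = re.search(r"\.(el\d+|fc\d+)", self.release)
        return m.group(1) if m else None


def parse_build(nevra: str) -> Build:
    """'ipa-server-4.11.0-1.el9.x86_64' -> Build('ipa-server', '4.11.0', '1.el9', 'x86_64')."""
    m = re.fullmatch(r"(.+)-([^-]+)-([^-]+)\.([^.]+)", nevra)
    if not m:
        raise ValueError(f"not a name-version-release.arch string: {nevra!r}")
    return Build(*m.groups())


def needs_update(installed: str, fixed: str) -> Optional[bool]:
    """True if installed is older than fixed, False if it already carries the fix,
    None when the two come from different distributions and cannot be compared."""
    i, f = parse_build(installed), parse_build(fixed)
    if i.name != f.name:
        raise ValueError(f"different packages: {i.name} vs {f.name}")
    if i.dist != f.dist:
        return None
    c = rpmvercmp(i.version, f.version) or rpmvercmp(i.release, f.release)
    return c < 0


if __name__ == "__main__":
    fixed = "ipa-server-4.11.0-2.el9.x86_64"
    for installed in ("ipa-server-4.11.0-1.el9.x86_64", "ipa-server-4.11.0-3.el9.x86_64"):
        print(installed, "needs update:", needs_update(installed, fixed))
```

Feed it the output of `rpm -q ipa-server`; a None result means "look up the fixed build for your own distribution" rather than "you are fine".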
--
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Thanks for the answer Flo!
I think we can close the topic with the status "resolved"
I seem to be hitting this same issue on Fedora 39; I currently seem to be unable to revoke any certificate in my setup. freeipa-healthcheck indicates no errors, nor does pki-healthcheck.
From the logs:
2023-12-30 19:35:59 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException: Cannot invoke "String.toLowerCase()" because "<parameter1>" is null
FreeIPA packages:
freeipa-client-common-4.11.0-7.fc39.noarch
freeipa-server-common-4.11.0-7.fc39.noarch
freeipa-selinux-4.11.0-7.fc39.noarch
freeipa-common-4.11.0-7.fc39.noarch
freeipa-client-4.11.0-7.fc39.x86_64
freeipa-server-4.11.0-7.fc39.x86_64
freeipa-server-dns-4.11.0-7.fc39.noarch
freeipa-healthcheck-core-0.16-2.fc39.noarch
freeipa-healthcheck-0.16-2.fc39.noarch
Dogtag packages:
dogtag-pki-theme-11.4.3-2.fc39.1.noarch
dogtag-pki-javadoc-11.4.3-2.fc39.1.noarch
python3-dogtag-pki-11.4.3-2.fc39.1.noarch
dogtag-pki-base-11.4.3-2.fc39.1.noarch
pki-resteasy-jackson2-provider-3.0.26-27.fc39.noarch
pki-resteasy-core-3.0.26-27.fc39.noarch
pki-resteasy-servlet-initializer-3.0.26-27.fc39.noarch
pki-resteasy-client-3.0.26-27.fc39.noarch
pki-resteasy-3.0.26-27.fc39.noarch
dogtag-pki-java-11.4.3-2.fc39.1.noarch
dogtag-pki-tools-11.4.3-2.fc39.1.x86_64
dogtag-pki-server-11.4.3-2.fc39.1.noarch
dogtag-pki-acme-11.4.3-2.fc39.1.noarch
dogtag-pki-ca-11.4.3-2.fc39.1.noarch
dogtag-pki-kra-11.4.3-2.fc39.1.noarch
dogtag-pki-est-11.4.3-2.fc39.1.noarch
dogtag-pki-ocsp-11.4.3-2.fc39.1.noarch
dogtag-pki-tks-11.4.3-2.fc39.1.noarch
dogtag-pki-tps-11.4.3-2.fc39.1.noarch
dogtag-pki-11.4.3-2.fc39.1.x86_64
It has been a while since I tried revoking a cert; not sure how long this has been the case.
Thanks,
Martin Jackson via FreeIPA-users wrote:
I seem to be hitting this same issue on Fedora 39; I seem to currently be unable to revoke any certificate in my setup. freeipa-healthcheck indicates no errors, nor does pki-healthcheck.
From the logs:
2023-12-30 19:35:59 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException: Cannot invoke "String.toLowerCase()" because "<parameter1>" is null
FreeIPA packages:
freeipa-client-common-4.11.0-7.fc39.noarch
freeipa-server-common-4.11.0-7.fc39.noarch
freeipa-selinux-4.11.0-7.fc39.noarch
freeipa-common-4.11.0-7.fc39.noarch
freeipa-client-4.11.0-7.fc39.x86_64
freeipa-server-4.11.0-7.fc39.x86_64
freeipa-server-dns-4.11.0-7.fc39.noarch
freeipa-healthcheck-core-0.16-2.fc39.noarch
freeipa-healthcheck-0.16-2.fc39.noarch
Dogtag packages:
dogtag-pki-theme-11.4.3-2.fc39.1.noarch
dogtag-pki-javadoc-11.4.3-2.fc39.1.noarch
python3-dogtag-pki-11.4.3-2.fc39.1.noarch
dogtag-pki-base-11.4.3-2.fc39.1.noarch
pki-resteasy-jackson2-provider-3.0.26-27.fc39.noarch
pki-resteasy-core-3.0.26-27.fc39.noarch
pki-resteasy-servlet-initializer-3.0.26-27.fc39.noarch
pki-resteasy-client-3.0.26-27.fc39.noarch
pki-resteasy-3.0.26-27.fc39.noarch
dogtag-pki-java-11.4.3-2.fc39.1.noarch
dogtag-pki-tools-11.4.3-2.fc39.1.x86_64
dogtag-pki-server-11.4.3-2.fc39.1.noarch
dogtag-pki-acme-11.4.3-2.fc39.1.noarch
dogtag-pki-ca-11.4.3-2.fc39.1.noarch
dogtag-pki-kra-11.4.3-2.fc39.1.noarch
dogtag-pki-est-11.4.3-2.fc39.1.noarch
dogtag-pki-ocsp-11.4.3-2.fc39.1.noarch
dogtag-pki-tks-11.4.3-2.fc39.1.noarch
dogtag-pki-tps-11.4.3-2.fc39.1.noarch
dogtag-pki-11.4.3-2.fc39.1.x86_64
It has been a while since I tried revoking a cert; not sure how long this has been the case.
I am unable to reproduce this with the same versions on Fedora 39.
To see what is being sent you can create /etc/ipa/server.conf with contents:
[global]
debug=True
Then restart httpd and try a revocation.
Then look in /var/log/httpd/error_log and look for:
POST https://ipa.example.test:443/ca/rest/agent/certs/<SERIAL>/revoke
You will be able to see the data that is sent. For PKI 11.4.0+ it should look something like {"Reason":"Superseded"}
You may want to consider disabling debug mode after testing as it can be rather chatty.
rob
Ack. Will try this - thanks for the reply!
On Jan 2, 2024, at 10:39 AM, Rob Crittenden rcritten@redhat.com wrote:
Martin Jackson via FreeIPA-users wrote:
I seem to be hitting this same issue on Fedora 39; I seem to currently be unable to revoke any certificate in my setup. freeipa-healthcheck indicates no errors, nor does pki-healthcheck.
From the logs:
2023-12-30 19:35:59 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException: Cannot invoke "String.toLowerCase()" because "<parameter1>" is null
FreeIPA packages:
freeipa-client-common-4.11.0-7.fc39.noarch
freeipa-server-common-4.11.0-7.fc39.noarch
freeipa-selinux-4.11.0-7.fc39.noarch
freeipa-common-4.11.0-7.fc39.noarch
freeipa-client-4.11.0-7.fc39.x86_64
freeipa-server-4.11.0-7.fc39.x86_64
freeipa-server-dns-4.11.0-7.fc39.noarch
freeipa-healthcheck-core-0.16-2.fc39.noarch
freeipa-healthcheck-0.16-2.fc39.noarch
Dogtag packages:
dogtag-pki-theme-11.4.3-2.fc39.1.noarch
dogtag-pki-javadoc-11.4.3-2.fc39.1.noarch
python3-dogtag-pki-11.4.3-2.fc39.1.noarch
dogtag-pki-base-11.4.3-2.fc39.1.noarch
pki-resteasy-jackson2-provider-3.0.26-27.fc39.noarch
pki-resteasy-core-3.0.26-27.fc39.noarch
pki-resteasy-servlet-initializer-3.0.26-27.fc39.noarch
pki-resteasy-client-3.0.26-27.fc39.noarch
pki-resteasy-3.0.26-27.fc39.noarch
dogtag-pki-java-11.4.3-2.fc39.1.noarch
dogtag-pki-tools-11.4.3-2.fc39.1.x86_64
dogtag-pki-server-11.4.3-2.fc39.1.noarch
dogtag-pki-acme-11.4.3-2.fc39.1.noarch
dogtag-pki-ca-11.4.3-2.fc39.1.noarch
dogtag-pki-kra-11.4.3-2.fc39.1.noarch
dogtag-pki-est-11.4.3-2.fc39.1.noarch
dogtag-pki-ocsp-11.4.3-2.fc39.1.noarch
dogtag-pki-tks-11.4.3-2.fc39.1.noarch
dogtag-pki-tps-11.4.3-2.fc39.1.noarch
dogtag-pki-11.4.3-2.fc39.1.x86_64
It has been a while since I tried revoking a cert; not sure how long this has been the case.
I am unable to reproduce this with the same versions on Fedora 39.
To see what is being sent you can create /etc/ipa/server.conf with contents:
[global]
debug=True
Then restart httpd and try a revocation.
Then look in /var/log/httpd/error_log and look for:
POST https://ipa.example.test:443/ca/rest/agent/certs/<SERIAL>/revoke
You will be able to see the data that is sent. For PKI 11.4.0+ it should look something like {"Reason":"Superseded"}
You may want to consider disabling debug mode after testing as it can be rather chatty.
rob
Wound up taking this off-list as I wasn't subscribed and it appears the webservice where I could subscribe was down for a while.
I found my issue: I had a stray /etc/sysconfig/pki-tomcat that had PKI_VERSION=10.7.3; apparently an upgrade that needed to upgrade that file...didn't, somehow.
I updated that file with the tomcat.conf from /etc/pki/pki-tomcat/tomcat.conf (i.e. copied it over, but it's important that it be owned pkiuser:pkiuser and not have world read permissions), and now I can revoke certs again.
Thanks, Rob, for helping me through this!
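A small checker for the situation described in this message, written as an added example (it is not FreeIPA or Dogtag code and not something the thread's participants posted). It assumes that both /etc/sysconfig/pki-tomcat and /etc/pki/pki-tomcat/tomcat.conf carry a line of the form PKI_VERSION=<version>, as the stray file in the message did, and that the expected ownership and mode are pkiuser:pkiuser without world-read permission. The demo() function runs it on constructed files in a temporary directory, first reproducing the stale-file state and then the fix (copy tomcat.conf over, tighten the mode); on a real host you would call check_pki_tomcat_env() with the two system paths instead.

```python
"""Detect a stale /etc/sysconfig/pki-tomcat override (added example, not project code)."""
import grp
import os
import pwd
import re
import shutil
import stat
import tempfile

# Assumption: both files carry PKI_VERSION=<x.y.z>, optionally quoted.
VERSION_RE = re.compile(r'^\s*PKI_VERSION\s*=\s*"?([0-9][0-9A-Za-z.]*)"?\s*$')


def read_pki_version(path):
    """Return the PKI_VERSION value found in a sysconfig-style file, or None."""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            match = VERSION_RE.match(line)
            if match:
                return match.group(1)
    return None


def owner_names(st):
    """Map a stat result to (user, group) names, falling back to numeric ids."""
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group


def check_pki_tomcat_env(sysconfig_path, tomcat_conf_path,
                         expected_owner="pkiuser", expected_group="pkiuser"):
    """Return a list of (code, message) findings; an empty list means nothing looked wrong.

    Codes: version-missing, version-mismatch, world-readable, owner, group.
    """
    findings = []
    if not os.path.exists(sysconfig_path):
        return findings  # no override file at all, so nothing can be stale

    stale_version = read_pki_version(sysconfig_path)
    current_version = read_pki_version(tomcat_conf_path)
    if stale_version is None or current_version is None:
        findings.append(("version-missing", "PKI_VERSION not found in one of the files"))
    elif stale_version != current_version:
        findings.append(("version-mismatch",
                         f"{sysconfig_path} says {stale_version}, "
                         f"{tomcat_conf_path} says {current_version}"))

    st = os.stat(sysconfig_path)
    if st.st_mode & stat.S_IROTH:
        findings.append(("world-readable",
                         f"{sysconfig_path} is mode {stat.filemode(st.st_mode)}"))
    user, group = owner_names(st)
    if user != expected_owner:
        findings.append(("owner", f"{sysconfig_path} owned by {user}, expected {expected_owner}"))
    if group != expected_group:
        findings.append(("group", f"{sysconfig_path} group {group}, expected {expected_group}"))
    return findings


def demo(apply_fix=False):
    """Run the check on CONSTRUCTED files; with apply_fix=True, repair them first."""
    workdir = tempfile.mkdtemp(prefix="pki-tomcat-check-")
    stale = os.path.join(workdir, "pki-tomcat")     # stands in for /etc/sysconfig/pki-tomcat
    current = os.path.join(workdir, "tomcat.conf")  # stands in for /etc/pki/pki-tomcat/tomcat.conf
    with open(stale, "w", encoding="utf-8") as fh:
        fh.write("# constructed: leftover from an old install\nPKI_VERSION=10.7.3\n")
    os.chmod(stale, 0o644)                          # world-readable, as a careless copy would be
    with open(current, "w", encoding="utf-8") as fh:
        fh.write("# constructed: what the current package ships\nPKI_VERSION=11.4.3\n")
    if apply_fix:
        shutil.copyfile(current, stale)             # the fix from the thread: copy tomcat.conf over
        os.chmod(stale, 0o640)                      # and drop world read
    me, my_group = owner_names(os.stat(current))    # files we just wrote belong to us
    return check_pki_tomcat_env(stale, current, expected_owner=me, expected_group=my_group)


if __name__ == "__main__":
    for code, message in demo():
        print(f"[{code}] {message}")
    print("after fix:", demo(apply_fix=True))
```

The demo passes the current user and group as the expected owner so that it runs unprivileged; on a real server leave the defaults so that anything other than pkiuser:pkiuser is reported.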
Martin Jackson via FreeIPA-users wrote:
Wound up taking this off-list as I wasn't subscribed and it appears the webservice where I could subscribe was down for a while.
I found my issue: I had a stray /etc/sysconfig/pki-tomcat that had PKI_VERSION=10.7.3; apparently an upgrade that needed to upgrade that file...didn't, somehow.
I updated that file with the tomcat.conf from /etc/pki/pki-tomcat/tomcat.conf (i.e. copied it over, but it's important that it be owned pkiuser:pkiuser and not have world read permissions), and now I can revoke certs again.
Thanks, Rob, for helping me through this!
The dogtag-pki-base package does upgrades through an rpm post-install script like:
if [ $1 -eq 1 ] ; then
    # On RPM installation create system upgrade tracker
    echo "Configuration-Version: 11.2.0" > /etc/pki/pki.version
else
    # On RPM upgrade run system upgrade
    echo "Upgrading PKI system configuration at `/bin/date`." >> /var/log/pki/pki-upgrade-11.2.0.log
    /sbin/pki-upgrade 2>&1 | tee -a /var/log/pki/pki-upgrade-11.2.0.log
    echo >> /var/log/pki/pki-upgrade-11.2.0.log
fi
So maybe look at the pki upgrade logs to see if one or more have failed. I don't know what else might be lurking.
rob