Verify system cert flags in the beginning of Selftest #3183

Open
pki-bot opened this issue Oct 3, 2020 · 9 comments

Comments

@pki-bot

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #3065. Originally filed by dmoluguw (@SilleBille) on 2018-09-24 17:17:49:

  • Assigned to nobody

When selftests are executed, if the nssdb doesn't have certs with correct flags, the debug logs will be misleading.

Solution:
Verify flags of the certs in the beginning of the SelfTest process before verifying the certificate validity.

To reproduce:

  1. Install CA
  2. Stop server:
     systemctl stop pki-tomcatd@pki-tomcat
  3. Remove Trusted Peer flag (P) for ca_audit_signing:
     certutil -M -t "u,u,u" -n ca_audit_signing -d /var/lib/pki/pki-tomcat/alias/
  4. Restart server:
     systemctl start pki-tomcatd@pki-tomcat
  5. Look at the self test and debug logs.

debug-2018-09-xx.log

2020-08-24 16:04:05 [localhost-startStop-1] FINE: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certificate ca_audit_signing is invalid: Invalid certificate: (-8101) Certificate type not approved for application.
2020-08-24 16:04:05 [localhost-startStop-1] FINE: SignedAuditLogger: event CIMC_CERT_VERIFICATION
2020-08-24 16:04:05 [localhost-startStop-1] FINE: LogFile: event type not selected: CIMC_CERT_VERIFICATION
2020-08-24 16:04:05 [localhost-startStop-1] FINE: SignedAuditLogger: event CIMC_CERT_VERIFICATION
2020-08-24 16:04:05 [localhost-startStop-1] FINE: LogFile: event type not selected: CIMC_CERT_VERIFICATION
2020-08-24 16:04:05 [localhost-startStop-1] WARNING: java.lang.Exception: java.lang.Exception: Certificate ca_audit_signing is invalid: Invalid certificate: (-8101) Certificate type not approved for application.
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:845)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:937)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCerts(CertUtils.java:1054)
        at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1692)
        at com.netscape.certsrv.apps.CMS.verifySystemCerts(CMS.java:1310)
        at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:193)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:856)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1802)
        at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1826)

ca_audit_signing should have trust flags of "u,u,Pu"
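The pre-check the issue asks for, as an added example that is not Dogtag PKI's own code: it parses the listing printed by `certutil -L -d <dir>` (format assumed from NSS's usual three-column output), compares each system cert's trust flags against an expected table, and reports a plain mismatch message instead of the misleading "Certificate type not approved" error above. The expected value for ca_audit_signing comes from this issue; the sample listing is constructed.

```python
import re

# Trust attribute column as printed by `certutil -L`: three comma-separated
# slots (SSL, S/MIME, JAR/XPI), each a possibly empty string of NSS trust letters.
TRUST_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")

# Expected flags taken from the issue: the audit signing cert needs the
# trusted-peer flag (P) in the object-signing slot, not just the key flag (u).
EXPECTED_FLAGS = {"ca_audit_signing": "u,u,Pu"}


def parse_certutil_listing(text):
    """Map nickname -> trust string from `certutil -L -d <dir>` output."""
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue  # header, blank or malformed line
        certs[parts[0].strip()] = parts[1]  # nicknames may contain spaces
    return certs


def flags_match(actual, expected):
    """Compare slot by slot as sets; letter order within a slot carries no meaning."""
    a, e = actual.split(","), expected.split(",")
    return all(set(x) == set(y) for x, y in zip(a, e))


def check_trust_flags(listing, expected=EXPECTED_FLAGS):
    """Return a list of human-readable problems; empty means all flags are as expected."""
    certs = parse_certutil_listing(listing)
    problems = []
    for nick, want in expected.items():
        have = certs.get(nick)
        if have is None:
            problems.append(f"{nick}: not found in NSS database")
        elif not flags_match(have, want):
            problems.append(f"{nick}: trust flags are {have!r}, expected {want!r}")
    return problems


# Constructed sample: the database state after the `certutil -M -t "u,u,u"` step.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CTu,Cu,Cu
ca_audit_signing                                             u,u,u
"""

if __name__ == "__main__":
    for problem in check_trust_flags(SAMPLE_LISTING):
        print("ERROR:", problem)
```

Feeding it the real output of `certutil -L -d /var/lib/pki/pki-tomcat/alias` at the start of the self-test run would surface the wrong flags before any validity check is attempted.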

@pki-bot

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2018-09-25 11:34:21

Metadata Update from @mharmsen:

  • Custom field component adjusted to None
  • Custom field feature adjusted to None
  • Custom field origin adjusted to None
  • Custom field proposedmilestone adjusted to None
  • Custom field proposedpriority adjusted to None
  • Custom field reviewer adjusted to None
  • Custom field type adjusted to None
  • Custom field version adjusted to None
  • Issue set to the milestone: 0.0 NEEDS_TRIAGE

@pki-bot

pki-bot commented Oct 3, 2020

Comment from dmoluguw (@SilleBille) at 2018-09-25 13:08:59

Metadata Update from @SilleBille:

  • Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)

@pki-bot

pki-bot commented Oct 3, 2020

Comment from dmoluguw (@SilleBille) at 2018-09-25 13:09:11

Metadata Update from @SilleBille:

  • Issue set to the milestone: 0.0 NEEDS_TRIAGE

@pki-bot

pki-bot commented Oct 3, 2020

Comment from dmoluguw (@SilleBille) at 2018-09-25 13:09:19

Metadata Update from @SilleBille:

  • Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)

@pki-bot

pki-bot commented Oct 3, 2020

Comment from dmoluguw (@SilleBille) at 2018-09-25 16:14:15

Metadata Update from @SilleBille:

  • Issue set to the milestone: 0.0 NEEDS_TRIAGE

@pki-bot

pki-bot commented Oct 3, 2020

Comment from dmoluguw (@SilleBille) at 2018-09-25 16:14:21

Metadata Update from @SilleBille:

  • Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)

@pki-bot

pki-bot commented Oct 3, 2020

Comment from dmoluguw (@SilleBille) at 2018-09-25 16:14:27

Metadata Update from @SilleBille:

  • Issue set to the milestone: 0.0 NEEDS_TRIAGE

@pki-bot

pki-bot commented Oct 3, 2020

Comment from dmoluguw (@SilleBille) at 2018-09-25 16:14:43

Metadata Update from @SilleBille:

  • Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)

@SilleBille

@edewata @cipherboy

This issue is addressed (not fixed) by trust flags healthcheck. IOW, when you run the pki-healthcheck it will report an ERROR.

I'll let you guys decide if we want to close this issue OR if we want to keep this issue and include a test in the self-check, that runs during the start of the server.
