[Pki-devel] ACME Support: Error issuing certificate

Jesse L Van hill jlvanhil at us.ibm.com
Tue May 5 20:02:22 UTC 2020



Hi -

My team is adding ACME 2.0 client support to the Open Liberty application
server and wanted to test against Dogtag PKI's ACME server. My intention is
to containerize the ACME server and drive it through the same functional
tests we run against other ACME CA servers (i.e. - Pebble and Boulder for
instance) to verify compatibility.

The first error I hit was an issue with using JSS 4.7 and I understand that
will be fixed by PR https://github.com/dogtagpki/jss/pull/532 .


      2020-05-04 22:15:53 [http-nio-8080-exec-5] SEVERE: Unable to validate HTTP-01 challenge: Unable to get SunJSSE provider for TLS: SSLContextImpl is not initialized
      java.lang.RuntimeException: Unable to get SunJSSE provider for TLS: SSLContextImpl is not initialized
      	at org.mozilla.jss.provider.javax.net.JSSContextSpi.engineGetSocketFactory(JSSContextSpi.java:118)
      	at javax.net.ssl.SSLContext.getSocketFactory(SSLContext.java:294)
      	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.<init>(SSLConnectionSocketFactory.java:292)
      	at org.apache.http.impl.client.HttpClientBuilder.build(HttpClientBuilder.java:978)
      	at org.apache.http.impl.client.HttpClients.createDefault(HttpClients.java:56)
      	at org.dogtagpki.acme.validator.HTTP01Validator.getResponse(HTTP01Validator.java:112)
      	at org.dogtagpki.acme.validator.HTTP01Validator.validateChallenge(HTTP01Validator.java:63)
      	at org.dogtagpki.acme.server.ACMEChallengeService.handlePOST(ACMEChallengeService.java:99)
      	...

To move past this error, I was advised to move down to JSS 4.6.2. Upon
doing so, I made it past the initial error but now hit the following error:

      2020-05-05 18:36:08 [http-nio-8080-exec-7] SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/acme] threw exception
      org.jboss.resteasy.spi.UnhandledException: org.apache.commons.lang.NotImplementedException: Code is not implemented
      	at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
      	at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
      	...
      Caused by: org.apache.commons.lang.NotImplementedException: Code is not implemented
      	at org.dogtagpki.acme.issuer.ACMEIssuer.generateCertificate(ACMEIssuer.java:61)
      	at org.dogtagpki.acme.issuer.ACMEIssuer.issueCertificate(ACMEIssuer.java:73)
      	at org.dogtagpki.acme.server.ACMEFinalizeOrderService.handlePOST(ACMEFinalizeOrderService.java:79)
      	...

I can see in the ACME server's trace that it does indeed authorize my
ownership of the domain and then try to issue the certificate. Examining
the ACMEIssuer class shows that this class has several methods that are not
implemented.

      https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuer.java#L61

Is this expected or is it possible I have a misconfiguration? I assume I am
testing too early and need to wait until the implementation is further
along, but I wanted to test early enough that if there were issues I could
detect them earlier rather than later.

If it matters, I am testing with the image from @pki/master on a Fedora
30 docker container.


Jesse Van Hill
Websphere Identity Management Architect & Dev Lead
WebSphere Application Server & Open Liberty
https://openliberty.io/
507-513-6234             jlvanhil at us.ibm.com