From pgb205 at yahoo.com Tue Aug 29 15:56:37 2017
From: pgb205 at yahoo.com (pgb205)
Date: Tue, 29 Aug 2017 15:56:37 +0000 (UTC)
Subject: [Pki-users] Unable to retrieve CA chain: request failed with HTTP status 500
References: <359286600.4771134.1504022197025.ref@mail.yahoo.com>
Message-ID: <359286600.4771134.1504022197025@mail.yahoo.com>

I have an install that fails at the following stage:
importing CA chain to RA certificate database
[error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500

the logs are not showing anything obvious
22/Aug/2017:17:02:52][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in adding entry ou=csusers,cn=config:netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20)
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:52][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is true
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown true
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:57][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:02:58][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:02:58][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:07][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection: errorIfDown true
[22/Aug/2017:17:03:07][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:07][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation - caDirUserRenewal caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation - caDirUserRenewal
[22/Aug/2017:17:03:08][profileChangeMonitor]: Start Profile Creation - IECUserRoles caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[22/Aug/2017:17:03:08][profileChangeMonitor]: Done Profile Creation - IECUserRoles
[22/Aug/2017:17:03:08][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:08][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[22/Aug/2017:17:03:09][localhost-startStop-1]: makeConnection: errorIfDown false
[22/Aug/2017:17:03:09][localhost-startStop-1]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
[22/Aug/2017:17:13:08][SerialNumberUpdateTask]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)

and

[23/Aug/2017:15:24:09][CertStatusUpdateTask]: returnConn: mNumConns now 5
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: searching for entry 20170823152409Z
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList.getEntries()
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: entries: 1
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: top: 0
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: DBVirtualList: size: 640
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitRevokedExpiredCertificates: list size: 640
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitRevokedExpiredCertificates: ltSize 1
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitRevokedExpired: curRec: 0 CertRecord: 76
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: Record does not qualify,notAfter Mon Aug 28 16:47:53 UTC 2017 date Wed Aug 23 15:24:09 UTC 2017
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: transitCertList REVOKED_EXPIRED
[23/Aug/2017:15:24:09][CertStatusUpdateTask]: updateCertStatus done

I have full logs if necessary. but I'm unable to determine the cause for the failure. Asking on freeipa forums this is a problem on the CA server but that's as far as I got with this.

From msauton at redhat.com Tue Aug 29 20:14:06 2017
From: msauton at redhat.com (Marc Sauton)
Date: Tue, 29 Aug 2017 13:14:06 -0700
Subject: [Pki-users] Unable to retrieve CA chain: request failed with HTTP status 500
In-Reply-To: <359286600.4771134.1504022197025@mail.yahoo.com>
References: <359286600.4771134.1504022197025.ref@mail.yahoo.com> <359286600.4771134.1504022197025@mail.yahoo.com>
Message-ID:

it seems this may be in the context of IPA, which versions on replica that fails to install and on master?
cat /etc/redhat-release ; rpm -q ipa-server pki-ca ; ls -l /etc/alternatives/java

there are several LDAP error 68 and 20 about existing entries, try to first uninstall the IPA replica before re-installing
I will add some more notes, but it really seems an IPA replica install/configuration failed, and it should be removed before trying again.
Thanks,
M.

extra notes:
the CA debug log seems to show other errors that are unrelated to the ipa-replica-install command with
"RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500"
try to get more lines before that error in the log file /var/log/ipareplica-install.log
and if there are any matching entries in /var/log/httpd/error_log

otherwise, on the system with the error
[22/Aug/2017:17:13:08][SerialNumberUpdateTask]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
try to match the LDAP messages related to that time stamp and with err=68, find the conn=xx and match the corresponding search that generated the "already exist" error, it would be interesting to see the filter and base DN in that search
it should be one of the LDAP connections bound for example, as
"TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca "
and, it should, for example, have LDAP searches in
"ou=certificateRepository,ou=ranges,o=ipaca"
and
"ou=requests,ou=ranges,o=ipaca"

on the master, try to list the DNA ranges that are available:
ipa-replica-manage dnarange-show
it should list for example
ipaserver1.example.com: aaaaaa-bbbbb
ipaserver2.example.com: cccccc-dddddd
and there should be no common ranges
see:
14.3. Displaying Currently Assigned ID Ranges
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/display-id-range.html
and 14.5.
Manual ID Range Extension and Assigning a New ID Range
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/man-set-extend-id-ranges.html

example of what we should see in /var/log/pki/pki-tomcat/ca/debug for getNextRange
[09/Mar/2017:02:49:31][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 10000001 - 20000000
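
The correlation described in the reply above (find the err=68 result near the timestamp, then the request logged under the same conn= and op=, and the identity bound on that connection) can be scripted. This is an added example, not part of the original message or of Dogtag/IPA; the log lines are constructed in the 389 Directory Server access-log format, and the function name and the range-entry DN in the sample are illustrative assumptions.

```python
import re

# Constructed sample in 389 Directory Server access-log format (not taken from the thread).
SAMPLE_ACCESS_LOG = """\
[22/Aug/2017:17:02:52 +0000] conn=7 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[22/Aug/2017:17:02:52 +0000] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[22/Aug/2017:17:02:52 +0000] conn=7 op=1 ADD dn="ou=csusers,cn=config"
[22/Aug/2017:17:02:52 +0000] conn=7 op=1 RESULT err=68 tag=105 nentries=0 etime=0
[22/Aug/2017:17:02:52 +0000] conn=7 op=2 MOD dn="o=ipaca"
[22/Aug/2017:17:02:52 +0000] conn=7 op=2 RESULT err=20 tag=103 nentries=0 etime=0
[22/Aug/2017:17:13:07 +0000] conn=41 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[22/Aug/2017:17:13:07 +0000] conn=41 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[22/Aug/2017:17:13:07 +0000] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[22/Aug/2017:17:13:08 +0000] conn=41 op=1 SRCH base="ou=certificateRepository,ou=ranges,o=ipaca" scope=1 filter="(objectClass=*)" attrs=ALL
[22/Aug/2017:17:13:08 +0000] conn=41 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[22/Aug/2017:17:13:08 +0000] conn=41 op=2 ADD dn="cn=10000001,ou=certificateRepository,ou=ranges,o=ipaca"
[22/Aug/2017:17:13:08 +0000] conn=41 op=2 RESULT err=68 tag=105 nentries=0 etime=0
"""

LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+(?:op=(?P<op>-?\d+)\s+)?(?P<rest>.*)$"
)
RESULT = re.compile(r"^RESULT\s+err=(?P<err>\d+)\s+tag=(?P<tag>\d+)")
BOUND_AS = re.compile(r"client bound as (.+)$")
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def find_failed_operations(log_text, err_code=68, ts_prefix=None):
    """Return the request behind every RESULT err=<err_code>, together with
    the identity bound on that connection. ts_prefix optionally restricts the
    results to timestamps starting with the given string."""
    bound_as = {}   # conn -> bind identity
    requests = {}   # (conn, op) -> (verb, parameters)
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m is None:
            continue
        ts, conn, op, rest = m.group("ts", "conn", "op", "rest")
        cert_bind = BOUND_AS.search(rest)
        if cert_bind:                      # certificate-mapped bind on a TLS connection
            bound_as[conn] = cert_bind.group(1).strip()
            continue
        if op is None:                     # connection-level line without an operation
            continue
        result = RESULT.match(rest)
        if result is None:                 # a request line: remember verb and parameters
            verb, _, tail = rest.partition(" ")
            params = {k: v.strip('"') for k, v in KEY_VALUE.findall(tail)}
            requests[(conn, op)] = (verb, params)
            continue
        err, tag = int(result.group("err")), result.group("tag")
        if err == 0 and tag == "97":       # successful bind response carries the bind DN
            dn = dict(KEY_VALUE.findall(rest)).get("dn", "").strip('"')
            if dn:
                bound_as[conn] = dn
        if err != err_code or (ts_prefix and not ts.startswith(ts_prefix)):
            continue
        verb, params = requests.get((conn, op), ("UNKNOWN", {}))
        hits.append({"time": ts, "conn": conn, "op": op, "verb": verb,
                     "params": params, "bound_as": bound_as.get(conn, "unknown")})
    return hits


if __name__ == "__main__":
    for hit in find_failed_operations(SAMPLE_ACCESS_LOG, 68, "22/Aug/2017:17:13:08"):
        print(hit["time"], "conn=" + hit["conn"], hit["verb"], hit["params"],
              "bound as", hit["bound_as"])
```

Run against the real access log, the `params` of each hit show the DN (or base and filter) of the operation that was rejected, which is the detail the reply asks for.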
From michal at kaspar.in Tue Aug 29 21:18:12 2017
From: michal at kaspar.in (Michal Kašpar)
Date: Tue, 29 Aug 2017 21:18:12 -0000
Subject: [Pki-users] Spawn KRA subsystem to existing CA instance fails with Error in setting certificate names and key sizes
Message-ID: <1504041479.4261.28.camel@kaspar.in>

Hello.

I've got a problem with spawning kra subsystem on existing Dogtag instance which was created as part of IPA installation. When I run ipa-kra-install or pkispawn -s KRA, the result is the same error in /var/lib/pki/pki-tomcat/kra/logs/debug (see below). The pki version is 10.4.1, the ca component works without problem.

I've tried turning off SELinux, checked file permissions on the pki-tomcat components but haven't found anything wrong.

Has anyone an idea, how to debug or solve this problem? The debug level is set to 0 for KRA component and still no hint what might be the problem.

Thank you for any hint.

The last lines in the debug log are:

29/Aug/2017:13:21:54][http-bio-8443-exec-25]: generateCertRequest: getting public key for certificate transport
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: generateCertRequest: getting private key for certificate transport
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: generateCertRequest: private key ID: 76c3a8268120fe025d
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: generateCertRequest: generating generic extensions
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: ConfigurationUtils: createGenericExtensions: begins
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: generateCertRequest: generating PKCS #10 request
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: generateCertRequest: storing cert request
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: configCert: caType is remote
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: ConfigurationUtils: updateConfig() for certTag storage
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: updateConfig() done
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: configCert: remote CA
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: CertRequestPanel: got public key
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: CertRequestPanel: got private key
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: ConfigurationUtils: injectSAN=false
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: CertUtil: content: {xmlOutput=[true], cert_request_type=[pkcs10], profileId=[caInternalAuthDRMstorageCert], cert_request=[MIICfjCCAWYCAQAwOTEV...
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: ConfigurationUtils: POST https://server:443/ca/ee/ca/profileSubmit
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: Server certificate:
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: - subject: CN=server,O=REALM
[29/Aug/2017:13:21:54][http-bio-8443-exec-25]: - issuer: CN=Certificate Authority,O=REALM
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: CertUtil: status: 0
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: CertUtil: cert: MMIIDdjC...
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: generateCertRequest: getting public key for certificate storage
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: generateCertRequest: getting private key for certificate storage
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: generateCertRequest: private key ID: 74c90cb1bb054bd06d9e8b6013
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: generateCertRequest: generating generic extensions
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: ConfigurationUtils: createGenericExtensions: begins
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: generateCertRequest: generating PKCS #10 request
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: generateCertRequest: storing cert request
java.lang.NullPointerException
    at java.util.Hashtable.put(Hashtable.java:459)
    at com.netscape.cmscore.base.SourceConfigStore.put(SourceConfigStore.java:57)
    at com.netscape.cmscore.base.PropConfigStore.put(PropConfigStore.java:157)
    at com.netscape.cmscore.base.PropConfigStore.putString(PropConfigStore.java:306)
    at org.dogtagpki.server.rest.SystemConfigService.updateConfiguration(SystemConfigService.java:593)
    at org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:359)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:176)
    at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:110)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    ...
[29/Aug/2017:13:21:55][http-bio-8443-exec-25]: Error in setting certificate names and key sizes: java.lang.NullPointerException

--
Michal Kašpar

From ryan.trinder at warbyparker.com Thu Aug 31 14:36:41 2017
From: ryan.trinder at warbyparker.com (Ryan Trinder)
Date: Thu, 31 Aug 2017 14:36:41 -0000
Subject: [Pki-users] Mac OS SCEP request failure: "Could not decode the request"
Message-ID:

Hello PKI users!

I am looking to use Dogtag for my org as the full PKI solution. Initially, I'll be using it for certificate issuance for an EAP-TLS rollout. In the beginning to get certificates issued throughout the org, I would like to utilize the SCEP server across multiple devices including Mac OS, iOS, Linux, Windows, Chromebooks.

So far, I have tested with the *sscep* utility on linux and with Mac OS through the mobileconfig xml configuration. Using *sscep* works great on linux, however any testing from Mac OS results in a 500 from the server declaring that the request could not be decoded. I initially thought the requests were using the wrong CA, however intentionally using a wrong CA with the *sscep* utility shows a completely different response in the logs.

Here is an excerpt from the *ca/debug* log for a failed request:

==> ca/debug <==
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: operation=GetCACert
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert selected chain=0
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: Output certificate chain:
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: operation=PKIOperation
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: message=
java.io.EOFException
    at org.mozilla.jss.asn1.ASN1Util.readFully(ASN1Util.java:114)
    at org.mozilla.jss.asn1.ANY$Template.decode(ANY.java:274)
    at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:157)
    at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:146)
    at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:400)
    at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:254)
    at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:247)
    at com.netscape.cmsutil.scep.CRSPKIMessage.decodeCRSPKIMessage(CRSPKIMessage.java:701)
    at com.netscape.cmsutil.scep.CRSPKIMessage.(CRSPKIMessage.java:723)
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:832)
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:370)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: ServletException javax.servlet.ServletException: Could not decode the request.

And the failure from localhost.log

==> localhost.2017-08-31.log <==
Aug 31, 2017 2:20:39 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [caSCEP] in context with path [/ca] threw exception [Could not decode the request.] with root cause
javax.servlet.ServletException: Could not decode the request.
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:381)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

This seems like a MacOS specific difference in the requests, but I cannot determine exactly what it is. Would anyone have any experience with this?

For reference, this is dogtag-pki 10.2.6+git20160317-1 installed via apt on Ubuntu 16.04.
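
The EOFException in the trace above is raised from ASN1Util.readFully while the outer ContentInfo is being decoded, which is what a decoder reports when it is asked for more bytes than the request supplied. As an added diagnostic (not from the thread and not Dogtag code), the sketch below checks a logged `message=` value for characters outside the base64 alphabet and compares the length declared in the outer DER header with the bytes actually present; the function names are illustrative and the sample values are constructed stand-ins, not a real SCEP request.

```python
import base64
import binascii
import re

NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")


def outer_der_length(data):
    """Return (header_len, content_len) of the outermost DER TLV,
    or None when the header itself is incomplete or not definite-length."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def check_pki_message(value):
    """Report illegal characters and whether the decoded bytes cover the
    length announced by the outer SEQUENCE."""
    illegal = sorted(set(NOT_B64.findall(value)))
    # Assumption of this sketch: decode what is left after dropping the illegal
    # characters, so the effect on the DER length becomes visible.
    cleaned = NOT_B64.sub("", value).rstrip("=")
    cleaned += "=" * (-len(cleaned) % 4)
    report = {"illegal_chars": illegal, "declared": None, "present": None}
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except binascii.Error:
        report["verdict"] = "not base64"
        return report
    header = outer_der_length(raw)
    if header is None or raw[0] != 0x30:
        report["verdict"] = "not a DER SEQUENCE"
        return report
    report["declared"] = header[0] + header[1]
    report["present"] = len(raw)
    if report["present"] < report["declared"]:
        report["verdict"] = "truncated"
    elif report["present"] > report["declared"]:
        report["verdict"] = "trailing data"
    else:
        report["verdict"] = "complete"
    return report


def build_samples():
    """Constructed inputs: an intact value, the same value with every '+'
    turned into a space (what URL form-decoding does to an unescaped '+'),
    and the same value cut short."""
    content = b"\x00" + (b"\xfb\xef\xbe" + b"ABC") * 10   # 61 bytes, encodes with '+'
    der = b"\x30" + bytes([len(content)]) + content        # SEQUENCE, short-form length
    intact = base64.b64encode(der).decode("ascii")
    return {
        "intact": intact,
        "plus_as_space": intact.replace("+", " "),
        "cut_short": intact[:40],
    }


if __name__ == "__main__":
    for name, value in build_samples().items():
        print(name, check_pki_message(value))
```

A `truncated` verdict with a non-empty `illegal_chars` list points at the transport encoding of the parameter rather than at the PKCS #7 content itself.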