From cfu at redhat.com Tue Sep 3 15:54:40 2019
From: cfu at redhat.com (Christina Fu)
Date: Tue, 3 Sep 2019 08:54:40 -0700
Subject: [Pki-users] Installation failed: import_pkcs7
In-Reply-To: <12090714d87513f7dd718e18ae10ca3e2a591f09.camel@postmet.com>
References: <12090714d87513f7dd718e18ae10ca3e2a591f09.camel@postmet.com>
Message-ID:

Hi,

Could you provide the following information?
- platform and Dogtag version
- debug log (can be found in /var/lib/pki/pki-tomcat/ca/logs/debug)

thanks,
Christina

On Mon, Aug 19, 2019 at 6:27 AM Pavel Ryabikh wrote:

> Hello dear Dogtag PKI users!
>
>
> I am trying to install the system already for some days - it fails:
>
> There is a description:
> [root at ca ~]# pkispawn -f ca-external-step2.cfg -s CA
> Installation log: /var/log/pki/pki-ca-spawn.20190819144510.log
> Loading deployment configuration from ca-external-step2.cfg.
> Installing CA into /var/lib/pki/pki-tomcat.
> ParsingException: IOException: Sequence tag error 9
> ERROR : pkispawn CalledProcessError: Command '['pki', '-d', '/var/lib/pki/pki-tomcat/alias', 'pkcs7-cert-export', '--pkcs7-file', '/tmp/tmpgx3puk6p/cert_chain.p7b', '--output-prefix', '/tmp/tmptc7rw5h0/cert', '--output-suffix', '.crt']' returned non-zero exit status 255.
>   File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 546, in main
>     scriptlet.spawn(deployer)
>   File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 643, in spawn
>     self.import_system_certs(deployer, nssdb, subsystem)
>   File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 199, in import_system_certs
>     self.import_system_cert(deployer, nssdb, subsystem, 'signing', 'CT,C,C')
>   File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 144, in import_system_cert
>     trust_attributes=trust_attributes)
>   File "/usr/lib/python3.7/site-packages/pki/nssdb.py", line 1295, in import_cert_chain
>     trust_attributes=trust_attributes)
>   File "/usr/lib/python3.7/site-packages/pki/nssdb.py", line 1327, in import_pkcs7
>     subprocess.check_call(cmd)
>   File "/usr/lib64/python3.7/subprocess.py", line 347, in check_call
>     raise CalledProcessError(retcode, cmd)
>
>
> Installation failed: Command failed: pki -d /var/lib/pki/pki-tomcat/alias pkcs7-cert-export --pkcs7-file /tmp/tmpgx3puk6p/cert_chain.p7b --output-prefix /tmp/tmptc7rw5h0/cert --output-suffix .crt
>
> Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20190819144510.log
>
>
> And these are configs:
> STEP1:
> [DEFAULT]
> pki_server_database_password=121212
>
> [CA]
> pki_admin_email=admin at postmet.com
> pki_admin_name=caadmin
> pki_admin_nickname=caadmin
> pki_admin_password=121212
> pki_admin_uid=caadmin
>
> pki_client_database_password=121212
> pki_client_database_purge=False
> pki_client_pkcs12_password=121212
>
> pki_ds_base_dn=dc=ca,dc=lvm,dc=postmet,dc=com
> pki_ds_database=ca
> pki_ds_password=121212
>
> pki_security_domain_name=lvm.postmet.com Security Domain
>
> pki_ca_signing_nickname=ca_signing
> pki_ocsp_signing_nickname=ca_ocsp_signing
> pki_audit_signing_nickname=ca_audit_signing
> pki_sslserver_nickname=sslserver
> pki_subsystem_nickname=subsystem
>
> pki_external=True
> pki_external_step_two=False
>
> pki_ca_signing_csr_path=ca_signing.csr
>
> STEP2:
> [DEFAULT]
> pki_instance_name = pki-tomcat
> pki_admin_password = 121212
> pki_backup_password = 121212
> pki_client_database_password = 121212
> pki_client_pin = 121212
> pki_client_pkcs12_password = 121212
> pki_clone_pkcs12_password = 121212
> pki_ds_password = 121212
> pki_external_pkcs12_password = 121212
> pki_pkcs12_password = 121212
> pki_replication_password = 121212
> pki_security_domain_password = 121212
> pki_server_database_password = 121212
> pki_server_pkcs12_password = 121212
> pki_token_password = 121212
>
> [CA]
> pki_admin_email=admin at postmet.com
> pki_admin_name=caadmin
> pki_admin_nickname=caadmin
> pki_admin_password=121212
> pki_admin_uid=caadmin
>
> pki_client_database_password=121212
> pki_client_database_purge=False
> pki_client_pkcs12_password=121212
>
> pki_ds_base_dn=dc=ca,dc=lvm,dc=postmet,dc=com
> pki_ds_database=ca
> pki_ds_password=121212
>
> pki_security_domain_name=lvm.postmet.com Security Domain
>
> pki_ca_signing_nickname=ca_signing
> pki_ocsp_signing_nickname=ca_ocsp_signing
> pki_audit_signing_nickname=ca_audit_signing
> pki_sslserver_nickname=sslserver
> pki_subsystem_nickname=subsystem
>
> pki_external=True
> pki_external_step_two=True
>
> pki_ca_signing_csr_path=ca_signing.csr
>
> pki_ca_signing_cert_path=ca_signing.crt
> pki_cert_chain_nickname=external
> pki_cert_chain_path=cert_chain.p7b
>
> pki_import_admin_cert = False
> pki_client_admin_cert = ca_admin.cert
> pki_admin_subject_dn=cn=PKI Administrator,o=%(pki_security_domain_name)s
>
>
>
> Please help
>
> --
> Pavel Ryabih
>
> PostMet Corporation
> http://www.postmet.com
>
> Call to sip:pr at postmet.com
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

From pr at postmet.com Wed Sep 4 06:24:00 2019
From: pr at postmet.com (Pavel Ryabikh)
Date: Wed, 04 Sep 2019 09:24:00 +0300
Subject: [Pki-users] Installation failed: import_pkcs7
In-Reply-To:
References: <12090714d87513f7dd718e18ae10ca3e2a591f09.camel@postmet.com>
Message-ID: <6b87c54f590bb92f4c7508fab10f2a7cf821ec06.camel@postmet.com>

Thank you, Christina, for trying to help.
I have sorted out an issue - it was an incorrect certificate format.
Thanks again.

On Tue, 2019-09-03 at 08:54 -0700, Christina Fu wrote:
> Hi,
> Could you provide the following information?
> platform and Dogtag version
> debug log (can be found in /var/lib/pki/pki-tomcat/ca/logs/debug)
> thanks,
> Christina
>
> On Mon, Aug 19, 2019 at 6:27 AM Pavel Ryabikh wrote:
> > Hello dear Dogtag PKI users!
> >
> >
> > I am trying to install the system already for some days - it fails:
> >
> > There is a description:
> > [root at ca ~]# pkispawn -f ca-external-step2.cfg -s CA
> > Installation log: /var/log/pki/pki-ca-spawn.20190819144510.log
> > Loading deployment configuration from ca-external-step2.cfg.
> > Installing CA into /var/lib/pki/pki-tomcat.
> > ParsingException: IOException: Sequence tag error 9
> > ERROR : pkispawn CalledProcessError: Command '['pki', '-d', '/var/lib/pki/pki-tomcat/alias', 'pkcs7-cert-export', '--pkcs7-file', '/tmp/tmpgx3puk6p/cert_chain.p7b', '--output-prefix', '/tmp/tmptc7rw5h0/cert', '--output-suffix', '.crt']' returned non-zero exit status 255.
> >   File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 546, in main
> >     scriptlet.spawn(deployer)
> >   File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 643, in spawn
> >     self.import_system_certs(deployer, nssdb, subsystem)
> >   File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 199, in import_system_certs
> >     self.import_system_cert(deployer, nssdb, subsystem, 'signing', 'CT,C,C')
> >   File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 144, in import_system_cert
> >     trust_attributes=trust_attributes)
> >   File "/usr/lib/python3.7/site-packages/pki/nssdb.py", line 1295, in import_cert_chain
> >     trust_attributes=trust_attributes)
> >   File "/usr/lib/python3.7/site-packages/pki/nssdb.py", line 1327, in import_pkcs7
> >     subprocess.check_call(cmd)
> >   File "/usr/lib64/python3.7/subprocess.py", line 347, in check_call
> >     raise CalledProcessError(retcode, cmd)
> >
> >
> > Installation failed: Command failed: pki -d /var/lib/pki/pki-tomcat/alias pkcs7-cert-export --pkcs7-file /tmp/tmpgx3puk6p/cert_chain.p7b --output-prefix /tmp/tmptc7rw5h0/cert --output-suffix .crt
> >
> > Please check pkispawn logs in /var/log/pki/pki-ca-spawn.20190819144510.log
> >
> >
> > And these are configs:
> > STEP1:
> > [DEFAULT]
> > pki_server_database_password=121212
> >
> > [CA]
> > pki_admin_email=admin at postmet.com
> > pki_admin_name=caadmin
> > pki_admin_nickname=caadmin
> > pki_admin_password=121212
> > pki_admin_uid=caadmin
> >
> > pki_client_database_password=121212
> > pki_client_database_purge=False
> > pki_client_pkcs12_password=121212
> >
> > pki_ds_base_dn=dc=ca,dc=lvm,dc=postmet,dc=com
> > pki_ds_database=ca
> > pki_ds_password=121212
> >
> > pki_security_domain_name=lvm.postmet.com Security Domain
> >
> > pki_ca_signing_nickname=ca_signing
> > pki_ocsp_signing_nickname=ca_ocsp_signing
> > pki_audit_signing_nickname=ca_audit_signing
> > pki_sslserver_nickname=sslserver
> > pki_subsystem_nickname=subsystem
> >
> > pki_external=True
> > pki_external_step_two=False
> >
> > pki_ca_signing_csr_path=ca_signing.csr
> >
> > STEP2:
> > [DEFAULT]
> > pki_instance_name = pki-tomcat
> > pki_admin_password = 121212
> > pki_backup_password = 121212
> > pki_client_database_password = 121212
> > pki_client_pin = 121212
> > pki_client_pkcs12_password = 121212
> > pki_clone_pkcs12_password = 121212
> > pki_ds_password = 121212
> > pki_external_pkcs12_password = 121212
> > pki_pkcs12_password = 121212
> > pki_replication_password = 121212
> > pki_security_domain_password = 121212
> > pki_server_database_password = 121212
> > pki_server_pkcs12_password = 121212
> > pki_token_password = 121212
> >
> > [CA]
> > pki_admin_email=admin at postmet.com
> > pki_admin_name=caadmin
> > pki_admin_nickname=caadmin
> > pki_admin_password=121212
> > pki_admin_uid=caadmin
> >
> > pki_client_database_password=121212
> > pki_client_database_purge=False
> > pki_client_pkcs12_password=121212
> >
> > pki_ds_base_dn=dc=ca,dc=lvm,dc=postmet,dc=com
> > pki_ds_database=ca
> > pki_ds_password=121212
> >
> > pki_security_domain_name=lvm.postmet.com Security Domain
> >
> > pki_ca_signing_nickname=ca_signing
> > pki_ocsp_signing_nickname=ca_ocsp_signing
> > pki_audit_signing_nickname=ca_audit_signing
> > pki_sslserver_nickname=sslserver
> > pki_subsystem_nickname=subsystem
> >
> > pki_external=True
> > pki_external_step_two=True
> >
> > pki_ca_signing_csr_path=ca_signing.csr
> >
> > pki_ca_signing_cert_path=ca_signing.crt
> > pki_cert_chain_nickname=external
> > pki_cert_chain_path=cert_chain.p7b
> >
> > pki_import_admin_cert = False
> > pki_client_admin_cert = ca_admin.cert
> > pki_admin_subject_dn=cn=PKI Administrator,o=%(pki_security_domain_name)s
> >
> >
> >
> > Please help
> >

--
Pavel Ryabih
PostMet Corporation
http://www.postmet.com
Call
to sip:pr at postmet.com

From pr at postmet.com Mon Sep 9 07:32:01 2019
From: pr at postmet.com (Pavel Ryabikh)
Date: Mon, 09 Sep 2019 10:32:01 +0300
Subject: [Pki-users] sscep enroll error
Message-ID: <4aaa38b598ca9529d5061f0dd2686cbdd7f47451.camel@postmet.com>

Hello dear PKI-users!

Our pki system version is:
Fedora 29.
pki-server-10.8.0-0.1.fc30.noarch

We have configured SCEP following:
https://www.dogtagpki.org/wiki/SCEP_Setup

CS.cfg:
...
ca.scep.allowedEncryptionAlgorithms=DES,DES3
ca.scep.allowedHashAlgorithms=MD5,SHA1,SHA256,SHA512
ca.scep.enable=true
ca.scep.encryptionAlgorithm=DES
ca.scep.hashAlgorithm=MD5
ca.scep.nonceSizeLimit=16
...

we also
- installed SSCEP client
- generated CA certificate
$ sscep getca -u http://$HOSTNAME:8080/ca/cgi-bin/pkiclient.exe -c ca.crt
it is checked by
$ openssl x509 -in ca.crt -text
and it is correct
- generated CSR request and a key
$ /usr/bin/mkrequest -ip 172.16.24.238 Uojs93wkfd0IS

and when trying to test enroll we are getting the following error:
(Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException):

# sscep enroll -u http://$HOSTNAME:8080/ca/cgi-bin/pkiclient.exe -c ca.crt -k local.key -r local.csr -l cert.crt -d

sscep: starting sscep, version 0.6.1
sscep: new transaction
sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
sscep: hostname: ca.lvm.postmet.com
sscep: directory: ca/cgi-bin/pkiclient.exe
sscep: port: 8080
sscep: Read request with transaction id: 9A6C3918C54DB994E7E951505983A181
sscep: generating selfsigned certificate
sscep: SCEP_OPERATION_ENROLL
sscep: sending certificate request
sscep: creating inner PKCS#7
sscep: inner PKCS#7 in mem BIO
sscep: request data dump
sscep: data payload size: 415 bytes

sscep: hexdump request payload
sscep: hexdump payload 415
sscep: successfully encrypted payload
sscep: envelope size: 956 bytes
sscep: printing PEM fomatted PKCS#7
sscep: creating outer PKCS#7
sscep: signature added successfully
sscep: adding signed attributes
sscep: adding string attribute transId
sscep: adding string attribute messageType
sscep: adding octet attribute senderNonce
sscep: PKCS#7 data written successfully
sscep: printing PEM fomatted PKCS#7
sscep: applying base64 encoding
sscep: base64 encoded payload size: 2588 bytes
sscep: scep msg: GET /ca/cgi-bin/pkiclient.exe?operation=PKIOperation&message=[...] HTTP/1.0
sscep: server returned status code 500
sscep: mime_err: HTTP/1.1 500
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 3234
Date: Mon, 09 Sep 2019 07:12:32 GMT
Connection: close

HTTP Status 500 – Internal Server Error

Type Exception Report

Message Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

javax.servlet.ServletException: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword
        com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:397)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:498)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
        java.security.AccessController.doPrivileged(Native Method)
        org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        sun.reflect.GeneratedMethodAccessor47.invoke(Unknown Source)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        java.lang.reflect.Method.invoke(Method.java:498)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)

Note The full stack trace of the root cause is available in the server logs.


Apache Tomcat/9.0.21

sscep: wrong (or missing) MIME content type
sscep: error while sending message

Why is it trying to unwrap PKCS10 if we are sending PKCS7?
How can it be fixed?
I am sure you know it. Please help.

--
Pavel Ryabih
PostMet Corporation
http://www.postmet.com
Call to sip:pr at postmet.com

From dmoluguw at redhat.com Tue Sep 10 16:16:22 2019
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Tue, 10 Sep 2019 12:16:22 -0400
Subject: [Pki-users] sscep enroll error
In-Reply-To: <4aaa38b598ca9529d5061f0dd2686cbdd7f47451.camel@postmet.com>
References: <4aaa38b598ca9529d5061f0dd2686cbdd7f47451.camel@postmet.com>
Message-ID: <579d7458101fa73047785be465ca799437405f98.camel@redhat.com>

Hi Pavel,

There was a recent merger of pki-cmscore.jar into pki-cms.jar [1]. As a consequence, `com.netscape.cms.servlet.cert.scep.ChallengePassword` was also affected. I suspect there is some mismatch in the installed version of the packages.

Can you post the result of: `rpm -qa | grep pki` ?

[1] https://github.com/dogtagpki/pki/commits/master/base/server/src/com/netscape/cms/servlet/cert/scep/ChallengePassword.java

Regards,
--Dinesh

On Mon, 2019-09-09 at 10:32 +0300, Pavel Ryabikh wrote:
> Hello dear PKI-users!
>
> Our pki system version is:
> Fedora 29.
> pki-server-10.8.0-0.1.fc30.noarch
>
> We have configured SCEP following:
> https://www.dogtagpki.org/wiki/SCEP_Setup
>
> CS.cfg:
> ...
> ca.scep.allowedEncryptionAlgorithms=DES,DES3
> ca.scep.allowedHashAlgorithms=MD5,SHA1,SHA256,SHA512
> ca.scep.enable=true
> ca.scep.encryptionAlgorithm=DES
> ca.scep.hashAlgorithm=MD5
> ca.scep.nonceSizeLimit=16
> ...
>
> we also
> - installed SSCEP client
> - generated CA certificate
> $ sscep getca -u http://$HOSTNAME:8080/ca/cgi-bin/pkiclient.exe -c ca.crt
> it is checked by
> $ openssl x509 -in ca.crt -text
> and it is correct
> - generated CSR request and a key
> $ /usr/bin/mkrequest -ip 172.16.24.238 Uojs93wkfd0IS
>
> and when trying to test enroll we are getting the following error:
> (Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException):
>
> # sscep enroll -u http://$HOSTNAME:8080/ca/cgi-bin/pkiclient.exe -c ca.crt -k local.key -r local.csr -l cert.crt -d
>
> sscep: starting sscep, version 0.6.1
> sscep: new transaction
> sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
> sscep: hostname: ca.lvm.postmet.com
> sscep: directory: ca/cgi-bin/pkiclient.exe
> sscep: port: 8080
> sscep: Read request with transaction id: 9A6C3918C54DB994E7E951505983A181
> sscep: generating selfsigned certificate
> sscep: SCEP_OPERATION_ENROLL
> sscep: sending certificate request
> sscep: creating inner PKCS#7
> sscep: inner PKCS#7 in mem BIO
> sscep: request data dump
> sscep: data payload size: 415 bytes
>
> sscep: hexdump request payload
> sscep: hexdump payload 415
> sscep: successfully encrypted payload
> sscep: envelope size: 956 bytes
> sscep: printing PEM fomatted PKCS#7
> sscep: creating outer PKCS#7
> sscep: signature added successfully
> sscep: adding signed attributes
> sscep: adding string attribute transId
> sscep: adding string attribute messageType
> sscep: adding octet attribute senderNonce
> sscep: PKCS#7 data written successfully
> sscep: printing PEM fomatted PKCS#7
> sscep: applying base64 encoding
> sscep: base64 encoded payload size: 2588 bytes
> sscep: scep msg: GET /ca/cgi-bin/pkiclient.exe?operation=PKIOperation&message=[...]
> FAQkC%0AMQQTAjE5MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFM > Q8 > X%0ADTE5MDkwOTA3MTIzMlowHwYJKoZIhvcNAQkEMRIEEMhY6izfmIjbrJo0kGbUbbQw% > 0A > IAYKYIZIAYb4RQEJBTESBBDpm5bmNyqQpJbJXX9leZwfMDAGCmCGSAGG%2BEUBCQcx%0A > Ih > MgOUE2QzM5MThDNTREQjk5NEU3RTk1MTUwNTk4M0ExODEwDQYJKoZIhvcNAQEB%0ABQAE > gY > BThSGDFq9BdXNiOmDxxgw03eEEpxHKTn5jwdHnHxR5nLq2IKmVicyAdyuu%0AAx/ohg2C > AU > 8%2Bg%2Bk914OzYWMh611mmKu5UyliRmq5LofTgXxzF3duW6aeRkMWxpDb%0AzMp1TGXl > Kr > yeo1uPpZ5xZ0GGPqbkhsFlgCc2mhn35B7M2bD4jg%3D%3D%0A HTTP/1.0 > > sscep: server returned status code 500 > sscep: mime_err: HTTP/1.1 500 > Content-Type: text/html;charset=utf-8 > Content-Language: en > Content-Length: 3234 > Date: Mon, 09 Sep 2019 07:12:32 GMT > Connection: close > > HTTP Status 500 ? > Internal > Server Error

> HTTP Status 500 – Internal Server Error
>
> Type Exception Report
>
> Message Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword
>
> Description The server encountered an unexpected condition that prevented it from fulfilling the request.

> Exception
>
> javax.servlet.ServletException:
> Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10
> blob: java.security.cert.CertificateException: Error instantiating
> class for challenge_password java.lang.ClassNotFoundException:
> com.netscape.cms.servlet.cert.scep.ChallengePassword
>         com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:397)
>         javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
>         sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)
>         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         java.lang.reflect.Method.invoke(Method.java:498)
>         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>         java.security.AccessController.doPrivileged(Native Method)
>         javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
>         java.security.AccessController.doPrivileged(Native Method)
>         org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
>         sun.reflect.GeneratedMethodAccessor47.invoke(Unknown Source)
>         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         java.lang.reflect.Method.invoke(Method.java:498)
>         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>         java.security.AccessController.doPrivileged(Native Method)
>         javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>

> Note The full stack trace of the root cause is available in the server logs.
>
> Apache Tomcat/9.0.21

>
> sscep: wrong (or missing) MIME content type
> sscep: error while sending message
>
>
> Why is it trying to unwrap PKCS10 if we are sending PKCS7?
> How can it be fixed?
> I am sure you know it.
> Please help.
>
>

From pr at postmet.com Wed Sep 11 06:20:36 2019
From: pr at postmet.com (Pavel Ryabikh)
Date: Wed, 11 Sep 2019 09:20:36 +0300
Subject: [Pki-users] sscep enroll error
In-Reply-To: <579d7458101fa73047785be465ca799437405f98.camel@redhat.com>
References: <4aaa38b598ca9529d5061f0dd2686cbdd7f47451.camel@postmet.com> <579d7458101fa73047785be465ca799437405f98.camel@redhat.com>
Message-ID:

This is the result of "rpm -qa | grep pki":

pki-tools-10.8.0-0.1.fc30.x86_64
pki-javadoc-10.8.0-0.1.fc30.noarch
python3-pki-10.8.0-0.1.fc30.noarch
pki-ca-10.8.0-0.1.fc30.noarch
dogtag-pki-console-theme-10.8.0-0.1.fc30.noarch
pki-server-10.8.0-0.1.fc30.noarch
pki-tks-10.8.0-0.1.fc30.noarch
dogtag-pki-10.8.0-0.1.fc30.x86_64
pki-base-java-10.8.0-0.1.fc30.noarch
pki-symkey-10.8.0-0.1.fc30.x86_64
pki-ocsp-10.8.0-0.1.fc30.noarch
dogtag-pki-server-theme-10.8.0-0.1.fc30.noarch
pki-base-10.8.0-0.1.fc30.noarch
pki-kra-10.8.0-0.1.fc30.noarch
pki-console-10.8.0-0.1.fc30.noarch
pki-tps-10.8.0-0.1.fc30.x86_64

Does it help to fix the problem?


On Tue, 2019-09-10 at 12:16 -0400, Dinesh Prasanth Moluguwan Krishnamoorthy wrote:
> Hi Pavel,
>
> There was a recent merger of pki-cmscore.jar into pki-cms.jar [1]. As a
> consequence, `com.netscape.cms.servlet.cert.scep.ChallengePassword` was
> also affected. I suspect there is some mismatch in the installed
> version of the packages.
>
> Can you post the result of:
>
> `rpm -qa | grep pki` ?
>
> [1]
> https://github.com/dogtagpki/pki/commits/master/base/server/src/com/netscape/cms/servlet/cert/scep/ChallengePassword.java
>
> Regards,
> --Dinesh
>
> On Mon, 2019-09-09 at 10:32 +0300, Pavel Ryabikh wrote:
> > Hello dear PKI-users!
> >
> > Our pki system version is:
> > Fedora 29.
> > pki-server-10.8.0-0.1.fc30.noarch
> >
> > We have configured SCEP following:
> > https://www.dogtagpki.org/wiki/SCEP_Setup
> >
> > CS.cfg:
> > ...
> > ca.scep.allowedEncryptionAlgorithms=DES,DES3
> > ca.scep.allowedHashAlgorithms=MD5,SHA1,SHA256,SHA512
> > ca.scep.enable=true
> > ca.scep.encryptionAlgorithm=DES
> > ca.scep.hashAlgorithm=MD5
> > ca.scep.nonceSizeLimit=16
> > ...
> >
> > we also
> > - installed SSCEP client
> > - generated CA certificate
> > $ sscep getca -u http://$HOSTNAME:8080/ca/cgi-bin/pkiclient.exe -c ca.crt
> > it is checked by
> > $ openssl x509 -in ca.crt -text
> > and it is correct
> > - generated CSR request and a key
> > $ /usr/bin/mkrequest -ip 172.16.24.238 Uojs93wkfd0IS
> >
> > and when trying to test enroll we are getting the following error:
> > (Could not unwrap PKCS10 blob:
> > java.security.cert.CertificateException:
> > Error instantiating class for challenge_password
> > java.lang.ClassNotFoundException):
> >
> > # sscep enroll -u http://$HOSTNAME:8080/ca/cgi-bin/pkiclient.exe -c ca.crt -k local.key -r local.csr -l cert.crt -d
> >
> > sscep: starting sscep, version 0.6.1
> > sscep: new transaction
> > sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
> > sscep: hostname: ca.lvm.postmet.com
> > sscep: directory: ca/cgi-bin/pkiclient.exe
> > sscep: port: 8080
> > sscep: Read request with transaction id: 9A6C3918C54DB994E7E951505983A181
> > sscep: generating selfsigned certificate
> > sscep: SCEP_OPERATION_ENROLL
> > sscep: sending certificate request
> > sscep: creating inner PKCS#7
> > sscep: inner PKCS#7 in mem BIO
> > sscep: request data dump
> > sscep: data payload size: 415 bytes
> >
> > sscep: hexdump request payload
> > sscep: hexdump payload 415
> > sscep: successfully encrypted payload
> > sscep: envelope size: 956 bytes
> > sscep: printing PEM fomatted PKCS#7
> > sscep: creating outer PKCS#7
> > sscep: signature added successfully
> > sscep: adding signed attributes
> > sscep: adding string attribute transId
> > sscep: adding string attribute messageType
> > sscep: adding octet attribute senderNonce
> > sscep: PKCS#7 data written successfully
> > sscep: printing PEM fomatted PKCS#7
> > sscep: applying base64 encoding
> > sscep: base64 encoded payload size: 2588 bytes
> > sscep: scep msg: GET /ca/cgi-bin/pkiclient.exe?operation=PKIOperation&message=MIIHc.......... HTTP/1.0
> >
> > sscep: server returned status code 500
> > sscep: mime_err: HTTP/1.1 500
> > Content-Type: text/html;charset=utf-8
> > Content-Language: en
> > Content-Length: 3234
> > Date: Mon, 09 Sep 2019 07:12:32 GMT
> > Connection: close
> >
> > HTTP Status 500 – Internal Server Error

> > HTTP Status 500 – Internal Server Error
> >
> > Type Exception Report
> >
> > Message Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword
> >
> > Description The server encountered an unexpected condition that prevented it from fulfilling the request.

> > Exception
> >
> > javax.servlet.ServletException:
> > Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10
> > blob: java.security.cert.CertificateException: Error instantiating
> > class for challenge_password java.lang.ClassNotFoundException:
> > com.netscape.cms.servlet.cert.scep.ChallengePassword
> >         com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:397)
> >         javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
> >         sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)
> >         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         java.lang.reflect.Method.invoke(Method.java:498)
> >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
> >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
> >         java.security.AccessController.doPrivileged(Native Method)
> >         javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> >         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
> >         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
> >         java.security.AccessController.doPrivileged(Native Method)
> >         org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
> >         sun.reflect.GeneratedMethodAccessor47.invoke(Unknown Source)
> >         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         java.lang.reflect.Method.invoke(Method.java:498)
> >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
> >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
> >         java.security.AccessController.doPrivileged(Native Method)
> >         javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> >         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
> >         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
> >

> > Note The full stack trace of the root cause is available in the server logs.
> >
> > Apache Tomcat/9.0.21

> > sscep: wrong (or missing) MIME content type
> > sscep: error while sending message
> >
> >
> > Why is it trying to unwrap PKCS10 if we are sending PKCS7?
> > How can it be fixed?
> > I am sure you know it.
> > Please help.
> >
> >

--
Pavel Ryabih
PostMet Corporation
http://www.postmet.com
Call to sip:pr at postmet.com

From dmoluguw at redhat.com Fri Sep 13 19:14:08 2019
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Fri, 13 Sep 2019 15:14:08 -0400
Subject: [Pki-users] sscep enroll error
In-Reply-To:
References: <4aaa38b598ca9529d5061f0dd2686cbdd7f47451.camel@postmet.com> <579d7458101fa73047785be465ca799437405f98.camel@redhat.com>
Message-ID: <8a415b307d6729c802bb37c03039fa082f3c8f83.camel@redhat.com>

On Wed, 2019-09-11 at 09:20 +0300, Pavel Ryabikh wrote:
> This is the result of "rpm -qa | grep pki":
>
> pki-tools-10.8.0-0.1.fc30.x86_64
> pki-javadoc-10.8.0-0.1.fc30.noarch
> python3-pki-10.8.0-0.1.fc30.noarch
> pki-ca-10.8.0-0.1.fc30.noarch
> dogtag-pki-console-theme-10.8.0-0.1.fc30.noarch
> pki-server-10.8.0-0.1.fc30.noarch
> pki-tks-10.8.0-0.1.fc30.noarch
> dogtag-pki-10.8.0-0.1.fc30.x86_64
> pki-base-java-10.8.0-0.1.fc30.noarch
> pki-symkey-10.8.0-0.1.fc30.x86_64
> pki-ocsp-10.8.0-0.1.fc30.noarch
> dogtag-pki-server-theme-10.8.0-0.1.fc30.noarch
> pki-base-10.8.0-0.1.fc30.noarch
> pki-kra-10.8.0-0.1.fc30.noarch
> pki-console-10.8.0-0.1.fc30.noarch
> pki-tps-10.8.0-0.1.fc30.x86_64
>
> Does it help to fix the problem?

Pavel,

No, it does not. But it helps to identify the issue.

As per your original email, you are using a Fedora 29 system. But the packages installed seem to be built on **Fedora 30**. We don't support installing Fedora 30 packages on Fedora 29.

Also, I see that you are using PKI 10.8.0 version. We haven't officially released it on Fedora. The latest official release is pki-core-10.7.3-3

Regards,
--Dinesh

>
>
> On Tue, 2019-09-10 at 12:16 -0400, Dinesh Prasanth Moluguwan Krishnamoorthy wrote:
> > Hi Pavel,
> >
> > There was a recent merger of pki-cmscore.jar into pki-cms.jar [1]. As a
> > consequence, `com.netscape.cms.servlet.cert.scep.ChallengePassword` was
> > also affected. I suspect there is some mismatch in the installed
> > version of the packages.
> >
> > Can you post the result of:
> >
> > `rpm -qa | grep pki` ?
> >
> > [1]
> > https://github.com/dogtagpki/pki/commits/master/base/server/src/com/netscape/cms/servlet/cert/scep/ChallengePassword.java
> >
> > Regards,
> > --Dinesh
> >
> > On Mon, 2019-09-09 at 10:32 +0300, Pavel Ryabikh wrote:
> > > Hello dear PKI-users!
> > >
> > > Our pki system version is:
> > > Fedora 29.
> > > pki-server-10.8.0-0.1.fc30.noarch
> > >
> > > We have configured SCEP following:
> > > https://www.dogtagpki.org/wiki/SCEP_Setup
> > >
> > > CS.cfg:
> > > ...
> > > ca.scep.allowedEncryptionAlgorithms=DES,DES3
> > > ca.scep.allowedHashAlgorithms=MD5,SHA1,SHA256,SHA512
> > > ca.scep.enable=true
> > > ca.scep.encryptionAlgorithm=DES
> > > ca.scep.hashAlgorithm=MD5
> > > ca.scep.nonceSizeLimit=16
> > > ...
> > >
> > > we also
> > > - installed SSCEP client
> > > - generated CA certificate
> > > $ sscep getca -u http://$HOSTNAME:8080/ca/cgi-bin/pkiclient.exe -c ca.crt
> > > it is checked by
> > > $ openssl x509 -in ca.crt -text
> > > and it is correct
> > > - generated CSR request and a key
> > > $ /usr/bin/mkrequest -ip 172.16.24.238 Uojs93wkfd0IS
> > >
> > > and when trying to test enroll we are getting the following error:
> > > (Could not unwrap PKCS10 blob:
> > > java.security.cert.CertificateException:
> > > Error instantiating class for challenge_password
> > > java.lang.ClassNotFoundException):
> > >
> > > # sscep enroll -u http://$HOSTNAME:8080/ca/cgi-bin/pkiclient.exe -c ca.crt -k local.key -r local.csr -l cert.crt -d
> > >
> > > sscep: starting sscep, version 0.6.1
> > > sscep: new transaction
> > > sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
> > > sscep: hostname: ca.lvm.postmet.com
> > > sscep: directory: ca/cgi-bin/pkiclient.exe
> > > sscep: port: 8080
> > > sscep: Read request with transaction id: 9A6C3918C54DB994E7E951505983A181
> > > sscep: generating selfsigned certificate
> > > sscep: SCEP_OPERATION_ENROLL
> > > sscep: sending certificate request
> > > sscep: creating inner PKCS#7
> > > sscep: inner PKCS#7 in mem BIO
> > > sscep: request data dump
> > > sscep: data payload size: 415 bytes
> > >
> > > sscep: hexdump request payload
> > > sscep: hexdump payload 415
> > > sscep: successfully encrypted payload
> > > sscep: envelope size: 956 bytes
> > > sscep: printing PEM fomatted PKCS#7
> > > sscep: creating outer PKCS#7
> > > sscep: signature added successfully
> > > sscep: adding signed attributes
> > > sscep: adding string attribute transId
> > > sscep: adding string attribute messageType
> > > sscep: adding octet attribute senderNonce
> > > sscep: PKCS#7 data written successfully
> > > sscep: printing PEM fomatted PKCS#7
> > > sscep: applying base64 encoding
> > > sscep: base64 encoded payload size: 2588 bytes
> > > sscep: scep msg: GET /ca/cgi-bin/pkiclient.exe?operation=PKIOperation&message=MIIHc..........
BThSGDFq9BdXNiOmDxxgw03eEEpxHKTn5jwdHnHxR5nLq2IKmVicyAdyuu%0AAx/o > > > hg > > > 2C > > > AU > > > 8%2Bg%2Bk914OzYWMh611mmKu5UyliRmq5LofTgXxzF3duW6aeRkMWxpDb%0AzMp1 > > > TG > > > Xl > > > Kr > > > yeo1uPpZ5xZ0GGPqbkhsFlgCc2mhn35B7M2bD4jg%3D%3D%0A HTTP/1.0 > > > > > > sscep: server returned status code 500 > > > sscep: mime_err: HTTP/1.1 500 > > > Content-Type: text/html;charset=utf-8 > > > Content-Language: en > > > Content-Length: 3234 > > > Date: Mon, 09 Sep 2019 07:12:32 GMT > > > Connection: close > > > > > > HTTP Status 500 ? > > > Internal > > > Server Error

> > > Type Exception Report
> > >
> > > Message Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword
> > >
> > > Description The server encountered an unexpected condition that prevented it from fulfilling the request.
> > >
> > > Exception
> > >
> > > javax.servlet.ServletException: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword
> > >         com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:397)
> > >         javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
> > >         sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)
> > >         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > >         java.lang.reflect.Method.invoke(Method.java:498)
> > >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
> > >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
> > >         java.security.AccessController.doPrivileged(Native Method)
> > >         javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > >         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
> > >         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
> > >         java.security.AccessController.doPrivileged(Native Method)
> > >         org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
> > >         sun.reflect.GeneratedMethodAccessor47.invoke(Unknown Source)
> > >         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > >         java.lang.reflect.Method.invoke(Method.java:498)
> > >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
> > >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
> > >         java.security.AccessController.doPrivileged(Native Method)
> > >         javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > >         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
> > >         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
> > >
> > > Note The full stack trace of the root cause is available in the server logs.
> > >
> > > Apache Tomcat/9.0.21
> > >
> > > sscep: wrong (or missing) MIME content type
> > > sscep: error while sending message
> > >
> > >
> > > Why it is trying to unwrap PKCS10 if we are sending PKCS7 ?
> > > How it can be fixed ?
> > > I am sure you know it.
> > > Please help.

From pr at postmet.com Mon Sep 16 06:11:54 2019
From: pr at postmet.com (Pavel Ryabikh)
Date: Mon, 16 Sep 2019 09:11:54 +0300
Subject: [Pki-users] sscep enroll error
In-Reply-To: <8a415b307d6729c802bb37c03039fa082f3c8f83.camel@redhat.com>
References: <4aaa38b598ca9529d5061f0dd2686cbdd7f47451.camel@postmet.com> <579d7458101fa73047785be465ca799437405f98.camel@redhat.com> <8a415b307d6729c802bb37c03039fa082f3c8f83.camel@redhat.com>
Message-ID:

Dear, Krishnamoorthy,

We are using Fedora 30 (Fedora 29 was a mistake, sorry):

$ cat /etc/os-release
NAME=Fedora
VERSION="30 (Server Edition)"
ID=fedora
VERSION_ID=30
VERSION_CODENAME=""
PLATFORM_ID="platform:f30"
PRETTY_NAME="Fedora 30 (Server Edition)"
ANSI_COLOR="0;34"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:30"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f30/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=30
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=30
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Server Edition"
VARIANT_ID=server

and "pki-server-10.8.0-0.1.fc30.noarch"

What can be a reason of SCEP bug?
Can it be fixed?
How could we use SCEP in this conditions?
Can you at least point a direction to fix it? or it is hopeless to make SCEP work?

On Fri, 2019-09-13 at 15:14 -0400, Dinesh Prasanth Moluguwan Krishnamoorthy wrote:
> On Wed, 2019-09-11 at 09:20 +0300, Pavel Ryabikh wrote:
> > This is the result of "rpm -qa | grep pki":
> >
> > pki-tools-10.8.0-0.1.fc30.x86_64
> > pki-javadoc-10.8.0-0.1.fc30.noarch
> > python3-pki-10.8.0-0.1.fc30.noarch
> > pki-ca-10.8.0-0.1.fc30.noarch
> > dogtag-pki-console-theme-10.8.0-0.1.fc30.noarch
> > pki-server-10.8.0-0.1.fc30.noarch
> > pki-tks-10.8.0-0.1.fc30.noarch
> > dogtag-pki-10.8.0-0.1.fc30.x86_64
> > pki-base-java-10.8.0-0.1.fc30.noarch
> > pki-symkey-10.8.0-0.1.fc30.x86_64
> > pki-ocsp-10.8.0-0.1.fc30.noarch
> > dogtag-pki-server-theme-10.8.0-0.1.fc30.noarch
> > pki-base-10.8.0-0.1.fc30.noarch
> > pki-kra-10.8.0-0.1.fc30.noarch
> > pki-console-10.8.0-0.1.fc30.noarch
> > pki-tps-10.8.0-0.1.fc30.x86_64
> >
> > Does it help to fix the problem ?
> Pavel,
>
> No, it does not. But, helps to identify the issue.
>
> As per your original email, you are using Fedora 29 system. But, the
> packages installed seem to be built on **Fedora 30**. We don't support
> installing Fedora 30 packages on Fedora 29.
>
> Also, I see that you are using PKI 10.8.0 version. We haven't
> officially released it on Fedora. The latest official release is
> pki-core-10.7.3-3
>
> Regards,
> --Dinesh
>
> > On Tue, 2019-09-10 at 12:16 -0400, Dinesh Prasanth Moluguwan Krishnamoorthy wrote:
> > > Hi Pavel,
> > >
> > > There was a recent merger of pki-cmscore.jar into pki-cms.jar [1]. As a
> > > consequence, `com.netscape.cms.servlet.cert.scep.ChallengePassword` was
> > > also affected. I suspect there is some mismatch in the installed
> > > version of the packages.
> > >
> > > Can you post the result of:
> > >
> > > `rpm -qa | grep pki` ?
> > >
> > > [1] https://github.com/dogtagpki/pki/commits/master/base/server/src/com/netscape/cms/servlet/cert/scep/ChallengePassword.java
> > >
> > > Regards,
> > > --Dinesh
> > >
> > > On Mon, 2019-09-09 at 10:32 +0300, Pavel Ryabikh wrote:
> > > > Hello dear PKI-users!
> > > >
> > > > Our pki system version is:
> > > > Fedora 29.
> > > > pki-server-10.8.0-0.1.fc30.noarch
> > > >
> > > > We are configured SCEP following:
> > > > https://www.dogtagpki.org/wiki/SCEP_Setup
> > > >
> > > > CS.cfg:
> > > > ...
> > > > ca.scep.allowedEncryptionAlgorithms=DES,DES3
> > > > ca.scep.allowedHashAlgorithms=MD5,SHA1,SHA256,SHA512
> > > > ca.scep.enable=true
> > > > ca.scep.encryptionAlgorithm=DES
> > > > ca.scep.hashAlgorithm=MD5
> > > > ca.scep.nonceSizeLimit=16
> > > > ...
> > > >
> > > > we also
> > > > - installed SSCEP client
> > > > - generated CA certificate
> > > > $ sscep getca -u http://$HOSTNAME:8080/ca/cgi-bin/pkiclient.exe -c ca.crt
> > > > it is checked by
> > > > $ openssl x509 -in ca.crt -text
> > > > and it is correct
> > > > - generated CSR request and a key
> > > > $ /usr/bin/mkrequest -ip 172.16.24.238 Uojs93wkfd0IS
> > > >
> > > > and when trying to test enroll we are getting the followng error:
> > > > (Could not unwrap PKCS10 blob:
> > > > java.security.cert.CertificateException:
> > > > Error instantiating class for challenge_password
> > > > java.lang.ClassNotFoundException):
> > > >
> > > > # sscep enroll -u http://$HOSTNAME:8080/ca/cgi-bin/pkiclient.exe -c ca.crt -k local.key -r local.csr -l cert.crt -d
> > > >
> > > > sscep: starting sscep, version 0.6.1
> > > > sscep: new transaction
> > > > sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
> > > > sscep: hostname: ca.lvm.postmet.com
> > > > sscep: directory: ca/cgi-bin/pkiclient.exe
> > > > sscep: port: 8080
> > > > sscep: Read request with transaction id: 9A6C3918C54DB994E7E951505983A181
> > > > sscep: generating selfsigned certificate
> > > > sscep: SCEP_OPERATION_ENROLL
> > > > sscep: sending certificate request
> > > > sscep: creating inner PKCS#7
> > > > sscep: inner PKCS#7 in mem BIO
> > > > sscep: request data dump
> > > > sscep: data payload size: 415 bytes
> > > >
> > > > sscep: hexdump request payload
> > > > sscep: hexdump payload 415
> > > > sscep: successfully encrypted payload
> > > > sscep: envelope size: 956 bytes
> > > > sscep: printing PEM fomatted PKCS#7
> > > > sscep: creating outer PKCS#7
> > > > sscep: signature added successfully
> > > > sscep: adding signed attributes
> > > > sscep: adding string attribute transId
> > > > sscep: adding string attribute messageType
> > > > sscep: adding octet attribute senderNonce
> > > > sscep: PKCS#7 data written successfully
> > > > sscep: printing PEM fomatted PKCS#7
> > > > sscep: applying base64 encoding
> > > > sscep: base64 encoded payload size: 2588 bytes
> > > > sscep: scep msg: GET /ca/cgi-bin/pkiclient.exe?operation=PKIOperation&message=MIIHc.......... HTTP/1.0
> > > >
> > > > sscep: server returned status code 500
> > > > sscep: mime_err: HTTP/1.1 500
> > > > Content-Type: text/html;charset=utf-8
> > > > Content-Language: en
> > > > Content-Length: 3234
> > > > Date: Mon, 09 Sep 2019 07:12:32 GMT
> > > > Connection: close
> > > >
> > > > HTTP Status 500 – Internal Server Error

> > > > Type Exception Report
> > > >
> > > > Message Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword
> > > >
> > > > Description The server encountered an unexpected condition that prevented it from fulfilling the request.
> > > >
> > > > Exception
> > > >
> > > > javax.servlet.ServletException: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword
> > > >         com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:397)
> > > >         javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
> > > >         sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)
> > > >         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > >         java.lang.reflect.Method.invoke(Method.java:498)
> > > >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
> > > >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
> > > >         java.security.AccessController.doPrivileged(Native Method)
> > > >         javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > > >         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
> > > >         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
> > > >         java.security.AccessController.doPrivileged(Native Method)
> > > >         org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
> > > >         sun.reflect.GeneratedMethodAccessor47.invoke(Unknown Source)
> > > >         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > >         java.lang.reflect.Method.invoke(Method.java:498)
> > > >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
> > > >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
> > > >         java.security.AccessController.doPrivileged(Native Method)
> > > >         javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > > >         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
> > > >         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
> > > >
> > > > Note The full stack trace of the root cause is available in the server logs.
> > > >
> > > > Apache Tomcat/9.0.21
> > > >
> > > > sscep: wrong (or missing) MIME content type
> > > > sscep: error while sending message
> > > >
> > > >
> > > > Why it is trying to unwrap PKCS10 if we are sending PKCS7 ?
> > > > How it can be fixed ?
> > > > I am sure you know it.
> > > > Please help.

--
Pavel Ryabih
PostMet Corporation
http://www.postmet.com
Call to sip:pr at postmet.com

From dmoluguw at redhat.com Mon Sep 16 14:33:37 2019
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Mon, 16 Sep 2019 10:33:37 -0400
Subject: [Pki-users] sscep enroll error
In-Reply-To:
References: <4aaa38b598ca9529d5061f0dd2686cbdd7f47451.camel@postmet.com> <579d7458101fa73047785be465ca799437405f98.camel@redhat.com> <8a415b307d6729c802bb37c03039fa082f3c8f83.camel@redhat.com>
Message-ID: <40c22e64a32a4da8ad55059260a23f9f39ae67e9.camel@redhat.com>

Pavel,

The error you posted seems to be more of an issue with jar files/classpaths rather than a bug in SCEP itself.

As mentioned before, it is best to try the officially released pki-core-10.7.3-3 rather than building from master (which might have some bugs).

If you face the same issue with 10.7.3-3, I'd suggest you to file a bug against pki-core in https://bugzilla.redhat.com/ with required logs and we'd be able to investigate deeper.

Regards, --Dinesh On Mon, 2019-09-16 at 09:11 +0300, Pavel Ryabikh wrote: > Dear, Krishnamoorthy, > > We are using Fedora 30 (Fedora 29 was a mistake, sorry): > > $ cat /etc/os-release > NAME=Fedora > VERSION="30 (Server Edition)" > ID=fedora > VERSION_ID=30 > VERSION_CODENAME="" > PLATFORM_ID="platform:f30" > PRETTY_NAME="Fedora 30 (Server Edition)" > ANSI_COLOR="0;34" > LOGO=fedora-logo-icon > CPE_NAME="cpe:/o:fedoraproject:fedora:30" > HOME_URL="https://fedoraproject.org/" > DOCUMENTATION_URL=" > https://docs.fedoraproject.org/en-US/fedora/f30/system-administrators-guide/ > " > SUPPORT_URL=" > https://fedoraproject.org/wiki/Communicating_and_getting_help" > BUG_REPORT_URL="https://bugzilla.redhat.com/" > REDHAT_BUGZILLA_PRODUCT="Fedora" > REDHAT_BUGZILLA_PRODUCT_VERSION=30 > REDHAT_SUPPORT_PRODUCT="Fedora" > REDHAT_SUPPORT_PRODUCT_VERSION=30 > PRIVACY_POLICY_URL=" > https://fedoraproject.org/wiki/Legal:PrivacyPolicy" > VARIANT="Server Edition" > VARIANT_ID=server > > and "pki-server-10.8.0-0.1.fc30.noarch" > > What can be a reason of SCEP bug? > Can it be fixed? > How could we use SCEP in this conditions? > Can you at least point a direction to fix it? or it is hopeless to > make > SCEP work? 
>
>
> On Fri, 2019-09-13 at 15:14 -0400, Dinesh Prasanth Moluguwan Krishnamoorthy wrote:
> > On Wed, 2019-09-11 at 09:20 +0300, Pavel Ryabikh wrote:
> > > This is the result of "rpm -qa | grep pki":
> > >
> > > pki-tools-10.8.0-0.1.fc30.x86_64
> > > pki-javadoc-10.8.0-0.1.fc30.noarch
> > > python3-pki-10.8.0-0.1.fc30.noarch
> > > pki-ca-10.8.0-0.1.fc30.noarch
> > > dogtag-pki-console-theme-10.8.0-0.1.fc30.noarch
> > > pki-server-10.8.0-0.1.fc30.noarch
> > > pki-tks-10.8.0-0.1.fc30.noarch
> > > dogtag-pki-10.8.0-0.1.fc30.x86_64
> > > pki-base-java-10.8.0-0.1.fc30.noarch
> > > pki-symkey-10.8.0-0.1.fc30.x86_64
> > > pki-ocsp-10.8.0-0.1.fc30.noarch
> > > dogtag-pki-server-theme-10.8.0-0.1.fc30.noarch
> > > pki-base-10.8.0-0.1.fc30.noarch
> > > pki-kra-10.8.0-0.1.fc30.noarch
> > > pki-console-10.8.0-0.1.fc30.noarch
> > > pki-tps-10.8.0-0.1.fc30.x86_64
> > >
> > > Does it help to fix the problem ?
> > Pavel,
> >
> > No, it does not. But, helps to identify the issue.
> >
> > As per your original email, you are using Fedora 29 system. But, the
> > packages installed seem to be built on **Fedora 30**. We don't support
> > installing Fedora 30 packages on Fedora 29.
> >
> > Also, I see that you are using PKI 10.8.0 version. We haven't
> > officially released it on Fedora. The latest official release is
> > pki-core-10.7.3-3
> >
> > Regards,
> > --Dinesh
> >
> > > On Tue, 2019-09-10 at 12:16 -0400, Dinesh Prasanth Moluguwan Krishnamoorthy wrote:
> > > > Hi Pavel,
> > > >
> > > > There was a recent merger of pki-cmscore.jar into pki-cms.jar [1].
> > > > As a consequence, `com.netscape.cms.servlet.cert.scep.ChallengePassword`
> > > > was also affected. I suspect there is some mismatch in the installed
> > > > version of the packages.
> > > >
> > > > Can you post the result of:
> > > >
> > > > `rpm -qa | grep pki` ?
> > > >
> > > > [1]
> > > > https://github.com/dogtagpki/pki/commits/master/base/server/src/com/netscape/cms/servlet/cert/scep/ChallengePassword.java
> > > >
> > > > Regards,
> > > > --Dinesh
> > > >
> > > > On Mon, 2019-09-09 at 10:32 +0300, Pavel Ryabikh wrote:
> > > > > Hello dear PKI-users!
> > > > >
> > > > > Our pki system version is:
> > > > > Fedora 29.
> > > > > pki-server-10.8.0-0.1.fc30.noarch
> > > > >
> > > > > We are configured SCEP following:
> > > > > https://www.dogtagpki.org/wiki/SCEP_Setup
> > > > >
> > > > > CS.cfg:
> > > > > ...
> > > > > ca.scep.allowedEncryptionAlgorithms=DES,DES3
> > > > > ca.scep.allowedHashAlgorithms=MD5,SHA1,SHA256,SHA512
> > > > > ca.scep.enable=true
> > > > > ca.scep.encryptionAlgorithm=DES
> > > > > ca.scep.hashAlgorithm=MD5
> > > > > ca.scep.nonceSizeLimit=16
> > > > > ...
> > > > >
> > > > > we also
> > > > > - installed SSCEP client
> > > > > - generated CA certificate
> > > > > $ sscep getca -u http://$HOSTNAME:8080/ca/cgi-bin/pkiclient.exe -c ca.crt
> > > > > it is checked by
> > > > > $ openssl x509 -in ca.crt -text
> > > > > and it is correct
> > > > > - generated CSR request and a key
> > > > > $ /usr/bin/mkrequest -ip 172.16.24.238 Uojs93wkfd0IS
> > > > >
> > > > > and when trying to test enroll we are getting the following error:
> > > > > (Could not unwrap PKCS10 blob:
> > > > > java.security.cert.CertificateException:
> > > > > Error instantiating class for challenge_password
> > > > > java.lang.ClassNotFoundException):
> > > > >
> > > > > # sscep enroll -u http://$HOSTNAME:8080/ca/cgi-bin/pkiclient.exe -c ca.crt -k local.key -r local.csr -l cert.crt -d
> > > > >
> > > > > sscep: starting sscep, version 0.6.1
> > > > > sscep: new transaction
> > > > > sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
> > > > > sscep: hostname: ca.lvm.postmet.com
> > > > > sscep: directory: ca/cgi-bin/pkiclient.exe
> > > > > sscep: port: 8080
> > > > > sscep: Read request with transaction id: 9A6C3918C54DB994E7E951505983A181
> > > > > sscep: generating selfsigned certificate
> > > > > sscep: SCEP_OPERATION_ENROLL
> > > > > sscep: sending certificate request
> > > > > sscep: creating inner PKCS#7
> > > > > sscep: inner PKCS#7 in mem BIO
> > > > > sscep: request data dump
> > > > > sscep: data payload size: 415 bytes
> > > > >
> > > > > sscep: hexdump request payload
> > > > > sscep: hexdump payload 415
> > > > > sscep: successfully encrypted payload
> > > > > sscep: envelope size: 956 bytes
> > > > > sscep: printing PEM fomatted PKCS#7
> > > > > sscep: creating outer PKCS#7
> > > > > sscep: signature added successfully
> > > > > sscep: adding signed attributes
> > > > > sscep: adding string attribute transId
> > > > > sscep: adding string attribute messageType
> > > > > sscep: adding octet attribute senderNonce
> > > > > sscep: PKCS#7 data written successfully
> > > > > sscep: printing PEM fomatted PKCS#7
> > > > > sscep: applying base64 encoding
> > > > > sscep: base64 encoded payload size: 2588 bytes
> > > > > sscep: scep msg: GET /ca/cgi-bin/pkiclient.exe?operation=PKIOperation&message=[...] HTTP/1.0
> > > > >
> > > > > sscep: server returned status code 500
> > > > > sscep: mime_err: HTTP/1.1 500
> > > > > Content-Type: text/html;charset=utf-8
> > > > > Content-Language: en
> > > > > Content-Length: 3234
> > > > > Date: Mon, 09 Sep 2019 07:12:32 GMT
> > > > > Connection: close
> > > > >
> > > > > HTTP Status 500 – Internal Server Error

> > > > > HTTP Status 500 – Internal Server Error
> > > > >
> > > > > Type Exception Report
> > > > >
> > > > > Message Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword
> > > > >
> > > > > Description The server encountered an unexpected condition that prevented it from fulfilling the request.
> > > > >
> > > > > Exception

> > > > > javax.servlet.ServletException: Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: java.security.cert.CertificateException: Error instantiating class for challenge_password java.lang.ClassNotFoundException: com.netscape.cms.servlet.cert.scep.ChallengePassword
> > > > >         com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:397)
> > > > >         javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
> > > > >         sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)
> > > > >         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > >         java.lang.reflect.Method.invoke(Method.java:498)
> > > > >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
> > > > >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
> > > > >         java.security.AccessController.doPrivileged(Native Method)
> > > > >         javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > > > >         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
> > > > >         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
> > > > >         java.security.AccessController.doPrivileged(Native Method)
> > > > >         org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
> > > > >         sun.reflect.GeneratedMethodAccessor47.invoke(Unknown Source)
> > > > >         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > >         java.lang.reflect.Method.invoke(Method.java:498)
> > > > >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
> > > > >         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
> > > > >         java.security.AccessController.doPrivileged(Native Method)
> > > > >         javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > > > >         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
> > > > >         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
> > > > > 

> > > > > Note The full stack trace of the root cause is available in the server logs.
> > > > >
> > > > > Apache Tomcat/9.0.21
> > > > >
> > > > > sscep: wrong (or missing) MIME content type
> > > > > sscep: error while sending message
> > > > >
> > > > >
> > > > > Why it is trying to unwrap PKCS10 if we are sending PKCS7 ?
> > > > > How it can be fixed ?
> > > > > I am sure you know it.
> > > > > Please help.
> > > > >
> > > > >
> > > > >

From al at its-lehmann.de Mon Sep 23 20:00:25 2019
From: al at its-lehmann.de (Arno Lehmann)
Date: Mon, 23 Sep 2019 22:00:25 +0200
Subject: [Pki-users] New Release: PKI 10.7.3 is available for testing
Message-ID:

Hi all,

I managed to upgrade my Fedora-based PKI system to Release 31, which is not yet ready for production (as I think I found).

Now, after the upgrade, I can enjoy server error 500 messages once the web server middleware gets busy:

https://...de:8443/pki/ui/
results in
> HTTP Status 500 – Internal Server Error
>
> Type Exception Report
>
> Message org.apache.jasper.JasperException: Unable to compile class for JSP
>
> Beschreibung The server encountered an unexpected condition that prevented it from fulfilling the request.
>
> Exception
>
> org.apache.jasper.JasperException: org.apache.jasper.JasperException: Unable to compile class for JSP
> org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:604)
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)

I can, of course, provide full stacktraces and configuration details.

Configuration is mostly unmodified, but the whole system has been going through some upgrades since its first setup.
From the automatically created debug log, I gather that this:
> 2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE: Servlet.service() for servlet [jsp] in context with path [/pki] threw exception [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
> java.security.AccessControlException: access denied ("java.util.PropertyPermission" "tolerateIllegalAmbiguousVarargsInvocation" "read")
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> at java.security.AccessController.checkPermission(AccessController.java:886)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
> ...
is probably the reason for the failure.

Status of the server, at a first glance, looks ok to me:
> [root at ca2 ~]# pki-server --verbose status CA2
> Command: status CA2
> INFO: Loading instance: CA2
> INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
> INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
> INFO: Loading instance Tomcat config: /etc/pki/CA2/tomcat.conf
> INFO: Loading password config: /etc/pki/CA2/password.conf
> INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/CA2/CA2
> INFO: Loading subsystem: ca
> INFO: Loading subsystem config: /var/lib/pki/CA2/ca/conf/CS.cfg
> INFO: Loading subsystem: ocsp
> INFO: Loading subsystem config: /var/lib/pki/CA2/ocsp/conf/CS.cfg
> Instance ID: CA2
> Active: True
> Unsecure Port: 8080
> Secure Port: 8443
> Tomcat Port: 8005
>
> CA Subsystem:
> Type: Root CA (Security Domain)
> SD Registration URL: https://ca2..de:8443
> Enabled: True
> Unsecure URL: http://ca2..de:8080/ca/ee/ca
> Secure Agent URL: https://ca2..de:8443/ca/agent/ca
> Secure EE URL: https://ca2..de:8443/ca/ee/ca
> Secure Admin URL: https://ca2..de:8443/ca/services
> PKI Console URL: https://ca2..de:8443/ca
>
> OCSP Subsystem:
> Type: OCSP
> SD Registration URL: https://ca2..de:8443
> Enabled: True
> Unsecure URL: http://ca2..de:8080/ocsp/ee/ocsp/
> Secure Agent URL: https://ca2..de:8443/ocsp/agent/ocsp
> Secure EE URL: https://ca2..de:8443/ocsp/ee/ocsp/
> Secure Admin URL: https://ca2..de:8443/ocsp/services
> PKI Console URL: https://ca2..de:8443/ocsp

There's no other PKI instance in place, and I'm not sufficiently skilled with dogtag to actually do much with the configuration anyway, so I kept my fingers off it as far as I could :-)

Is this a known problem, is there a reasonably simple fix, or is it time to load my latest backup?

Thanks,

Arno

--
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück

From dmoluguw at redhat.com Wed Sep 25 18:23:46 2019
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Wed, 25 Sep 2019 14:23:46 -0400
Subject: [Pki-users] New Release: PKI 10.7.3 is available for testing
In-Reply-To:
References:
Message-ID:

Hello Arno,

As you might be aware, Fedora 31 hasn't reached its GA [1] yet. Fedora 31 is currently in beta and might carry some bugs. We do not support PKI on unreleased Fedora versions.

Looking at your logs, I see an "access denied" error. This is mostly due to a bug in a different package which might be fixed before the actual GA.

[1] https://fedoraproject.org/wiki/Releases/31/Schedule

Regards,
--Dinesh

On Mon, 2019-09-23 at 22:00 +0200, Arno Lehmann wrote:
> Hi all,
>
> I managed to upgrade my Fedora-based PKI system to Release 31, which is
> not yet ready for production (as I think I found).
>
> Now, after the upgrade, I can enjoy server error 500 messages once the
> web server middleware gets busy:
>
> https://...de:8443/pki/ui/
> results in
> > HTTP Status 500 – Internal Server Error
> >
> > Type Exception Report
> >
> > Message org.apache.jasper.JasperException: Unable to compile class for JSP
> >
> > Beschreibung The server encountered an unexpected condition that
> > prevented it from fulfilling the request.
> >
> > Exception
> >
> > org.apache.jasper.JasperException: org.apache.jasper.JasperException: Unable to compile class for JSP
> > org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:604)
> > org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
>
> I can, of course, provide full stacktraces and configuration details.
>
>
>
> Configuration is mostly unmodified, but the whole system has been going
> through some upgrades since its first setup.
>
>
> From the automatically created debug log, I gather that this:
> > 2019-09-23 20:56:41 [https-jsse-nio-8443-exec-9] SEVERE: Servlet.service() for servlet [jsp] in context with path [/pki] threw exception [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause
> > java.security.AccessControlException: access denied ("java.util.PropertyPermission" "tolerateIllegalAmbiguousVarargsInvocation" "read")
> > at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> > at java.security.AccessController.checkPermission(AccessController.java:886)
> > at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> > at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
> > ...
>
> is probably the reason for the failure.
>
>
> Status of the server, at a first glance, looks ok to me:
> > [root at ca2 ~]# pki-server --verbose status CA2
> > Command: status CA2
> > INFO: Loading instance: CA2
> > INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
> > INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
> > INFO: Loading instance Tomcat config: /etc/pki/CA2/tomcat.conf
> > INFO: Loading password config: /etc/pki/CA2/password.conf
> > INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/CA2/CA2
> > INFO: Loading subsystem: ca
> > INFO: Loading subsystem config: /var/lib/pki/CA2/ca/conf/CS.cfg
> > INFO: Loading subsystem: ocsp
> > INFO: Loading subsystem config: /var/lib/pki/CA2/ocsp/conf/CS.cfg
> > Instance ID: CA2
> > Active: True
> > Unsecure Port: 8080
> > Secure Port: 8443
> > Tomcat Port: 8005
> >
> > CA Subsystem:
> > Type: Root CA (Security Domain)
> > SD Registration URL: https://ca2..de:8443
> > Enabled: True
> > Unsecure URL: http://ca2..de:8080/ca/ee/ca
> > Secure Agent URL: https://ca2..de:8443/ca/agent/ca
> > Secure EE URL: https://ca2..de:8443/ca/ee/ca
> > Secure Admin URL: https://ca2..de:8443/ca/services
> > PKI Console URL: https://ca2..de:8443/ca
> >
> > OCSP Subsystem:
> > Type: OCSP
> > SD Registration URL: https://ca2..de:8443
> > Enabled: True
> > Unsecure URL: http://ca2..de:8080/ocsp/ee/ocsp/
> > Secure Agent URL: https://ca2..de:8443/ocsp/agent/ocsp
> > Secure EE URL: https://ca2..de:8443/ocsp/ee/ocsp/
> > Secure Admin URL: https://ca2..de:8443/ocsp/services
> > PKI Console URL: https://ca2..de:8443/ocsp
>
> There's no other PKI instance in place, and I'm not sufficiently skilled
> with dogtag to actually do much with the configuration anyway, so I kept
> my fingers off it as far as I could :-)
>
>
> Is this a known problem, is there a reasonably simple fix, or is it time
> to load my latest backup?
>
>
> Thanks,
>
> Arno
>
>

From al at its-lehmann.de Wed Sep 25 20:34:51 2019
From: al at its-lehmann.de (Arno Lehmann)
Date: Wed, 25 Sep 2019 22:34:51 +0200
Subject: [Pki-users] New Release: PKI 10.7.3 is available for testing
In-Reply-To:
References:
Message-ID:

Hi Dinesh,

On 25.09.19 at 20:23, Dinesh Prasanth Moluguwan Krishnamoorthy wrote:
> Hello Arno,
>
> As you might be aware, Fedora 31 hasn't reached its GA [1] yet.

Indeed, and that's why I feel kind of stupid, managing to upgrade to a beta distro without even noticing...

...

> Looking at your logs, I see an "access denied" error. This is mostly
> due to a bug in a different package which might be fixed before the
> actual GA.

Hmm, so no clue on your side, for now. Thanks. I'll try my backups, I guess :-)

Thanks for the information / confirmation, and also thanks for working on something that I use nearly -- well, monthly, but still.

Cheers,

Arno

--
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
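
The check behind the request for `rpm -qa | grep pki` in the "sscep enroll error" thread above, as an added example that is not part of any message in this archive: a POSIX shell script that compares each pki package's Fedora dist tag with `VERSION_ID` from os-release and reports mixed pki versions. The function names and the sample data (a Fedora 29 host carrying fc30 builds, as first reported in the thread, plus one constructed 10.7.3 package) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Dogtag project.
# Flags pki packages whose Fedora dist tag differs from the host release and
# installations that mix more than one pki version.

# Constructed sample data, shaped like the output quoted in the thread.
SAMPLE_OS_RELEASE='NAME=Fedora
VERSION="29 (Server Edition)"
ID=fedora
VERSION_ID=29'

SAMPLE_RPM_LIST='pki-tools-10.8.0-0.1.fc30.x86_64
pki-ca-10.8.0-0.1.fc30.noarch
dogtag-pki-server-theme-10.8.0-0.1.fc30.noarch
pki-base-10.7.3-3.fc29.noarch'

# Print VERSION_ID from os-release text, with optional quotes removed.
os_version_id() {
    printf '%s\n' "$1" |
        sed -n 's/^VERSION_ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' | head -n 1
}

# Split name-version-release.arch into PKG_NAME, PKG_VERSION, PKG_RELEASE.
# Package names may contain '-', so the string is cut from the right.
parse_nvra() {
    nvr=${1%.*}              # drop the trailing .arch
    PKG_RELEASE=${nvr##*-}   # text after the last '-'
    nv=${nvr%-*}
    PKG_VERSION=${nv##*-}
    PKG_NAME=${nv%-*}
}

# Print the Fedora number from a release such as 0.1.fc30 (empty if none).
release_dist() {
    printf '%s\n' "$1" | sed -n 's/.*\.fc\([0-9][0-9]*\).*/\1/p'
}

# Usage: check_pki_packages <os-release text> <package list, one per line>
# Prints one finding per line. Returns 0 when clean, 1 when there are
# findings, 2 when the os-release text has no VERSION_ID.
check_pki_packages() {
    os_id=$(os_version_id "$1")
    list=$2
    versions=''
    findings=0
    if [ -z "$os_id" ]; then
        printf 'NO_VERSION_ID\n'
        return 2
    fi
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        parse_nvra "$pkg"
        dist=$(release_dist "$PKG_RELEASE")
        if [ -n "$dist" ] && [ "$dist" != "$os_id" ]; then
            printf 'DIST_MISMATCH %s built for fc%s, host is Fedora %s\n' \
                "$PKG_NAME" "$dist" "$os_id"
            findings=1
        fi
        # Remember each distinct package version once.
        case " $versions " in
            *" $PKG_VERSION "*) ;;
            *) versions="$versions $PKG_VERSION" ;;
        esac
    done <<EOF
$list
EOF
    set -- $versions
    if [ "$#" -gt 1 ]; then
        printf 'MIXED_VERSIONS%s\n' "$versions"
        findings=1
    fi
    return "$findings"
}

# Demo on the constructed sample. On a live host:
#   check_pki_packages "$(cat /etc/os-release)" "$(rpm -qa | grep pki)"
check_pki_packages "$SAMPLE_OS_RELEASE" "$SAMPLE_RPM_LIST" ||
    echo "findings reported above"
```

A clean result only shows that the packages agree with each other and with the host release; it does not show whether that version is an official release.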