
Bug 568787

Summary: pki-ca fails to create SSL connectors
Product: [Retired] Dogtag Certificate System
Reporter: Didier <d.bz-redhat>
Component: Execution Management (start/stop/restart)
Assignee: Matthew Harmsen <mharmsen>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: high
Version: 1.3
CC: dennis, dpal, gsterlin, jgalipea, jmagne, shug
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2020-03-27 19:04:14 UTC
Bug Blocks: 541012

Attachments (Description / Flags):
- Excerpt from /var/log/pki-ca/catalina.out / none
- EPEL fix for "_sharedstatedir" macro on RHEL / none
- EPEL fix for "_sharedstatedir" macro on RHEL / none
- EPEL fix for "_sharedstatedir" macro on RHEL / none

Description Didier 2010-02-26 16:01:48 UTC
Created attachment 396574 [details]
Excerpt from /var/log/pki-ca/catalina.out

Description of problem:

After running pkicreate for the first time, the Secure Admin Port (9445) and Secure EE Port (9444) are not created, rendering it impossible to configure the CA through the Configuration Wizard.


Version-Release number of selected component (if applicable):
pki-ca-1.3.0-7.el5 (tried 1.3.2 too) from EPEL


How reproducible:
Always


Steps to Reproduce:
1. Install clean RHEL5u4
2. yum install pki-ca and its dependencies
3. Create pkiuser (uid=17) and run pkicreate (CA instance creation)

  
Actual results:
Unable to connect to the Configuration Wizard at https://hostname:9445/ca/admin/console/config/login?pin=xxx as specified in /var/log/pki-ca-install.log


Expected results:
Port 9445 should be created, allowing access to the Configuration Wizard.


Additional info:

- tomcat-native is absent, jss and tomcatjss are installed ;
- LANG=C ;

- The PKI Secure port (9443) is created :
# lsof |grep pkiuser |grep TCP
java      28349   pkiuser   71u     IPv6           1445890                 TCP *:9180 (LISTEN)
java      28349   pkiuser   76u     IPv6           1445899                 TCP *:9443 (LISTEN)
java      28349   pkiuser   77u     IPv6           1445900                 TCP localhost.localdomain:9701 (LISTEN)


As the inability to access the Configuration Wizard renders DCS useless, I took the liberty of setting the Severity to 'urgent'.

Comment 1 Didier 2010-03-01 13:36:35 UTC
Not reproducible on Fedora 12 (32-bit) ; reproducible on RHEL5u4 (tested on 64-bit).

Comment 2 Didier 2010-03-02 09:59:15 UTC
And reproducible on CentOS5u4 (32-bit).

In summary : works with Fedora 12, does not work with CentOS5/RHEL5 + EPEL.


When taking into account https://bugzilla.redhat.com/show_bug.cgi?id=566342#c16, one has to wonder whether DCS installation has been tested on CentOS/RHEL ?

If not, is there any advantage in adding the non-functional builds to EPEL ?

Comment 3 Didier 2010-03-04 16:52:07 UTC
When deleting the 'Agent Secure Port Connector' entry (port 9443) from /etc/pki-ca/server.xml, the 'Admin Secure Port Connector' entry (port 9445) is processed, and TCP port 9445 is created.

This is confirmed by moving the 'EE Secure Port Connector' entry (port 9444) in front of the Admin port entry : only EE is created.


Hence, it appears only the first SSL connector definition in /etc/pki-ca/server.xml is processed.

Additionally, trying to connect to any created SSL port (9443, 9444, 9445) yields a "The connection was interrupted" error message in the client browser.

It seems SSL in the EL-5 package is borked.
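
Added example, not part of the original bug comments or the Dogtag code: a check that lists every secure connector defined in server.xml that has no matching listening socket, which is the symptom described in Comment 3. The server.xml content is a constructed stand-in using only the standard Tomcat Connector attributes port, scheme and secure; the lsof lines are those quoted in the bug description; all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, NOT the real /etc/pki-ca/server.xml.
# Connector order follows the thread: Agent, Admin, EE.
SAMPLE_SERVER_XML = """\
<Server>
  <Connector port="9180" scheme="http" secure="false"/>
  <!-- Agent Secure Port Connector -->
  <Connector port="9443" scheme="https" secure="true"/>
  <!-- Admin Secure Port Connector -->
  <Connector port="9445" scheme="https" secure="true"/>
  <!-- EE Secure Port Connector -->
  <Connector port="9444" scheme="https" secure="true"/>
</Server>
"""

# lsof lines as quoted in the bug description.
SAMPLE_LSOF = """\
java      28349   pkiuser   71u     IPv6           1445890                 TCP *:9180 (LISTEN)
java      28349   pkiuser   76u     IPv6           1445899                 TCP *:9443 (LISTEN)
java      28349   pkiuser   77u     IPv6           1445900                 TCP localhost.localdomain:9701 (LISTEN)
"""

# Matches "TCP <addr>:<port> (LISTEN)"; the port is the digits after the last colon.
LISTEN_RE = re.compile(r"\bTCP\s+\S+:(\d+)\s+\(LISTEN\)")

def secure_connector_ports(server_xml):
    """Ports of connectors marked secure or https, in document order."""
    ports = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        is_secure = (conn.get("secure", "").lower() == "true"
                     or conn.get("scheme", "").lower() == "https")
        port = conn.get("port", "")
        if is_secure and port.isdigit():
            ports.append(int(port))
    return ports

def listening_ports(lsof_output):
    """Set of TCP ports in LISTEN state found in lsof output."""
    return {int(m.group(1)) for m in LISTEN_RE.finditer(lsof_output)}

def unbound_secure_connectors(server_xml, lsof_output):
    """Secure connector ports that are configured but have no listener."""
    listening = listening_ports(lsof_output)
    return [p for p in secure_connector_ports(server_xml) if p not in listening]

if __name__ == "__main__":
    for port in unbound_secure_connectors(SAMPLE_SERVER_XML, SAMPLE_LSOF):
        print(f"secure connector on port {port} is configured but not listening")
```

A listening socket only shows that the connector was bound; as Comment 3 notes, a bound SSL port can still fail at the handshake, so a TLS connection test is a separate check.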

Comment 4 Didier 2010-03-12 16:50:00 UTC
How reproducible:
Always

--> Always on RHEL5/CentOS5.

(works on Fedora 12)

Comment 6 Didier 2010-03-18 15:16:04 UTC
Updated to (epel-testing) :

pki-setup-1.3.4-1.el5
pki-console-1.3.1-1.el5
pki-ca-1.3.3-1.el5
dogtag-pki-console-ui-1.3.1-1.el5

Removed old pki instance and created a new instance (EEClientAuth connector is now added to server.xml).

Dogtag is still not functional (see also BZ #573038).

Comment 10 Andrew Wnuk 2010-04-07 18:53:03 UTC
attachment (id=405058)
attachment (id=405059)
attachment (id=405060)
+awnuk

Comment 11 Matthew Harmsen 2010-04-07 20:39:11 UTC
See also 'Bugzilla Bug #573038 - Unable to login on Dogtag EPEL installation'



# cd tomcatjss

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       tomcatjss.spec
M       build_tomcatjss
M       build.xml

# svn commit
Sending        build.xml
Sending        build_tomcatjss
Sending        tomcatjss.spec
Transmitting file data ...
Committed revision 88.



# cd pki/base

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       config/release.xml

# svn commit
Sending        base/config/release.xml
Transmitting file data .
Committed revision 1029.



# cd pki/dogtag

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       common/pki-common.spec
M       config-ext/build_dogtag_pki
M       util/pki-util.spec

# svn commit
Sending        dogtag/common/pki-common.spec
Sending        dogtag/config-ext/build_dogtag_pki
Sending        dogtag/util/pki-util.spec
Transmitting file data ...
Committed revision 1030.

Comment 12 Didier 2010-04-23 08:27:22 UTC
Confirmed fixed in current EPEL-testing rebuilds.