Bug 568787 - pki-ca fails to create SSL connectors
Summary: pki-ca fails to create SSL connectors
Keywords:
Status: CLOSED EOL
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Execution Management (start/stop/restart)
Version: 1.3
Hardware: All
OS: Linux
Priority: high
Severity: urgent
Target Milestone: ---
Assignee: Matthew Harmsen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: dogtagIPAv2
Reported: 2010-02-26 16:01 UTC by Didier
Modified: 2020-03-27 19:04 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-03-27 19:04:14 UTC
Embargoed:


Attachments
Excerpt from /var/log/pki-ca/catalina.out (deleted), 2010-02-26 16:01 UTC, Didier
EPEL fix for "_sharedstatedir" macro on RHEL (deleted), 2010-04-07 18:45 UTC, Matthew Harmsen
EPEL fix for "_sharedstatedir" macro on RHEL (deleted), 2010-04-07 18:45 UTC, Matthew Harmsen
EPEL fix for "_sharedstatedir" macro on RHEL (deleted), 2010-04-07 18:46 UTC, Matthew Harmsen

Description Didier 2010-02-26 16:01:48 UTC
Created attachment 396574
Excerpt from /var/log/pki-ca/catalina.out

Description of problem:

After running pkicreate for the first time, the Secure Admin Port (9445) and Secure EE Port (9444) are not created, rendering it impossible to configure the CA through the Configuration Wizard.


Version-Release number of selected component (if applicable):
pki-ca-1.3.0-7.el5 (tried 1.3.2 too) from EPEL


How reproducible:
Always


Steps to Reproduce:
1. Install clean RHEL5u4
2. yum install pki-ca and its dependencies
3. Create pkiuser (uid=17) and run pkicreate (CA instance creation)

  
Actual results:
Unable to connect to the Configuration Wizard at https://hostname:9445/ca/admin/console/config/login?pin=xxx as specified in /var/log/pki-ca-install.log


Expected results:
Port 9445 should be created, allowing access to the Configuration Wizard.


Additional info:

- tomcat-native is absent, jss and tomcatjss are installed;
- LANG=C;

- The PKI Secure port (9443) is created:
# lsof |grep pkiuser |grep TCP
java      28349   pkiuser   71u     IPv6           1445890                 TCP *:9180 (LISTEN)
java      28349   pkiuser   76u     IPv6           1445899                 TCP *:9443 (LISTEN)
java      28349   pkiuser   77u     IPv6           1445900                 TCP localhost.localdomain:9701 (LISTEN)


As the inability to access the Configuration Wizard renders DCS useless, I took the liberty of setting the Severity to 'urgent'.

Comment 1 Didier 2010-03-01 13:36:35 UTC
Not reproducible on Fedora 12 (32-bit); reproducible on RHEL5u4 (tested on 64-bit).

Comment 2 Didier 2010-03-02 09:59:15 UTC
And reproducible on CentOS5u4 (32-bit).

In summary: works with Fedora 12, does not work with CentOS5/RHEL5 + EPEL.

When taking into account https://bugzilla.redhat.com/show_bug.cgi?id=566342#c16, one has to wonder whether DCS installation has been tested on CentOS/RHEL?

If not, is there any advantage in adding the non-functional builds to EPEL?

Comment 3 Didier 2010-03-04 16:52:07 UTC
When deleting the 'Agent Secure Port Connector' entry (port 9443) from /etc/pki-ca/server.xml, the 'Admin Secure Port Connector' entry (port 9445) is processed, and TCP port 9445 is created.

This is confirmed by moving the 'EE Secure Port Connector' entry (port 9444) in front of the Admin port entry: only EE is created.


Hence, it appears only the first SSL connector definition in /etc/pki-ca/server.xml is processed.

Additionally, trying to connect to any created SSL port (9443, 9444, 9445) yields a "The connection was interrupted" error message in the client browser.

It seems SSL in the EL-5 package is borked.
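
A check for the symptom described in this comment, as an added example that is not part of the original report or of Dogtag: it lists the HTTPS connectors declared in a Tomcat server.xml and reports those with no listening socket in lsof output. The server.xml is a constructed sample using the report's port numbers and standard Tomcat Connector attributes, the lsof lines are those quoted in the description, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml: standard Tomcat Connector attributes only,
# with the report's ports in the order Agent (9443), Admin (9445), EE (9444).
SERVER_XML = """\
<Server port="9701" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9180" scheme="http" secure="false"/>
    <Connector port="9443" scheme="https" secure="true"/>
    <Connector port="9445" scheme="https" secure="true"/>
    <Connector port="9444" scheme="https" secure="true"/>
  </Service>
</Server>
"""

# lsof lines as quoted in the bug description.
LSOF_OUTPUT = """\
java      28349   pkiuser   71u     IPv6           1445890                 TCP *:9180 (LISTEN)
java      28349   pkiuser   76u     IPv6           1445899                 TCP *:9443 (LISTEN)
java      28349   pkiuser   77u     IPv6           1445900                 TCP localhost.localdomain:9701 (LISTEN)
"""

def declared_ssl_ports(server_xml):
    """Ports of every <Connector> declared with scheme="https", in file order."""
    root = ET.fromstring(server_xml)
    return [int(c.get("port")) for c in root.iter("Connector")
            if c.get("scheme", "http").lower() == "https" and c.get("port")]

def listening_ports(lsof_text):
    """TCP ports in LISTEN state, taken from the NAME column of lsof output."""
    found = re.findall(r"TCP\s+\S+:(\d+)\s+\(LISTEN\)", lsof_text)
    return {int(p) for p in found}

def missing_ssl_listeners(server_xml, lsof_text):
    """Declared HTTPS connector ports that have no listening socket."""
    listening = listening_ports(lsof_text)
    return [p for p in declared_ssl_ports(server_xml) if p not in listening]

def only_first_connector_bound(server_xml, lsof_text):
    """True when the first HTTPS connector listens and every later one does not."""
    declared = declared_ssl_ports(server_xml)
    missing = missing_ssl_listeners(server_xml, lsof_text)
    return len(declared) > 1 and missing == declared[1:]

if __name__ == "__main__":
    for port in missing_ssl_listeners(SERVER_XML, LSOF_OUTPUT):
        print(f"HTTPS connector on port {port} is declared but not listening")
    if only_first_connector_bound(SERVER_XML, LSOF_OUTPUT):
        print("Only the first HTTPS connector was bound")
```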

Comment 4 Didier 2010-03-12 16:50:00 UTC
How reproducible:
Always

--> Always on RHEL5/CentOS5.

(works on Fedora 12)

Comment 6 Didier 2010-03-18 15:16:04 UTC
Updated to (epel-testing) :

pki-setup-1.3.4-1.el5
pki-console-1.3.1-1.el5
pki-ca-1.3.3-1.el5
dogtag-pki-console-ui-1.3.1-1.el5

Removed old pki instance and created a new instance (EEClientAuth connector is now added to server.xml).

Dogtag is still not functional (see also BZ #573038).

Comment 10 Andrew Wnuk 2010-04-07 18:53:03 UTC
attachment (id=405058)
attachment (id=405059)
attachment (id=405060)
+awnuk

Comment 11 Matthew Harmsen 2010-04-07 20:39:11 UTC
See also 'Bugzilla Bug #573038 - Unable to login on Dogtag EPEL installation'



# cd tomcatjss

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       tomcatjss.spec
M       build_tomcatjss
M       build.xml

# svn commit
Sending        build.xml
Sending        build_tomcatjss
Sending        tomcatjss.spec
Transmitting file data ...
Committed revision 88.



# cd pki/base

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       config/release.xml

# svn commit
Sending        base/config/release.xml
Transmitting file data .
Committed revision 1029.



# cd pki/dogtag

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       common/pki-common.spec
M       config-ext/build_dogtag_pki
M       util/pki-util.spec

# svn commit
Sending        dogtag/common/pki-common.spec
Sending        dogtag/config-ext/build_dogtag_pki
Sending        dogtag/util/pki-util.spec
Transmitting file data ...
Committed revision 1030.

Comment 12 Didier 2010-04-23 08:27:22 UTC
Confirmed fixed in current EPEL-testing rebuilds.

