Albert Stoune via FreeIPA-users wrote:
> Hello!
> I encountered a problem when revoking a certificate: "IPA Error 4035: 
> HTTPRequestError: Request failed with status 500: Non-2xx response from CA 
> REST API: 500."
> 
> First of all, I looked at the Apache logs in /var/log/httpd/accsess.log and 
> found the following error:
> 
> [08/Dec/2023:13:27:39 +0300] "POST /ca/rest/agent/certs/10/revoke HTTP/1.1" 
> 500 6504
> 
> 
> Then, in /var/log/httpd/error_log:
> 
> ipa: INFO: [jsonserver_session] admin@TEST.LOCAL: cert_revoke('10', 
> revocation_reason='0', cacn='ipa', version='2.253'): HTTPRequestError
> 
> 
> And finally I found a traceback, which looks like a bug in DogTag logs in 
> /var/log/pki/pki-tomcat/ca/debug.2023-12-08.log:
> 
> 2023-12-08 13:27:39 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] INFO: LDAPSession: 
> Retrieving cn=10,ou=certificateRepository, ou=ca,o=ipaca
> 2023-12-08 13:27:39 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] SEVERE: 
> Servlet.service() for servlet [Resteasy] in context with path [/ca] threw 
> exception
> org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException: 
> Cannot invoke "String.toLowerCase()" because "<parameter1>" is null
>         at 
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
>         at 
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
>         at 
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:179)
>         at 
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:422)
>         at 
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>         at 
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>         at 
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at 
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
>         at jdk.internal.reflect.GeneratedMethodAccessor42.invoke(Unknown 
> Source)
>         at 
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>         at 
> org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
>         at 
> java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
>         at 
> java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
>         at 
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
>         at 
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:221)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
>         at 
> java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
>         at 
> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
>         at jdk.internal.reflect.GeneratedMethodAccessor41.invoke(Unknown 
> Source)
>         at 
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>         at 
> org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
>         at 
> java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
>         at 
> java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
>         at 
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
>         at 
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
>         at 
> java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
>         at 
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
>         at 
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
>         at 
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
>         at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:660)
>         at 
> com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
>         at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
>         at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
>         at 
> org.apache.catalina.valves.rewrite.RewriteValve.invoke(RewriteValve.java:555)
>         at 
> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
>         at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
>         at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
>         at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:433)
>         at 
> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
>         at 
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
>         at 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
>         at 
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at 
> org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
>         at 
> org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
>         at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.base/java.lang.Thread.run(Thread.java:833)
> Caused by: java.lang.NullPointerException: Cannot invoke 
> "String.toLowerCase()" because "<parameter1>" is null
>         at 
> org.mozilla.jss.netscape.security.x509.RevocationReason.valueOf(RevocationReason.java:91)
>         at 
> org.dogtagpki.server.ca.rest.CertService.revokeCert(CertService.java:180)
>         at 
> org.dogtagpki.server.ca.rest.CertService.revokeCert(CertService.java:162)
>         at 
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at 
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>         at 
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>         at 
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>         at 
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>         at 
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>         at 
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
>         at 
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
>         ... 49 more
> 
> It looks like internal mechanisms in DogTag can't parse some arguments from 
> the LDAP response. When I checked a similar request to LDAP with ldapsearch 
> I got a response with certificate details. It looks like everything is 
> correct in LDAP.
> 
> Additional info for debugging: the command "ipactl status" shows that 
> everything is good:
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> 
> Also, I can create new certificates, but can't delete already signed ones. 
> I also can't delete Services with signed certs, and can't delete Hosts with 
> those Services.
> 
> FreeIPA version: VERSION: 4.11.0, API_VERSION: 2.253

This is related to https://pagure.io/freeipa/issue/9345 . PKI for some
reason made the API call for revocation case-sensitive. We weren't aware
that this code was in the wild yet. What version of PKI are you running
and on what distribution?

rob
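
Added example (not part of the original thread, and not FreeIPA or PKI code): a small triage helper that undoes the hard wrapping in a Dogtag debug log excerpt like the one quoted above and returns the innermost "Caused by" together with the PKI/JSS frames beneath it, which is the part that points at RevocationReason.valueOf. The sample text is constructed from lines in the post; the function name and the package-prefix list are assumptions.

```python
import re

# Constructed excerpt in the shape of the Dogtag CA debug log quoted above
# (frames copied from the post, wrapped the way the mail client wrapped them).
SAMPLE = '''\
2023-12-08 13:27:39 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-7] SEVERE:
Servlet.service() for servlet [Resteasy] in context with path [/ca] threw
exception
org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException:
Cannot invoke "String.toLowerCase()" because "<parameter1>" is null
        at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
Caused by: java.lang.NullPointerException: Cannot invoke
"String.toLowerCase()" because "<parameter1>" is null
        at
org.mozilla.jss.netscape.security.x509.RevocationReason.valueOf(RevocationReason.java:91)
        at
org.dogtagpki.server.ca.rest.CertService.revokeCert(CertService.java:180)
        at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
        ... 49 more
'''

FRAME = re.compile(r'\bat\s+((?:[\w.]+/)?[\w.$]+)\(([^()]*)\)')
CAUSE = re.compile(r'Caused by:\s+([\w.$]+):\s+(.*?)\s+at\s+[\w.$/]+\(')
# Assumption: these prefixes mark PKI/JSS code, as opposed to container frames.
APP_PREFIXES = ('org.dogtagpki.', 'org.mozilla.jss.', 'com.netscape.')

def root_cause(log_text):
    """Return the innermost 'Caused by' and the PKI/JSS frames beneath it."""
    flat = ' '.join(log_text.split())      # undo hard line wrapping
    causes = list(CAUSE.finditer(flat))
    if not causes:
        return None
    last = causes[-1]                      # the innermost cause is listed last
    tail = flat[last.start():]
    frames = [f'{m.group(1)} ({m.group(2)})' for m in FRAME.finditer(tail)
              if m.group(1).startswith(APP_PREFIXES)]
    return {'exception': last.group(1), 'message': last.group(2), 'frames': frames}
```
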