
There is a CSR from a user with O=test_org, CN=test. It is necessary to sign it with the CA test in FreeIPA. I do it with the following command:

ipa cert-request test-client.csr --ca=ca-name --certificate-out=signed.crt

After that, IPA prompts me to enter a Principal:

Principal: HTTP/test

But I get error:

ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Unable to create enrollment request: Invalid Request.

I've added service with alias:

ipa service-add HTTP/test --force --skip-host-check

but still get the same error.

How can I sign a CSR from a regular user?

Edit 1.

Text from the log file /var/log/pki/pki-tomcat/ca/debug.2020-09-23.log

2020-09-23 11:03:18 [Timer-0] INFO: SessionTimer: checking security domain sessions
2020-09-23 11:03:21 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: updating serial numbers
2020-09-23 11:06:01 [ajp-nio-127.0.0.1-8009-exec-8] INFO: Searching for certificates
2020-09-23 11:06:01 [ajp-nio-127.0.0.1-8009-exec-8] INFO: Search filter: (|(x509cert.subject=*CN=*test*))
2020-09-23 11:06:01 [ajp-nio-127.0.0.1-8009-exec-8] INFO: Search results: 0
2020-09-23 11:06:37 [ajp-nio-127.0.0.1-8009-exec-1] INFO: Searching for certificates
2020-09-23 11:06:37 [ajp-nio-127.0.0.1-8009-exec-1] INFO: Search filter: (|(x509cert.subject=*CN=*test*))
2020-09-23 11:06:37 [ajp-nio-127.0.0.1-8009-exec-1] INFO: Search results: 0
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: Authenticating certificate chain:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - CN=IPA RA, O=<REALM>
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: CertUserDBAuthentication: UID ipara authenticated.
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: User ID: ipara
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: UGSubsystem: retrieving user uid=ipara,ou=People,o=ipaca
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: User DN: uid=ipara,ou=people,o=ipaca
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: Roles:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - Certificate Manager Agents
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - Registration Manager Agents
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: AAclAuthz: Granting login permission for certServer.ca.account
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: Creating session DDFF8395C362510FA3DBF577019D6F10
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: Principal:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - ID: ipara
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - Full Name: ipara
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - Email: 
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - Roles:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO:   - Certificate Manager Agents
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO:   - Registration Manager Agents
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: Authenticating certificate chain:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: - CN=IPA RA, O=<REALM>
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: CertUserDBAuthentication: UID ipara authenticated.
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: User ID: ipara
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: UGSubsystem: retrieving user uid=ipara,ou=People,o=ipaca
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: User DN: uid=ipara,ou=people,o=ipaca
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: Roles:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: - Certificate Manager Agents
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: - Registration Manager Agents
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: AAclAuthz: Granting logout permission for certServer.ca.account
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: Destroying session 77064A7AFDA57F5A8D80F4A1DA6775FB
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-4] INFO: Receiving certificate request
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-4] WARNING: CertProcessor: No authenticator credentials required
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-4] INFO: AgentCertAuthentication: authenticated uid=ipara,ou=people,o=ipaca
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-4] INFO: EnrollProfile: Parsing PKCS #10 request:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Unable to parse PKCS #10 request: Only named ECParameters supported
java.io.IOException: Only named ECParameters supported
    at sun.security.ec.ECParameters.engineInit(ECParameters.java:150)
    at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
    at org.mozilla.jss.netscape.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:219)
    at org.mozilla.jss.netscape.security.x509.AlgorithmId.<init>(AlgorithmId.java:193)
    at org.mozilla.jss.netscape.security.x509.AlgorithmId.parse(AlgorithmId.java:151)
    at org.mozilla.jss.netscape.security.x509.X509Key.parse(X509Key.java:109)
    at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:173)
    at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:235)
    at com.netscape.cmscore.cert.CertUtils.parsePKCS10(CertUtils.java:249)
    at com.netscape.cms.profile.common.EnrollProfile.createRequests(EnrollProfile.java:285)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:188)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:97)
    at org.dogtagpki.server.ca.rest.CertRequestDAO.submitRequest(CertRequestDAO.java:216)
    at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:169)
    at sun.reflect.GeneratedMethodAccessor99.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    at sun.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at sun.reflect.GeneratedMethodAccessor67.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
    at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:394)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:764)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1379)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Unable to create enrollment request: Invalid Request
Invalid Request
    at com.netscape.cmscore.cert.CertUtils.parsePKCS10(CertUtils.java:258)
    at com.netscape.cms.profile.common.EnrollProfile.createRequests(EnrollProfile.java:285)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:188)
    at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:97)
    at org.dogtagpki.server.ca.rest.CertRequestDAO.submitRequest(CertRequestDAO.java:216)
    at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:169)
    at sun.reflect.GeneratedMethodAccessor99.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    at sun.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at sun.reflect.GeneratedMethodAccessor67.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
    at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:394)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:764)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1379)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: Only named ECParameters supported
    at sun.security.ec.ECParameters.engineInit(ECParameters.java:150)
    at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
    at org.mozilla.jss.netscape.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:219)
    at org.mozilla.jss.netscape.security.x509.AlgorithmId.<init>(AlgorithmId.java:193)
    at org.mozilla.jss.netscape.security.x509.AlgorithmId.parse(AlgorithmId.java:151)
    at org.mozilla.jss.netscape.security.x509.X509Key.parse(X509Key.java:109)
    at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:173)
    at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:235)
    at com.netscape.cmscore.cert.CertUtils.parsePKCS10(CertUtils.java:249)
    ... 67 more
MrSetplus
  • Your CA returns a 500 error for the web request. A 500 error is the web server's way of saying "I have a major problem, but I don't want to talk about it in public". Look at the error log of the server (usually located under `/var/log`); there will be a clear message saying what's wrong. – Gerald Schneider Sep 23 '20 at 08:42
  • @GeraldSchneider, thanks for the advice! I edited my question with text from the log file in the `/var/log/pki/pki-tomcat/ca` directory. – MrSetplus Sep 23 '20 at 08:50
  • There it is: `Only named ECParameters supported`. I'm not that familiar with this, maybe someone else can shed some more light on it, but it seems like the CSR was created with parameters that are not compatible with FreeIPA. – Gerald Schneider Sep 23 '20 at 09:10
  • @GeraldSchneider, yeah, I've noticed it too, but I cannot understand what it means. – MrSetplus Sep 23 '20 at 09:11
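The line that matters in the log is `Unable to parse PKCS #10 request: Only named ECParameters supported`, thrown from `X509Key.parse` before any profile or principal check runs. The JSS parser inside Dogtag accepts an EC key only when the AlgorithmIdentifier parameters in the CSR's SubjectPublicKeyInfo are a named-curve OID; a CSR whose key was written with explicit domain parameters (a SpecifiedECDomain SEQUENCE) is rejected as "Invalid Request", which is what `ipa cert-request` reports as the 500. As an added example, not from the question or from FreeIPA/Dogtag, here is a dependency-free Python walker that reads that field out of a CSR and says which encoding it carries. The two sample CSRs at the bottom are constructed stubs with zero-filled key and signature, built only so the walker can be run offline; pass a real file such as test-client.csr as the argument to classify it.

```python
"""Classify the public-key parameters in a PKCS#10 CSR with a minimal DER walker.

Dogtag/JSS rejects EC keys whose SubjectPublicKeyInfo carries explicit domain
parameters (a SEQUENCE) instead of a named-curve OID. Standard library only.
"""
import base64
import re

# DER-encoded OID bodies (without the 0x06 tag and length)
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")     # 1.2.840.10045.2.1
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")         # 1.2.840.10045.3.1.7
ECDSA_WITH_SHA256 = bytes.fromhex("2a8648ce3d040302")  # 1.2.840.10045.4.3.2
KNOWN_CURVES = {PRIME256V1: "prime256v1"}


def _read_tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Return the (tag, value) pairs directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def pem_to_der(pem):
    """Strip PEM armour and return the raw DER bytes."""
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))


def classify_csr_key(der):
    """Walk CertificationRequest -> CertificationRequestInfo -> SubjectPublicKeyInfo
    and report how the key algorithm parameters are encoded."""
    _, cert_req, _ = _read_tlv(der, 0)                  # CertificationRequest
    info = _children(cert_req)[0][1]                    # CertificationRequestInfo
    spki = _children(info)[2][1]                        # [version, subject, SPKI, attrs]
    alg_parts = _children(_children(spki)[0][1])        # AlgorithmIdentifier members
    oid = alg_parts[0][1]
    if oid == RSA_ENCRYPTION:
        return "rsa"
    if oid != ID_EC_PUBLIC_KEY:
        return "other"
    if len(alg_parts) < 2:
        return "ec-missing-params"
    ptag, pval = alg_parts[1]
    if ptag == 0x06:                                    # ECParameters ::= namedCurve OID
        return "ec-named:" + KNOWN_CURVES.get(pval, pval.hex())
    if ptag == 0x30:                                    # SpecifiedECDomain SEQUENCE: JSS rejects this
        return "ec-explicit"
    if ptag == 0x05:                                    # implicitlyCA NULL
        return "ec-implicit"
    return "ec-unknown-params"


def acceptable_for_dogtag(der):
    """True only for keys the Dogtag parser accepts: RSA or EC with a named curve."""
    kind = classify_csr_key(der)
    return kind == "rsa" or kind.startswith("ec-named:")


# ---- constructed sample input: structural stubs, not real signed requests ----

def _der(tag, content):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_stub_ec_csr(params_der):
    """Unsigned CSR skeleton around the given EC parameters; key and signature are
    zero-filled placeholders (enough for the walker, useless for enrolment)."""
    alg = _der(0x30, _der(0x06, ID_EC_PUBLIC_KEY) + params_der)
    pubkey = _der(0x03, b"\x00\x04" + b"\x00" * 64)     # uncompressed point stub
    spki = _der(0x30, alg + pubkey)
    info = _der(0x30, _der(0x02, b"\x00") + _der(0x30, b"") + spki + _der(0xA0, b""))
    sig_alg = _der(0x30, _der(0x06, ECDSA_WITH_SHA256))
    return _der(0x30, info + sig_alg + _der(0x03, b"\x00" * 9))


NAMED_CURVE_CSR = build_stub_ec_csr(_der(0x06, PRIME256V1))
# SpecifiedECDomain stub: version 1 followed by an empty fieldID SEQUENCE
EXPLICIT_PARAMS_CSR = build_stub_ec_csr(_der(0x30, _der(0x02, b"\x01") + _der(0x30, b"")))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                               # e.g. python3 csrcheck.py test-client.csr
        raw = open(sys.argv[1], "rb").read()
        der = pem_to_der(raw.decode()) if raw.startswith(b"-----") else raw
        print(classify_csr_key(der), "acceptable" if acceptable_for_dogtag(der) else "rejected")
    else:
        for name, der in (("named", NAMED_CURVE_CSR), ("explicit", EXPLICIT_PARAMS_CSR)):
            print(name, classify_csr_key(pem_to_der(to_pem(der))), acceptable_for_dogtag(der))
```

Without an argument the script classifies its two built-in stubs (named curve accepted, explicit parameters rejected). The same distinction is visible with `openssl req -noout -text -in test-client.csr`: a named curve prints `ASN1 OID: prime256v1`, explicit parameters print a `Field Type: prime-field` block with the prime, coefficients and generator spelled out. OpenSSL only writes explicit parameters when asked for them (`openssl ecparam -param_enc explicit`, or `-pkeyopt ec_param_enc:explicit` with `genpkey`), so the fix on the requester's side is to regenerate the key with the default named-curve encoding and resubmit the CSR; the public-key bytes are unaffected, only the AlgorithmIdentifier changes. Separately, `HTTP/test` is a service principal; for a certificate issued to a regular user, `ipa cert-request` should be given that user's own principal with a profile whose subject rules fit users (the default `caIPAserviceCert` profile expects a host or service subject), but that is a later check and does not explain the parse failure shown in the log.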

0 Answers