Rob,
Thank you for replying. I've enable debug and i think this is the relevant portion of
the log.
[Sat Jun 10 04:18:58.109402 2017] [:error] [pid 11081] ipa: DEBUG: NSSConnection init
freeipa.fakedomain.local
[Sat Jun 10 04:18:58.271640 2017] [:error] [pid 11081] ipa: DEBUG: Connecting:
192.168.0.10:0
[Sat Jun 10 04:18:58.281333 2017] [:error] [pid 11081] ipa: DEBUG: approved_usage = SSL
Server intended_usage = SSL Server
[Sat Jun 10 04:18:58.281432 2017] [:error] [pid 11081] ipa: DEBUG: cert valid True for
"CN=freeipa.fakedomain.local,O=fakedomain.LOCAL"
[Sat Jun 10 04:18:58.285331 2017] [:error] [pid 11081] ipa: DEBUG: handshake complete,
peer = 192.168.0.10:443
[Sat Jun 10 04:18:58.285406 2017] [:error] [pid 11081] ipa: DEBUG: Protocol: TLS1.2
[Sat Jun 10 04:18:58.285459 2017] [:error] [pid 11081] ipa: DEBUG: Cipher:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[Sat Jun 10 04:18:58.292610 2017] [:error] [pid 11081] ipa: DEBUG: approved_usage = SSL
Server intended_usage = SSL Server
[Sat Jun 10 04:18:58.292691 2017] [:error] [pid 11081] ipa: DEBUG: cert valid True for
"CN=freeipa.fakedomain.local,O=fakedomain.LOCAL"
[Sat Jun 10 04:18:58.303693 2017] [:error] [pid 11081] ipa: DEBUG: handshake complete,
peer = 192.168.0.10:443
[Sat Jun 10 04:18:58.303756 2017] [:error] [pid 11081] ipa: DEBUG: Protocol: TLS1.2
[Sat Jun 10 04:18:58.303803 2017] [:error] [pid 11081] ipa: DEBUG: Cipher:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[Sat Jun 10 04:18:58.336406 2017] [:error] [pid 11081] ipa: DEBUG: response status 200
[Sat Jun 10 04:18:58.336490 2017] [:error] [pid 11081] ipa: DEBUG: response headers
{'date': 'Sat, 10 Jun 2017 02:18:58 GMT', 'content-length':
'144', 'content-type': 'application/xml', 'server':
'Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_nss/1.0.14 NSS/3.21 Basic ECC
mod_wsgi/3.4 Python/2.7.5'}
[Sat Jun 10 04:18:58.336544 2017] [:error] [pid 11081] ipa: DEBUG: response body
'<?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><Status>1</Status><Error>String
index out of range: -36</Error></XMLResponse>'
[Sat Jun 10 04:18:58.336951 2017] [:error] [pid 11081] ipa: DEBUG:
parse_profile_submit_result_xml() xml_text:
[Sat Jun 10 04:18:58.336958 2017] [:error] [pid 11081] <?xml version="1.0"
encoding="UTF-8"
standalone="no"?><XMLResponse><Status>1</Status><Error>String
index out of range: -36</Error></XMLResponse>
[Sat Jun 10 04:18:58.336960 2017] [:error] [pid 11081] parse_result:
[Sat Jun 10 04:18:58.336962 2017] [:error] [pid 11081] {'error_code': 1,
'error_string': u'String index out of range: -36'}
[Sat Jun 10 04:18:58.337049 2017] [:error] [pid 11081] ipa: ERROR:
ra.request_certificate(): FAILURE (String index out of range: -36)
[Sat Jun 10 04:18:58.385983 2017] [:error] [pid 11081] ipa: DEBUG: WSGI wsgi_execute
PublicError: Traceback (most recent call last):
[Sat Jun 10 04:18:58.386003 2017] [:error] [pid 11081] File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 366, in
wsgi_execute
[Sat Jun 10 04:18:58.386006 2017] [:error] [pid 11081] result = command(*args,
**options)
[Sat Jun 10 04:18:58.386008 2017] [:error] [pid 11081] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 449, in __call__
[Sat Jun 10 04:18:58.386009 2017] [:error] [pid 11081] return self.__do_call(*args,
**options)
[Sat Jun 10 04:18:58.386011 2017] [:error] [pid 11081] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 477, in __do_call
[Sat Jun 10 04:18:58.386012 2017] [:error] [pid 11081] ret = self.run(*args,
**options)
[Sat Jun 10 04:18:58.386014 2017] [:error] [pid 11081] File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 799, in run
[Sat Jun 10 04:18:58.386015 2017] [:error] [pid 11081] return self.execute(*args,
**options)
[Sat Jun 10 04:18:58.386017 2017] [:error] [pid 11081] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 629, in
execute
[Sat Jun 10 04:18:58.386018 2017] [:error] [pid 11081] csr, profile_id, ca_id,
request_type=request_type)
[Sat Jun 10 04:18:58.386020 2017] [:error] [pid 11081] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1612, in
request_certificate
[Sat Jun 10 04:18:58.386022 2017] [:error] [pid 11081]
parse_result.get('error_string'))
[Sat Jun 10 04:18:58.386023 2017] [:error] [pid 11081] File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1334, in
raise_certificate_operation_error
[Sat Jun 10 04:18:58.386025 2017] [:error] [pid 11081] raise
errors.CertificateOperationError(error=err_msg)
[Sat Jun 10 04:18:58.386026 2017] [:error] [pid 11081] CertificateOperationError:
Certificate operation cannot be completed: FAILURE (String index out of range: -36)
And from /var/log/pki/pki-tomcat/ca/debug in think this is the relevant portion:
[10/Jun/2017:04:18:58][ajp-bio-127.0.0.1-8009-exec-9]: Finish parsePKCS10 -
CN=vertica1.fakedomain.local
[10/Jun/2017:04:18:58][ajp-bio-127.0.0.1-8009-exec-9]: BasicProfile: populate() policy
setid =serverCertSet
[10/Jun/2017:04:18:58][ajp-bio-127.0.0.1-8009-exec-9]: SubjectNameDefault: populate start
java.lang.StringIndexOutOfBoundsException: String index out of range: -36
at java.lang.String.substring(String.java:1967)
at com.netscape.certsrv.pattern.Pattern.substitute2(Pattern.java:128)
at com.netscape.cms.profile.def.EnrollDefault.mapPattern(EnrollDefault.java:804)
at
com.netscape.cms.profile.def.SubjectNameDefault.populate(SubjectNameDefault.java:160)
at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:224)
at com.netscape.cms.profile.common.BasicProfile.populate(BasicProfile.java:1101)
at
com.netscape.cms.profile.common.EnrollProfile.populate(EnrollProfile.java:1330)
at
com.netscape.cms.servlet.cert.CertProcessor.populateRequests(CertProcessor.java:362)
at
com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:181)
at
com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:96)
at
com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:243)
at
com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128)
at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:515)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
[10/Jun/2017:04:18:58][ajp-bio-127.0.0.1-8009-exec-9]: ProfileSubmitServlet: error in
processing request: java.lang.StringIndexOutOfBoundsException: String index out of range:
-36
So it looks to me like something is going wrong with SubjectNameDefault: but now, how do i
fix this.