Details
Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: EJBCA 7.3.0.1
Fix Version/s: EJBCA 7.3.1, EJBCA 7.3.0.1
Component/s: Protocols
Labels: None
Environment: WF14.0.1 on OpenJDK8 from CentOS 7
CertbotACMEClient/0.31.0
Issue discovered during: Integration
Sprint: EJBCA Team Bob - 2019 w42
Description
A request to the default ACME alias fails with:
Caused by: java.lang.NullPointerException
    at org.ejbca.ui.web.protocol.acme.AcmeEndPoint.getDefaultNotAfter(AcmeEndPoint.java:801)
    at org.ejbca.ui.web.protocol.acme.AcmeEndPoint.newOrder(AcmeEndPoint.java:750)

private long getDefaultNotAfter(final AuthenticationToken authenticationToken, final AcmeConfiguration acmeConfiguration, final long now) {
    // Looks up the EEP configured for the alias among the EEPs the token may create end entities in.
    // If the configured id is not in that map, getValue() returns null and endEntityProfile is null.
    final EndEntityProfile endEntityProfile = acmeRaMasterApiSession
            .getAuthorizedEndEntityProfiles(authenticationToken, AccessRulesConstants.CREATE_END_ENTITY)
            .getValue(acmeConfiguration.getEndEntityProfileId());
    // Dereferencing a null endEntityProfile here is where the reported NPE is thrown.
    final CertificateProfile certificateProfile = acmeRaMasterApiSession.getAuthorizedCertificateProfiles(authenticationToken)
            .getValue(endEntityProfile.getDefaultCertificateProfile()); // <---- line 801
    return ValidityDate.getDate(certificateProfile.getEncodedValidity(), new Date(now)).getTime()
            + SimpleTime.parseMillies(CesecoreConfiguration.getCertificateValidityOffset());
}
Due to the lack of logging, a fair guess is that acmeConfiguration.getEndEntityProfileId() is not present among the authorized End Entity Profiles where .../create_end_entity/ is granted.
A non-existing or unset acmeConfiguration.getEndEntityProfileId() might result in a similar problem.
Fix outline
- Rewrite to log at WARN level if acmeConfiguration.getEndEntityProfileId() isn't configured: it makes no sense to allow ACME access that will always fail, and this requires the attention of the instance owner.
- Be defensive and respond with a proper ACME unauthorized error code, and log at INFO level, when enrollment is attempted on a host that really doesn't allow access to this EEP.
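The following is an added, stand-alone illustration of the defensive lookup the two bullets above describe; it is not EJBCA code. The RA master API session, the AcmeConfiguration, EndEntityProfile and CertificateProfile classes, the AcmeProblemException type and the logger are hypothetical stand-ins, the authorized-profile maps hold constructed sample data, and the certificate validity is modelled directly in milliseconds instead of going through ValidityDate and the validity offset. The ACME problem type string is the RFC 8555 "unauthorized" error type.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

/**
 * Added illustration of the defensive getDefaultNotAfter lookup from the fix outline.
 * Not EJBCA code: every collaborator is a small hypothetical stand-in so the class runs alone.
 */
public class AcmeDefaultNotAfterExample {

    private static final Logger LOG = Logger.getLogger(AcmeDefaultNotAfterExample.class.getName());

    /** RFC 8555 problem type returned to the client when enrollment is not permitted. */
    static final String ACME_UNAUTHORIZED = "urn:ietf:params:acme:error:unauthorized";

    /** Hypothetical stand-in for AcmeConfiguration; -1 models an unset end entity profile id. */
    static final class AcmeConfiguration {
        private final int endEntityProfileId;
        AcmeConfiguration(int endEntityProfileId) { this.endEntityProfileId = endEntityProfileId; }
        int getEndEntityProfileId() { return endEntityProfileId; }
    }

    /** Hypothetical stand-in for EndEntityProfile; only the default certificate profile id is kept. */
    static final class EndEntityProfile {
        private final int defaultCertificateProfile;
        EndEntityProfile(int defaultCertificateProfile) { this.defaultCertificateProfile = defaultCertificateProfile; }
        int getDefaultCertificateProfile() { return defaultCertificateProfile; }
    }

    /** Hypothetical stand-in for CertificateProfile; validity is modelled directly in milliseconds. */
    static final class CertificateProfile {
        private final long validityMillis;
        CertificateProfile(long validityMillis) { this.validityMillis = validityMillis; }
        long getValidityMillis() { return validityMillis; }
    }

    /** Hypothetical exception carrying the ACME problem type the endpoint would put in its error response. */
    static final class AcmeProblemException extends Exception {
        private final String type;
        AcmeProblemException(String type, String detail) { super(detail); this.type = type; }
        String getType() { return type; }
    }

    /** Constructed sample data standing in for the authorized-profile maps the RA master API returns. */
    private final Map<Integer, EndEntityProfile> authorizedEndEntityProfiles = new HashMap<>();
    private final Map<Integer, CertificateProfile> authorizedCertificateProfiles = new HashMap<>();

    AcmeDefaultNotAfterExample() {
        authorizedEndEntityProfiles.put(100, new EndEntityProfile(200));
        authorizedCertificateProfiles.put(200, new CertificateProfile(90L * 24 * 60 * 60 * 1000)); // 90 days
    }

    /**
     * Same lookup chain as the original method, but each step that can yield null is checked.
     * A missing configuration value is an operator problem (WARN); a profile this alias is not
     * authorized for is an expected client-facing condition (INFO plus an ACME unauthorized error).
     */
    long getDefaultNotAfter(AcmeConfiguration acmeConfiguration, long now) throws AcmeProblemException {
        final int eepId = acmeConfiguration.getEndEntityProfileId();
        if (eepId < 0) {
            LOG.warning("ACME alias has no end entity profile configured; every newOrder request will fail.");
            throw new AcmeProblemException(ACME_UNAUTHORIZED, "ACME alias is not configured for enrollment.");
        }
        final EndEntityProfile endEntityProfile = authorizedEndEntityProfiles.get(eepId);
        if (endEntityProfile == null) {
            LOG.info("Enrollment attempted with end entity profile " + eepId + " that this alias is not authorized to use.");
            throw new AcmeProblemException(ACME_UNAUTHORIZED, "Not authorized to enroll with the configured end entity profile.");
        }
        final int cpId = endEntityProfile.getDefaultCertificateProfile();
        final CertificateProfile certificateProfile = authorizedCertificateProfiles.get(cpId);
        if (certificateProfile == null) {
            LOG.info("Enrollment attempted with certificate profile " + cpId + " that this alias is not authorized to use.");
            throw new AcmeProblemException(ACME_UNAUTHORIZED, "Not authorized to enroll with the default certificate profile.");
        }
        return now + certificateProfile.getValidityMillis();
    }

    public static void main(String[] args) {
        final AcmeDefaultNotAfterExample endpoint = new AcmeDefaultNotAfterExample();
        final long now = 1_570_000_000_000L; // constructed timestamp
        // 100 is authorized, 42 is not in the authorized map, -1 models an unconfigured alias.
        for (int eepId : new int[] {100, 42, -1}) {
            try {
                System.out.println("eep " + eepId + " -> notAfter " + endpoint.getDefaultNotAfter(new AcmeConfiguration(eepId), now));
            } catch (AcmeProblemException e) {
                System.out.println("eep " + eepId + " -> " + e.getType() + ": " + e.getMessage());
            }
        }
    }
}
```

Running main exercises the three paths: the authorized profile returns a notAfter value, the unknown profile id produces an INFO line and an unauthorized problem, and the unset id produces a WARN line and the same client-facing problem, so the client never sees a bare HTTP 500 and the operator can tell a misconfigured alias apart from a client that simply lacks access.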