Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-8661

ACME newOrder fails due to lack of access to EEP or other failed assumption

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: EJBCA 7.3.0.1
    • Fix Version/s: EJBCA 7.3.1, EJBCA 7.3.0.1
    • Component/s: Protocols
    • Labels:
      None
    • Environment:
      WF14.0.1 on OpenJDK8 from CentOS 7
      CertbotACMEClient/0.31.0
    • Issue discovered during:
      Integration
    • Sprint:
      EJBCA Team Bob - 2019 w42

      Description

      A request to the default ACME alias fails with:

      Caused by: java.lang.NullPointerException
              at org.ejbca.ui.web.protocol.acme.AcmeEndPoint.getDefaultNotAfter(AcmeEndPoint.java:801)
              at org.ejbca.ui.web.protocol.acme.AcmeEndPoint.newOrder(AcmeEndPoint.java:750)
      
          private long getDefaultNotAfter(final AuthenticationToken authenticationToken, final AcmeConfiguration acmeConfiguration, final long now) {
              final EndEntityProfile endEntityProfile = acmeRaMasterApiSession
                      .getAuthorizedEndEntityProfiles(authenticationToken, AccessRulesConstants.CREATE_END_ENTITY)
                      .getValue(acmeConfiguration.getEndEntityProfileId());
              final CertificateProfile certificateProfile = acmeRaMasterApiSession.getAuthorizedCertificateProfiles(authenticationToken)
                      .getValue(endEntityProfile.getDefaultCertificateProfile()); // <---- line 801
              return ValidityDate.getDate(certificateProfile.getEncodedValidity(), new Date(now)).getTime() +
                      SimpleTime.parseMillies(CesecoreConfiguration.getCertificateValidityOffset());
          }
      

      Due to lack of logging, a fair guess is that acmeConfiguration.getEndEntityProfileId() is not present among the authorized End Entity Profiles where .../create_end_entity/ is granted.
      A non-existing or unset acmeConfiguration.getEndEntityProfileId() might result in a similar problem.

      Fix outline

      • Rewrite to log WARN if the acmeConfiguration.getEndEntityProfileId() isn't configured since it makes no sense to allow ACME access that will always fail and this requires the attention of the instance owner
      • Be defensive and respond with a proper ACME unauthorized error code + log INFO when enrollment is tried on a host that really doesn't allow access to this EEP.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              johan Johan Eklund
              Reporter:
              johan Johan Eklund
              Verified by:
              Jekaterina Bunina
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: