Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-8661

ACME newOrder fails due to lack of access to EEP or other failed assumption

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: EJBCA 7.3.0.1
    • Fix Version/s: EJBCA 7.3.1, EJBCA 7.3.0.1
    • Component/s: Protocols
    • Labels:
      None
    • Environment:
      WF14.0.1 on OpenJDK8 from CentOS 7
      CertbotACMEClient/0.31.0
    • Issue discovered during:
      Integration
    • Sprint:
      EJBCA Team Bob - 2019 w42

      Description

      A request to the default ACME alias fails with:

      Caused by: java.lang.NullPointerException
        at org.ejbca.ui.web.protocol.acme.AcmeEndPoint.getDefaultNotAfter(AcmeEndPoint.java:801)
        at org.ejbca.ui.web.protocol.acme.AcmeEndPoint.newOrder(AcmeEndPoint.java:750)

          private long getDefaultNotAfter(final AuthenticationToken authenticationToken, final AcmeConfiguration acmeConfiguration, final long now) {
        final EndEntityProfile endEntityProfile = acmeRaMasterApiSession
                .getAuthorizedEndEntityProfiles(authenticationToken, AccessRulesConstants.CREATE_END_ENTITY)
                .getValue(acmeConfiguration.getEndEntityProfileId());
        final CertificateProfile certificateProfile = acmeRaMasterApiSession.getAuthorizedCertificateProfiles(authenticationToken)
                .getValue(endEntityProfile.getDefaultCertificateProfile()); // <---- line 801
        return ValidityDate.getDate(certificateProfile.getEncodedValidity(), new Date(now)).getTime() +
                SimpleTime.parseMillies(CesecoreConfiguration.getCertificateValidityOffset());
    }

      Due to lack of logging, a fair guess is that acmeConfiguration.getEndEntityProfileId() is not present among the authorized End Entity Profiles where .../create_end_entity/ is granted.
      A non-existing or unset acmeConfiguration.getEndEntityProfileId() might result in a similar problem.

      Fix outline

      • Rewrite to log WARN if the acmeConfiguration.getEndEntityProfileId() isn't configured since it makes no sense to allow ACME access that will always fail and this requires the attention of the instance owner
      • Be defensive and respond with a proper ACME unauthorized error code + log INFO when enrollment is tried on a host that really doesn't allow access to this EEP.

        Attachments

          Issue Links

          is related to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. ECA-6870 ACME

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open
          relates

          Improvement - An improvement or enhancement to an existing feature or task. ECA-8671 ACME UI configuration should not display first available EEP when unconfigured

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

            Activity

              People

              Assignee:
              johan Johan Eklund
              Reporter:
              johan Johan Eklund
              Verified by:
              Jekaterina Bunina
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: