
EST: Exception Not authorized to manage peer RA

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: EJBCA 7.4.0
    • Fix Version/s: None
    • Component/s: CA GUI, Protocols
    • Labels:
      None
    • Environment:
      Root CA
      CentOS 7
      Wildfly 14
      OpenJDK 8
      MySQL 5.7
      Enabled Configured EST

      Remote Server
      Ubuntu 18.04
      ApacheServer
      OpenJDK 1.8

      Description

      On a remote server
      A keystore was created to include the DNS and IP address of the RootCA server

      Steps

      1. curl https://qaestserver:8442/.well-known/est/cacerts -o cacerts.p7 --cacert ManagementCA.cacert.pem
      2. openssl req -nodes -newkey rsa:2048 -keyout device.key -out device.csr -outform DER -subj "/CN=123456789"
      3. openssl base64 -in device.csr -out device.b64 -e
      4. curl -v --cacert ManagementCA.cacert.pem --user estadmin:foo123 --data @device.b64 -o device-p7.b64 -H "Content-Type: application/pkcs10" \
      -H "Content-Transfer-Encoding: base64" https://qaestserver:8442/.well-known/est/simpleenroll

      Expected: The -o certificate to be generated

      Actual:
      *Curl Response*

      • Rebuilt URL to: -H/
      • Host name ' -H' contains bad letter
      • Closing connection -1
        curl: (3) Host name ' -H' contains bad letter
      • Rebuilt URL to: Content-Transfer-Encoding: base64/
      • Port number ended with ' '
      • Closing connection -1
        curl: (3) Port number ended with ' '
      • Trying 192.168.56.110...
      • TCP_NODELAY set
      • Connected to 192.168.56.110 (192.168.56.110) port 8442 (#0)
      • ALPN, offering h2
      • ALPN, offering http/1.1
      • successfully set certificate verify locations:
      • CAfile: ManagementCA.cacert.pem
        CApath: /etc/ssl/certs
      • TLSv1.3 (OUT), TLS handshake, Client hello (1):
      • TLSv1.3 (IN), TLS handshake, Server hello (2):
      • TLSv1.2 (IN), TLS handshake, Certificate (11):
      • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
      • TLSv1.2 (IN), TLS handshake, Server finished (14):
      • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
      • TLSv1.2 (OUT), TLS change cipher, Client hello (1):
      • TLSv1.2 (OUT), TLS handshake, Finished (20):
      • TLSv1.2 (IN), TLS handshake, Finished (20):
      • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
      • ALPN, server did not agree to a protocol
      • Server certificate:
      • subject: CN=EstServer; O=PrimeKey Solutions AB; C=SE
      • start date: Mar 11 13:03:07 2020 GMT
      • expire date: Mar 11 13:03:07 2022 GMT
      • subjectAltName: host "192.168.56.110" matched cert's IP address! This has been a sore spot... I thought I resolved this by generating a new keystore that contains IP and DNS
      • issuer: CN=ManagementCA; O=EJBCA Sample; C=SE
      • SSL certificate verify ok.
      • Server auth using Basic with user 'estadmin'
        > POST /.well-known/est/simpleenroll HTTP/1.1
        > Host: 192.168.56.110:8442
        > Authorization: Basic ZXN0YWRtaW46Zm9vMTIz
        > User-Agent: curl/7.61.0
        > Accept: */*
        > Content-Type: application/pkcs10
        > Content-Length: 808
        >
      • upload completely sent off: 808 out of 808 bytes
        < HTTP/1.1 400 Bad Request
        < Connection: keep-alive
        < Content-Type: text/html;charset=UTF-8
        < Content-Length: 112
        < Date: Mon, 16 Mar 2020 13:42:35 GMT
        <
      • Connection #0 to host 192.168.56.110 left intact
        <html><head><title>Error</title></head><body>Exception encountered when trying to enroll over EST.</body></html>

      *From Server Log*
      2020-03-16 14:43:10,621 DEBUG [org.ejbca.peerconnector.ra.PeerRaMasterServiceBean] (EJB default - 2) Not authorized to manage Peer RA at https://ra.administrator:8443/ejbca/peer/v1.
      [root@qaestserver log]# tail -n 20 server.log
      at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
      at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
      at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
      at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
      at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:221)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:165)
      at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:140)
      at org.ejbca.peerconnector.client.PeerConnectorPool.send(PeerConnectorPool.java:332)
      ... 135 more

      *Keystore Content on RootCA*
      Alias name: estserver
      Creation date: Mar 11, 2020
      Entry type: PrivateKeyEntry
      Certificate chain length: 2
      Certificate[1]:
      Owner: C=SE, O=PrimeKey Solutions AB, CN=EstServer
      Issuer: C=SE, O=EJBCA Sample, CN=ManagementCA
      Serial number: 1a30d003a35d0d8fdb0c7e201572ab4550ba19e1
      Valid from: Wed Mar 11 14:03:07 CET 2020 until: Fri Mar 11 14:03:07 CET 2022
      Certificate fingerprints:
      MD5: 70:F2:88:B1:73:3A:08:8E:F6:13:07:60:28:54:DF:B6
      SHA1: 0A:5C:2F:F2:FA:DC:0B:3B:A7:B0:6D:67:44:99:57:54:58:B3:EA:7B
      SHA256: 47:AF:B1:54:DF:5A:70:D4:F7:A7:2D:83:71:EE:9F:EE:21:8E:E3:11:51:14:66:74:DE:CA:0D:39:00:DA:66:B9
      Signature algorithm name: SHA256withRSA
      Subject Public Key Algorithm: 2048-bit RSA key
      Version: 3

      Extensions:

      #1: ObjectId: 2.5.29.35 Criticality=false
      AuthorityKeyIdentifier [
      KeyIdentifier [
      0000: EB 4C 8F F3 82 19 CF 35 55 EF 08 F5 23 56 02 5F .L.....5U...#V._
      0010: 19 C1 0D C9 ....
      ]
      ]

      #2: ObjectId: 2.5.29.19 Criticality=true
      BasicConstraints:[
      CA:false
      PathLen: undefined
      ]

      #3: ObjectId: 2.5.29.37 Criticality=false
      ExtendedKeyUsages [
      serverAuth
      ]

      #4: ObjectId: 2.5.29.15 Criticality=true
      KeyUsage [
      DigitalSignature
      Key_Encipherment
      ]

      #5: ObjectId: 2.5.29.17 Criticality=false
      SubjectAlternativeName [
      DNSName: localhost
      DNSName: qaestserver
      IPAddress: 127.0.0.1
      IPAddress: 192.168.56.110
      ]
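      The enrollment flow from the Steps above, reimplemented as an added Python example (not EJBCA's code and not the reporter's) so that the request does not depend on shell line continuation. It sends the base64 PKCS#10 with the `Content-Transfer-Encoding: base64` header that is absent from the request curl actually transmitted in the trace, verifies the server certificate against ManagementCA.cacert.pem, and pulls the DER certificates out of the certs-only PKCS#7 SignedData that EST returns for both /cacerts and /simpleenroll. Host, port, credentials and the optional EJBCA alias path are assumptions taken from the report; the PKCS#7 builder at the end exists only to construct sample input for an offline check.

```python
"""EST (RFC 7030) simpleenroll client. Added example, not EJBCA's or the reporter's code.
Assumed values (from the bug report; replace with your own): host qaestserver, port 8442,
CA bundle ManagementCA.cacert.pem, user estadmin / password foo123.
"""
import base64
import http.client
import ssl

EST_HOST = "qaestserver"                 # assumption: host from the report's URL
EST_PORT = 8442                          # assumption: port from the report's URL
CA_BUNDLE = "ManagementCA.cacert.pem"    # trust anchor used to verify the EST server
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1

def encode_est_body(der):
    """Base64 with 76-char lines, as `openssl base64` produces; EST bodies travel this way."""
    return base64.encodebytes(der).decode("ascii")

def decode_est_response(text):
    """Undo the base64 transfer encoding of an EST response (line breaks are ignored)."""
    return base64.b64decode(text)

def build_simpleenroll_request(csr_der, user, password):
    """Headers and body for POST /.well-known/est/simpleenroll.
    The request curl actually sent in the report lacks Content-Transfer-Encoding
    because the shell continuation broke; here the header set is built explicitly."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    headers = {
        "Content-Type": "application/pkcs10",
        "Content-Transfer-Encoding": "base64",
        "Authorization": "Basic " + token,
    }
    return headers, encode_est_body(csr_der)

def der_read(buf, pos):
    """Read one DER TLV at pos (single-byte tags suffice for PKCS#7 framing)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, inner value, raw TLV bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        start = pos
        tag, inner, pos = der_read(value, pos)
        yield tag, inner, value[start:pos]

def certificates_from_pkcs7(der):
    """Return the DER certificates inside a certs-only PKCS#7 SignedData."""
    tag, content_info, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("PKCS#7 ContentInfo must be a SEQUENCE")
    (oid_tag, oid, _), (wrapper_tag, wrapper, _) = list(der_children(content_info))[:2]
    if oid_tag != 0x06 or oid != OID_SIGNED_DATA or wrapper_tag != 0xA0:
        raise ValueError("not a signedData ContentInfo")
    _, signed_data, _ = der_read(wrapper, 0)            # [0] EXPLICIT wraps the SEQUENCE
    for tag, inner, _ in der_children(signed_data):
        if tag == 0xA0:                                 # certificates [0] IMPLICIT SET OF
            return [raw for ctag, _, raw in der_children(inner) if ctag == 0x30]
    return []

def der_encode(tag, value):
    """Encode one DER TLV; used only to construct sample data for the offline check."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value

def certs_only_pkcs7(certs):
    """Constructed sample: a degenerate SignedData carrying only `certs` (no signers)."""
    signed_data = der_encode(0x30, b"".join([
        der_encode(0x02, b"\x01"),                       # version
        der_encode(0x31, b""),                           # digestAlgorithms: empty SET
        der_encode(0x30, der_encode(0x06, OID_DATA)),    # encapContentInfo: id-data
        der_encode(0xA0, b"".join(certs)),               # certificates [0] IMPLICIT
        der_encode(0x31, b""),                           # signerInfos: empty SET
    ]))
    return der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, signed_data))

def simpleenroll(csr_der, user, password, host=EST_HOST, port=EST_PORT,
                 cafile=CA_BUNDLE, alias=None):
    """Send the CSR over TLS verified against `cafile`; return the issued certificate(s) as DER.
    `alias` selects an EJBCA EST alias (/.well-known/est/<alias>/simpleenroll); None uses
    the default path from the report. Network call, not exercised by the offline check."""
    path = "/.well-known/est/" + (alias + "/" if alias else "") + "simpleenroll"
    headers, body = build_simpleenroll_request(csr_der, user, password)
    ctx = ssl.create_default_context(cafile=cafile)     # hostname/IP must match the SAN
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.request("POST", path, body=body, headers=headers)
    resp = conn.getresponse()
    text = resp.read().decode("ascii", "replace")
    if resp.status != 200:                              # the report got 400 with an HTML body
        raise RuntimeError(f"simpleenroll failed: {resp.status} {resp.reason}: {text.strip()}")
    return certificates_from_pkcs7(decode_est_response(text))
```

      Feed `simpleenroll()` the DER CSR from step 2 (`open("device.csr", "rb").read()`) and write each returned element to a `.der` file. One caveat the trace makes visible: curl treats any argument it does not recognise as an option as a further URL, so the "Rebuilt URL to: -H/" and "Rebuilt URL to: Content-Transfer-Encoding: base64/" lines mean the `\` continuation was not honoured (a trailing space after it is one common cause) and the request went out without that header. Building the header set in code removes that failure mode, but the server-side "Not authorized to manage Peer RA" entry is a separate condition that this client cannot influence.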

    People

    • Assignee: Unassigned
    • Reporter: Margaret Thomas (margarett)