The test of dogtag-pki is failing on the nss 3.63 that is in impish proposed.
Bad:
Installing CA into /var/lib/pki/pki-tomcat.
Installation failed: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
ERROR: ConnectionError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
File "/usr/lib/python3/dist-packages/pki/server/pkispawn.py", line 575, in main
scriptlet.spawn(deployer)
File "/usr/lib/python3/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 995, in spawn
cert = deployer.setup_cert(client, tag)
File "/usr/lib/python3/dist-packages/pki/server/deployment/__init__.py", line 355, in setup_cert
return client.setupCert(request)
File "/usr/lib/python3/dist-packages/pki/system.py", line 389, in setupCert
response = self.connection.post(
File "/usr/lib/python3/dist-packages/pki/client.py", line 55, in wrapper
return func(self, *args, **kwargs)
File "/usr/lib/python3/dist-packages/pki/client.py", line 293, in post
r = self.session.post(
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 590, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 498, in send
raise ConnectionError(err, request=request)
>>>> CA spawn failed:
Good:
nstalling CA into /var/lib/pki/pki-tomcat.
Notice: Trust flag u is set automatically if the private key is present.
/usr/lib/python3/dist-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for i-dogtag has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
warnings.warn(
The good test above was with:
ii libnss3:s390x 2:3.61-1ubuntu2 s390x Network Security Service libraries
ii 389-ds-base 1.4.4.11-2 s390x 389 Directory Server suite - server
Worth to know, the good case test still fails later on with:
IOException: SocketException cannot write on socket: Failed to write to socket: (-5938) Encountered end of file.
ERROR: CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', '-f', '/etc/pki/pki-tomcat/password.conf', '-U', 'https://i-dogtag:8443', 'securitydomain-join', '--session', '4717921475119312283', '--type', 'TKS', '--hostname', 'i-dogtag', '--unsecure-port', '8080', '--secure-port', '8443', 'TKS i-dogtag 8443']' returned non-zero exit status 255.
File "/usr/lib/python3/dist-packages/pki/server/pkispawn.py", line 575, in main
scriptlet.spawn(deployer)
File "/usr/lib/python3/dist-packages/pki/server/deployment/scriptlets/configuration.py", line 1038, in spawn
subsystem.join_security_domain(
File "/usr/lib/python3/dist-packages/pki/server/subsystem.py", line 1201, in join_security_domain
subprocess.check_call(cmd)
File "/usr/lib/python3.9/subprocess.py", line 373, in check_call
raise CalledProcessError(retcode, cmd)
Installation failed: Command failed: pki -d /etc/pki/pki-tomcat/alias -f /etc/pki/pki-tomcat/password.conf -U https://i-dogtag:8443 securitydomain-join --session 4717921475119312283 --type TKS --hostname i-dogtag --unsecure-port 8080 --secure-port 8443 TKS i-dogtag 8443
Please check pkispawn logs in /var/log/pki/pki-tks-spawn.20210607093926.log
Well one issue at a time ... the current install issue first.
Since it worked with the nss in -release I was upgrading this to the new nss.
ii 389-ds-base 1.4.4.11-2 s390x 389 Directory Server suite - server
ii libnss3:s390x 2:3.63-1ubuntu1 s390x Network Security Service libraries
With this the install fail is reprodicible.
So we can switch in/out bad case by up/downgrading libnss3.
Comparing those two cases until they reach the first successful install message
I've seen a crash:
pki-tomcat[37160]: #
pki-tomcat[37160]: # A fatal error has been detected by the Java Runtime Environment:
pki-tomcat[37160]: #
pki-tomcat[37160]: # SIGSEGV (0xb) at pc=0x000003ff9ce9ec02, pid=37160, tid=37246
pki-tomcat[37160]: #
pki-tomcat[37160]: # JRE version: OpenJDK Runtime Environment (11.0.12+4) (build 11.0.12-ea+4-Ubuntu-0ubuntu2)
pki-tomcat[37160]: # Java VM: OpenJDK 64-Bit Server VM (11.0.12-ea+4-Ubuntu-0ubuntu2, mixed mode, tiered, compressed oops, serial gc, linux-s390x)
pki-tomcat[37160]: # Problematic frame:
pki-tomcat[37160]: # C [libnss3.so+0x11ec02]
pki-tomcat[37160]: #
pki-tomcat[37160]: # Core dump will be written. Default location: Core dumps may be processed with "/usr/share/apport/apport %p %s %c %d %P %E" (or dumping to /var/lib/pki/pki-tomcat/core.37160)
pki-tomcat[37160]: #
pki-tomcat[37160]: # An error report file with more information is saved as:
pki-tomcat[37160]: # /var/lib/pki/pki-tomcat/hs_err_pid37160.log
pki-tomcat[37160]: #
pki-tomcat[37160]: # If you would like to submit a bug report, please visit:
pki-tomcat[37160]: # https://bugs.launchpad.net/ubuntu/+source/openjdk-lts
pki-tomcat[37160]: # The crash happened outside the Java Virtual Machine in native code.
pki-tomcat[37160]: # See problematic frame for where to report the bug.
A few extra runs had also shown:
# Problematic frame:
# C [libnssutil3.so+0x1b60c] PORT_FreeArena_Util+0xc
And while I could not get a core dump out as the config required to be changed
is written on the fly and then started I was able to find the code.
Obviously there has to be a lot of abstraction but plenty of recent changes
fixed double frees and dangling pointer values.
For example https://github.com/nss-dev/nss/commit/350807b3a70f60928ea3f2bc95fd1795aae9b753
This is all (this and more similar fixes) in 3.66 which is released and in Debian unstable.
It might be worth to re-merge that, throw it into a PPA and re-run the tests.
The test of dogtag-pki is failing on the nss 3.63 that is in impish proposed.
Bad: pki/pki- tomcat. ted('Remote end closed connection without response')) ted('Remote end closed connection without response')) python3/ dist-packages/ pki/server/ pkispawn. py", line 575, in main spawn(deployer) python3/ dist-packages/ pki/server/ deployment/ scriptlets/ configuration. py", line 995, in spawn setup_cert( client, tag) python3/ dist-packages/ pki/server/ deployment/ __init_ _.py", line 355, in setup_cert setupCert( request) python3/ dist-packages/ pki/system. py", line 389, in setupCert .post( python3/ dist-packages/ pki/client. py", line 55, in wrapper python3/ dist-packages/ pki/client. py", line 293, in post python3/ dist-packages/ requests/ sessions. py", line 590, in post 'POST', url, data=data, json=json, **kwargs) python3/ dist-packages/ requests/ sessions. py", line 542, in request python3/ dist-packages/ requests/ sessions. py", line 655, in send send(request, **kwargs) python3/ dist-packages/ requests/ adapters. py", line 498, in send (err, request=request)
Installing CA into /var/lib/
Installation failed: ('Connection aborted.', RemoteDisconnec
ERROR: ConnectionError: ('Connection aborted.', RemoteDisconnec
File "/usr/lib/
scriptlet.
File "/usr/lib/
cert = deployer.
File "/usr/lib/
return client.
File "/usr/lib/
response = self.connection
File "/usr/lib/
return func(self, *args, **kwargs)
File "/usr/lib/
r = self.session.post(
File "/usr/lib/
return self.request(
File "/usr/lib/
resp = self.send(prep, **send_kwargs)
File "/usr/lib/
r = adapter.
File "/usr/lib/
raise ConnectionError
>>>> CA spawn failed:
Good: pki/pki- tomcat. python3/ dist-packages/ urllib3/ connection. py:455: SubjectAltNameW arning: Certificate for i-dogtag has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https:/ /github. com/urllib3/ urllib3/ issues/ 497 for details.)
nstalling CA into /var/lib/
Notice: Trust flag u is set automatically if the private key is present.
/usr/lib/
warnings.warn(
=== ======= ======= ======= ======= ======= ======= ======= ======= ======= ======= =
INSTALLATIO N SUMMARY ======= ======= ======= ======= ======= ======= ======= ======= ======= ======= =
===
...
The good test above was with:
ii libnss3:s390x 2:3.61-1ubuntu2 s390x Network Security Service libraries
ii 389-ds-base 1.4.4.11-2 s390x 389 Directory Server suite - server
Worth to know, the good case test still fails later on with: pki-tomcat/ alias', '-f', '/etc/pki/ pki-tomcat/ password. conf', '-U', 'https:/ /i-dogtag: 8443', 'securitydomain -join', '--session', '47179214751193 12283', '--type', 'TKS', '--hostname', 'i-dogtag', '--unsecure-port', '8080', '--secure-port', '8443', 'TKS i-dogtag 8443']' returned non-zero exit status 255. python3/ dist-packages/ pki/server/ pkispawn. py", line 575, in main spawn(deployer) python3/ dist-packages/ pki/server/ deployment/ scriptlets/ configuration. py", line 1038, in spawn join_security_ domain( python3/ dist-packages/ pki/server/ subsystem. py", line 1201, in join_security_ domain check_call( cmd) python3. 9/subprocess. py", line 373, in check_call ror(retcode, cmd) pki-tomcat/ alias -f /etc/pki/ pki-tomcat/ password. conf -U https:/ /i-dogtag: 8443 securitydomain-join --session 4717921475119312283 --type TKS --hostname i-dogtag --unsecure-port 8080 --secure-port 8443 TKS i-dogtag 8443 pki/pki- tks-spawn. 20210607093926. log
IOException: SocketException cannot write on socket: Failed to write to socket: (-5938) Encountered end of file.
ERROR: CalledProcessError: Command '['pki', '-d', '/etc/pki/
File "/usr/lib/
scriptlet.
File "/usr/lib/
subsystem.
File "/usr/lib/
subprocess.
File "/usr/lib/
raise CalledProcessEr
Installation failed: Command failed: pki -d /etc/pki/
Please check pkispawn logs in /var/log/
Well one issue at a time ... the current install issue first.
Since it worked with the nss in -release I was upgrading this to the new nss.
ii 389-ds-base 1.4.4.11-2 s390x 389 Directory Server suite - server
ii libnss3:s390x 2:3.63-1ubuntu1 s390x Network Security Service libraries
With this the install fail is reprodicible.
So we can switch in/out bad case by up/downgrading libnss3.
Comparing those two cases until they reach the first successful install message
I've seen a crash:
pki-tomcat[ 37160]: # 37160]: # A fatal error has been detected by the Java Runtime Environment: 37160]: # 37160]: # SIGSEGV (0xb) at pc=0x000003ff9c e9ec02, pid=37160, tid=37246 37160]: # 37160]: # JRE version: OpenJDK Runtime Environment (11.0.12+4) (build 11.0.12- ea+4-Ubuntu- 0ubuntu2) 37160]: # Java VM: OpenJDK 64-Bit Server VM (11.0.12- ea+4-Ubuntu- 0ubuntu2, mixed mode, tiered, compressed oops, serial gc, linux-s390x) 37160]: # Problematic frame: 37160]: # C [libnss3. so+0x11ec02] 37160]: # 37160]: # Core dump will be written. Default location: Core dumps may be processed with "/usr/share/ apport/ apport %p %s %c %d %P %E" (or dumping to /var/lib/ pki/pki- tomcat/ core.37160) 37160]: # 37160]: # An error report file with more information is saved as: 37160]: # /var/lib/ pki/pki- tomcat/ hs_err_ pid37160. log 37160]: # 37160]: # If you would like to submit a bug report, please visit: 37160]: # https:/ /bugs.launchpad .net/ubuntu/ +source/ openjdk- lts 37160]: # The crash happened outside the Java Virtual Machine in native code. 37160]: # See problematic frame for where to report the bug.
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
pki-tomcat[
A few extra runs had also shown: so+0x1b60c] PORT_FreeArena_ Util+0xc
# Problematic frame:
# C [libnssutil3.
And while I could not get a core dump out as the config required to be changed /github. com/nss- dev/nss/ commit/ 350807b3a70f609 28ea3f2bc95fd17 95aae9b753
is written on the fly and then started I was able to find the code.
Obviously there has to be a lot of abstraction but plenty of recent changes
fixed double frees and dangling pointer values.
For example https:/
This is all (this and more similar fixes) in 3.66 which is released and in Debian unstable.
It might be worth to re-merge that, throw it into a PPA and re-run the tests.