[
https://issues.jboss.org/browse/WFCORE-4034?page=com.atlassian.jira.plugi...
]
Farah Juma commented on WFCORE-4034:
------------------------------------
I've submitted a PR that ensures that we no longer wrap the {{AcmeException}} in a
{{RuntimeException}} here.
[~claudio4j] Just FYI, I took a closer look at the steps to reproduce and noticed that
there's actually an issue with the alias that's being provided for the
{{obtain-certificate}} operation. In particular, the provided {{alias}} and {{key-store}}
indicate that if the {{obtain-certificate}} operation succeeds, it should store the
obtained signed certificate under the {{alias}} "www.cnn.com" in the
{{key-store}} "keyst2". However, the same alias/key-store combination was also
used for the {{certificate-authority-account}} key in the previous step. So, even though
{{obtain-certificate}} fails and doesn't actually obtain a certificate or update the
key-store in any way, when {{revoke-certificate}} is called using the alias
"www.cnn.com", this ends up attempting to revoke the certificate that is
associated with the account key since this entry does exist in the keystore. This will
correctly result in an {{AcmeException}} since this certificate wasn't issued by
Let's Encrypt. Using the following commands instead (notice a different alias is used
for the account key and the obtain-certificate operation) will correctly result in the
following error message:
{code}
/subsystem=elytron/key-store=keyst2:add(credential-reference={clear-text=senha},type=JKS,path=keyst2.jks)
/subsystem=elytron/certificate-authority-account=ca_letsenc2:add(alias=myaccount,key-store=keyst2)
/subsystem=elytron/key-store=keyst2:obtain-certificate(alias=www.cnn.com,certificate-authority-account=ca_letsenc2,domain-names=["www.cnn.com"],agree-to-terms-of-service,algorithm=RSA)
/subsystem=elytron/key-store=keyst2:revoke-certificate(alias=www.cnn.com,certificate-authority-account=ca_letsenc2)
{
"outcome" => "failed",
"failure-description" => "WFLYELY01029: Alias 'www.cnn.com'
does not exist in KeyStore",
"rolled-back" => true
}
{code}
RuntimeException when call key-store=ks:revoke-certificate
----------------------------------------------------------
Key: WFCORE-4034
URL:
https://issues.jboss.org/browse/WFCORE-4034
Project: WildFly Core
Issue Type: Bug
Components: Security
Reporter: Claudio Miranda
Assignee: Farah Juma
There is a RuntimeException when call a key-store=keys:revoke-certificate on a existing
alias, but having failed to obtain certificate from CA
Steps to reproduce
{code}
/subsystem=elytron/key-store=keyst2:add(credential-reference={clear-text=senha},type=JKS,path=keyst2.jks)
/subsystem=elytron/certificate-authority-account=ca_letsenc2:add(alias=www.cnn.com,key-store=keyst2)
/subsystem=elytron/key-store=keyst2:obtain-certificate(alias=www.cnn.com,certificate-authority-account=ca_letsenc2,domain-names=["www.cnn.com"],agree-to-terms-of-service,algorithm=RSA)
/subsystem=elytron/key-store=keyst2:revoke-certificate(alias=www.cnn.com,certificate-authority-account=ca_letsenc2)
{code}
obtain-certificate results in an exception, then call revoke-certificate
{code}
/subsystem=elytron/key-store=keyst2:obtain-certificate(alias=www.cnn.com,certificate-authority-account=ca_letsenc2,domain-names=["www.cnn.com"],agree-to-terms-of-service,algorithm=RSA)
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0158: Operation handler failed:
java.lang.RuntimeException: org.wildfly.security.x500.cert.acme.AcmeException: ELY10048:
Challenge response failed validation by the ACME ser
ver",
"rolled-back" => true
}
[standalone@localhost:9990 /]
/subsystem=elytron/key-store=keyst2:revoke-certificate(alias=www.cnn.com,certificate-authority-account=ca_letsenc2)
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0158: Operation handler failed:
java.lang.RuntimeException: org.wildfly.security.x500.cert.acme.AcmeException: No such
certificate",
"rolled-back" => true
}
{code}
I understand it make no sense to revoke a certificate that doesn't exist in CA
provider, but it was more an accident to discover it as I was playing with the operations.
Probably a WARN message would be more appropriate than a RuntimeException.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)