Could not sign CSR Caused by: java.net.SocketTimeoutException: connect timed out

Article ID: CTX216188

Description

After configuring client certificate authentication for XMS, no client certificate request arrives at the issuing server, and the XMS debug log shows the following exception:

2016-06-27T13:01:11.409+0000 |   | ERROR | http-nio-10080-exec-1 | EWSession | Exception on certificate issuer
com.zenprise.zdm.pki.spi.IssuingServiceException: Could not sign CSR

    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueDirect(AbstractIssuingAdapter.java:147)
    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueCredential(AbstractIssuingAdapter.java:92)
    at com.sparus.nps.admin.impl.drivers.provisioning.CertXmlProvDeployAction.generateCertificate(CertXmlProvDeployAction.java:322)
    at com.sparus.nps.admin.impl.drivers.provisioning.CertXmlProvDeployAction.injectCertificate(CertXmlProvDeployAction.java:899)
    at com.sparus.nps.admin.impl.drivers.provisioning.CertXmlProvDeployAction.getNewCertContent(CertXmlProvDeployAction.java:984)
    at com.sparus.nps.callbacks.XmlProvCertDeployAction.getContent(XmlProvCertDeployAction.java:94)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback.buildXmlCommand(XmlProvWithCertsCallback.java:524)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback.buildXmlCommands(XmlProvWithCertsCallback.java:502)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback$2.call(XmlProvWithCertsCallback.java:279)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback$2.call(XmlProvWithCertsCallback.java:276)
    at com.sparus.nps.util.CallableInSession$Wrapper.callInSession(CallableInSession.java:217)
    at com.sparus.nps.util.CallableInSession.call(CallableInSession.java:146)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback.digest0(XmlProvWithCertsCallback.java:282)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback$1.run(XmlProvWithCertsCallback.java:164)
    at com.sparus.nps.util.TaskInSession$Wrapper.runInSession(TaskInSession.java:216)
    at com.sparus.nps.util.TaskInSession.run(TaskInSession.java:136)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback.process(XmlProvWithCertsCallback.java:173)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback.process(XmlProvWithCertsCallback.java:63)
    at com.sparus.nps.ServiceResponseBroker.invokeCallback(ServiceResponseBroker.java:338)
    at com.sparus.nps.device.services.impl.DefaultServiceResponseProcessor.handlePacket(DefaultServiceResponseProcessor.java:21)
    at com.sparus.nps.NPCBroker.notifyPacketReceived(NPCBroker.java:88)
    at com.sparus.nps.shtp.StartRequest.receivePacketsAsynchronously(StartRequest.java:294)
    at com.sparus.nps.shtp.StartRequest.receivePackets(StartRequest.java:373)
    at com.sparus.nps.shtp.StartRequest.eventRead(StartRequest.java:328)
    at com.sparus.nps.Halley.read(Halley.java:326)
    at com.sparus.nps.Halley.event(Halley.java:95)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilterEvent(ApplicationFilterChain.java:482)
    at org.apache.catalina.core.ApplicationFilterChain.doFilterEvent(ApplicationFilterChain.java:375)
    at org.apache.catalina.core.StandardWrapperValve.event(StandardWrapperValve.java:409)
    at org.apache.catalina.core.StandardContextValve.event(StandardContextValve.java:145)
    at org.apache.catalina.valves.ValveBase.event(ValveBase.java:222)
    at org.apache.catalina.core.StandardHostValve.event(StandardHostValve.java:262)
    at org.apache.catalina.valves.ValveBase.event(ValveBase.java:222)
    at org.apache.catalina.core.StandardEngineValve.event(StandardEngineValve.java:136)
    at org.apache.catalina.connector.CoyoteAdapter.event(CoyoteAdapter.java:212)
    at org.apache.coyote.http11.Http11NioProcessor.event(Http11NioProcessor.java:119)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:619)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1783)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1740)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: com.sparus.nps.pki.CertificateSigningException: Could not sign certificate
    at com.zenprise.zdm.pki.util.MsCertSrvSigningService.signRequest(MsCertSrvSigningService.java:107)
    at com.zenprise.zdm.pki.util.CredentialCaFactory$CredentialCa.sign(CredentialCaFactory.java:204)
    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueDirect(AbstractIssuingAdapter.java:137)
    ... 42 more
Caused by: java.net.SocketTimeoutException: connect timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
    at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
    at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    at com.sparus.nps.pki.connector.MsCertSrvConnector.openConnection(MsCertSrvConnector.java:433)
    at com.sparus.nps.pki.connector.MsCertSrvConnector.openConnection(MsCertSrvConnector.java:350)
    at com.sparus.nps.pki.connector.MsCertSrvConnector.generateClientIdentity0(MsCertSrvConnector.java:241)
    at com.sparus.nps.pki.connector.MsCertSrvConnector.generateClientIdentity(MsCertSrvConnector.java:207)
    at com.zenprise.zdm.pki.util.MsCertSrvSigningService.signRequest(MsCertSrvSigningService.java:90)

Resolution

If you see this error in the debug log file, verify that:

1. the Web enrollment service root URL under Settings > PKI Entities > General in XMS points to the correct issuing server
2. the issuing server publishes web enrollment over HTTPS: open a browser and navigate to the CertSrv website (e.g. https://MyCAorIntermediate/certsrv/)
3. an nslookup of the issuing server FQDN resolves to the correct IP address
4. a TCP connectivity test to that same host on port 443 does not fail with a timeout; if it does, check the VPN filters and/or network routing for traffic between XMS and the issuing server
5. whether the certificate was renewed recently and the problem started after that renewal

If the connection still times out after you have verified connectivity between XMS and the issuing server, increase the connection timeout to the Microsoft Certification Server by modifying the XMS server property mscertsrv.static.connectTimeout.millis.
The default value for this property is 15000 ms; you can increase it to 30000 ms, for example. Note that a longer timeout only helps when the issuing server is reachable but slow to answer; a path that is blocked will still time out, just later.
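Steps 2 to 4 above, together with the timeout property, can be checked in one pass from any host that shares the XMS side of the network path (an assumption; the XMS appliance itself does not ship this script). The following is an added example, not part of the article or of XenMobile: it resolves the issuing server FQDN, performs a TCP connect on the enrollment port with the same timeout XMS would use, and then makes an HTTPS request to the CertSrv path with certificate verification on, so that a network timeout (the condition behind "connect timed out") can be told apart from a refused connection, a TLS trust failure (a candidate for step 5) or an HTTP error. The URL, hostnames and ports are illustrative.

```python
#!/usr/bin/env python3
"""Reachability checks for the Microsoft CA web enrollment URL that XMS calls.

Added example, not XenMobile code. Hostnames and URLs are illustrative.
"""
import http.client
import socket
import ssl
import sys
import time
from urllib.parse import urlparse

# XMS default for mscertsrv.static.connectTimeout.millis (15 s); the article suggests 30000.
DEFAULT_CONNECT_TIMEOUT_MILLIS = 15000


def parse_enrollment_url(url):
    """Split the web enrollment root URL into (scheme, host, port, path)."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    port = u.port or (443 if u.scheme == "https" else 80)
    return u.scheme, u.hostname, port, (u.path or "/")


def resolve(host):
    """Step 3: addresses the issuing server FQDN resolves to ([] if it does not resolve)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def tcp_connect(host, port, timeout_millis):
    """Step 4: TCP connect with the XMS timeout. Returns (status, elapsed_ms).

    'timed out' is what 'java.net.SocketTimeoutException: connect timed out' reports;
    'refused' means the host answered, so routing works but nothing listens on the port.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout_millis / 1000.0):
            status = "connected"
    except socket.timeout:
        status = "timed out"
    except ConnectionRefusedError:
        status = "refused"
    except OSError as e:
        status = f"error: {e.strerror or e}"
    return status, int((time.monotonic() - start) * 1000)


def https_probe(host, port, path, timeout_millis):
    """Step 2: TLS handshake plus GET of the CertSrv path, with certificate verification on.

    IIS normally answers anonymous requests with 401 (Windows auth); any HTTP status still
    proves the site is reachable. A TLS trust failure points at the certificate, not the network.
    """
    result = {"http_status": None, "cert_not_before": None, "cert_not_after": None, "error": None}
    conn = http.client.HTTPSConnection(host, port, timeout=timeout_millis / 1000.0,
                                       context=ssl.create_default_context())
    try:
        conn.connect()                      # TCP connect + TLS handshake (verified)
        cert = conn.sock.getpeercert()      # read before the request; IIS may close the socket after it
        result["cert_not_before"] = cert.get("notBefore")   # recent value hints at a renewal (step 5)
        result["cert_not_after"] = cert.get("notAfter")
        conn.request("GET", path)
        result["http_status"] = conn.getresponse().status
    except ssl.SSLCertVerificationError as e:
        result["error"] = f"TLS trust failure: {getattr(e, 'verify_message', e)}"
    except socket.timeout:
        result["error"] = "timed out"
    except OSError as e:
        result["error"] = str(e)
    finally:
        conn.close()
    return result


def run_checks(url, timeout_millis=DEFAULT_CONNECT_TIMEOUT_MILLIS):
    """Run steps 3, 4 and 2 in that order and return the findings as a dict."""
    scheme, host, port, path = parse_enrollment_url(url)
    findings = {"host": host, "port": port, "resolves_to": resolve(host)}
    findings["tcp"], findings["tcp_elapsed_ms"] = tcp_connect(host, port, timeout_millis)
    if findings["tcp"] == "connected" and scheme == "https":
        findings["https"] = https_probe(host, port, path, timeout_millis)
    return findings


if __name__ == "__main__":
    # Usage: check_certsrv.py https://MyCAorIntermediate/certsrv/ [timeout_millis]
    target = sys.argv[1] if len(sys.argv) > 1 else "https://MyCAorIntermediate/certsrv/"
    millis = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_CONNECT_TIMEOUT_MILLIS
    for key, value in run_checks(target, millis).items():
        print(f"{key}: {value}")
```

Read the output bottom-up: a "timed out" TCP result with the 15000 ms default means the path is blocked or routed wrongly and raising the XMS property will not help; "refused" means routing is fine but IIS is not listening on that port; a TLS trust failure with a fresh notBefore date means the enrollment site's certificate was renewed and XMS no longer trusts it; a 401 or 200 means the enrollment URL is reachable and the problem lies elsewhere.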

Problem Cause

Traffic between XMS and the issuing server is blocked, or XMS times out before it can reach the issuing server.

Issue/Introduction

This article summarizes the steps to follow if you run into issues with certificate-based authentication: after configuring client certificate authentication for XMS, you do not see a client certificate request on the issuing server.