[Freeipa-users] Problem installing replica CA

Ade Lee alee at redhat.com
Tue Apr 24 19:00:12 UTC 2012


On Tue, 2012-04-24 at 11:28 -0400, Rob Crittenden wrote:
> Dan Scott wrote:
> > On Tue, Apr 24, 2012 at 02:58, Ondrej Hamada<ohamada at redhat.com>  wrote:
> >> On 04/20/2012 09:35 PM, Dan Scott wrote:
> >>>
> >>> On Fri, Apr 20, 2012 at 15:26, Dmitri Pal<dpal at redhat.com>    wrote:
> >>>>
> >>>> On 04/20/2012 12:15 PM, Dan Scott wrote:
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> My FreeIPA servers were in a real mess recently and I think I've
> >>>>> finally got them into a reasonable state by cleaning up the tombstone
> >>>>> entries and fixing some broken replication agreements.
> >>>>>
> >>>>> I'm trying to setup a new replica and receive the following error:
> >>>>>
> >>>>> Configuring certificate server: Estimated time 3 minutes 30 seconds
> >>>>>    [1/12]: creating certificate server user
> >>>>>    [2/12]: creating pki-ca instance
> >>>>>    [3/12]: configuring certificate server instance
> >>>>> root        : CRITICAL failed to configure ca instance Command
> >>>>> '/usr/bin/perl /usr/bin/pkisilent 'ConfigureCA' '-cs_hostname'
> >>>>> 'fileserver4.ecg.mit.edu' '-cs_port' '9445' '-client_certdb_dir'
> >>>>> '/tmp/tmp-JwjkjT' '-client_certdb_pwd' XXXXXXXX '-preop_pin'
> >>>>> '5wVoLxO2KJ1aOlOk74mA' '-domain_name' 'IPA' '-admin_user' 'admin'
> >>>>> '-admin_email' 'root at localhost' '-admin_password' XXXXXXXX
> >>>>> '-agent_name' 'ipa-ca-agent' '-agent_key_size' '2048'
> >>>>> '-agent_key_type' 'rsa' '-agent_cert_subject'
> >>>>> 'CN=ipa-ca-agent,O=ECG.MIT.EDU' '-ldap_host' 'fileserver4.ecg.mit.edu'
> >>>>> '-ldap_port' '7389' '-bind_dn' 'cn=Directory Manager' '-bind_password'
> >>>>> XXXXXXXX '-base_dn' 'o=ipaca' '-db_name' 'ipaca' '-key_size' '2048'
> >>>>> '-key_type' 'rsa' '-key_algorithm' 'SHA256withRSA' '-save_p12' 'true'
> >>>>> '-backup_pwd' XXXXXXXX '-subsystem_name' 'pki-cad' '-token_name'
> >>>>> 'internal' '-ca_subsystem_cert_subject_name' 'CN=CA
> >>>>> Subsystem,O=ECG.MIT.EDU' '-ca_ocsp_cert_subject_name' 'CN=OCSP
> >>>>> Subsystem,O=ECG.MIT.EDU' '-ca_server_cert_subject_name'
> >>>>> 'CN=fileserver4.ecg.mit.edu,O=ECG.MIT.EDU'
> >>>>> '-ca_audit_signing_cert_subject_name' 'CN=CA Audit,O=ECG.MIT.EDU'
> >>>>> '-ca_sign_cert_subject_name' 'CN=Certificate Authority,O=ECG.MIT.EDU'
> >>>>> '-external' 'false' '-clone' 'true' '-clone_p12_file' 'ca.p12'
> >>>>> '-clone_p12_password' XXXXXXXX '-sd_hostname'
> >>>>> 'fileserver3.ecg.mit.edu' '-sd_admin_port' '443' '-sd_admin_name'
> >>>>> 'admin' '-sd_admin_password' XXXXXXXX '-clone_start_tls' 'true'
> >>>>> '-clone_uri' 'https://fileserver3.ecg.mit.edu:443'' returned non-zero
> >>>>> exit status 255
> >>>>> creation of replica failed: Configuration of CA failed
> >>>>>
> >>>>> The /var/log/pki-ca/debug file contains:
> >>>>>
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: CertRequestPanel: Failed to
> >>>>> import user certificate.org.mozilla.jss.crypto.TokenException:
> >>>>> PK11_ImportDERCertForKey Unable to import certificate to its token:
> >>>>> (-8054) You are attempting to import a cert with the same
> >>>>> issuer/serial as an existing cert, but that is not the same cert.
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: Updating local request...
> >>>>> certTag=sslserver
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn()
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: In LdapBoundConnFactory::getConn()
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: masterConn is connected: true
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: conn is connected true
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getConn: mNumConns now 2
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: returnConn: mNumConns now 3
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel input p=12
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: getNextPanel output p=13
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: panel no=13
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: panel name=backupkeys
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: total number of panels=19
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: WizardServlet: found xml
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type
> >>>>> org.apache.catalina.connector.ResponseFacade
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type
> >>>>> java.lang.Boolean
> >>>>> [20/Apr/2012:12:07:36][http-9445-1]: Error: unknown type
> >>>>> org.apache.catalina.connector.RequestFacade
> >>>>>
> >>>>> So it looks like there's some certificate confusion going on.
> >>>>>
> >>>>> Can someone help? Is there anything particularly sensitive in the
> >>>>> /var/log/ipareplica-install.log or /var/log/pki-ca/debug files that I
> >>>>> shouldn't send them to the list?
> >>>>>
> >>>> Are you installing it on a new machine?
> >>>> What version of the OS and tomcat is there?
> >>>> There have been some glitches in the tomcat package in the past.
> >>>
> >>> It's quite new - a VM which I installed 10 days ago. I tried to
> >>> install a replica on it before I cleaned my other IPA servers.
> >>
> >> Are you sure that the CA was cleaned up on the replica? Run
> >> 'ipa-server-install --uninstall' and then check existence of
> >> /var/lib/pki-ca. If it's still there ->
> >> http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Install_Guide/Installation_and_Configuration-Uninstalling_Certificate_System_Subsystems.html
> >
> > Yes, the CA was cleaned on the replica - I've also re-installed this
> > system from scratch and the install still fails.
> >
> > Thanks,
> >
> > Dan
> 
> It is a very strange error message. What this means is that the same 
> cert exists somewhere (same subject and serial number but has a 
> different set of keys). Where that somewhere is I don't know, and 
> considering you have a fresh VM the mystery only deepens.
> 
> I'm cc'ing one of the dogtag devs to see if he has any ideas.
> 
> rob

In the CertRequestPanel for a replica, we are trying to import the newly
generated sslserver cert into the dogtag security database
in /var/lib/pki-ca/alias.

Here is roughly how this all works:
1. pkicreate runs and creates a new dogtag CA instance.  It creates the
security databases under /var/lib/pki-ca/alias and creates a self signed
server cert for bootstrap SSL connection.
2. In the RestoreKeyCertPanel, the dogtag installer reads the pk12 file
provided by IPA for the master.  It imports various master certs into
the security database.  It should NOT import an sslserver cert.
3. In the CertRequestPanel, the bootstrap server cert is deleted, and a
newly generated sslserver cert is imported into the security database.

1. Please do a cleanup and confirm that the
directory /var/lib/pki-ca/alias does not exist.  If it does, you need to
do additional cleanup.

2. Check the PK12 file for the certs and keys being imported from the
master.  An ssl server cert should not be included in this file. 
(Rob, where is this file and how can it be extracted?)

3.  If there is a server cert in the PK12 file, check the debug log to
confirm that it is not imported in the RestoreKeyCertPanel.

4. Check in the debug log to see if the bootstrap server is in fact
deleted.

If none of the above pinpoints the problem, send the logs for the
replica and the output of the following commands to me and Rob.
    certutil -L -d /var/lib/pki-ca/alias
    certutil -K -d /var/lib/pki-ca/alias

The security database password is in /etc/pki-ca/password.conf and is
prefixed as internal=foo

Ade
