[Freeipa-users] Freeipa 3.3.3 and --external-ca

Martin Minkus martin.minkus at corp.sonic.net
Mon Dec 29 22:02:22 UTC 2014


Hi all,

I'm running Freeipa 3.3.3 on CentOS 7.0.

It worked fine self-signed, but I am having difficulty getting it to work
with --external-ca. I've seen a few other reports of this on the list
with no resolution, so I'm not sure whether this is simply broken in
this version or what? Maybe I'm just doing something wrong. :)

From /var/log/ipaserver-install.log


2014-12-29T21:25:19Z DEBUG Starting external process
2014-12-29T21:25:19Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp00n3qN
2014-12-29T21:25:21Z DEBUG Process finished, return code=1
2014-12-29T21:25:21Z DEBUG stdout=Loading deployment configuration from
/tmp/tmp00n3qN.
Installing CA into /var/lib/pki/pki-tomcat.
loading external CA signing certificate from file: '/root/ipa.crt'
loading external CA signing certificate chain from file: '/tmp/tmpnVtMl7'
Installation failed.


2014-12-29T21:25:21Z DEBUG stderr=pkispawn    : ERROR    .......
Exception from Java Configuration Servlet: Error in creating pkcs12 to
backup keys and certs: org.mozilla.jss.crypto.ObjectNotFoundException

2014-12-29T21:25:21Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmp00n3qN' returned non-zero exit status 1
2014-12-29T21:25:21Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 638, in run_script
    return_value = main_function()

  File "/sbin/ipa-server-install", line 1094, in main
    subject_base=options.subject)

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
478, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 364, in start_creation
    method()

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
615, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')

2014-12-29T21:25:21Z DEBUG The ipa-server-install command failed,
exception: RuntimeError: Configuration of CA failed


From /var/log/pki/pki-ca-spawn.20141229132519.log

2014-12-29 13:25:19 pkispawn    : INFO     ... skip populating
'pki.deployment.infrastructure_layout'
2014-12-29 13:25:19 pkispawn    : INFO     ... skip populating
'pki.deployment.instance_layout'
2014-12-29 13:25:19 pkispawn    : INFO     ... skip populating
'pki.deployment.subsystem_layout'
2014-12-29 13:25:19 pkispawn    : INFO     ... skip populating
'pki.deployment.selinux_setup'
2014-12-29 13:25:19 pkispawn    : INFO     ... skip deploying
'pki.deployment.webapp_deployment'
2014-12-29 13:25:19 pkispawn    : INFO     ... skip assigning slots for
'pki.deployment.slot_substitution'
2014-12-29 13:25:19 pkispawn    : INFO     ... skip generating
'pki.deployment.security_databases'
2014-12-29 13:25:19 pkispawn    : INFO     ... configuring
'pki.deployment.configuration'
2014-12-29 13:25:19 pkispawn    : INFO     ....... modifying
'/root/.dogtag/pki-tomcat/ca/password.conf'
2014-12-29 13:25:19 pkispawn    : DEBUG    ........... chmod 660
/root/.dogtag/pki-tomcat/ca/password.conf
2014-12-29 13:25:19 pkispawn    : DEBUG    ........... chown 0:0
/root/.dogtag/pki-tomcat/ca/password.conf
2014-12-29 13:25:19 pkispawn    : INFO     ....... modifying
'/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
2014-12-29 13:25:19 pkispawn    : DEBUG    ........... chmod 660
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2014-12-29 13:25:19 pkispawn    : DEBUG    ........... chown 992:991
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2014-12-29 13:25:19 pkispawn    : INFO     ....... executing 'certutil
-N -d /tmp/tmp-s1tfK9 -f /root/.dogtag/pki-tomcat/ca/password.conf'
2014-12-29 13:25:19 pkispawn    : INFO     ....... executing 'systemctl
start pki-tomcatd at pki-tomcat.service'
2014-12-29 13:25:19 pkispawn    : DEBUG    ........... <?xml
version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.0.5-3.el7</Version></XMLResponse>
2014-12-29 13:25:20 pkispawn    : INFO     ....... constructing PKI
configuration data.
2014-12-29 13:25:20 pkispawn    : INFO     ....... generating noise file
called '/tmp/tmp-s1tfK9/noise' and filling it with '2048' random bytes
2014-12-29 13:25:20 pkispawn    : DEBUG    ........... chmod 660
/tmp/tmp-s1tfK9/noise
2014-12-29 13:25:20 pkispawn    : DEBUG    ........... chown 992:991
/tmp/tmp-s1tfK9/noise
2014-12-29 13:25:20 pkispawn    : INFO     ....... executing
'['certutil', '-R', '-d', '/tmp/tmp-s1tfK9', '-s',
'cn=ipa-ca-agent,O=IPA.SONIC.NET', '-g', '2048', '-z',
'/tmp/tmp-s1tfK9/noise', '-f',
'/root/.dogtag/pki-tomcat/ca/password.conf', '-o',
'/tmp/tmp-s1tfK9/admin_pkcs10.bin']'
2014-12-29 13:25:20 pkispawn    : INFO     ....... ['BtoA',
'/tmp/tmp-s1tfK9/admin_pkcs10.bin', '/tmp/tmp-s1tfK9/admin_pkcs10.bin.asc']
2014-12-29 13:25:21 pkispawn    : INFO     ....... configuring PKI
configuration data.
2014-12-29 13:25:21 pkispawn    : ERROR    ....... Exception from Java
Configuration Servlet: Error in creating pkcs12 to backup keys and
certs: org.mozilla.jss.crypto.ObjectNotFoundException
2014-12-29 13:25:21 pkispawn    : DEBUG    ....... Error Type: HTTPError
2014-12-29 13:25:21 pkispawn    : DEBUG    ....... Error Message: 500
Server Error: Internal Server Error
2014-12-29 13:25:21 pkispawn    : DEBUG    .......   File
"/usr/sbin/pkispawn", line 374, in main
    rv = instance.spawn()
  File
"/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line
128, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py",
line 2998, in configure_pki_data
    response = client.configure(data)
  File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in
configure
    r = self.connection.post('/rest/installer/configure', data, headers)
  File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 638,
in raise_for_status
    raise http_error


From /var/log/pki/pki-tomcat/catalina.out

SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
SSLAuthenticatorWithFallback: Setting container
SSLAuthenticatorWithFallback: Initializing authenticators
SSLAuthenticatorWithFallback: Starting authenticators
CMS Warning: FAILURE: Cannot build CA chain. Error
java.security.cert.CertificateException: Certificate is not a PKCS #11
certificate|FAILURE: authz instance DirAclAut
hz initialization failed and skipped, error=Property
internaldb.ldapconn.port missing value|
Server is started.
Dec 29, 2014 1:16:00 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Dec 29, 2014 1:16:00 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Dec 29, 2014 1:16:00 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Dec 29, 2014 1:16:00 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 6906 ms
13:16:02,887  INFO
(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) -
Deploying javax.ws.rs.core.Application: class com.netscape.ca.Certificat
eAuthorityApplication
13:16:02,900  INFO
(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) -
Adding singleton provider com.netscape.certsrv.acls.ACLInterceptor from
Application javax.ws.rs.core.Application
13:16:02,901  INFO
(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) -
Adding singleton provider com.netscape.certsrv.authentication.AuthMethod
Interceptor from Application javax.ws.rs.core.Application
13:16:03,161 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) -
PathInfo: /installer/configure
AuthInterceptor: SystemConfigResource.configure()
AuthInterceptor: mapping name: default
AuthInterceptor: required auth methods: [*]
AuthInterceptor: anonymous access allowed
13:25:21,125 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) -
PathInfo: /installer/configure
AuthInterceptor: SystemConfigResource.configure()
AuthInterceptor: mapping name: default
AuthInterceptor: required auth methods: [*]
AuthInterceptor: anonymous access allowed
java.security.cert.CertificateEncodingException: Security library failed
to decode certificate package: (-8183) security library: improperly
formatted DER-encoded message.
        at org.mozilla.jss.CryptoManager.importCertPackageNative(Native
Method)
        at
org.mozilla.jss.CryptoManager.importCertPackage(CryptoManager.java:1042)


And so on.

openssl x509 -text -in ipa.crt
and
openssl x509 -text -in cacert.pem

Both work and display the signed cert as well as the CA's cert.

I've tried the process a couple times on different lab environments and
always get the exact same result.

I saw an error above about an improperly formatted DER message, so I thought
I'd try converting the cacert's certificate from PEM to DER using
something like this:

openssl x509 -in cert.crt -outform der -out cert.der

But this did not fix the problem. In fact, ipa-server-install throws an
error immediately and does not seem to like DER formatted certificates.

Thanks,
Martin.
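The catalina.out error above ("Security library failed to decode certificate package ... improperly formatted DER-encoded message") points at the bytes handed to the CA rather than at the certificate's contents, which `openssl x509 -text` already displays fine. The checker below is an added example, not code from the post or from FreeIPA/Dogtag: it opens a file destined for `--external-ca` (or the CA chain file) and reports, per PEM block, whether the block is a `CERTIFICATE`, whether its base64 decodes, and whether the decoded bytes are a well-formed DER `Certificate` (outer SEQUENCE whose length matches the data, followed by the `tbsCertificate`, `signatureAlgorithm` and `signatureValue` elements). It also flags a raw DER file passed where PEM is expected, the case the post hit. It uses only the standard library; the sample inputs are constructed, and `FAKE_CERT_DER` is a Certificate-shaped DER skeleton, not a real certificate.

```python
import base64
import binascii
import re

# Constructed, NOT a real certificate: a Certificate-shaped DER SEQUENCE whose
# three children carry the tags a real X.509 certificate has
# (tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING).
FAKE_CERT_DER = bytes.fromhex("300a" "3003020105" "3000" "030100")


def pem_wrap(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def _read_tlv(buf: bytes, pos: int):
    """Parse the DER tag and length at buf[pos:]; return (tag, header_len, content_len)."""
    if pos + 2 > len(buf):
        raise ValueError("unexpected end of data")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    nbytes = first & 0x7F                 # long-form length: number of length bytes
    if nbytes == 0 or nbytes > 4:
        raise ValueError("indefinite or oversized length field (not DER)")
    if pos + 2 + nbytes > len(buf):
        raise ValueError("truncated length field")
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    if length < 0x80 or buf[pos + 2] == 0:  # DER requires the minimal encoding
        raise ValueError("non-minimal length encoding (not DER)")
    return tag, 2 + nbytes, length


def check_der_certificate(der: bytes) -> str:
    """Return 'ok' or a description of the first structural problem in a DER certificate."""
    try:
        tag, hlen, clen = _read_tlv(der, 0)
        if tag != 0x30:
            return f"top-level tag 0x{tag:02x} is not SEQUENCE"
        if hlen + clen != len(der):
            return f"length mismatch: header says {hlen + clen} bytes, got {len(der)}"
        pos = hlen
        # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
        for want, name in ((0x30, "tbsCertificate"),
                           (0x30, "signatureAlgorithm"),
                           (0x03, "signatureValue")):
            tag, h, c = _read_tlv(der, pos)
            if tag != want:
                return f"{name}: expected tag 0x{want:02x}, got 0x{tag:02x}"
            if pos + h + c > len(der):
                return f"{name}: truncated"
            pos += h + c
        if pos != len(der):
            return "trailing bytes after signatureValue"
        return "ok"
    except ValueError as exc:
        return str(exc)


_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def check_bundle(data: bytes) -> list:
    """Check a file destined for --external-ca; one (label, verdict) tuple per PEM block."""
    if b"-----BEGIN" not in data:
        if data[:1] == b"\x30":           # DER SEQUENCE tag, so probably a raw DER file
            return [("DER", "file is raw DER, not PEM; supply the PEM form instead")]
        return [("none", "no PEM blocks found")]
    text = data.decode("latin-1")         # tolerate any byte values in the file
    results = []
    for label, body in _PEM_BLOCK.findall(text):
        if label != "CERTIFICATE":
            results.append((label, "not a CERTIFICATE block"))
            continue
        try:
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except binascii.Error:
            results.append((label, "base64 decoding failed"))
            continue
        results.append((label, check_der_certificate(der)))
    return results


# Constructed sample inputs covering the cases the checker distinguishes.
GOOD_PEM = pem_wrap(FAKE_CERT_DER)
CHAIN_PEM = GOOD_PEM + pem_wrap(FAKE_CERT_DER)            # two blocks, like cert + CA chain
TRUNCATED_PEM = pem_wrap(FAKE_CERT_DER[:-2])              # bytes lost in a copy-paste
BAD_B64_PEM = "-----BEGIN CERTIFICATE-----\nMIIB!!!\n-----END CERTIFICATE-----\n"
CSR_PEM = pem_wrap(FAKE_CERT_DER, "CERTIFICATE REQUEST")  # wrong kind of PEM block

if __name__ == "__main__":
    for name, sample in (("good", GOOD_PEM), ("chain", CHAIN_PEM), ("truncated", TRUNCATED_PEM),
                         ("bad base64", BAD_B64_PEM), ("csr", CSR_PEM)):
        print(name, check_bundle(sample.encode("ascii")))
    print("raw DER", check_bundle(FAKE_CERT_DER))
```

To run it on a real file, call `check_bundle(open("/root/ipa.crt", "rb").read())`; a `length mismatch`, `truncated` or `base64 decoding failed` verdict means the file, not the CA, needs fixing, while `file is raw DER` is the situation the DER conversion attempt produced.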
