[Freeipa-users] Freeipa 3.3.3 and --external-ca
Martin Minkus
martin.minkus at corp.sonic.net
Mon Dec 29 22:02:22 UTC 2014
Hi all,
I'm running Freeipa 3.3.3 on CentOS 7.0.
It worked fine self-signed but I am having difficulty getting it to work
with --external-ca. I've seen a few other reports of this on the list
with no resolution, so I'm not sure whether this is simply broken in
this version or what? Maybe I'm just doing something wrong. :)
From /var/log/ipaserver-install.log
2014-12-29T21:25:19Z DEBUG Starting external process
2014-12-29T21:25:19Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp00n3qN
2014-12-29T21:25:21Z DEBUG Process finished, return code=1
2014-12-29T21:25:21Z DEBUG stdout=Loading deployment configuration from
/tmp/tmp00n3qN.
Installing CA into /var/lib/pki/pki-tomcat.
loading external CA signing certificate from file: '/root/ipa.crt'
loading external CA signing certificate chain from file: '/tmp/tmpnVtMl7'
Installation failed.
2014-12-29T21:25:21Z DEBUG stderr=pkispawn : ERROR .......
Exception from Java Configuration Servlet: Error in creating pkcs12 to
backup keys and certs: org.mozilla.jss.crypto.ObjectNotFoundException
2014-12-29T21:25:21Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmp00n3qN' returned non-zero exit status 1
2014-12-29T21:25:21Z DEBUG File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 638, in run_script
return_value = main_function()
File "/sbin/ipa-server-install", line 1094, in main
subject_base=options.subject)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
478, in configure_instance
self.start_creation(runtime=210)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 364, in start_creation
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
615, in __spawn_instance
raise RuntimeError('Configuration of CA failed')
2014-12-29T21:25:21Z DEBUG The ipa-server-install command failed,
exception: RuntimeError: Configuration of CA failed
From /var/log/pki/pki-ca-spawn.20141229132519.log
2014-12-29 13:25:19 pkispawn : INFO ... skip populating
'pki.deployment.infrastructure_layout'
2014-12-29 13:25:19 pkispawn : INFO ... skip populating
'pki.deployment.instance_layout'
2014-12-29 13:25:19 pkispawn : INFO ... skip populating
'pki.deployment.subsystem_layout'
2014-12-29 13:25:19 pkispawn : INFO ... skip populating
'pki.deployment.selinux_setup'
2014-12-29 13:25:19 pkispawn : INFO ... skip deploying
'pki.deployment.webapp_deployment'
2014-12-29 13:25:19 pkispawn : INFO ... skip assigning slots for
'pki.deployment.slot_substitution'
2014-12-29 13:25:19 pkispawn : INFO ... skip generating
'pki.deployment.security_databases'
2014-12-29 13:25:19 pkispawn : INFO ... configuring
'pki.deployment.configuration'
2014-12-29 13:25:19 pkispawn : INFO ....... modifying
'/root/.dogtag/pki-tomcat/ca/password.conf'
2014-12-29 13:25:19 pkispawn : DEBUG ........... chmod 660
/root/.dogtag/pki-tomcat/ca/password.conf
2014-12-29 13:25:19 pkispawn : DEBUG ........... chown 0:0
/root/.dogtag/pki-tomcat/ca/password.conf
2014-12-29 13:25:19 pkispawn : INFO ....... modifying
'/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
2014-12-29 13:25:19 pkispawn : DEBUG ........... chmod 660
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2014-12-29 13:25:19 pkispawn : DEBUG ........... chown 992:991
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2014-12-29 13:25:19 pkispawn : INFO ....... executing 'certutil
-N -d /tmp/tmp-s1tfK9 -f /root/.dogtag/pki-tomcat/ca/password.conf'
2014-12-29 13:25:19 pkispawn : INFO ....... executing 'systemctl
start pki-tomcatd@pki-tomcat.service'
2014-12-29 13:25:19 pkispawn : DEBUG ........... <?xml
version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.0.5-3.el7</Version></XMLResponse>
2014-12-29 13:25:20 pkispawn : INFO ....... constructing PKI
configuration data.
2014-12-29 13:25:20 pkispawn : INFO ....... generating noise file
called '/tmp/tmp-s1tfK9/noise' and filling it with '2048' random bytes
2014-12-29 13:25:20 pkispawn : DEBUG ........... chmod 660
/tmp/tmp-s1tfK9/noise
2014-12-29 13:25:20 pkispawn : DEBUG ........... chown 992:991
/tmp/tmp-s1tfK9/noise
2014-12-29 13:25:20 pkispawn : INFO ....... executing
'['certutil', '-R', '-d', '/tmp/tmp-s1tfK9', '-s',
'cn=ipa-ca-agent,O=IPA.SONIC.NET', '-g', '2048', '-z',
'/tmp/tmp-s1tfK9/noise', '-f',
'/root/.dogtag/pki-tomcat/ca/password.conf', '-o',
'/tmp/tmp-s1tfK9/admin_pkcs10.bin']'
2014-12-29 13:25:20 pkispawn : INFO ....... ['BtoA',
'/tmp/tmp-s1tfK9/admin_pkcs10.bin', '/tmp/tmp-s1tfK9/admin_pkcs10.bin.asc']
2014-12-29 13:25:21 pkispawn : INFO ....... configuring PKI
configuration data.
2014-12-29 13:25:21 pkispawn : ERROR ....... Exception from Java
Configuration Servlet: Error in creating pkcs12 to backup keys and
certs: org.mozilla.jss.crypto.ObjectNotFoundException
2014-12-29 13:25:21 pkispawn : DEBUG ....... Error Type: HTTPError
2014-12-29 13:25:21 pkispawn : DEBUG ....... Error Message: 500
Server Error: Internal Server Error
2014-12-29 13:25:21 pkispawn : DEBUG ....... File
"/usr/sbin/pkispawn", line 374, in main
rv = instance.spawn()
File
"/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line
128, in spawn
json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py",
line 2998, in configure_pki_data
response = client.configure(data)
File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in
configure
r = self.connection.post('/rest/installer/configure', data, headers)
File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
r.raise_for_status()
File "/usr/lib/python2.7/site-packages/requests/models.py", line 638,
in raise_for_status
raise http_error
From /var/log/pki/pki-tomcat/catalina.out
SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
SSLAuthenticatorWithFallback: Setting container
SSLAuthenticatorWithFallback: Initializing authenticators
SSLAuthenticatorWithFallback: Starting authenticators
CMS Warning: FAILURE: Cannot build CA chain. Error
java.security.cert.CertificateException: Certificate is not a PKCS #11
certificate|FAILURE: authz instance DirAclAut
hz initialization failed and skipped, error=Property
internaldb.ldapconn.port missing value|
Server is started.
Dec 29, 2014 1:16:00 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Dec 29, 2014 1:16:00 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Dec 29, 2014 1:16:00 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
Dec 29, 2014 1:16:00 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 6906 ms
13:16:02,887 INFO
(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) -
Deploying javax.ws.rs.core.Application: class com.netscape.ca.Certificat
eAuthorityApplication
13:16:02,900 INFO
(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) -
Adding singleton provider com.netscape.certsrv.acls.ACLInterceptor from
Application javax.ws.rs.core.Application
13:16:02,901 INFO
(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82) -
Adding singleton provider com.netscape.certsrv.authentication.AuthMethod
Interceptor from Application javax.ws.rs.core.Application
13:16:03,161 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) -
PathInfo: /installer/configure
AuthInterceptor: SystemConfigResource.configure()
AuthInterceptor: mapping name: default
AuthInterceptor: required auth methods: [*]
AuthInterceptor: anonymous access allowed
13:25:21,125 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) -
PathInfo: /installer/configure
AuthInterceptor: SystemConfigResource.configure()
AuthInterceptor: mapping name: default
AuthInterceptor: required auth methods: [*]
AuthInterceptor: anonymous access allowed
java.security.cert.CertificateEncodingException: Security library failed
to decode certificate package: (-8183) security library: improperly
formatted DER-encoded message.
at org.mozilla.jss.CryptoManager.importCertPackageNative(Native
Method)
at
org.mozilla.jss.CryptoManager.importCertPackage(CryptoManager.java:1042)
And so on.
openssl x509 -text -in ipa.crt
and
openssl x509 -text -in cacert.pem
Both work and display the signed cert as well as the CA's cert.
I've tried the process a couple of times on different lab environments and
always get the exact same result.
I saw an error above about an improperly formatted DER message, so I thought
I'd try converting the cacert's certificate from PEM to DER using
something like this:
openssl x509 -in cert.crt -outform der -out cert.der
But this did not fix the problem. In fact, ipa-server-install throws an
error immediately and does not seem to like DER formatted certificates.
Thanks,
Martin.
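A pre-flight check for the chain file, added here as an example that is not part of the original post or of FreeIPA/Dogtag: it reports whether the file is PEM or raw DER and whether each certificate body is well-formed DER, the two framing complaints visible in the logs above (the Java side's "improperly formatted DER-encoded message" and ipa-server-install rejecting DER input). Standard library only; the sample input is a constructed tiny SEQUENCE, not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def walk_der(buf, start=0, end=None):
    """Walk every TLV in buf[start:end], recursing into constructed types; ValueError if malformed."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated tag/length at offset %d" % pos)
        tag, first = buf[pos], buf[pos + 1]
        hdr, length = 2, first                 # short-form length: one byte
        if first & 0x80:                       # long form: low 7 bits = number of length bytes
            n = first & 0x7F
            if n == 0 or pos + 2 + n > end:
                raise ValueError("bad length header at offset %d" % pos)
            hdr, length = 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        body = pos + hdr
        if body + length > end:
            raise ValueError("length %d overruns data at offset %d" % (length, pos))
        if tag & 0x20:                         # constructed: contents are TLVs too
            walk_der(buf, body, body + length)
        pos = body + length

def check_chain(data):
    """Pre-flight a chain file: returns (fmt, [(label, error_or_None), ...])."""
    blocks = PEM_RE.findall(data.decode("ascii", "replace"))
    fmt = "PEM" if blocks else "DER"           # no PEM armour: treat the whole file as raw DER
    results = []
    for label, body in blocks or [("raw", data)]:
        try:
            der = base64.b64decode("".join(body.split()), validate=True) if blocks else body
            if der[:1] != b"\x30":
                raise ValueError("outer element is not a SEQUENCE")
            walk_der(der)
            results.append((label, None))
        except ValueError as exc:              # binascii.Error is a ValueError subclass
            results.append((label, str(exc)))
    return fmt, results

# Constructed sample input (not a real certificate): SEQUENCE { INTEGER 5, UTF8String "ca" }.
TINY_DER = bytes.fromhex("30070201050c026361")

def pem_wrap(der, label="CERTIFICATE"):
    return ("-----BEGIN %s-----\n%s-----END %s-----\n" % (label, base64.encodebytes(der).decode(), label)).encode()

GOOD_CHAIN = pem_wrap(TINY_DER) * 2        # two well-formed blocks, as a chain file would hold
BAD_CHAIN = pem_wrap(TINY_DER[:5])         # body truncated: length 7 claimed, 3 bytes present
```

This checks encoding only; whether the CA in cacert.pem actually signed ipa.crt is a separate check (e.g. openssl verify -CAfile cacert.pem ipa.crt).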