[Freeipa-users] Freeipa 3.3.3 and --external-ca
Daniel Hjorth
Daniel.Hjorth at octanner.com
Tue Dec 30 18:02:45 UTC 2014
Hi Martin,
I think I ran into the same problem. Do you know which signing algorithm
your external CA used? In my case the external CA is on Server 2003 which
only allowed SHA1 but IPA 3.3.3 seems to require SHA256.
I was not able to get my CA to use SHA256 so I applied the diff from the
commit below:
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=081580779b2609c3a4
53077042f7d3fc7b25a57d
I then used the "--ca-signing-algorithm=" option when installing IPA.
This may not be the best solution but it worked and I haven¹t seen any
issues.
Hope this helps,
Daniel
On 12/29/14, 3:02 PM, "Martin Minkus" <martin.minkus at corp.sonic.net> wrote:
>Hi all,
>
>I'm running Freeipa 3.3.3 on CentOS 7.0.
>
>It worked fine self signed but I am having difficulty getting it to work
>with --exernal-ca. I've seen a few other reports of this on the list
>with no resolution, so I'm not sure whether this is simply broken in
>this version or what? Maybe I'm just doing something wrong. :)
>
>>From /var/log/ipaserver-install.log
>
>
>2014-12-29T21:25:19Z DEBUG Starting external process
>2014-12-29T21:25:19Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp00n3qN
>2014-12-29T21:25:21Z DEBUG Process finished, return code=1
>2014-12-29T21:25:21Z DEBUG stdout=Loading deployment configuration from
>/tmp/tmp00n3qN.
>Installing CA into /var/lib/pki/pki-tomcat.
>loading external CA signing certificate from file: '/root/ipa.crt'
>loading external CA signing certificate chain from file: '/tmp/tmpnVtMl7'
>Installation failed.
>
>
>2014-12-29T21:25:21Z DEBUG stderr=pkispawn : ERROR .......
>Exception from Java Configuration Servlet: Error in creating pkcs12 to
>backup keys and certs: org.mozilla.jss.crypto.ObjectNotFoundException
>
>2014-12-29T21:25:21Z CRITICAL failed to configure ca instance Command
>'/usr/sbin/pkispawn -s CA -f /tmp/tmp00n3qN' returned non-zero exit
>status 1
>2014-12-29T21:25:21Z DEBUG File
>"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
>line 638, in run_script
> return_value = main_function()
>
> File "/sbin/ipa-server-install", line 1094, in main
> subject_base=options.subject)
>
> File
>"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>478, in configure_instance
> self.start_creation(runtime=210)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>line 364, in start_creation
> method()
>
> File
>"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>615, in __spawn_instance
> raise RuntimeError('Configuration of CA failed')
>
>2014-12-29T21:25:21Z DEBUG The ipa-server-install command failed,
>exception: RuntimeError: Configuration of CA failed
>
>
>>From /var/log/pki/pki-ca-spawn.20141229132519.log
>
>2014-12-29 13:25:19 pkispawn : INFO ... skip populating
>'pki.deployment.infrastructure_layout'
>2014-12-29 13:25:19 pkispawn : INFO ... skip populating
>'pki.deployment.instance_layout'
>2014-12-29 13:25:19 pkispawn : INFO ... skip populating
>'pki.deployment.subsystem_layout'
>2014-12-29 13:25:19 pkispawn : INFO ... skip populating
>'pki.deployment.selinux_setup'
>2014-12-29 13:25:19 pkispawn : INFO ... skip deploying
>'pki.deployment.webapp_deployment'
>2014-12-29 13:25:19 pkispawn : INFO ... skip assigning slots for
>'pki.deployment.slot_substitution'
>2014-12-29 13:25:19 pkispawn : INFO ... skip generating
>'pki.deployment.security_databases'
>2014-12-29 13:25:19 pkispawn : INFO ... configuring
>'pki.deployment.configuration'
>2014-12-29 13:25:19 pkispawn : INFO ....... modifying
>'/root/.dogtag/pki-tomcat/ca/password.conf'
>2014-12-29 13:25:19 pkispawn : DEBUG ........... chmod 660
>/root/.dogtag/pki-tomcat/ca/password.conf
>2014-12-29 13:25:19 pkispawn : DEBUG ........... chown 0:0
>/root/.dogtag/pki-tomcat/ca/password.conf
>2014-12-29 13:25:19 pkispawn : INFO ....... modifying
>'/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
>2014-12-29 13:25:19 pkispawn : DEBUG ........... chmod 660
>/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>2014-12-29 13:25:19 pkispawn : DEBUG ........... chown 992:991
>/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>2014-12-29 13:25:19 pkispawn : INFO ....... executing 'certutil
>-N -d /tmp/tmp-s1tfK9 -f /root/.dogtag/pki-tomcat/ca/password.conf'
>2014-12-29 13:25:19 pkispawn : INFO ....... executing 'systemctl
>start pki-tomcatd at pki-tomcat.service'
>2014-12-29 13:25:19 pkispawn : DEBUG ........... <?xml
>version="1.0" encoding="UTF-8"
>standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>runni
>ng</Status><Version>10.0.5-3.el7</Version></XMLResponse>
>2014-12-29 13:25:20 pkispawn : INFO ....... constructing PKI
>configuration data.
>2014-12-29 13:25:20 pkispawn : INFO ....... generating noise file
>called '/tmp/tmp-s1tfK9/noise' and filling it with '2048' random bytes
>2014-12-29 13:25:20 pkispawn : DEBUG ........... chmod 660
>/tmp/tmp-s1tfK9/noise
>2014-12-29 13:25:20 pkispawn : DEBUG ........... chown 992:991
>/tmp/tmp-s1tfK9/noise
>2014-12-29 13:25:20 pkispawn : INFO ....... executing
>'['certutil', '-R', '-d', '/tmp/tmp-s1tfK9', '-s',
>'cn=ipa-ca-agent,O=IPA.SONIC.NET', '-g', '2048', '-z',
>'/tmp/tmp-s1tfK9/noise', '-f',
>'/root/.dogtag/pki-tomcat/ca/password.conf', '-o',
>'/tmp/tmp-s1tfK9/admin_pkcs10.bin']'
>2014-12-29 13:25:20 pkispawn : INFO ....... ['BtoA',
>'/tmp/tmp-s1tfK9/admin_pkcs10.bin',
>'/tmp/tmp-s1tfK9/admin_pkcs10.bin.asc']
>2014-12-29 13:25:21 pkispawn : INFO ....... configuring PKI
>configuration data.
>2014-12-29 13:25:21 pkispawn : ERROR ....... Exception from Java
>Configuration Servlet: Error in creating pkcs12 to backup keys and
>certs: org.mozilla.jss.crypto.ObjectNotFoundException
>2014-12-29 13:25:21 pkispawn : DEBUG ....... Error Type: HTTPError
>2014-12-29 13:25:21 pkispawn : DEBUG ....... Error Message: 500
>Server Error: Internal Server Error
>2014-12-29 13:25:21 pkispawn : DEBUG ....... File
>"/usr/sbin/pkispawn", line 374, in main
> rv = instance.spawn()
> File
>"/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line
>128, in spawn
> json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
> File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py",
>line 2998, in configure_pki_data
> response = client.configure(data)
> File "/usr/lib/python2.7/site-packages/pki/system.py", line 80, in
>configure
> r = self.connection.post('/rest/installer/configure', data, headers)
> File "/usr/lib/python2.7/site-packages/pki/client.py", line 64, in post
> r.raise_for_status()
> File "/usr/lib/python2.7/site-packages/requests/models.py", line 638,
>in raise_for_status
> raise http_error
>
>
>>From /var/log/pki/pki-tomcat/catalina.out
>
>SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
>SSLAuthenticatorWithFallback: Setting container
>SSLAuthenticatorWithFallback: Initializing authenticators
>SSLAuthenticatorWithFallback: Starting authenticators
>CMS Warning: FAILURE: Cannot build CA chain. Error
>java.security.cert.CertificateException: Certificate is not a PKCS #11
>certificate|FAILURE: authz instance DirAclAut
>hz initialization failed and skipped, error=Property
>internaldb.ldapconn.port missing value|
>Server is started.
>Dec 29, 2014 1:16:00 PM org.apache.coyote.AbstractProtocol start
>INFO: Starting ProtocolHandler ["http-bio-8080"]
>Dec 29, 2014 1:16:00 PM org.apache.coyote.AbstractProtocol start
>INFO: Starting ProtocolHandler ["http-bio-8443"]
>Dec 29, 2014 1:16:00 PM org.apache.coyote.AbstractProtocol start
>INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
>Dec 29, 2014 1:16:00 PM org.apache.catalina.startup.Catalina start
>INFO: Server startup in 6906 ms
>13:16:02,887 INFO
>(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82)
>-
>Deploying javax.ws.rs.core.Application: class com.netscape.ca.Certificat
>eAuthorityApplication
>13:16:02,900 INFO
>(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82)
>-
>Adding singleton provider com.netscape.certsrv.acls.ACLInterceptor from
>Application javax.ws.rs.core.Application
>13:16:02,901 INFO
>(org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher:82)
>-
>Adding singleton provider com.netscape.certsrv.authentication.AuthMethod
>Interceptor from Application javax.ws.rs.core.Application
>13:16:03,161 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) -
>PathInfo: /installer/configure
>AuthInterceptor: SystemConfigResource.configure()
>AuthInterceptor: mapping name: default
>AuthInterceptor: required auth methods: [*]
>AuthInterceptor: anonymous access allowed
>13:25:21,125 DEBUG (org.jboss.resteasy.core.SynchronousDispatcher:60) -
>PathInfo: /installer/configure
>AuthInterceptor: SystemConfigResource.configure()
>AuthInterceptor: mapping name: default
>AuthInterceptor: required auth methods: [*]
>AuthInterceptor: anonymous access allowed
>java.security.cert.CertificateEncodingException: Security library failed
>to decode certificate package: (-8183) security library: improperly
>formatted DER-encoded message.
> at org.mozilla.jss.CryptoManager.importCertPackageNative(Native
>Method)
> at
>org.mozilla.jss.CryptoManager.importCertPackage(CryptoManager.java:1042)
>
>
>And so on.
>
>openssl x509 -text -in ipa.crt
>and
>openssl x509 -text -in cacert.pem
>
>Both work and display the signed cert as well as the CA's cert.
>
>I've tried the process a couple times on different lab environments and
>always get the exact same result.
>
>I saw an error above about imporperly formatted DER message so I thought
>I'd try converting the cacert's certificate from PEM to DER using
>something like this:
>
>openssl x509 -in cert.crt -outform der -out cert.der
>
>But this did not fix the problem. In fact, ipa-server-install throws an
>error immediately and does not seem to like DER formatted certificates.
>
>Thanks,
>Martin.
>
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go To http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list