[Freeipa-users] ipa-server setup with external CA fails

Gould, Joshua Joshua.Gould at osumc.edu
Wed Mar 11 15:13:50 UTC 2015 

We¹re trying to setup IPA with it acting as an intermediate CA against our
test Active Directory environment.

The first part goes well:

# ipa-server-install -a admin-pass ‹hostname=server.domain.com -n
unix.test.osuwmc -p  password -P password  -r UNIX.TEST.OSUWMC
--external-ca ‹external-ca-type=ms­cs

We send our CSR off to our AD admin and he signs it on gives us the cert.
We go to import the cert with:

# ipa-server-install  --external-cert-file=/root/ipa.crt

It blows up when trying to create the RA cert.

2015-03-10T21:17:55Z DEBUG Process finished, return code=0
2015-03-10T21:17:55Z DEBUG stdout=
Certificate request generated by Netscape certutil
Phone: (not specified)
Common Name: IPA RA
Email: (not specified)
Organization: UNIX.TEST.OSUWMC
State: (not specified)
Country: (not specified)
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICcTCCAVkCAQAwLDEZMBcGA1UEChMQVU5JWC5URVNULk9TVVdNQzEPMA0GA1UE
AxMGSVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0DavkHxe
PoY8q6UWCAHKWOCCv8PvU7J5scsmdLfjSyN8rIgq8pGoICAqawm9lZntD8G/7sJQ
H2bNDe08DooGbdTLHB2j3JViUUlQn2YlWw7IXm6mgwxStGLSS/G+CnyVPdGWV48X
GHb7GLLNYD8nhpzNzqVGsVMTyV/dqD7y8srbpPjmAqH+VjKLDSmr3pgV2IvOUEpW
wePYJW7h4FBQtwQpPgo30oXMqXa/ob8RJ4NQ74Uv6irq9G2IXNpKhAbHB1YZ+DGm
FJFlURdxey0FUbDn1WqMeVLa6SMURZI1zncMxB6bwgax/2VdYVeYHiVU9GgGmw0F
VgUjgpg0RMCaSQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAI1YCN5oS2o5+fky
jTNCeWFq+oEyHcuPtGzBAA5HMNEsoFvIY0sut+lf7Upw/ZHvV/F09DPwT+Xrm8yp
D0e6F6HawEV+NvKYk2kmpK9xxyOi0raBz1WuvlmqwGhiTOxpk+nIW5wiNhiOJmzd
xLojqGnkP5tBuYtHXUFqps7KDknsk5VxoAGe3/ZvsDvqlYXF93V+/nXv90X2yEKH
+wLUCDtS5WRWtnxTs1bWsMjBsTyDcv8XBdWqDO/4DVLs9HjHijfsUtUqg8bR5dU1
kVM+yLXVogJPBMN79SJQ1un8IWNMHCallsX3urNbXxYuSlqsh6UCdRLXFW44jJIK
xAmXvOg=
-----END NEW CERTIFICATE REQUEST-----
2015-03-10T21:17:55Z DEBUG stderr=
Generating key.  This may take a few moments...
2015-03-10T21:17:55Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation
     run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 372, in run_step
     method()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1149, in __request_ra_certificate
     self.requestId = item_node[0].childNodes[0].data
IndexError: list index out of range
2015-03-10T21:17:55Z DEBUG   [error] IndexError: list index out of range
2015-03-10T21:17:55Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 646, in run_script
     return_value = main_function()
   File "/sbin/ipa-server-install", line 1170, in main
     ca_signing_algorithm=options.ca_signing_algorithm)
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
520, in configure_instance
     self.start_creation(runtime=210)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation
     run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 372, in run_step
     method()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1149, in __request_ra_certificate
     self.requestId = item_node[0].childNodes[0].data
2015-03-10T21:17:55Z DEBUG The ipa-server-install command failed,
exception: IndexError: list index out of range


I¹ve looked at the debug log. I believe this is the part that¹s most
helpful. 

[10/Mar/2015:17:17:24][localhost-startStop-1]:
SelfTestSubsystem::runSelfTestsAtStartup():  ENTERING . . .
[10/Mar/2015:17:17:24][localhost-startStop-1]:
SelfTestSubsystem::runSelfTestsAtStartup():    running "CAPresence"
[10/Mar/2015:17:17:24][localhost-startStop-1]:
SelfTestSubsystem::runSelfTestsAtStartup():    running
"SystemCertsVerification"
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=signing
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed:caSigningCert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
create() 
message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Fai
lure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification

[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=ocsp_signing
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed:ocspSigningCert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
create() 
message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Fai
lure][CertNickName=ocspSigningCert cert-pki-ca] CIMC certificate
verification

[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=sslserver
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed:Server-Cert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
create() 
message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Fai
lure][CertNickName=Server-Cert cert-pki-ca] CIMC certificate verification

[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=subsystem
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed:subsystemCert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
create() 
message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Fai
lure][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification

[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=audit_signing
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() passed:auditSigningCert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
create() 
message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Suc
cess][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate
verification

[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
create() 
message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failur
e] self tests execution (see selftests.log for details)

The selftests.log contradicts itself and I¹m not really sure where to look
next. Any ideas?


  Joshua

More information about the Freeipa-users mailing list