[Freeipa-users] ipa-server setup with external CA fails

Gould, Joshua Joshua.Gould at osumc.edu
Wed Mar 11 17:33:43 UTC 2015


We're trying to set up RHEL7 with the latest updates. Our ipa-server shows
ipa-server-4.1.0-18.el7.x86_64.

On 3/11/15, 12:39 PM, "Dmitri Pal" <dpal at redhat.com> wrote:

>On 03/11/2015 11:13 AM, Gould, Joshua wrote:
>> We're trying to set up IPA with it acting as an intermediate CA against
>> our test Active Directory environment.
>>
>> The first part goes well:
>>
>> # ipa-server-install -a admin-pass --hostname=server.domain.com -n
>> unix.test.osuwmc -p password -P password -r UNIX.TEST.OSUWMC
>> --external-ca --external-ca-type=ms-cs
>>
>> We send our CSR off to our AD admin and he signs it and gives us the
>> cert.
>> We go to import the cert with:
>>
>> # ipa-server-install  --external-cert-file=/root/ipa.crt
>>
>> It blows up when trying to create the RA cert.
>>
>> 2015-03-10T21:17:55Z DEBUG Process finished, return code=0
>> 2015-03-10T21:17:55Z DEBUG stdout=
>> Certificate request generated by Netscape certutil
>> Phone: (not specified)
>> Common Name: IPA RA
>> Email: (not specified)
>> Organization: UNIX.TEST.OSUWMC
>> State: (not specified)
>> Country: (not specified)
>> -----BEGIN NEW CERTIFICATE REQUEST-----
>> -----END NEW CERTIFICATE REQUEST-----
>> 2015-03-10T21:17:55Z DEBUG stderr=
>> Generating key.  This may take a few moments...
>> 2015-03-10T21:17:55Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1149, in __request_ra_certificate
>>     self.requestId = item_node[0].childNodes[0].data
>> IndexError: list index out of range
>> 2015-03-10T21:17:55Z DEBUG   [error] IndexError: list index out of range
>> 2015-03-10T21:17:55Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
>>     return_value = main_function()
>>   File "/sbin/ipa-server-install", line 1170, in main
>>     ca_signing_algorithm=options.ca_signing_algorithm)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
>>     self.start_creation(runtime=210)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>     method()
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1149, in __request_ra_certificate
>>     self.requestId = item_node[0].childNodes[0].data
>> 2015-03-10T21:17:55Z DEBUG The ipa-server-install command failed, exception: IndexError: list index out of range
>>
>>
>> I've looked at the debug log. I believe this is the part that's most
>> helpful.
>>
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SelfTestSubsystem::runSelfTestsAtStartup():  ENTERING . . .
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SelfTestSubsystem::runSelfTestsAtStartup():    running "CAPresence"
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SelfTestSubsystem::runSelfTestsAtStartup():    running "SystemCertsVerification"
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=signing
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:caSigningCert cert-pki-ca
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification
>>
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=ocsp_signing
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:ocspSigningCert cert-pki-ca
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=ocspSigningCert cert-pki-ca] CIMC certificate verification
>>
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=sslserver
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:Server-Cert cert-pki-ca
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Server-Cert cert-pki-ca] CIMC certificate verification
>>
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=subsystem
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:subsystemCert cert-pki-ca
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification
>>
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=audit_signing
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed:auditSigningCert cert-pki-ca
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
>>
>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
>>
>> The selftests.log contradicts itself and I'm not really sure where to
>> look next. Any ideas?
>>
>>
>>    Joshua
>>
>>
>>
>Which version is it?
>A similar problem has been seen with the early IPA 3.3 version and was
>related to the format of the cert file returned by AD. AFAIR it contains
>more certs than we expected.
>Something along those lines.
>
>-- 
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager IdM portfolio
>Red Hat, Inc.
>
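Dmitri's pointer is that the file AD hands back may hold more than the single certificate the installer expects. The following is an added example, not part of the thread and not FreeIPA's own code: a small Python check that lists what each PEM block in the file passed to --external-cert-file actually is (an X.509 certificate or a PKCS#7 bundle), run here against constructed sample input; /root/ipa.crt is the path from the original post.

```python
import base64
import re

# Matches each PEM block; the label is captured so BEGIN and END must agree.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
# DER-encoded value of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData)
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")

def read_tlv(buf, pos=0):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify(der):
    """Return 'certificate', 'pkcs7' or 'unknown' from the outer DER structure."""
    if len(der) < 2 or der[0] != 0x30:  # both types start with a SEQUENCE
        return "unknown"
    _, start, _ = read_tlv(der)
    inner_tag, istart, iend = read_tlv(der, start)
    if inner_tag == 0x06 and der[istart:iend] == SIGNED_DATA_OID:
        return "pkcs7"                # ContentInfo { contentType = signedData, ... }
    if inner_tag == 0x30:
        return "certificate"          # Certificate { tbsCertificate SEQUENCE, ... }
    return "unknown"

def inspect_cert_file(text):
    """List (pem_label, kind) for every PEM block in the file contents."""
    result = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()))
        result.append((label.strip(), classify(der)))
    return result

def pem(label, der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)

# Constructed sample blobs: structurally minimal DER, not real certificates.
FAKE_CERT = b"\x30\x05\x30\x03\x02\x01\x02"      # SEQUENCE { SEQUENCE { INTEGER 2 } }
FAKE_P7 = b"\x30\x0b\x06\x09" + SIGNED_DATA_OID  # SEQUENCE { OID signedData }
# A file holding a two-cert chain plus a PKCS#7 bundle instead of one expected cert
SAMPLE = pem("CERTIFICATE", FAKE_CERT) * 2 + pem("PKCS7", FAKE_P7)
# Real use: inspect_cert_file(open("/root/ipa.crt").read())
```

A file that yields more than one entry, or any "pkcs7" entry, is worth splitting into its individual certificates before handing it to the installer.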