[Freeipa-users] ipa-server setup with external CA fails

Martin Kosek mkosek at redhat.com
Wed Mar 11 20:10:42 UTC 2015


On 03/11/2015 06:33 PM, Gould, Joshua wrote:
> We’re trying to setup RHEL7 with the latest updates. Our ipa-server shows
> ipa-server-4.1.0-18.el7.x86_64.
>
> On 3/11/15, 12:39 PM, "Dmitri Pal" <dpal at redhat.com> wrote:
>
>> On 03/11/2015 11:13 AM, Gould, Joshua wrote:
>>> We're trying to setup IPA with it acting as an intermediate CA against
>>> our test Active Directory environment.
>>>
>>> The first part goes well:
>>>
>>> # ipa-server-install -a admin-pass --hostname=server.domain.com -n
>>> unix.test.osuwmc -p password -P password -r UNIX.TEST.OSUWMC
>>> --external-ca --external-ca-type=mscs
>>>
>>> We send our CSR off to our AD admin and he signs it and gives us the
>>> cert. We go to import the cert with:
>>>
>>> # ipa-server-install  --external-cert-file=/root/ipa.crt
>>>
>>> It blows up when trying to create the RA cert.
>>>
>>> 2015-03-10T21:17:55Z DEBUG Process finished, return code=0
>>> 2015-03-10T21:17:55Z DEBUG stdout=
>>> Certificate request generated by Netscape certutil
>>> Phone: (not specified)
>>> Common Name: IPA RA
>>> Email: (not specified)
>>> Organization: UNIX.TEST.OSUWMC
>>> State: (not specified)
>>> Country: (not specified)
>>> -----BEGIN NEW CERTIFICATE REQUEST-----
>>> -----END NEW CERTIFICATE REQUEST-----
>>> 2015-03-10T21:17:55Z DEBUG stderr=
>>> Generating key.  This may take a few moments...
>>> 2015-03-10T21:17:55Z DEBUG Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>>     run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>>     method()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1149, in __request_ra_certificate
>>>     self.requestId = item_node[0].childNodes[0].data
>>> IndexError: list index out of range
>>> 2015-03-10T21:17:55Z DEBUG   [error] IndexError: list index out of range
>>> 2015-03-10T21:17:55Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
>>>     return_value = main_function()
>>>   File "/sbin/ipa-server-install", line 1170, in main
>>>     ca_signing_algorithm=options.ca_signing_algorithm)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
>>>     self.start_creation(runtime=210)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>>     run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>>     method()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1149, in __request_ra_certificate
>>>     self.requestId = item_node[0].childNodes[0].data
>>> 2015-03-10T21:17:55Z DEBUG The ipa-server-install command failed, exception: IndexError: list index out of range
>>>
>>>
>>> I've looked at the debug log. I believe this is the part that's most
>>> helpful.
>>>
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SelfTestSubsystem::runSelfTestsAtStartup():  ENTERING . . .
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SelfTestSubsystem::runSelfTestsAtStartup():    running "CAPresence"
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SelfTestSubsystem::runSelfTestsAtStartup():    running "SystemCertsVerification"
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=signing
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:caSigningCert cert-pki-ca
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=ocsp_signing
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:ocspSigningCert cert-pki-ca
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=ocspSigningCert cert-pki-ca] CIMC certificate verification
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=sslserver
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:Server-Cert cert-pki-ca
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Server-Cert cert-pki-ca] CIMC certificate verification
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=subsystem
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:subsystemCert cert-pki-ca
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=audit_signing
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed:auditSigningCert cert-pki-ca
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
>>>
>>> The selftests.log contradicts itself and I'm not really sure where to
>>> look next. Any ideas?
>>>
>>>
>>>     Joshua
>>>
>>>
>>>
>> Which version is it?
>> A similar problem has been seen with the early IPA 3.3 version and was
>> related to the format of the cert file returned by AD. AFAIR it contains
>> more certs than we expected.
>> Something along those lines.

I am CCing Jan Cholasta, who was fixing a very similar error in IPA 3.3.3 in
RHEL-7.0 (it should have been fixed in RHEL-7.1); he should have more context.

I am also CCing Endi from Dogtag team, he may also have some idea from PKI side.

HTH,
Martin
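Dmitri's hint points at the file the AD admin handed back rather than at IPA itself. As an added example, not code from this thread or from FreeIPA, the following Python check reports what such a file actually contains (PEM or DER, how many certificates, and whether a CSR or PKCS7 block was pasted back instead of a certificate) so it can be compared against what `--external-cert-file` expects before re-running the installer. The sample inputs are constructed stand-ins, and the DER and PEM heuristics are the example's own assumptions, not the installer's logic.

```python
import base64
import re

# One PEM block: "-----BEGIN <label>-----", base64 body, "-----END <label>-----"
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def parse_pem(text: str) -> list:
    """Return every PEM block in text as (label, decoded DER bytes)."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_RE.findall(text)]


def inspect_external_cert_file(data: bytes) -> dict:
    """Describe a file returned by the external CA operator: encoding, number of
    certificates, and findings to resolve before passing it to --external-cert-file."""
    findings = []
    if data[:1] == b"\x30":  # bare DER: a single ASN.1 SEQUENCE, nothing more to split
        return {"format": "DER", "certs": 1, "findings": findings}
    blocks = parse_pem(data.decode("utf-8", errors="replace"))
    if not blocks:
        findings.append("neither DER nor PEM: empty file or an unrecognised wrapper")
    certs = 0
    for label, der in blocks:
        if label == "CERTIFICATE":
            certs += 1
        else:  # the CSR pasted back, or a PKCS7 (.p7b) bundle, is not a certificate
            findings.append(f"unexpected PEM block {label!r}")
        if der[:1] != b"\x30":
            findings.append(f"{label} body is not a DER SEQUENCE: base64 looks corrupted")
    if certs > 1:
        findings.append(f"{certs} certificates in one file: a chain, not only the signed CA cert")
    return {"format": "PEM", "certs": certs, "findings": findings}


# Constructed samples: a minimal DER SEQUENCE stands in for real certificate bodies.
_FAKE_DER = b"\x30\x03\x02\x01\x01"
_FAKE_B64 = base64.b64encode(_FAKE_DER).decode()


def _pem(label: str) -> str:
    return f"-----BEGIN {label}-----\n{_FAKE_B64}\n-----END {label}-----\n"


SAMPLE_CHAIN = (_pem("CERTIFICATE") * 2).encode()           # signed CA cert plus its issuer
SAMPLE_CSR_ONLY = _pem("NEW CERTIFICATE REQUEST").encode()  # the request handed back unsigned
if __name__ == "__main__":
    for name, sample in (("chain", SAMPLE_CHAIN), ("csr", SAMPLE_CSR_ONLY), ("der", _FAKE_DER)):
        print(name, inspect_external_cert_file(sample))
```

Run it against the real file with `inspect_external_cert_file(open("/root/ipa.crt", "rb").read())`; a chain finding means the issuer certificate should be separated out rather than fed to the installer as one blob.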
