[Freeipa-users] ipa-server setup with external CA fails

Jan Cholasta jcholast at redhat.com
Thu Mar 12 06:14:40 UTC 2015


Dne 11.3.2015 v 21:10 Martin Kosek napsal(a):
> On 03/11/2015 06:33 PM, Gould, Joshua wrote:
>> We're trying to set up RHEL7 with the latest updates. Our ipa-server shows
>> ipa-server-4.1.0-18.el7.x86_64.
>>
>> On 3/11/15, 12:39 PM, "Dmitri Pal" <dpal at redhat.com> wrote:
>>
>>> On 03/11/2015 11:13 AM, Gould, Joshua wrote:
>>>> We're trying to set up IPA with it acting as an intermediate CA against
>>>> our test Active Directory environment.
>>>>
>>>> The first part goes well:
>>>>
>>>> # ipa-server-install -a admin-pass --hostname=server.domain.com -n
>>>> unix.test.osuwmc -p  password -P password  -r UNIX.TEST.OSUWMC
>>>> --external-ca --external-ca-type=ms-cs
>>>>
>>>> We send our CSR off to our AD admin and he signs it and gives us the
>>>> cert.
>>>> We go to import the cert with:
>>>>
>>>> # ipa-server-install  --external-cert-file=/root/ipa.crt
>>>>
>>>> It blows up when trying to create the RA cert.
>>>>
>>>> 2015-03-10T21:17:55Z DEBUG Process finished, return code=0
>>>> 2015-03-10T21:17:55Z DEBUG stdout=
>>>> Certificate request generated by Netscape certutil
>>>> Phone: (not specified)
>>>> Common Name: IPA RA
>>>> Email: (not specified)
>>>> Organization: UNIX.TEST.OSUWMC
>>>> State: (not specified)
>>>> Country: (not specified)
>>>> -----BEGIN NEW CERTIFICATE REQUEST-----
>>>> MIICcTCCAVkCAQAwLDEZMBcGA1UEChMQVU5JWC5URVNULk9TVVdNQzEPMA0GA1UE
>>>> AxMGSVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0DavkHxe
>>>> PoY8q6UWCAHKWOCCv8PvU7J5scsmdLfjSyN8rIgq8pGoICAqawm9lZntD8G/7sJQ
>>>> H2bNDe08DooGbdTLHB2j3JViUUlQn2YlWw7IXm6mgwxStGLSS/G+CnyVPdGWV48X
>>>> GHb7GLLNYD8nhpzNzqVGsVMTyV/dqD7y8srbpPjmAqH+VjKLDSmr3pgV2IvOUEpW
>>>> wePYJW7h4FBQtwQpPgo30oXMqXa/ob8RJ4NQ74Uv6irq9G2IXNpKhAbHB1YZ+DGm
>>>> FJFlURdxey0FUbDn1WqMeVLa6SMURZI1zncMxB6bwgax/2VdYVeYHiVU9GgGmw0F
>>>> VgUjgpg0RMCaSQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAI1YCN5oS2o5+fky
>>>> jTNCeWFq+oEyHcuPtGzBAA5HMNEsoFvIY0sut+lf7Upw/ZHvV/F09DPwT+Xrm8yp
>>>> D0e6F6HawEV+NvKYk2kmpK9xxyOi0raBz1WuvlmqwGhiTOxpk+nIW5wiNhiOJmzd
>>>> xLojqGnkP5tBuYtHXUFqps7KDknsk5VxoAGe3/ZvsDvqlYXF93V+/nXv90X2yEKH
>>>> +wLUCDtS5WRWtnxTs1bWsMjBsTyDcv8XBdWqDO/4DVLs9HjHijfsUtUqg8bR5dU1
>>>> kVM+yLXVogJPBMN79SJQ1un8IWNMHCallsX3urNbXxYuSlqsh6UCdRLXFW44jJIK
>>>> xAmXvOg=
>>>> -----END NEW CERTIFICATE REQUEST-----
>>>> 2015-03-10T21:17:55Z DEBUG stderr=
>>>> Generating key.  This may take a few moments...
>>>> 2015-03-10T21:17:55Z DEBUG Traceback (most recent call last):
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>>>     run_step(full_msg, method)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1149, in __request_ra_certificate
>>>>     self.requestId = item_node[0].childNodes[0].data
>>>> IndexError: list index out of range
>>>> 2015-03-10T21:17:55Z DEBUG   [error] IndexError: list index out of range
>>>> 2015-03-10T21:17:55Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
>>>>     return_value = main_function()
>>>>   File "/sbin/ipa-server-install", line 1170, in main
>>>>     ca_signing_algorithm=options.ca_signing_algorithm)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
>>>>     self.start_creation(runtime=210)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>>>>     run_step(full_msg, method)
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>>>>     method()
>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1149, in __request_ra_certificate
>>>>     self.requestId = item_node[0].childNodes[0].data
>>>> 2015-03-10T21:17:55Z DEBUG The ipa-server-install command failed, exception: IndexError: list index out of range
>>>>
>>>>
>>>> I've looked at the debug log. I believe this is the part that's most
>>>> helpful.
>>>>
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SelfTestSubsystem::runSelfTestsAtStartup():  ENTERING . . .
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SelfTestSubsystem::runSelfTestsAtStartup():    running "CAPresence"
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SelfTestSubsystem::runSelfTestsAtStartup():    running "SystemCertsVerification"
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=signing
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:caSigningCert cert-pki-ca
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create()
>>>> message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification
>>>>
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=ocsp_signing
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:ocspSigningCert cert-pki-ca
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create()
>>>> message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=ocspSigningCert cert-pki-ca] CIMC certificate verification
>>>>
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=sslserver
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:Server-Cert cert-pki-ca
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create()
>>>> message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Server-Cert cert-pki-ca] CIMC certificate verification
>>>>
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=subsystem
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed:subsystemCert cert-pki-ca
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create()
>>>> message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification
>>>>
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=audit_signing
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed:auditSigningCert cert-pki-ca
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create()
>>>> message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
>>>>
>>>> [10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create()
>>>> message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
>>>>
>>>> The selftests.log contradicts itself and I'm not really sure where to
>>>> look next. Any ideas?
>>>>
>>>>
>>>>     Joshua
>>>>
>>>>
>>>>
>>> Which version is it?
>>> A similar problem has been seen with the early IPA 3.3 version and was
>>> related to the format of the cert file returned by AD. AFAIR it contains
>>> more certs than we expected.
>>> Something along those lines.
>
> I am CCing Jan Cholasta who was fixing very similar error in IPA 3.3.3
> in RHEL-7.0 (should have been fixed in RHEL-7.1), he should have more
> context.
>
> I am also CCing Endi from Dogtag team, he may also have some idea from
> PKI side.
>
> HTH,
> Martin

I would like to see /root/ipa.crt and /etc/pki/pki-tomcat/ca/CS.cfg. 
Without them, I can't really tell what's wrong.

-- 
Jan Cholasta
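A first look at the file Jan asks for, as an added example that is not part of the thread and not FreeIPA or Dogtag code. Dmitri's hunch is about the shape of what the AD admin handed back: AD CS web enrollment offers the signed certificate either as a single DER or Base-64 certificate or as a PKCS #7 "certificate chain" download, and the three look alike in a text editor. The Python below (standard library only) tells them apart: it classifies the raw bytes as PEM or DER, lists every PEM block by label, and for a CERTIFICATE or CERTIFICATE REQUEST block walks the DER itself to pull out the subject, issuer and signature algorithm, so one can see how many certificates the file holds and in what order before feeding it to ipa-server-install. The sample input embedded below is the IPA RA CSR quoted earlier in the thread, since it is the only certificate-shaped data on the page; the path /root/ipa.crt in the comments is the one from Joshua's command. The chain summary compares subject and issuer names only; it does not verify signatures, and a PKCS #7 block is reported but not unwrapped.

```python
import base64
import re

# Added example, not FreeIPA or Dogtag code: triage a certificate file such as /root/ipa.crt
# without openssl. Is it PEM or DER, how many blocks does it hold, and what do they say?
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 #]+)-----\s*(.*?)\s*-----END \1-----", re.S)
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "0.9.2342.19200300.100.1.25": "DC"}
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}


def detect_format(data: bytes) -> str:
    """PEM, DER or unknown; a UTF-8 BOM (added by some Windows editors) is tolerated."""
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    if b"-----BEGIN " in data:
        return "PEM"
    return "DER" if data[:1] == b"\x30" else "unknown"   # 0x30 = ASN.1 SEQUENCE tag


def _read_tlv(buf, pos):
    """One DER tag/length: (tag, content_start, content_end, next_pos); long-form lengths handled."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length


def _children(buf, start, end):
    """The TLVs directly inside a constructed element, as (tag, start, end)."""
    out, pos = [], start
    while pos < end:
        tag, cs, ce, pos = _read_tlv(buf, pos)
        out.append((tag, cs, ce))
    return out


def _decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _decode_name(buf, start, end):
    """X.501 Name -> 'O=...,CN=...' in encoded order (RDN SETs of type/value pairs)."""
    parts = []
    for _, rdn_s, rdn_e in _children(buf, start, end):
        for _, atv_s, atv_e in _children(buf, rdn_s, rdn_e):
            (_, o_s, o_e), (_, v_s, v_e) = _children(buf, atv_s, atv_e)[:2]
            oid = _decode_oid(buf[o_s:o_e])
            parts.append(f"{OID_NAMES.get(oid, oid)}={buf[v_s:v_e].decode('utf-8', 'replace')}")
    return ",".join(parts)


def describe_der(label, der):
    """Subject, issuer and signature algorithm of a DER certificate or CSR; other labels are only sized."""
    info = {"label": label, "der_len": len(der), "subject": None, "issuer": None, "sig_alg": None}
    if "CERTIFICATE" not in label:      # e.g. PKCS7: unwrap with `openssl pkcs7 -print_certs` first
        return info
    _, body_s, body_e, _ = _read_tlv(der, 0)
    (_, inner_s, inner_e), (_, alg_s, alg_e) = _children(der, body_s, body_e)[:2]
    fields = _children(der, inner_s, inner_e)
    if "REQUEST" in label:              # CertificationRequestInfo: version, subject, spki, attributes
        subject = fields[1]
    else:                               # TBSCertificate: [0] version?, serial, alg, issuer, validity, subject
        if fields[0][0] == 0xA0:
            fields = fields[1:]
        info["issuer"] = _decode_name(der, fields[2][1], fields[2][2])
        subject = fields[4]
    info["subject"] = _decode_name(der, subject[1], subject[2])
    _, o_s, o_e = _children(der, alg_s, alg_e)[0]   # AlgorithmIdentifier: the OID comes first
    oid = _decode_oid(der[o_s:o_e])
    info["sig_alg"] = SIG_ALGS.get(oid, oid)
    return info


def inspect_pem(text):
    """Describe every PEM block in file order."""
    return [describe_der(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(text)]


def summarize(blocks):
    """What the installer cares about: how many certificates, and the subject -> issuer order."""
    certs = [b for b in blocks if b["label"] == "CERTIFICATE"]
    return {"certificates": len(certs), "requests": sum("REQUEST" in b["label"] for b in blocks),
            "other": [b["label"] for b in blocks if "CERTIFICATE" not in b["label"]],
            "chain": [(c["subject"], c["issuer"]) for c in certs]}


# Sample input: the IPA RA CSR quoted in the thread (the only certificate-shaped data on the page).
PAGE_CSR = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIICcTCCAVkCAQAwLDEZMBcGA1UEChMQVU5JWC5URVNULk9TVVdNQzEPMA0GA1UE
AxMGSVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0DavkHxe
PoY8q6UWCAHKWOCCv8PvU7J5scsmdLfjSyN8rIgq8pGoICAqawm9lZntD8G/7sJQ
H2bNDe08DooGbdTLHB2j3JViUUlQn2YlWw7IXm6mgwxStGLSS/G+CnyVPdGWV48X
GHb7GLLNYD8nhpzNzqVGsVMTyV/dqD7y8srbpPjmAqH+VjKLDSmr3pgV2IvOUEpW
wePYJW7h4FBQtwQpPgo30oXMqXa/ob8RJ4NQ74Uv6irq9G2IXNpKhAbHB1YZ+DGm
FJFlURdxey0FUbDn1WqMeVLa6SMURZI1zncMxB6bwgax/2VdYVeYHiVU9GgGmw0F
VgUjgpg0RMCaSQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAI1YCN5oS2o5+fky
jTNCeWFq+oEyHcuPtGzBAA5HMNEsoFvIY0sut+lf7Upw/ZHvV/F09DPwT+Xrm8yp
D0e6F6HawEV+NvKYk2kmpK9xxyOi0raBz1WuvlmqwGhiTOxpk+nIW5wiNhiOJmzd
xLojqGnkP5tBuYtHXUFqps7KDknsk5VxoAGe3/ZvsDvqlYXF93V+/nXv90X2yEKH
+wLUCDtS5WRWtnxTs1bWsMjBsTyDcv8XBdWqDO/4DVLs9HjHijfsUtUqg8bR5dU1
kVM+yLXVogJPBMN79SJQ1un8IWNMHCallsX3urNbXxYuSlqsh6UCdRLXFW44jJIK
xAmXvOg=
-----END NEW CERTIFICATE REQUEST-----"""
```

Against the page's own CSR, `inspect_pem(PAGE_CSR)` reports one NEW CERTIFICATE REQUEST block of 629 DER bytes with subject O=UNIX.TEST.OSUWMC,CN=IPA RA and signature algorithm sha1WithRSAEncryption, and `summarize` counts zero certificates. For the real file, `raw = open("/root/ipa.crt", "rb").read()` followed by `detect_format(raw)` and `summarize(inspect_pem(raw.decode("utf-8", "replace")))` shows at a glance whether the AD admin returned a bare DER blob, one PEM certificate, a PEM bundle (where the first entry's subject should be the IPA CA and each issuer should be the next entry's subject), or a PKCS #7 block that needs unwrapping first.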



