[Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)

Thibaut Pouzet thibaut.pouzet at lyra-network.com
Wed May 13 08:15:58 UTC 2015


On 12/05/2015 20:11, Nalin Dahyabhai wrote:
> On Tue, May 12, 2015 at 06:39:13PM +0200, Thibaut Pouzet wrote:
>> After doing what you recommended, the CSR has changed in the debug log:
>>
>> Certificate Request:
>>     Data:
>>         Version: 0 (0x0)
>>         Subject: O=ipa_domain, CN=ipa_server
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (2048 bit)
>>                 Modulus:
>>                 Exponent: 65537 (0x10001)
>>         Attributes:
>>             a0:00
>>     Signature Algorithm: sha256WithRSAEncryption
>>
>> That weird "friendlyName             :unable to print attribute" thing
>> is no longer there, but the NoSuchTokenException is still in the debug
>> log of pki-ca.
>>
>> Thank you for your answer though, we've still made some progress in
>> identifying that I messed up the CA used for this certificate!
> 
> Hmm, so what you've got there looks pretty normal for a renewal request.
> Just to rule out a problem with the request's signature or the encoding
> of the subject name in the request (the latter is a bug in versions of
> certmonger before 0.72), can you check the version of the certmonger
> package and show us the base64-encoded form of the signing request?

Before going further and asking the ML, I got these packages updated
'just in case':
rpm -qa | egrep "certmonger|jss"
tomcatjss-2.1.0-3.el6.noarch
certmonger-0.75.13-1.el6.x86_64
jss-4.2.6-24.el6.x86_64

> 
> I'm just about grasping at straws here, but the NoSuchTokenException
> exception appears to be coming from the jss library, and is thrown when
> it can't find the software module that is used for accessing the
> server's keys.  Can you verify that your /etc/pki-ca/CS.cfg file
> contains these lines?
> 
>   jss.configDir=/var/lib/pki-ca/alias/
>   jss.enable=true
>   jss.secmodName=secmod.db
> 

These lines are exactly as-is inside the CS.cfg file.

> Is there a ca.requestVerify.token value set in /etc/pki-ca/CS.cfg?  I
> don't have one.  The Dogtag logic looks like it would try to use one set
> there rather than the default, but letting it use the default looks like
> the intended way of doing things.

I cannot find this line; this is all I've got that seems somehow related
to a token notion:

fgrep token /etc/pki-ca/CS.cfg
ca.audit_signing.tokenname=Internal Key Storage Token
ca.ocsp_signing.tokenname=Internal Key Storage Token
ca.signing.tokenname=Internal Key Storage Token
ca.sslserver.tokenname=Internal Key Storage Token
ca.subsystem.tokenname=Internal Key Storage Token
cloning.module.token=Internal Key Storage Token

> 
> Which version of the jss and tomcatjss packages are installed?  I'm
> using jss-4.2.6-24.el6 and tomcatjss-2.1.0-3.el6 here.
> 
> If none of this turns up anything, then I'm going to have to defer to
> the Dogtag team, too.
> 
> Nalin
> 

I do not wish to give away too much information on this ML, so I will
send the base64 CSR and CS.cfg file to you personally. I am sorry for
the other people watching this discussion... I will take care to submit
relevant information if anything is found with this.

Cheers,

-- 
Thibaut Pouzet
Lyra Network
Systems and Network Engineer
(+33) 5 31 22 40 08
www.lyra-network.com
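As an added example (not from the thread or from Dogtag itself), a small Python checker for the CS.cfg settings Nalin asked about: it parses the key=value file, confirms the three jss.* lines, flags a ca.requestVerify.token override, and lists the token-related keys the fgrep above showed. The sample config below is constructed from the excerpts in this thread.

```python
"""Check a Dogtag CS.cfg for the JSS settings discussed in the thread."""
from typing import Dict, List

# Values Nalin asked to verify in /etc/pki-ca/CS.cfg (taken from the thread).
EXPECTED_JSS = {
    "jss.configDir": "/var/lib/pki-ca/alias/",
    "jss.enable": "true",
    "jss.secmodName": "secmod.db",
}


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse Dogtag's key=value CS.cfg format; '#' lines are comments."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_jss_settings(cfg: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the config matches the thread's expectations."""
    findings = []
    for key, want in EXPECTED_JSS.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"missing {key} (expected {want})")
        elif got != want:
            findings.append(f"{key}={got} (expected {want})")
    # Per Nalin: ca.requestVerify.token overrides the default token and is normally unset.
    if "ca.requestVerify.token" in cfg:
        findings.append(f"ca.requestVerify.token={cfg['ca.requestVerify.token']} overrides the default token")
    return findings


def token_settings(cfg: Dict[str, str]) -> Dict[str, str]:
    """All keys mentioning 'token' (what the thread's fgrep showed), sorted by key."""
    return {k: v for k, v in sorted(cfg.items()) if "token" in k.lower()}


# Constructed sample mirroring the CS.cfg excerpts in the thread (not a real file).
SAMPLE_CS_CFG = """\
# constructed sample
jss.configDir=/var/lib/pki-ca/alias/
jss.enable=true
jss.secmodName=secmod.db
ca.signing.tokenname=Internal Key Storage Token
ca.sslserver.tokenname=Internal Key Storage Token
cloning.module.token=Internal Key Storage Token
"""

if __name__ == "__main__":
    parsed = parse_cs_cfg(SAMPLE_CS_CFG)
    for finding in check_jss_settings(parsed) or ["jss settings OK"]:
        print(finding)
```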
