[Freeipa-users] IPA with external CA signed certs
James Masson
james.masson at jmips.co.uk
Thu Oct 15 15:10:16 UTC 2015
Hi list,
I successfully have IPA working with CA certs signed by an upstream Dogtag.
Now I'm trying to use a CA cert signed by a different type of CA - Vault.
Setup fails, using the same two-step IPA setup process as used with the
upstream Dogtag. I've also tried the external-ca-type option.
Likely, IPA doesn't like the certificate - however, I can't pinpoint why.
Errors below.
thanks
James M
###
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
###
###
[19/27]: restarting certificate server
ipa : CRITICAL Failed to restart the certificate server. See the
installation log for details.
[20/27]: requesting RA certificate from CA
[error] RuntimeError: Unable to submit RA cert request
###
###
2015-10-15T14:44:31Z DEBUG The CA status is: check interrupted
2015-10-15T14:44:31Z DEBUG Waiting for CA to start...
2015-10-15T14:44:32Z DEBUG request
'https://foo.local:8443/ca/admin/ca/getStatus'
2015-10-15T14:44:32Z DEBUG request body ''
2015-10-15T14:44:32Z DEBUG request status 404
2015-10-15T14:44:32Z DEBUG request reason_phrase u'Not Found'
2015-10-15T14:44:32Z DEBUG request headers {'date': 'Thu, 15 Oct 2015
14:44:32 GMT', 'content-length': '993', 'content-type':
'text/html;charset=utf-8', 'content-language': 'en', 'server':
'Apache-Coyote/1.1'}
2015-10-15T14:44:32Z DEBUG request body '<html><head><title>Apache
Tomcat/7.0.54 - Error report</title><style><!--H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2 {font-family:Tahoma,Arial,
sans-serif;color:white;background-color:#525D76;font-size:16px;} H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY
{font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
{color : black;}A.name {color : black;}HR {color : #525D76;}--></style>
</head><body><h1>HTTP Status 404 - /ca/admin/ca/getStatus</h1><HR
size="1" noshade="noshade"><p><b>type</b> Status
report</p><p><b>message</b>
<u>/ca/admin/ca/getStatus</u></p><p><b>description</b> <u>The requested
resource is not availa
ble.</u></p><HR size="1" noshade="noshade"><h3>Apache
Tomcat/7.0.54</h3></body></html>'
2015-10-15T14:44:32Z DEBUG The CA status is: check interrupted
2015-10-15T14:44:32Z DEBUG Waiting for CA to start...
2015-10-15T14:44:33Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 840, in __restart_instance
    self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 282, in restart
    self.service.restart(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 209, in restart
    self.wait_until_running()
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 197, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)
RuntimeError: CA did not start in 300.0s
2015-10-15T14:44:33Z CRITICAL Failed to restart the certificate server.
See the installation log for details.
2015-10-15T14:44:33Z DEBUG duration: 303 seconds
2015-10-15T14:44:33Z DEBUG [20/27]: requesting RA certificate from CA
2015-10-15T14:44:33Z DEBUG Starting external process
2015-10-15T14:44:33Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-f' XXXXXXXX '-R' '-k' 'rsa' '-g' '2048' '-s' 'CN=IPA RA,O=LOCAL' '-z' '/tmp/tmpKsFaxb' '-a'
2015-10-15T14:44:34Z DEBUG Process finished, return code=0
2015-10-15T14:44:34Z DEBUG stdout=
Certificate request generated by Netscape certutil
Phone: (not specified)
Common Name: IPA RA
Email: (not specified)
Organization: LOCAL
State: (not specified)
Country: (not specified)
-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----
2015-10-15T14:44:34Z DEBUG stderr=
Generating key. This may take a few moments...
2015-10-15T14:44:34Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1156, in __request_ra_certificate
    raise RuntimeError("Unable to submit RA cert request")
RuntimeError: Unable to submit RA cert request
2015-10-15T14:44:34Z DEBUG [error] RuntimeError: Unable to submit RA cert request
2015-10-15T14:44:34Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()
  File "/sbin/ipa-server-install", line 1170, in main
    ca_signing_algorithm=options.ca_signing_algorithm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
    self.start_creation(runtime=210)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1156, in __request_ra_certificate
    raise RuntimeError("Unable to submit RA cert request")
2015-10-15T14:44:34Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Unable to submit RA cert request
###
###
0.localhost-startStop-1 - [15/Oct/2015:14:39:26 UTC] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
###
###
[15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification
[15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=audit_signing
[15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByTag(audit_signing)
[15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(auditSigningCert cert-pki-ca,ObjectSigner)
[15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
[15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
java.lang.Exception: SystemCertsVerification: system certs verification failure
    at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
    at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
    at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
    at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1738)
    at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1185)
    at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
[15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
#####
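Editor's note on the failure above: the 404 from /ca/admin/ca/getStatus is only a symptom of the CA webapp never finishing startup, and the install then fails at step 20 because no CA is listening. The root cause is the CRITICAL Dogtag self-test SystemCertsVerification, which runs isCertValid() on each system cert in the CA's NSS database; the excerpt shows the subsystem and audit-signing certs passing, so the rejected cert tag is logged in the same debug log outside the quoted lines. When the CA signing cert came from a non-Dogtag issuer, the first thing to check is that the issued certificate actually carries the extensions a CA certificate must have under RFC 5280: basicConstraints with cA=TRUE and, if keyUsage is present, keyCertSign (cRLSign is also expected of a CA that publishes CRLs). The following is an added example, not from the original post or from the FreeIPA/Dogtag projects; it walks the DER of a PEM certificate with only the Python standard library and reports those flags. The function names (`ca_checks`, `build_test_cert`, and so on) are the example's own, and `build_test_cert` constructs an unsigned dummy certificate so the check can be exercised offline; on a real host you would point it at the PEM returned by Vault.

```python
"""Inspect the CA-relevant extensions of an X.509 certificate using only the
Python standard library.  Added example, not FreeIPA/Dogtag code.  RFC 5280
requires a CA cert to have basicConstraints cA=TRUE and, if keyUsage is
present, the keyCertSign bit."""
import base64
import re
import sys

# DER-encoded OID contents (no tag/length) of the two extensions we inspect.
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15


def _tlv(data, pos):
    """Decode one DER TLV starting at `pos`; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: 0x8n + n bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val


def pem_to_der(pem):
    """Extract and base64-decode the first CERTIFICATE block of a PEM string."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


def extensions(der):
    """Return [(oid_bytes, critical, extnValue_bytes)] from tbsCertificate."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    exts = []
    for tag, val in _children(tbs):
        if tag == 0xA3:                     # [3] EXPLICIT Extensions
            _, seq, _ = _tlv(val, 0)
            for _, ext in _children(seq):
                parts = list(_children(ext))  # OID, [BOOLEAN critical], OCTET STRING
                critical = len(parts) == 3 and parts[1][1] == b"\xff"
                exts.append((parts[0][1], critical, parts[-1][1]))
    return exts


def ca_checks(der):
    """Report whether the certificate may be used to sign other certificates."""
    r = {"basic_constraints_present": False, "ca": False, "ca_critical": False,
         "key_usage_present": False, "key_cert_sign": False, "crl_sign": False}
    for oid, critical, value in extensions(der):
        if oid == OID_BASIC_CONSTRAINTS:
            r["basic_constraints_present"], r["ca_critical"] = True, critical
            _, bc, _ = _tlv(value, 0)       # BasicConstraints ::= SEQUENCE
            for tag, v in _children(bc):
                if tag == 0x01:             # cA BOOLEAN; absent means FALSE
                    r["ca"] = v == b"\xff"
        elif oid == OID_KEY_USAGE:
            r["key_usage_present"] = True
            _, bits, _ = _tlv(value, 0)     # BIT STRING: bits[0] = unused-bit count
            first = bits[1] if len(bits) > 1 else 0
            r["key_cert_sign"] = bool(first & 0x04)   # KeyUsage bit 5
            r["crl_sign"] = bool(first & 0x02)        # KeyUsage bit 6
    r["usable_as_ca"] = r["ca"] and (not r["key_usage_present"] or r["key_cert_sign"])
    return r


# --- constructed test input: a structurally valid but UNSIGNED certificate ---
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                           else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def build_test_cert(ca, key_usage_byte):
    """Dummy cert (empty names, empty key and signature) to exercise the parser."""
    def ext(oid, inner):                    # every extension marked critical
        return _der(0x30, _der(0x06, oid) + _der(0x01, b"\xff") + _der(0x04, inner))
    unused = (key_usage_byte & -key_usage_byte).bit_length() - 1 if key_usage_byte else 0
    bc = _der(0x30, _der(0x01, b"\xff") if ca else b"")
    ku = _der(0x03, bytes([unused, key_usage_byte]))
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _der(0x30, b"")                                          # issuer
               + _der(0x30, _der(0x17, b"151015000000Z") + _der(0x17, b"251015000000Z"))
               + _der(0x30, b"")                                          # subject
               + _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")))
                      + _der(0x03, b"\x00"))                              # SPKI
               + _der(0xA3, _der(0x30, ext(OID_BASIC_CONSTRAINTS, bc) + ext(OID_KEY_USAGE, ku))))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))


if __name__ == "__main__":
    # Usage: python ca_check.py ipa-ca.pem   (no argument: the constructed CA cert)
    der = pem_to_der(open(sys.argv[1]).read()) if len(sys.argv) > 1 else build_test_cert(True, 0x86)
    for k, v in ca_checks(der).items():
        print("%-26s %s" % (k, v))
```

This only inspects extensions; it does not verify the signature or the chain. `openssl x509 -in ipa-ca.pem -noout -text` shows the same extensions by hand, and `openssl verify -CAfile vault-root.pem ipa-ca.pem` checks that the certificate chains to the Vault root, which also has to be imported into the CA's NSS database (for a Dogtag 10 pki-tomcat instance, /etc/pki/pki-tomcat/alias, listed with `certutil -L -d <dir>`) with CA trust flags, or isCertValid() will reject the chain even if the certificate itself is fine.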
More information about the Freeipa-users
mailing list