[Pki-users] cloning a CA fails

Ade Lee alee at redhat.com
Thu Sep 8 15:47:45 UTC 2011


The error you specify indicates that the certs and keys were in fact not
imported from the master.

You can confirm this by looking at which keys and certs are in your nss
db.

certutil -L -d /var/lib/clone_instance/alias

The right way to extract the keys from the master is to use
PKCS12Export.  Export the keys and place the resulting PK12 file in the
alias directory (/var/lib/clone_instance/alias) and make sure it is
readable by pkiuser.  I usually just chown the file to pkiuser.  You
will be prompted for the filename (just the base name - so for 
/var/lib/clone_instance/alias/foo.p12 -- you would enter foo.p12) and
password on the Key Restore Panel.

At this point, you will likely need to restart the clone installation
from scratch to make sure everything is clean. 

If that does not work, zip up and attach the full master and clone debug
logs.

Ade
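A script for the check described above, added here as an example and not part of either message: given the output of certutil -L and certutil -K on the clone's alias directory, it reports which nicknames are present only as certs with no private key behind them, which is the state behind "CA private key is null". The sample listings and the nicknames (caSigningCert/ocspSigningCert cert-ca4-test1) are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check that the nicknames a CA clone needs are
# in its NSS db WITH their private keys. Runs offline on constructed listings; on a real
# clone feed it the output of `certutil -L -d /var/lib/clone_instance/alias` and
# `certutil -K -d /var/lib/clone_instance/alias`. The nicknames below are assumed.

# Constructed `certutil -L` listing: all three certs are present.
SAMPLE_CERTS='Certificate Nickname                             Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

caSigningCert cert-ca4-test1                     CTu,Cu,Cu
ocspSigningCert cert-ca4-test1                   u,u,u
Server-Cert cert-ca4-test3                       u,u,u'

# Constructed `certutil -K` listing: only the OCSP key made it in; the CA signing
# key is absent, which is exactly the "CA private key is null" state.
SAMPLE_KEYS='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d   ocspSigningCert cert-ca4-test1'

# cert_present NICK LISTING: exit 0 if a cert with exactly that nickname is listed
# (the trailing trust-flag column is stripped so partial nickname matches do not count).
cert_present() {
    printf '%s\n' "$2" | awk -v n="$1" '
        { l = $0; sub(/ +[CTPcupw,]*$/, "", l); if (l == n) found = 1 }
        END { exit found ? 0 : 1 }'
}

# key_present NICK LISTING: exit 0 if a private key with exactly that nickname is listed
# (the "< n> type id" prefix of each key line is stripped before comparing).
key_present() {
    printf '%s\n' "$2" | awk -v n="$1" '
        /^< *[0-9]+>/ { l = $0; sub(/^< *[0-9]+> +[a-z]+ +[0-9a-fA-F]+ +/, "", l); if (l == n) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_clone_db CERT_LISTING KEY_LISTING NICK...: one status line per nickname;
# exit status is non-zero if any nickname lacks its cert or its private key.
check_clone_db() {
    certs=$1; keys=$2; shift 2; rc=0
    for nick in "$@"; do
        if ! cert_present "$nick" "$certs"; then printf '%s: not imported\n' "$nick"; rc=1
        elif ! key_present "$nick" "$keys"; then printf '%s: cert only, private key missing\n' "$nick"; rc=1
        else printf '%s: ok\n' "$nick"; fi
    done
    return $rc
}

check_clone_db "$SAMPLE_CERTS" "$SAMPLE_KEYS" "caSigningCert cert-ca4-test1" \
    "ocspSigningCert cert-ca4-test1" "Server-Cert cert-ca4-test3" || echo "clone db is incomplete"
```

Anything reported as "cert only, private key missing" or "not imported" has to be fixed by re-importing the PK12 file before the clone wizard can get past the SSL server certificate step.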

  
On Thu, 2011-09-08 at 17:31 +0200, Alexander Jung wrote:
> Hello,
> 
> I am trying to clone a 1.3.6 dogtag on Fedora 13 to a 9.0.11.1 dogtag on
> Fedora 15 (in order to migrate the F13 to F15).
> 
> I was stuck at the LDAP setup until I read the documentation and entered
> the FQDN instead of localhost.
> 
> The next step, the creation of the local SSL server certificate, fails.
> The debug log of the pki instance on F15 says:
> [*10:26][http-9455-4]: panel name=subjectname
> [*10:26][http-9455-4]: total number of panels=19
> [*10:53][http-9455-4]: WizardServlet: process
> [*10:53][http-9455-4]: WizardServlet:service() uri = /ca/admin/console/config/wizard
> [*10:53][http-9455-4]: WizardServlet::service() param name='p' value='11'
> [*10:53][http-9455-4]: WizardServlet::service() param name='op' value='next'
> [*10:53][http-9455-4]: WizardServlet::service() param name='sslserver_nick' value='Server-Cert cert-ca4-test3'
> [*10:53][http-9455-4]: WizardServlet::service() param name='sslserver' value='CN=ca4p-adm3.ind.allianz,o=clone'
> [*10:53][http-9455-4]: WizardServlet: op=next
> [*10:53][http-9455-4]: WizardServlet: size=19
> [*10:53][http-9455-4]: WizardServlet: in next 11
> [*10:53][http-9455-4]: NamePanel: in update()
> [*10:53][http-9455-4]: NamePanel: clone configuration detected
> [*10:53][http-9455-4]: NamePanel: configCertWithTag start
> [*10:53][http-9455-4]: NamePanel: configCertWithTag ct=signing tag=sslserver
> [*10:53][http-9455-4]: NamePanel: configCertWithTag ct=ocsp_signing tag=sslserver
> [*10:53][http-9455-4]: NamePanel: configCertWithTag ct=sslserver tag=sslserver
> [*10:53][http-9455-4]: configCertWithTag: Setting nickname for sslserver to Server-Cert cert-ca4-test3
> [*10:53][http-9455-4]: NamePanel: configCert called
> [*10:53][http-9455-4]: NamePanel: in configCert caType is local
> [*10:53][http-9455-4]: NamePanel: subsystem ca
> [*10:53][http-9455-4]: NamePanel: updateConfig() for certTag sslserver
> [*10:53][http-9455-4]: NamePanel: updateConfig() done
> [*10:53][http-9455-4]: Creating local certificate... certTag=sslserver
> [*10:53][http-9455-4]: Repository: in getNextSerialNumber. 
> [*10:53][http-9455-4]: In LdapBoundConnFactory::getConn()
> [*10:53][http-9455-4]: masterConn is connected: true
> [*10:53][http-9455-4]: getConn: conn is connected true
> [*10:53][http-9455-4]: getConn: mNumConns now 2
> [*10:53][http-9455-4]: Repository: getSerialNumber.
> [*10:53][http-9455-4]: returnConn: mNumConns now 3
> [*10:53][http-9455-4]: Repository: in InitCache
> [*10:53][http-9455-4]: Repository: Instance of Certificate Repository.
> [*10:53][http-9455-4]: Repository: minSerial fec0001 maxSerial: fed0000
> [*10:53][http-9455-4]: CertificateRepository:  in getLastSerialNumberInRange: low 267124737 high 267190272
> [*10:53][http-9455-4]: In LdapBoundConnFactory::getConn()
> [*10:53][http-9455-4]: masterConn is connected: true
> [*10:53][http-9455-4]: getConn: conn is connected true
> [*10:53][http-9455-4]: getConn: mNumConns now 2
> [*10:53][http-9455-4]: In findCertRecordsInList with Jumpto 267190272
> [*10:53][http-9455-4]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certstatus=*) attrs: null pageSize -5 startFrom 09267190272
> [*10:53][http-9455-4]: returnConn: mNumConns now 3
> [*10:53][http-9455-4]: getEntries returning 6
> [*10:53][http-9455-4]: mTop 886
> [*10:53][http-9455-4]: Getting Virtual List size: 892
> [*10:53][http-9455-4]: CertificateRepository:getLastSerialNumberInRange: recList size 892
> [*10:53][http-9455-4]: CertificateRepository:getLastSerialNumberInRange: ltSize 892
> [*10:53][http-9455-4]: getElementAt: 0 mTop 886
> [*10:53][http-9455-4]: reverse direction getting index 5
> [*10:53][http-9455-4]: CertificateRepository:getLastCertRecordSerialNo:  serialno  10990
> [*10:53][http-9455-4]: getElementAt: 1 mTop 886
> [*10:53][http-9455-4]: reverse direction getting index 4
> [*10:53][http-9455-4]: CertificateRepository:getLastCertRecordSerialNo:  serialno  10989
> [*10:53][http-9455-4]: getElementAt: 2 mTop 886
> [*10:53][http-9455-4]: reverse direction getting index 3
> [*10:53][http-9455-4]: CertificateRepository:getLastCertRecordSerialNo:  serialno  10988
> [*10:53][http-9455-4]: getElementAt: 3 mTop 886
> [*10:53][http-9455-4]: reverse direction getting index 2
> [*10:53][http-9455-4]: CertificateRepository:getLastCertRecordSerialNo:  serialno  10987
> [*10:53][http-9455-4]: getElementAt: 4 mTop 886
> [*10:53][http-9455-4]: reverse direction getting index 1
> [*10:53][http-9455-4]: CertificateRepository:getLastCertRecordSerialNo:  serialno  10986
> [*10:53][http-9455-4]: CertificateRepository:getLastCertRecordSerialNo: returning 267124736
> [*10:53][http-9455-4]: Repository:  mLastSerialNo: 267124736
> [*10:53][http-9455-4]: Repository: getNextSerialNumber: returning retSerial 267124737
> [*10:53][http-9455-4]: Creating local certificate... issuerdn=CN=Certificate Authority,OU=ca4-test1,O=CA4 Test fuer VI-Test
> [*10:53][http-9455-4]: Creating local certificate... dn=CN=ca4p-adm3.ind.allianz,o=clone
> [*10:53][http-9455-4]: Cert Template: [
>   Version: V3
>   Subject: CN=ca4p-adm3.ind.allianz,O=clone
>   Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
> 
>   Key:  RSA Public Key
>   Algorithm: RSA
>   modulus:
> 
>   publicExponent:
>     010001
> 
>   Validity: [From: *:10:53 CEST 2011,
>                To: *:10:53 CEST 2011]
>   Issuer: CN=Certificate Authority,OU=ca4-test1,O=CA4 Test fuer VI-Test
>   SerialNumber: [    0fec0001 ]
> 
> ]
> [*10:53][http-9455-4]: CertUtil: createLocalRequest for serial: 267124737
> [*10:53][http-9455-4]: Repository: in getNextSerialNumber. 
> [*10:53][http-9455-4]: In LdapBoundConnFactory::getConn()
> [*10:53][http-9455-4]: masterConn is connected: true
> [*10:53][http-9455-4]: getConn: conn is connected true
> [*10:53][http-9455-4]: getConn: mNumConns now 2
> [*10:53][http-9455-4]: Repository: getSerialNumber.
> [*10:53][http-9455-4]: returnConn: mNumConns now 3
> [*10:53][http-9455-4]: Repository: in InitCache
> [*10:53][http-9455-4]: Repository: Instance of Request Repository or CRLRepository.
> [*10:53][http-9455-4]: Repository: minSerial 9800001 maxSerial: 9810000
> [*10:53][http-9455-4]: RequestRepository: in getLastSerialNumberInRange: min 9800001 max 9810000
> [*10:53][http-9455-4]: RequestRepository: mRequestQueue com.netscape.cmscore.request.RequestQueue@5ee771f3
> [*10:53][http-9455-4]: RequestRepository: about to call mRequestQueue.getLastRequestIdInRange
> [*10:53][http-9455-4]: RequestQueue: getLastRequestId: low 9800001 high 9810000
> [*10:53][http-9455-4]: RequestQueue: getLastRequestId: filter (requeststate=*) fromId 9810000
> [*10:53][http-9455-4]: In LdapBoundConnFactory::getConn()
> [*10:53][http-9455-4]: masterConn is connected: true
> [*10:53][http-9455-4]: getConn: conn is connected true
> [*10:53][http-9455-4]: getConn: mNumConns now 2
> [*10:53][http-9455-4]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (requeststate=*) attrs: null pageSize -5 startFrom 079810000
> [*10:53][http-9455-4]: returnConn: mNumConns now 3
> [*10:54][http-9455-4]: getEntries returning 6
> [*10:54][http-9455-4]: mTop 889
> [*10:54][http-9455-4]: Getting Virtual List size: 904
> [*10:54][http-9455-4]: RequestQueue: getLastRequestId: size   904
> [*10:54][http-9455-4]: RequestQueue: getSizeBeforeJumpTo: 895
> [*10:54][http-9455-4]: getElementAt: 0 mTop 889
> [*10:54][http-9455-4]: reverse direction getting index 4
> [*10:54][http-9455-4]: RequestQueue: curReqId: 894
> [*10:54][http-9455-4]: getElementAt: 2 mTop 889
> [*10:54][http-9455-4]: reverse direction getting index 3
> [*10:54][http-9455-4]: RequestQueue: curReqId: 893
> [*10:54][http-9455-4]: getElementAt: 3 mTop 889
> [*10:54][http-9455-4]: reverse direction getting index 2
> [*10:54][http-9455-4]: RequestQueue: curReqId: 892
> [*10:54][http-9455-4]: getElementAt: 4 mTop 889
> [*10:54][http-9455-4]: reverse direction getting index 1
> [*10:54][http-9455-4]: RequestQueue: curReqId: 891
> [*10:54][http-9455-4]: CertificateRepository:getLastCertRecordSerialNo: returning 9800000
> [*10:54][http-9455-4]: Repository:  mLastSerialNo: 9800000
> [*10:54][http-9455-4]: Repository: getNextSerialNumber: returning retSerial 9800001
> [*10:54][http-9455-4]: certUtil: newRequest called
> [*10:54][http-9455-4]: certUtil: calling setRequestStatus
> [*10:54][http-9455-4]: CertUtil profile name= serverCert.profile
> [*10:54][http-9455-4]: AuthInfoAccess: createExtension i=0
> [*10:54][http-9455-4]: CertUtil::createSelfSignedCert() - CA private key is null!
> java.io.IOException: CA private key is null
>         at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:401)
>         at com.netscape.cms.servlet.csadmin.NamePanel.configCert(NamePanel.java:560)
>         at com.netscape.cms.servlet.csadmin.NamePanel.configCertWithTag(NamePanel.java:649)
>         at com.netscape.cms.servlet.csadmin.NamePanel.update(NamePanel.java:747)
>         at com.netscape.cms.servlet.wizard.WizardServlet.goNextApply(WizardServlet.java:315)
>         at com.netscape.cms.servlet.wizard.WizardServlet.goNext(WizardServlet.java:294)
>         at com.netscape.cms.servlet.wizard.WizardServlet.handleRequest(WizardServlet.java:490)
>         at org.apache.velocity.servlet.VelocityServlet.doRequest(VelocityServlet.java:365)
>         at org.apache.velocity.servlet.VelocityServlet.doPost(VelocityServlet.java:332)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at com.netscape.cms.servlet.filter.AdminRequestFilter.doFilter(AdminRequestFilter.java:105)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>         at java.lang.Thread.run(Thread.java:679)
> [*10:54][http-9455-4]: NamePanel configCert() exception caught:java.io.IOException: CA private key is null
> [*10:54][http-9455-4]: NamePanel configCert: failed to add metainfo. Exception: java.lang.NullPointerException
> 
> 
> I imported all the certs from the master CA through the master
> p12 export and also by single cert & key export (pk12util) and tried
> the setup several times from scratch.
> I have no idea how to fix that. Can somebody please give me a hint?
> 
> Kind regards,
> 
> Alexander Jung
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users



