[Pki-users] cloning a CA fails

Kashyap Chamarthy kchamart at redhat.com
Thu Sep 8 16:19:57 UTC 2011


On 09/08/2011 09:17 PM, Ade Lee wrote:
> The error you specify indicates that the certs and keys were in fact not
> imported from the master.
>
> You can confirm this by looking at which keys and certs are in your nss
> db.
>
> certutil -L -d /var/lib/clone_instance/alias
>
> The right way to extract the keys from the master is to use
> PKCS12Export.  Export the keys and place the resulting PK12 file in the
> alias directory (/var/lib/clone_instance/alias) and make sure it is
> readable by pkiuser.  I usually just chown the file to pkiuser.  You
> will be prompted for the filename (just the base name - so for
> /var/lib/clone_instance/alias/foo.p12 -- you would enter foo.p12) and
> password on the Key Restore Panel.
>
> At this point, you will likely need to restart the clone installation
> from scratch to make sure everything is clean.
>
> If that does not work, zip up and attach the full master and clone debug
> logs.

yep.

Just to extend what Ade said above, I posted my cloning methodology here. Let us know if
that works for you.

https://www.redhat.com/archives/pki-users/2009-October/msg00006.html

-- 
/kashyap

>
> Ade
>
>
> On Thu, 2011-09-08 at 17:31 +0200, Alexander Jung wrote:
>> Hello,
>>
>> I am trying to clone a 1.3.6 dogtag on Fedora 13 to a 9.0.11.1 dogtag on
>> Fedora 15 (in order to migrate the F13 to F15).
>>
>> I got stuck at the LDAP setup until I read the documentation and entered
>> the FQDN instead of localhost.
>>
>> The next step, the creation of the local SSL server certificate,
>> fails. The debug log of the pki-instance on F15 says:
>> [*10:26][http-9455-4]: panel name=subjectname
>> [*10:26][http-9455-4]: total number of panels=19
>> [*10:53][http-9455-4]: WizardServlet: process
>> [*10:53][http-9455-4]: WizardServlet:service() uri
>> = /ca/admin/console/config/wizard
>> [*10:53][http-9455-4]: WizardServlet::service() param name='p'
>> value='11'
>> [*10:53][http-9455-4]: WizardServlet::service() param name='op'
>> value='next'
>> [*10:53][http-9455-4]: WizardServlet::service() param
>> name='sslserver_nick' value='Server-Cert cert-ca4-test3'
>> [*10:53][http-9455-4]: WizardServlet::service() param name='sslserver'
>> value='CN=ca4p-adm3.ind.allianz,o=clone'
>> [*10:53][http-9455-4]: WizardServlet: op=next
>> [*10:53][http-9455-4]: WizardServlet: size=19
>> [*10:53][http-9455-4]: WizardServlet: in next 11
>> [*10:53][http-9455-4]: NamePanel: in update()
>> [*10:53][http-9455-4]: NamePanel: clone configuration detected
>> [*10:53][http-9455-4]: NamePanel: configCertWithTag start
>> [*10:53][http-9455-4]: NamePanel: configCertWithTag ct=signing
>> tag=sslserver
>> [*10:53][http-9455-4]: NamePanel: configCertWithTag ct=ocsp_signing
>> tag=sslserver
>> [*10:53][http-9455-4]: NamePanel: configCertWithTag ct=sslserver
>> tag=sslserver
>> [*10:53][http-9455-4]: configCertWithTag: Setting nickname for
>> sslserver to Server-Cert cert-ca4-test3
>> [*10:53][http-9455-4]: NamePanel: configCert called
>> [*10:53][http-9455-4]: NamePanel: in configCert caType is local
>> [*10:53][http-9455-4]: NamePanel: subsystem ca
>> [*10:53][http-9455-4]: NamePanel: updateConfig() for certTag sslserver
>> [*10:53][http-9455-4]: NamePanel: updateConfig() done
>> [*10:53][http-9455-4]: Creating local certificate... certTag=sslserver
>> [*10:53][http-9455-4]: Repository: in getNextSerialNumber.
>> [*10:53][http-9455-4]: In LdapBoundConnFactory::getConn()
>> [*10:53][http-9455-4]: masterConn is connected: true
>> [*10:53][http-9455-4]: getConn: conn is connected true
>> [*10:53][http-9455-4]: getConn: mNumConns now 2
>> [*10:53][http-9455-4]: Repository: getSerialNumber.
>> [*10:53][http-9455-4]: returnConn: mNumConns now 3
>> [*10:53][http-9455-4]: Repository: in InitCache
>> [*10:53][http-9455-4]: Repository: Instance of Certificate Repository.
>> [*10:53][http-9455-4]: Repository: minSerial fec0001 maxSerial:
>> fed0000
>> [*10:53][http-9455-4]: CertificateRepository:  in
>> getLastSerialNumberInRange: low 267124737 high 267190272
>> [*10:53][http-9455-4]: In LdapBoundConnFactory::getConn()
>> [*10:53][http-9455-4]: masterConn is connected: true
>> [*10:53][http-9455-4]: getConn: conn is connected true
>> [*10:53][http-9455-4]: getConn: mNumConns now 2
>> [*10:53][http-9455-4]: In findCertRecordsInList with Jumpto 267190272
>> [*10:53][http-9455-4]: In DBVirtualList filter attrs startFrom sortKey
>> pageSize filter: (certstatus=*) attrs: null pageSize -5 startFrom
>> 09267190272
>> [*10:53][http-9455-4]: returnConn: mNumConns now 3
>> [*10:53][http-9455-4]: getEntries returning 6
>> [*10:53][http-9455-4]: mTop 886
>> [*10:53][http-9455-4]: Getting Virtual List size: 892
>> [*10:53][http-9455-4]:
>> CertificateRepository:getLastSerialNumberInRange: recList size 892
>> [*10:53][http-9455-4]:
>> CertificateRepository:getLastSerialNumberInRange: ltSize 892
>> [*10:53][http-9455-4]: getElementAt: 0 mTop 886
>> [*10:53][http-9455-4]: reverse direction getting index 5
>> [*10:53][http-9455-4]:
>> CertificateRepository:getLastCertRecordSerialNo:  serialno  10990
>> [*10:53][http-9455-4]: getElementAt: 1 mTop 886
>> [*10:53][http-9455-4]: reverse direction getting index 4
>> [*10:53][http-9455-4]:
>> CertificateRepository:getLastCertRecordSerialNo:  serialno  10989
>> [*10:53][http-9455-4]: getElementAt: 2 mTop 886
>> [*10:53][http-9455-4]: reverse direction getting index 3
>> [*10:53][http-9455-4]:
>> CertificateRepository:getLastCertRecordSerialNo:  serialno  10988
>> [*10:53][http-9455-4]: getElementAt: 3 mTop 886
>> [*10:53][http-9455-4]: reverse direction getting index 2
>> [*10:53][http-9455-4]:
>> CertificateRepository:getLastCertRecordSerialNo:  serialno  10987
>> [*10:53][http-9455-4]: getElementAt: 4 mTop 886
>> [*10:53][http-9455-4]: reverse direction getting index 1
>> [*10:53][http-9455-4]:
>> CertificateRepository:getLastCertRecordSerialNo:  serialno  10986
>> [*10:53][http-9455-4]:
>> CertificateRepository:getLastCertRecordSerialNo: returning 267124736
>> [*10:53][http-9455-4]: Repository:  mLastSerialNo: 267124736
>> [*10:53][http-9455-4]: Repository: getNextSerialNumber: returning
>> retSerial 267124737
>> [*10:53][http-9455-4]: Creating local certificate...
>> issuerdn=CN=Certificate Authority,OU=ca4-test1,O=CA4 Test fuer VI-Test
>> [*10:53][http-9455-4]: Creating local certificate...
>> dn=CN=ca4p-adm3.ind.allianz,o=clone
>> [*10:53][http-9455-4]: Cert Template: [
>>    Version: V3
>>    Subject: CN=ca4p-adm3.ind.allianz,O=clone
>>    Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
>>
>>    Key:  RSA Public Key
>>    Algorithm: RSA
>>    modulus:
>>      00b7c180 23fad71a ab335e29 88316908 2f9deaf3 7d3e5b0d 84872c66
>> 10511ebd
>>      aa3c6053 bd2d2c19 134ab3f6 33ef8d4f a424dba0 2ae2bcc6 637274fa
>> be0219de
>>      3e62b73a 490bd2b9 83fd4236 ccb50741 14308bbb 7d5566cc 80139961
>> b39eb23a
>>      9ab11c9b 08356428 665c54d0 c65c46c9 4d4a340d 1ac47688 86d425f6
>> fc8b5521
>>      1aa420be 8ac1aae4 3f870ac2 b31fa7b3 023c8cb9 10a6b60f a39282b5
>> 49d33042
>>      acf1deca 6c2b2bf3 44b0484f f02b8f4c 640d8822 f762e7f4 99fed751
>> 43d05f34
>>      fd54fedd 70d770f5 b4c52478 dda19027 18e94df3 3fc901e5 0182384c
>> 8d61da0a
>>      35a29bc4 3bd93836 246ebfdb b65853de 07d3d0bf eb103e85 0a4e3e89
>> a7008207
>>      3b
>>
>>    publicExponent:
>>      010001
>>
>>    Validity: [From: *:10:53 CEST 2011,
>>                 To: *:10:53 CEST 2011]
>>    Issuer: CN=Certificate Authority,OU=ca4-test1,O=CA4 Test fuer
>> VI-Test
>>    SerialNumber: [    0fec0001 ]
>>
>> ]
>> [*10:53][http-9455-4]: CertUtil: createLocalRequest for serial:
>> 267124737
>> [*10:53][http-9455-4]: Repository: in getNextSerialNumber.
>> [*10:53][http-9455-4]: In LdapBoundConnFactory::getConn()
>> [*10:53][http-9455-4]: masterConn is connected: true
>> [*10:53][http-9455-4]: getConn: conn is connected true
>> [*10:53][http-9455-4]: getConn: mNumConns now 2
>> [*10:53][http-9455-4]: Repository: getSerialNumber.
>> [*10:53][http-9455-4]: returnConn: mNumConns now 3
>> [*10:53][http-9455-4]: Repository: in InitCache
>> [*10:53][http-9455-4]: Repository: Instance of Request Repository or
>> CRLRepository.
>> [*10:53][http-9455-4]: Repository: minSerial 9800001 maxSerial:
>> 9810000
>> [*10:53][http-9455-4]: RequestRepository: in
>> getLastSerialNumberInRange: min 9800001 max 9810000
>> [*10:53][http-9455-4]: RequestRepository: mRequestQueue
>> com.netscape.cmscore.request.RequestQueue at 5ee771f3
>> [*10:53][http-9455-4]: RequestRepository: about to call
>> mRequestQueue.getLastRequestIdInRange
>> [*10:53][http-9455-4]: RequestQueue: getLastRequestId: low 9800001
>> high 9810000
>> [*10:53][http-9455-4]: RequestQueue: getLastRequestId: filter
>> (requeststate=*) fromId 9810000
>> [*10:53][http-9455-4]: In LdapBoundConnFactory::getConn()
>> [*10:53][http-9455-4]: masterConn is connected: true
>> [*10:53][http-9455-4]: getConn: conn is connected true
>> [*10:53][http-9455-4]: getConn: mNumConns now 2
>> [*10:53][http-9455-4]: In DBVirtualList filter attrs startFrom sortKey
>> pageSize filter: (requeststate=*) attrs: null pageSize -5 startFrom
>> 079810000
>> [*10:53][http-9455-4]: returnConn: mNumConns now 3
>> [*10:54][http-9455-4]: getEntries returning 6
>> [*10:54][http-9455-4]: mTop 889
>> [*10:54][http-9455-4]: Getting Virtual List size: 904
>> [*10:54][http-9455-4]: RequestQueue: getLastRequestId: size   904
>> [*10:54][http-9455-4]: RequestQueue: getSizeBeforeJumpTo: 895
>> [*10:54][http-9455-4]: getElementAt: 0 mTop 889
>> [*10:54][http-9455-4]: reverse direction getting index 4
>> [*10:54][http-9455-4]: RequestQueue: curReqId: 894
>> [*10:54][http-9455-4]: getElementAt: 2 mTop 889
>> [*10:54][http-9455-4]: reverse direction getting index 3
>> [*10:54][http-9455-4]: RequestQueue: curReqId: 893
>> [*10:54][http-9455-4]: getElementAt: 3 mTop 889
>> [*10:54][http-9455-4]: reverse direction getting index 2
>> [*10:54][http-9455-4]: RequestQueue: curReqId: 892
>> [*10:54][http-9455-4]: getElementAt: 4 mTop 889
>> [*10:54][http-9455-4]: reverse direction getting index 1
>> [*10:54][http-9455-4]: RequestQueue: curReqId: 891
>> [*10:54][http-9455-4]:
>> CertificateRepository:getLastCertRecordSerialNo: returning 9800000
>> [*10:54][http-9455-4]: Repository:  mLastSerialNo: 9800000
>> [*10:54][http-9455-4]: Repository: getNextSerialNumber: returning
>> retSerial 9800001
>> [*10:54][http-9455-4]: certUtil: newRequest called
>> [*10:54][http-9455-4]: certUtil: calling setRequestStatus
>> [*10:54][http-9455-4]: CertUtil profile name= serverCert.profile
>> [*10:54][http-9455-4]: AuthInfoAccess: createExtension i=0
>> [*10:54][http-9455-4]: CertUtil::createSelfSignedCert() - CA private
>> key is null!
>> java.io.IOException: CA private key is null
>>          at
>> com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:401)
>>          at
>> com.netscape.cms.servlet.csadmin.NamePanel.configCert(NamePanel.java:560)
>>          at
>> com.netscape.cms.servlet.csadmin.NamePanel.configCertWithTag(NamePanel.java:649)
>>          at
>> com.netscape.cms.servlet.csadmin.NamePanel.update(NamePanel.java:747)
>>          at
>> com.netscape.cms.servlet.wizard.WizardServlet.goNextApply(WizardServlet.java:315)
>>          at
>> com.netscape.cms.servlet.wizard.WizardServlet.goNext(WizardServlet.java:294)
>>          at
>> com.netscape.cms.servlet.wizard.WizardServlet.handleRequest(WizardServlet.java:490)
>>          at
>> org.apache.velocity.servlet.VelocityServlet.doRequest(VelocityServlet.java:365)
>>          at
>> org.apache.velocity.servlet.VelocityServlet.doPost(VelocityServlet.java:332)
>>          at
>> javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
>>          at
>> javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>          at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>          at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>          at
>> com.netscape.cms.servlet.filter.AdminRequestFilter.doFilter(AdminRequestFilter.java:105)
>>          at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>          at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>          at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>          at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>>          at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>>          at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>          at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>          at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>>          at
>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
>>          at org.apache.coyote.http11.Http11Protocol
>> $Http11ConnectionHandler.process(Http11Protocol.java:588)
>>          at org.apache.tomcat.util.net.JIoEndpoint
>> $Worker.run(JIoEndpoint.java:489)
>>          at java.lang.Thread.run(Thread.java:679)
>> [*10:54][http-9455-4]: NamePanel configCert() exception
>> caught:java.io.IOException: CA private key is null
>> [*10:54][http-9455-4]: NamePanel configCert: failed to add metainfo.
>> Exception: java.lang.NullPointerException
>>
>>
>> I imported all the certs from the master CA through the master
>> p12 export and also by single cert & key export (pk12util), and tried
>> the setup several times from scratch.
>> I have no idea how to fix that. Can somebody please give me a hint?
>>
>> Kind regards,
>>
>> Alexander Jung
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>
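As an added example, not part of this thread or of Dogtag's own tooling, the following POSIX shell script runs the checks Ade describes above against the clone's alias directory (`certutil -L` for certificates, `certutil -K` for private keys, plus the owner of any .p12 file placed there) and reports certificates that are present without a private key, which is the state behind "CA private key is null". The nicknames in `REQUIRED_KEYS`, the password-file path and the sample certutil output embedded below are assumptions and constructed data; substitute the nicknames the master's `certutil -L` prints.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a Dogtag CA clone's NSS DB
# before the Key Restore panel, so a missing CA private key is caught up front.
# Assumptions: default Dogtag nicknames (adjust to the master's `certutil -L`),
# a plain password file for the NSS DB, and the alias directory from the thread.
ALIAS_DIR="${ALIAS_DIR:-/var/lib/clone_instance/alias}"
PWFILE="${PWFILE:-$ALIAS_DIR/pwfile}"   # assumed location of the NSS DB password file

# Private keys a CA clone must import from the master (assumed nicknames).
REQUIRED_KEYS='caSigningCert cert-ca4-test1
ocspSigningCert cert-ca4-test1
auditSigningCert cert-ca4-test1'

# Nicknames from `certutil -K` output, whose key lines look like
#   < 0> rsa      <hex key id>   [Token Name:]nickname
# Drop the index, key type, key id and an optional "token:" prefix.
key_nicknames() {
    printf '%s\n' "$1" |
        sed -n 's/^< *[0-9][0-9]*> *[a-z0-9]* *[0-9a-f]* *//p' |
        sed 's/^[^:]*://'
}

# Nicknames from `certutil -L` output: skip the two header lines and blanks,
# then strip the trust-attribute column (two or more spaces, then flags).
cert_nicknames() {
    printf '%s\n' "$1" | awk '
        /^Certificate Nickname/ || /SSL,S\/MIME/ || /^[[:space:]]*$/ { next }
        { sub(/  +[A-Za-z,]*$/, ""); print }'
}

# Print every line of $1 that does not occur as a whole line in $2.
lines_missing_from() {
    printf '%s\n' "$1" | while IFS= read -r want; do
        [ -n "$want" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Required keys absent from `certutil -K` output ($1).
missing_required_keys() {
    lines_missing_from "$REQUIRED_KEYS" "$(key_nicknames "$1")"
}

# Certificates listed by `certutil -L` ($1) with no private key in `certutil -K` ($2):
# the "certs but no keys" state Ade describes, which ends in "CA private key is null".
certs_without_keys() {
    lines_missing_from "$(cert_nicknames "$1")" "$(key_nicknames "$2")"
}

# Constructed sample output (not captured from a real instance): the clone has all
# four certificates but only the locally generated server key.
SAMPLE_L='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-ca4-test1                                 CTu,Cu,Cu
ocspSigningCert cert-ca4-test1                               u,u,u
auditSigningCert cert-ca4-test1                              u,u,Pu
Server-Cert cert-ca4-test3                                   u,u,u'
SAMPLE_K='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      3f2a9c0d4e5b6a7f8091a2b3c4d5e6f708192a3b   NSS Certificate DB:Server-Cert cert-ca4-test3'
# Same clone after a correct PKCS12Export / Key Restore import (constructed).
SAMPLE_K_OK="$SAMPLE_K
< 1> rsa      0011223344556677889900aabbccddeeff001122   NSS Certificate DB:caSigningCert cert-ca4-test1
< 2> rsa      112233445566778899aabbccddeeff0011223344   NSS Certificate DB:ocspSigningCert cert-ca4-test1
< 3> rsa      2233445566778899aabbccddeeff001122334455   NSS Certificate DB:auditSigningCert cert-ca4-test1"

if [ "${1-}" = "--live" ]; then
    # Real run against the clone: needs certutil and read access to the alias DB.
    live_l=$(certutil -L -d "$ALIAS_DIR")
    live_k=$(certutil -K -d "$ALIAS_DIR" -f "$PWFILE")
    # Ade's other requirement: the exported .p12 in the alias dir must be readable by pkiuser.
    for p12 in "$ALIAS_DIR"/*.p12; do
        [ -e "$p12" ] && printf '%s owner: %s\n' "$p12" "$(ls -ld -- "$p12" | awk '{print $3}')"
    done
    missing=$(certs_without_keys "$live_l" "$live_k")
    req=$(missing_required_keys "$live_k")
    if [ -n "$missing$req" ]; then
        printf 'Certs without a private key:\n%s\nRequired keys missing:\n%s\n' "$missing" "$req"
        exit 1
    fi
    echo "All required private keys are present in $ALIAS_DIR"
else
    echo "Constructed sample: certs present without a private key:"
    certs_without_keys "$SAMPLE_L" "$SAMPLE_K"
fi
```

Run it with `--live` on the clone as a user that can read the alias directory; without arguments it only evaluates the constructed samples. If it lists the CA, OCSP or audit signing nicknames, the PKCS12 import has not happened and the wizard will fail at the sslserver step exactly as in the log above, so restart the clone configuration from scratch after the import rather than retrying the panel.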
