[Pkg-freeipa-devel] Bug#897640: freeipa-server: ipa-server-install fails when using a CA certificate signed by an external CA (pki-tomcatd)
Adam Reece
adam at svencoop.com
Thu May 3 19:03:36 BST 2018
Package: freeipa-server
Version: 4.6.3-1
Severity: important
-- System Information:
Debian Release: 9.4
APT prefers stable
APT policy: (700, 'stable'), (650, 'unstable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages freeipa-server depends on:
ii 389-ds-base 1.3.7.10-1
ii acl 2.2.52-3+b1
ii apache2 2.4.25-3+deb9u4
ii certmonger 0.79.5-2
ii custodia 0.5.0-3
ii fonts-font-awesome 4.7.0~dfsg-3
ii fonts-open-sans 1.11-1
ii freeipa-admintools 4.6.3-1
ii freeipa-client 4.6.3-1
ii freeipa-common 4.6.3-1
ii gssproxy 0.8.0-1
ii krb5-admin-server 1.16-2
ii krb5-kdc 1.16-2
ii krb5-kdc-ldap 1.16-2
ii krb5-otp 1.16-2
ii krb5-pkinit 1.16-2
ii ldap-utils 2.4.45+dfsg-1
ii libapache2-mod-auth-gssapi 1.6.0-1
ii libapache2-mod-lookup-identity 1.0.0-1
ii libapache2-mod-nss 1.0.14-1+b1
ii libapache2-mod-wsgi 4.5.17-1+b1
ii libc6 2.27-3
ii libcomerr2 1.44.1-2
ii libjs-dojo-core 1.11.0+dfsg-1
ii libjs-jquery 3.2.1-1
ii libk5crypto3 1.16-2
ii libkrad0 1.16-2
ii libkrb5-3 1.16-2
ii libldap-2.4-2 2.4.45+dfsg-1
ii libnspr4 2:4.19-1
ii libnss3 2:3.36.1-1
ii libnss3-tools 2:3.36.1-1
ii libsasl2-modules-gssapi-mit 2.1.27~101-g0780600+dfsg-3.1
ii libssl1.1 1.1.0f-3+deb9u2
ii libsss-nss-idmap0 1.16.1-1+b1
ii libtalloc2 2.1.10-2
ii libtevent0 0.9.34-1
ii libunistring2 0.9.8-1
ii libuuid1 2.29.2-1+deb9u1
ii libverto1 0.2.4-2.1
ii ntp 1:4.2.8p11+dfsg-1
ii oddjob 0.34.3-4
ii p11-kit 0.23.10-2
ii pki-ca 10.5.5-1
ii pki-kra 10.5.5-1
ii python 2.7.13-2
ii python-dateutil 2.6.1-1
ii python-gssapi 1.4.1-1
ii python-ipaserver 4.6.3-1
ii python-ldap 3.0.0-1
ii python-systemd 234-2
ii samba-libs 2:4.7.4+dfsg-2
ii slapi-nis 0.56.1-1
ii softhsm2 2.4.0-0.1
ii systemd-sysv 232-25+deb9u3
Versions of packages freeipa-server recommends:
ii freeipa-server-dns 4.6.3-1
freeipa-server suggests no packages.
-- no debconf information
When installing freeipa server (ipa-server-install) with the preference to use a CA certificate signed by an external CA (--external-ca switch), the pki spawn will fail after you run the installation again to supply the signed certificate.
Error shown in the terminal:
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp1Tdi5f' returned non-zero exit status 1
ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
ipaserver.install.dogtaginstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
ipapython.admintool: ERROR CA configuration failed.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Interestingly, the directory "/var/log/pki/pki-tomcat" didn't exist. All that did exist was a file at "/var/log/pki/pki-ca-spawn.20180502214514.log". It doesn't have any errors, though; it just ends suddenly:
2018-05-02 21:45:17 pkispawn : INFO ....... existing SSL server cert is for <the system fqdn>
2018-05-02 21:45:17 pkispawn : INFO ....... executing '/etc/init.d/pki-tomcatd start pki-tomcat'
2018-05-02 21:45:17 pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.5.5</Version></XMLResponse>
2018-05-02 21:45:18 pkispawn : INFO ....... constructing PKI configuration data.
2018-05-02 21:45:18 pkispawn : INFO ....... executing 'certutil -R -d /root/.dogtag/pki-tomcat/ca/alias -s cn=ipa-ca-agent,OU=Internal,O=<the O> -k rsa -g 2048 -z /root/.dogtag/pki-tomcat/ca/alias/noise -f /root/.dogtag/pki-tomcat/ca/password.conf -o /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'
2018-05-02 21:45:18 pkispawn : INFO ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise
2018-05-02 21:45:18 pkispawn : INFO ....... BtoA /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
2018-05-02 21:45:18 pkispawn : INFO ....... loading caSigningCert External CA certificate
2018-05-02 21:45:18 pki.nssdb : DEBUG Command: certutil -L -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmpUCxF9r/password.txt -n caSigningCert External CA -a
2018-05-02 21:45:18 pkispawn : INFO ....... configuring PKI configuration data.
This looks like a problem with the pki-tomcatd component. The exact error output from Tomcat (as in the ipa-server-install log file) is as follows:
Starting pki-tomcatd (via systemctl): pki-tomcatd.service.
Installation failed:
Apache Tomcat/8.0.46 (Debian) - Error report
HTTP Status 500 - org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: caSigningCert cert-pki-ca
type: Exception report
message: org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: caSigningCert cert-pki-ca
description: The server encountered an internal error that prevented it from fulfilling this request.
exception:
org.jboss.resteasy.spi.UnhandledException: org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: caSigningCert cert-pki-ca
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
root cause:
org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: caSigningCert cert-pki-ca
org.mozilla.jss.CryptoManager.findCertByNicknameNative(Native Method)
org.mozilla.jss.CryptoManager.findCertByNickname(CryptoManager.java:1307)
org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:467)
org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:166)
org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:101)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
note: The full stack trace of the root cause is available in the Apache Tomcat/8.0.46 (Debian) logs.
Please check the CA logs in /var/log/pki/pki-tomcat/ca.
2018-05-02T19:45:49Z DEBUG stderr=pkispawn : ERROR ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!
I've not found any useful answers to the specific error message "Certificate not found: caSigningCert cert-pki-ca".
Output of `certutil -L -d /etc/pki/pki-tomcat/alias` is as follows:
Certificate Nickname                                    Trust Attributes
                                                        SSL,S/MIME,JAR/XPI
Server-Cert cert-pki-ca                                 CTu,Cu,Cu
caSigningCert External CA                               CT,C,C
<the correct cn of the CA certificate signed>           CT,C,C
ocspSigningCert cert-pki-ca                             u,u,u
subsystemCert cert-pki-ca                               u,u,u
auditSigningCert cert-pki-ca                            u,u,Pu
If I try to query for "caSigningCert cert-pki-ca" specifically, it doesn't appear to be found. Output of `certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'` is as follows:
certutil: Could not find cert: caSigningCert cert-pki-ca
: PR_FILE_NOT_FOUND_ERROR: File not found
Perhaps this particular certificate isn't being installed when spawning the pki?
This could possibly be resolved by installing caSigningCert manually then running the 2nd step of the `ipa-server-install` again. (If I knew how to do the former I'd try that.)
Please let me know if there is any further information I can provide.
--
* Adam Reece
* Sven Co-op team
* Email: adam at svencoop.com <mailto:adam at svencoop.com>
* Web: www.svencoop.com <http://www.svencoop.com>
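A pre-flight check for the symptom in the report above, added here as an example (it is not from the report, FreeIPA or Dogtag): it parses a `certutil -L` listing of the pki-tomcat alias database and reports which of the Dogtag CA nicknames the report lists are absent, so a "Certificate not found" failure can be spotted before pki-tomcatd is re-spawned. The alias path is the one from the report; the sample listing is constructed, and the `--live` switch and the `ALIAS_DB` variable are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report, FreeIPA or Dogtag): verify that the
# NSS database used by pki-tomcatd holds every nickname the Dogtag CA subsystem
# resolves. A CA cert imported as "caSigningCert External CA" does not satisfy a
# lookup for "caSigningCert cert-pki-ca", which is the failure in the report.

ALIAS_DB="${ALIAS_DB:-/etc/pki/pki-tomcat/alias}"   # path taken from the report

# Nicknames the CA subsystem expects (the ones listed in the report).
EXPECTED_NICKNAMES='caSigningCert cert-pki-ca
Server-Cert cert-pki-ca
ocspSigningCert cert-pki-ca
subsystemCert cert-pki-ca
auditSigningCert cert-pki-ca'

# missing_nicknames: read a "certutil -L -d <db>" listing on stdin and print
# each expected nickname that has no entry, one per line.  certutil prints the
# trust flags as the last whitespace-separated field; dropping that field
# leaves the bare nickname (nicknames themselves may contain spaces).
missing_nicknames() {
    listing=$(sed 's/[[:space:]]\{1,\}[A-Za-z,]*$//')
    printf '%s\n' "$EXPECTED_NICKNAMES" | while IFS= read -r nick; do
        printf '%s\n' "$listing" | grep -qxF -- "$nick" || printf '%s\n' "$nick"
    done
}

# check_alias_db: run the check against the live database (needs root and
# libnss3-tools); returns 1 and lists the gaps when something is missing.
check_alias_db() {
    command -v certutil >/dev/null 2>&1 || {
        echo 'certutil not found; install libnss3-tools' >&2; return 2; }
    gaps=$(certutil -L -d "$ALIAS_DB" | missing_nicknames)
    [ -z "$gaps" ] && return 0
    printf 'Missing from %s:\n%s\n' "$ALIAS_DB" "$gaps" >&2
    return 1
}
# Constructed listing mirroring the report's certutil -L output; the external
# CA's subject CN is replaced by a placeholder.
SAMPLE_LISTING='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI
Server-Cert cert-pki-ca                     CTu,Cu,Cu
caSigningCert External CA                   CT,C,C
EXTERNAL-CA-CN-PLACEHOLDER                  CT,C,C
ocspSigningCert cert-pki-ca                 u,u,u
subsystemCert cert-pki-ca                   u,u,u
auditSigningCert cert-pki-ca                u,u,Pu'
# sample_missing: what the check reports for the constructed listing.
sample_missing() { printf '%s\n' "$SAMPLE_LISTING" | missing_nicknames; }

if [ "${1:-}" = "--live" ]; then check_alias_db; else sample_missing; fi
```

Run with `--live` as root on the server to check the real database; without it the script only evaluates the constructed listing, which reproduces the report's single missing nickname.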