Hi all,

I just bought a Nitrokey HSM and am trying to set it up with FreeIPA; I'm not sure it's quite supported yet.

`ipa-server-install` aborted every time during CA configuration; the reported error was "pkihelper : ERROR Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1056)". I wonder if FreeIPA has some modifications that actually break HSM support?

Environment:
OS: Fedora-30-Cloud-base
freeipa-4.7.90.pre1-4.fc30
opensc-0.19.0-6.fc30

Here's what I've done:

```
sudo ipa-server-install -U \
  --allow-zone-overlap \
  --auto-forwarders \
  --no-reverse \
  -r DOMAN.TLD \
  -a `pass ipa/admin` \
  -p `pass ipa/dm` \
  --setup-dns \
  --ca-subject='CN=CA Subject Name' \
  --pki-config-override=/etc/ipa/override.ini
```

and in `/etc/ipa/override.ini`:

```
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=648219
```

Don't mind the password; it's the default and for testing only.

I have modified the polkit rules [0] also:

```
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "pkiuser") {
        return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader").startsWith("Nitrokey Nitrokey HSM") &&
        subject.user == "pkiuser") {
        return polkit.Result.YES;
    }
});
```

`sudo -u pkiuser` gives the right card info.

I have disabled p11-kit-proxy by hand:

```
# cat /etc/crypto-policies/local.d/nss-p11-kit.config
#name=p11-kit-proxy
#library=p11-kit-proxy.so
```

and added nitrohsm for it (maybe not necessary), in `/etc/crypto-policies/local.d/hsm.config`:

```
name=nitrohsm
library=opensc-pkcs11.so
```

After that, I can successfully add the SmartCard-HSM to `/etc/pki/pki-tomcat/alias` without a problem.

The original error snippet:

```
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpciwcfccp'] returned non-zero exit status 1: 'pkihelper : ERROR Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1056)
configuration : ERROR Server failed to restart
pkispawn : ERROR Exception: server failed to restart
  File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line 547, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 670, in spawn
    raise Exception("server failed to restart")

')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
```

[0]: https://gist.github.com/tiran/af7c21882e1732227455a13c3b8ff380

--
Regards,
Quan Zhou
F2999657195657205828D56F35F9E5CDBD86324B
quanzhou...@gmail.com
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
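The override file in the post above is the one piece of the setup that can be checked before committing to a multi-minute pkispawn run. The script below is an added example, not FreeIPA or Dogtag code: it parses a pkispawn override ini and checks the `[DEFAULT]` keys the post uses (`ipa_key_type`, `ipa_key_size`, `ipa_key_algorithm`, `ipa_signing_algorithm` and the `pki_hsm_*`/`pki_token_*` keys) for internal consistency, and warns when the file, which holds the token PIN in clear, is readable by other users. The accepted value formats, the curve-to-hash pairing table and the 2048-bit RSA floor are this example's own assumptions, not rules taken from the page or from pkispawn; the embedded ini is a constructed copy of the one in the post.

```python
"""Sanity-check a pkispawn override ini before running ipa-server-install.

Added example; not FreeIPA/Dogtag code. Assumes the [DEFAULT] keys used in
the post (ipa_key_*, ipa_signing_algorithm, pki_hsm_*, pki_token_*); the
accepted formats below are this example's assumptions.
"""
import configparser
import os
import re
import stat

# Hash usually paired with each NIST curve (assumption: a narrower hash is
# accepted by NSS/Dogtag but wastes curve strength, so it is only a warning).
CURVE_HASH = {"nistp256": "SHA256", "nistp384": "SHA384", "nistp521": "SHA512"}
EC_ALG = re.compile(r"^SHA(256|384|512)withEC$")
RSA_ALG = re.compile(r"^SHA(256|384|512)withRSA$")
MIN_RSA_BITS = 2048  # assumption: policy floor for a CA signing key

# Constructed copy of the override file from the post (test PIN included).
SAMPLE_INI = """\
[DEFAULT]
ipa_key_algorithm=SHA256withEC
ipa_key_size=nistp384
ipa_key_type=ecc
ipa_signing_algorithm=SHA256withEC
pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so
pki_hsm_modulename=nitrohsm
pki_token_name=UserPIN (SmartCard-HSM)
pki_token_password=648219
"""


def check_override(text: str) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for an override ini text."""
    cp = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cp.read_string(text)
    d = cp["DEFAULT"]
    errors, warnings = [], []

    key_type = d.get("ipa_key_type", "rsa").lower()  # assumption: rsa is default
    key_size = d.get("ipa_key_size", "")
    algs = (("ipa_key_algorithm", d.get("ipa_key_algorithm", "")),
            ("ipa_signing_algorithm", d.get("ipa_signing_algorithm", "")))

    if key_type == "ecc":
        if key_size not in CURVE_HASH:
            errors.append(f"ipa_key_size {key_size!r} is not a known curve name")
        for name, val in algs:
            m = EC_ALG.match(val)
            if not m:
                errors.append(f"{name} {val!r} is not an EC algorithm")
            elif key_size in CURVE_HASH and "SHA" + m.group(1) != CURVE_HASH[key_size]:
                warnings.append(f"{name} uses SHA{m.group(1)} with {key_size}; "
                                f"{CURVE_HASH[key_size]} is the usual pairing")
    elif key_type == "rsa":
        if not key_size.isdigit() or int(key_size) < MIN_RSA_BITS:
            errors.append(f"ipa_key_size {key_size!r} must be >= {MIN_RSA_BITS} bits")
        for name, val in algs:
            if not RSA_ALG.match(val):
                errors.append(f"{name} {val!r} is not an RSA algorithm")
    else:
        errors.append(f"ipa_key_type {key_type!r} is not 'rsa' or 'ecc'")

    if d.get("pki_hsm_enable", "False").lower() == "true":
        for k in ("pki_hsm_libfile", "pki_hsm_modulename", "pki_token_name"):
            if not d.get(k):
                errors.append(f"{k} is required when pki_hsm_enable=True")
        lib = d.get("pki_hsm_libfile", "")
        if lib and not os.path.isabs(lib):
            errors.append("pki_hsm_libfile must be an absolute path")
        tok = d.get("pki_token_name", "")
        if tok != tok.strip():  # NSS matches the token label exactly
            errors.append("pki_token_name has leading/trailing whitespace")
        if not d.get("pki_token_password"):
            warnings.append("pki_token_password is empty")
    return {"errors": errors, "warnings": warnings}


def perm_warning(path: str, mode: int):
    """Warning text if `mode` grants group/other access to the PIN file, else None."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"{path} is mode {mode:04o} but holds the token PIN; use 0600"
    return None


def check_override_file(path: str) -> dict:
    """check_override() on a file, plus the permission check."""
    with open(path) as f:
        result = check_override(f.read())
    warn = perm_warning(path, stat.S_IMODE(os.stat(path).st_mode))
    if warn:
        result["warnings"].append(warn)
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = check_override_file(target) if target else check_override(SAMPLE_INI)
    for level in ("errors", "warnings"):
        for line in report[level]:
            print(f"{level[:-1]}: {line}")
    sys.exit(1 if report["errors"] else 0)
```

Run it as `python3 check_override.py /etc/ipa/override.ini` (with no argument it checks the embedded copy of the post's file). On that copy it reports no errors but two warnings, because both algorithms pair SHA-256 with a P-384 key; whether to act on that is a policy choice, but it is the kind of mismatch worth knowing about before the keys are generated on the HSM.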