> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Les Stott
> Sent: Monday, 23 February 2015 12:18 PM
> To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi Dewata;
> Jan Cholasta
> Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly
>
>
>
> > -----Original Message-----
> > From: Rob Crittenden [mailto:rcrit...@redhat.com]
> > Sent: Saturday, 21 February 2015 1:39 AM
> > To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Endi Dewata;
> > Jan Cholasta
> > Subject: Re: [Freeipa-users] ipa-getcert list fails to report
> > correctly
> >
> > Martin Kosek wrote:
> > > On 02/20/2015 06:56 AM, Les Stott wrote:
> > >> Hi all,
> > >>
> > >> The following is blocking the ability for me to install a CA replica.
> > >>
> > >> Environment:
> > >>
> > >> RHEL 6.6
> > >>
> > >> IPA 3.0.0-42
> > >>
> > >> PKI 9.0.3-38
> > >>
> > >> On the master the following is happening:
> > >>
> > >> ipa-getcert list
> > >>
> > >> Number of certificates and requests being tracked: 5.
> > >>
> > >> (but it shows no certificate details in the output)
> > >>
> > >> Running "getcert list" shows complete output.
> > >>
> > >> Also, when trying to browse
> > >> https://master.mydomain.com/ca/ee/ca/getCertChain i get a failed
> > >> response. The apache error logs on the master show....
> > >>
> > >> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL
> > >> client cannot verify your certificate
> > >>
> > >> The reason I am trying to browse that address is because that's
> > >> what the ipa-ca-install setup is failing at (it complains that the
> > >> CA certificate is not in proper format, in fact it's not able to
> > >> get it at all).
> > >>
> > >> I know from another working ipa setup that ....
> > >>
> > >> Browsing to the above address provides valid xml content and
> > >> ipa-getcert list shows certificate details and not just the number
> > >> of tracked certificates.
> > >>
> > >> Been trying for a long time to figure out the issues without luck.
> > >>
> > >> I would greatly appreciate any help to troubleshoot and resolve the
> > >> above issues.
> > >>
> > >> Regards,
> > >>
> > >> Les
> > >
> > > Endi or JanC, would you have any advise for Les? To me, it looks
> > > like the Apache does not have proper certificate installed.
> > >
> > > My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it
> > > in total of 8 certs tracked:
> > >
> > > # ipa-getcert list
> > > Number of certificates and requests being tracked: 8.
> > > Request ID '20141111000002':
> > > status: MONITORING
> > > stuck: no
> > > key pair storage:
> > > type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-
> > COM',nicknam
> > > e='Server-Cert',token='NSS
> > > Certificate
> > > DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
> > > certificate:
> > > type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-
> > COM',nicknam
> > > e='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > > expires: 2016-11-11 00:00:01 UTC
> > > key usage:
> > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20141111000047':
> > > status: MONITORING
> > > stuck: no
> > > key pair storage:
> > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
> > > ,token='NSS Certificate
> > > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> > > certificate:
> > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
> > > ,token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > > expires: 2016-11-11 00:00:46 UTC
> > > key usage:
> > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20141111000302':
> > > status: MONITORING
> > > stuck: no
> > > key pair storage:
> > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token=
> > > 'N SS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate:
> > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token=
> > > 'N
> > > SS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > > expires: 2016-11-11 00:03:02 UTC
> > > key usage:
> > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > >
> > >
> > > What is actually in your Apache NSS database?
> > >
> > > # certutil -L -d /etc/httpd/alias/
> > >
> > > Martin
> > >
> >
> > Remember ipa-getcert is just a shortcut for certificates using the
> > certmonger CA named IPA, so it's more a filter than anything else. I
> > don't know why it wouldn't display any output but I'd file a bug.
> >
> > I think we'd need to see the getcert list output to try to figure out
> > what is going on.
> >
> > As for the SSL error fetching the cert chain I think Martin may be
> > onto something. The request is proxied through Apache. I think the
> > client here might be the Apache proxy client.
> >
> > I believe this command replicates what Apache is doing, you might give
> > it a try on the master. This will get the chain directly from dogtag,
> > bypassing
> > Apache:
> >
> > $ curl -v --cacert /etc/ipa/ca.crt
> > https://`hostname`:9444/ca/ee/ca/getCertChain
> >
> > rob
>
> Certutil shows....
>
> certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname Trust Attributes
>
> SSL,S/MIME,JAR/XPI
>
> MYDOMAIN.COM IPA CA CT,C,C
> ipaCert u,u,u
> Signing-Cert u,u,u
> Server-Cert u,u,u
>
> curl -v --cacert /etc/ipa/ca.crt
> https://`hostname`:9444/ca/ee/ca/getCertChain
> * About to connect() to `hostname` port 9444 (#0)
> * Trying 192.168.1.1... connected
> * Connected to `hostname` (192.168.1.1) port 9444 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * CAfile: /etc/ipa/ca.crt
> CApath: none
> * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
> * Server certificate:
> * subject: CN=`hostname`,O=MYDOMAIN.COM
> * start date: Dec 13 01:21:30 2013 GMT
> * expire date: Dec 03 01:21:30 2015 GMT
> * common name: `hostname`
> * issuer: CN=Certificate Authority,O=MYDOMAIN.COM
> > GET /ca/ee/ca/getCertChain HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
> > NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: `hostname`:9444
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Server: Apache-Coyote/1.1
> < Content-Type: application/xml
> < Content-Length: 1434
> < Date: Mon, 23 Feb 2015 01:04:29 GMT
> <
> <?xml version="1.0" encoding="UTF-8"
> standalone="no"?><XMLResponse><Status>0</Status><ChainBase64>MIID
> zwYJKoZIhvcNAQcCoIIDwDCCA7wCAQExADAPBgkqhkiG9w0BBwGgAgQAoII
> DoDCCA5wwggKEoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwOjEYMBYGA1U
> EChMPREVSSVZBVElWRVMuQ09NMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSB
> BdXRob3JpdHkwHhcNMTMxMjEzMDEyMTI5WhcNMzMxMjEzMDEyMTI5Wj
> A6MRgwFgYDVQQKEw9ERVJJVkFUSVZFUy5DT00xHjAcBgNVBAMTFUNlcnRp
> ZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCg
> gEBAMAA8EaYhmpjSA8o3/1kB/W1+0K6+FrwCS+njOgRtXhiTdmtSddXSDVxH
> OafFwqN26BR+QRPZbbpJY70gP3SG8W+J6+c37PMVNshWz6UfChGt6ubgFxlS
> TGUUre2Osr9I4C836MXpGJvRx2VDEuMUxv8j7B9iDRnTDglseqPqrMct2No4w
> k4cLtA9puBJb0Es76SOHP9edXlf6GBnuYwR8YMc1yJLqpP8IGpHhEkVxMsRpqk
> EpuuRwEFa7uBcTDhqVV24BpFlseZVubpiOdEgfb3IRBTjvI1Mum9OCJbuj9P/W
> mqMnrA0sQsmF/R3WBwFdMAsN3+bQCRw73+rwoeDNcCAwEAAaOBrDCBq
> TAfBgNVHSMEGDAWgBSO8J+j2jAuyg3a0yE+3oVCQJCWUTAPBgNVHRMBAf8
> EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUjvCfo9owLsoN
> 2tMhPt6FQkCQllEwRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHR
> wOi8vc2I!
> ybW9uMDEuZGVyaXZhdGl2ZXMuY29tOjgwL2* Connection #0 to host
> `hostname` left intact
> * Closing connection #0
> NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAKH8YkoTAzX2xNYMkZSDK84EK3
> e4FUixdXxc/EC5ehjrtaqXT1KT9Fl9DAF5/jYNKqgmEmtHnPGlfQ7/Y1ESdhEGcB
> ZjU4qLe4HaFXuw5c9odDYxhtjQUd1g7ifY8SKOcHDCY+6Xx6F/rhFgzrXXMndn8
> ZaYryctPoOAj/5INnLrJq8S4XyLmb2BHM4e1ORQbOhDi8xjhfK2veYXvIu55Brhp
> RSS/goz5oSE8e+QE/H9afRmeV2+WkS/YDhSyoUDb7CYjklRuONzX3GopKtp1y
> yLXQZnBFjCvIJvja0mo3ik3AXxSZuOwUIlV23U8CyPU/rDeiV00iUyA/fLvdkEtZkx
> AA==</ChainBase64></XMLResponse>
>
>
> In any event, I've decided to rebuilt my DR IPA environment. Late last year
> the master in DR had to be rebuilt due to a disk issue. While IPA was restored
> manually and appeared to be working fine, CA replication hasn't worked. I
> finally got CA replication working in Prod after enabling needed apache
> modules and performing a yum update to update related packages, but
> these things didn't help in DR. It's my strong suspicion that something got
> missed when restoring the DR master IPA server and this is what is causing all
> my grief. Therefore, I'm going to wipe it out and start from scratch in DR.
> There are other benefits for me to do this anyway.
>
Well things have gone from bad to worse.
I removed IPA in DR. uninstalled all ipa clients, uninstalled replicas, removed
replication agreements and removed the master. Ran pki-remove to clear any
leftover pki instances and used certutil -D to remove left behind ipa entries
in /etc/httpd/alias.
So, clean slate to start again.
This time, in order to mirror config with prod, I began an installation for the
master on a different server, let's call it serverb. It was previously a
replica (in my prod environment, serverb is the true master, servera, serverc,
and serverd are replicas).
So, trying to install a new fresh instance of IPA and it still fails to
configure a CA.
Attached is the relevant portion of the server install log file
(ipa-server-install.txt). I have removed certificate and copyright info to
reduce its size. Also my server to install is serverb.mydomain.com
Apache logs at the time of the error show:
[Mon Feb 23 03:05:31 2015] [error] SSL Library Error: -12195 Peer does not
recognize and trust the CA that issued your certificate
Certificate databases only show the following (note that "Server-Cert
cert-pki-ca" got installed before the installer crashed). Prior to trying
installation I had to manually remove server certs left behind from the
previous installation via ...
certutil -d /etc/httpd/alias -D -n "Server-Cert"
certutil -d /etc/httpd/alias -D -n "MYDOMAIN.COM IPA CA"
certutil -d /etc/httpd/alias -D -n ipaCert
certutil -L -d /var/lib/pki-ca/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert cert-pki-ca CTu,Cu,Cu
certutil -L -d /etc/pki/nssdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Selinux is in permissive mode.
Ausearch -m avc does show some selinux issues, but its permissive mode so it
should be ok right? In any event I have previously tried installing a CA
replica with selinux disabled and it didn't help.
I have tried removing ipa and pki rpms and reinstalling. Then rerunning the ipa
server install script but the same error occurs.
I noticed that /etc/ipa/ca.crt was still old, and referencing the original
master. I removed that and again reran the installer but the same error
occurred.
Note also that /etc/ipa/cr.crt was not recreated when ipa-python was
reinstalled.
Other logs:
/var/log/pki-ca/system shows
5042.main - [23/Feb/2015:03:05:12 EST] [3] [3] Cannot build CA chain. Error
java.security.cert.CertificateException: Certificate is not a PKCS #11
certificate
5042.main - [23/Feb/2015:03:05:12 EST] [13] [3] authz instance DirAclAuthz
initialization failed and skipped, error=Property internaldb.ldapconn.port
missing value
5042.http-9445-1 - [23/Feb/2015:03:05:26 EST] [3] [3] Cannot build CA chain.
Error java.security.cert.CertificateException: Certificate is not a PKCS #11
certificate
5042.http-9445-1 - [23/Feb/2015:03:05:35 EST] [3] [3] CASigningUnit: Object
certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
/var/log/pki-ca/catalina.out
Feb 23, 2015 3:05:11 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ca
64-bit osutil library loaded
64-bit osutil library loaded
CMS Warning: FAILURE: Cannot build CA chain. Error
java.security.cert.CertificateException: Certificate is not a PKCS #11
certificate|FAILURE: authz instance DirAclAuthz initialization failed and
skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.
Feb 23, 2015 3:05:12 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9180
Feb 23, 2015 3:05:12 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9443
Feb 23, 2015 3:05:12 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9445
Feb 23, 2015 3:05:12 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9444
Feb 23, 2015 3:05:12 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9446
Feb 23, 2015 3:05:12 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:9447
Feb 23, 2015 3:05:12 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/25 config=null
Feb 23, 2015 3:05:12 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1655 ms
I have no idea where to look next. There must be some remnant of the old system
hanging around screwing things up but I cannot figure it out. This will drive
me insane!
I can provide more logs if needed.
Thanks in advance for any help.
Regards,
Les
#############################################
Attempting to connect to: serverb.mydomain.com:9445
Connected.
Posting Query =
https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=12&op=next&xml=true&subsystem=-----BEGIN+CERTIFICATE-----
-----END+CERTIFICATE-----&sslserver_cc=
RESPONSE STATUS: HTTP/1.1 200 OK
RESPONSE HEADER: Server: Apache-Coyote/1.1
RESPONSE HEADER: Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER: Date: Mon, 23 Feb 2015 08:05:35 GMT
RESPONSE HEADER: Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
<response>
<panel>admin/console/config/backupkeycertpanel.vm</panel>
<res/>
<showApplyButton/>
<pwdagain/>
<updateStatus>failure</updateStatus>
<dobackup/>
<errorString/>
<size>19</size>
<title>Export Keys and Certificates</title>
<pwd/>
<panels>
<Vector>
<Panel>
<Id>welcome</Id>
<Name>Welcome</Name>
</Panel>
<Panel>
<Id>module</Id>
<Name>Key Store</Name>
</Panel>
<Panel>
<Id>confighsmlogin</Id>
<Name>ConfigHSMLogin</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Security Domain</Name>
</Panel>
<Panel>
<Id>securitydomain</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>subsystem</Id>
<Name>Subsystem Type</Name>
</Panel>
<Panel>
<Id>clone</Id>
<Name>Display Certificate Chain</Name>
</Panel>
<Panel>
<Id>restorekeys</Id>
<Name>Import Keys and Certificates</Name>
</Panel>
<Panel>
<Id>cahierarchy</Id>
<Name>PKI Hierarchy</Name>
</Panel>
<Panel>
<Id>database</Id>
<Name>Internal Database</Name>
</Panel>
<Panel>
<Id>size</Id>
<Name>Key Pairs</Name>
</Panel>
<Panel>
<Id>subjectname</Id>
<Name>Subject Names</Name>
</Panel>
<Panel>
<Id>certrequest</Id>
<Name>Requests and Certificates</Name>
</Panel>
<Panel>
<Id>backupkeys</Id>
<Name>Export Keys and Certificates</Name>
</Panel>
<Panel>
<Id>savepk12</Id>
<Name>Save Keys and Certificates</Name>
</Panel>
<Panel>
<Id>importcachain</Id>
<Name>Import CA's Certificate Chain</Name>
</Panel>
<Panel>
<Id>admin</Id>
<Name>Administrator</Name>
</Panel>
<Panel>
<Id>importadmincert</Id>
<Name>Import Administrator's Certificate</Name>
</Panel>
<Panel>
<Id>done</Id>
<Name>Done</Name>
</Panel>
</Vector>
</panels>
<nobackup>checked</nobackup>
<p>13</p>
<name>CA Setup Wizard</name>
<req/>
<panelname>backupkeys</panelname>
</response>
Error in CertificatePanel(): updateStatus returns failure
ERROR: ConfigureCA: CertificatePanel() failure
ERROR: unable to create CA
#######################################################################
2015-02-23T08:05:35Z DEBUG stderr=
2015-02-23T08:05:35Z CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com
-cs_port 9445 -client_certdb_dir /tmp/tmp-kdz0jo -client_certdb_pwd XXXXXXXX
-preop_pin OoJJTy7FnMTr0GTvNk8J -domain_name IPA -admin_user admin -admin_email
root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=mydomain.COM -ldap_host serverb.mydomain.com -ldap_port 7389
-bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name
ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true
-backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=mydomain.COM
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=mydomain.COM
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=mydomain.COM
-ca_server_cert_subject_name CN=serverb.mydomain.com,O=mydomain.COM
-ca_audit_signing_cert_subject_name CN=CA Audit,O=mydomain.COM
-ca_sign_cert_subject_name CN=Certificate Authority,O=mydomain.COM -external
false -clone false' returned non-zero exit status 255
2015-02-23T08:05:35Z INFO File
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614,
in run_script
return_value = main_function()
File "/usr/sbin/ipa-server-install", line 942, in main
subject_base=options.subject)
File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
626, in configure_instance
self.start_creation(runtime=210)
File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line
358, in start_creation
method()
File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line
888, in __configure_instance
raise RuntimeError('Configuration of CA failed')
2015-02-23T08:05:35Z INFO The ipa-server-install command failed, exception:
RuntimeError: Configuration of CA failed
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
