> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> Sent: Monday, 23 February 2015 12:18 PM
> To: Rob Crittenden; Martin Kosek; freeipa-users@redhat.com; Endi Dewata; Jan Cholasta
> Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly
>
>
>
> > -----Original Message-----
> > From: Rob Crittenden [mailto:rcrit...@redhat.com]
> > Sent: Saturday, 21 February 2015 1:39 AM
> > To: Martin Kosek; Les Stott; freeipa-users@redhat.com; Endi Dewata; Jan Cholasta
> > Subject: Re: [Freeipa-users] ipa-getcert list fails to report correctly
> >
> > Martin Kosek wrote:
> > > On 02/20/2015 06:56 AM, Les Stott wrote:
> > >> Hi all,
> > >>
> > >> The following is blocking the ability for me to install a CA replica.
> > >>
> > >> Environment:
> > >>
> > >> RHEL 6.6
> > >>
> > >> IPA 3.0.0-42
> > >>
> > >> PKI 9.0.3-38
> > >>
> > >> On the master the following is happening:
> > >>
> > >> ipa-getcert list
> > >>
> > >> Number of certificates and requests being tracked: 5.
> > >>
> > >> (but it shows no certificate details in the output)
> > >>
> > >> Running "getcert list" shows complete output.
> > >>
> > >> Also, when trying to browse https://master.mydomain.com/ca/ee/ca/getCertChain I get a failed
> > >> response. The apache error logs on the master show....
> > >>
> > >> [Thu Feb 19 23:23:23 2015] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
> > >>
> > >> The reason I am trying to browse that address is because that's what the ipa-ca-install setup
> > >> is failing at (it complains that the CA certificate is not in proper format, in fact it's not
> > >> able to get it at all).
> > >>
> > >> I know from another working ipa setup that ....
> > >>
> > >> Browsing to the above address provides valid xml content and ipa-getcert list shows
> > >> certificate details and not just the number of tracked certificates.
> > >>
> > >> Been trying for a long time to figure out the issues without luck.
> > >>
> > >> I would greatly appreciate any help to troubleshoot and resolve the above issues.
> > >>
> > >> Regards,
> > >>
> > >> Les
> > >
> > > Endi or JanC, would you have any advice for Les? To me, it looks like the Apache does not
> > > have a proper certificate installed.
> > >
> > > My ipa-getcert on RHEL-6.6 shows 3 Server-Certs tracked, making it in total 8 certs tracked:
> > >
> > > # ipa-getcert list
> > > Number of certificates and requests being tracked: 8.
> > > Request ID '20141111000002':
> > >         status: MONITORING
> > >         stuck: no
> > >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM/pwdfile.txt'
> > >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDM-LAB-BOS-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB'
> > >         CA: IPA
> > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > >         subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > >         expires: 2016-11-11 00:00:01 UTC
> > >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > >         eku: id-kp-serverAuth,id-kp-clientAuth
> > >         pre-save command:
> > >         post-save command:
> > >         track: yes
> > >         auto-renew: yes
> > > Request ID '20141111000047':
> > >         status: MONITORING
> > >         stuck: no
> > >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> > >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> > >         CA: IPA
> > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > >         subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > >         expires: 2016-11-11 00:00:46 UTC
> > >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > >         eku: id-kp-serverAuth,id-kp-clientAuth
> > >         pre-save command:
> > >         post-save command:
> > >         track: yes
> > >         auto-renew: yes
> > > Request ID '20141111000302':
> > >         status: MONITORING
> > >         stuck: no
> > >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > >         CA: IPA
> > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > >         subject: CN=vm-086.example.com,O=EXAMPLE.COM
> > >         expires: 2016-11-11 00:03:02 UTC
> > >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > >         eku: id-kp-serverAuth,id-kp-clientAuth
> > >         pre-save command:
> > >         post-save command:
> > >         track: yes
> > >         auto-renew: yes
> > >
> > >
> > > What is actually in your Apache NSS database?
> > >
> > > # certutil -L -d /etc/httpd/alias/
> > >
> > > Martin
> > >
> >
> > Remember ipa-getcert is just a shortcut for certificates using the certmonger CA named IPA,
> > so it's more a filter than anything else. I don't know why it wouldn't display any output
> > but I'd file a bug.
> >
> > I think we'd need to see the getcert list output to try to figure out what is going on.
> >
> > As for the SSL error fetching the cert chain I think Martin may be onto something. The
> > request is proxied through Apache. I think the client here might be the Apache proxy client.
> >
> > I believe this command replicates what Apache is doing, you might give it a try on the
> > master. This will get the chain directly from dogtag, bypassing Apache:
> >
> > $ curl -v --cacert /etc/ipa/ca.crt https://`hostname`:9444/ca/ee/ca/getCertChain
> >
> > rob
>
> Certutil shows....
>
> certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> MYDOMAIN.COM IPA CA                                          CT,C,C
> ipaCert                                                      u,u,u
> Signing-Cert                                                 u,u,u
> Server-Cert                                                  u,u,u
>
> curl -v --cacert /etc/ipa/ca.crt https://`hostname`:9444/ca/ee/ca/getCertChain
> * About to connect() to `hostname` port 9444 (#0)
> *   Trying 192.168.1.1... connected
> * Connected to `hostname` (192.168.1.1) port 9444 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/ipa/ca.crt
>   CApath: none
> * SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
> * Server certificate:
> *       subject: CN=`hostname`,O=MYDOMAIN.COM
> *       start date: Dec 13 01:21:30 2013 GMT
> *       expire date: Dec 03 01:21:30 2015 GMT
> *       common name: `hostname`
> *       issuer: CN=Certificate Authority,O=MYDOMAIN.COM
> > GET /ca/ee/ca/getCertChain HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: `hostname`:9444
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Server: Apache-Coyote/1.1
> < Content-Type: application/xml
> < Content-Length: 1434
> < Date: Mon, 23 Feb 2015 01:04:29 GMT
> <
> <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><ChainBase64>MIID
> zwYJKoZIhvcNAQcCoIIDwDCCA7wCAQExADAPBgkqhkiG9w0BBwGgAgQAoII
> DoDCCA5wwggKEoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwOjEYMBYGA1U
> EChMPREVSSVZBVElWRVMuQ09NMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSB
> BdXRob3JpdHkwHhcNMTMxMjEzMDEyMTI5WhcNMzMxMjEzMDEyMTI5Wj
> A6MRgwFgYDVQQKEw9ERVJJVkFUSVZFUy5DT00xHjAcBgNVBAMTFUNlcnRp
> ZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCg
> gEBAMAA8EaYhmpjSA8o3/1kB/W1+0K6+FrwCS+njOgRtXhiTdmtSddXSDVxH
> OafFwqN26BR+QRPZbbpJY70gP3SG8W+J6+c37PMVNshWz6UfChGt6ubgFxlS
> TGUUre2Osr9I4C836MXpGJvRx2VDEuMUxv8j7B9iDRnTDglseqPqrMct2No4w
> k4cLtA9puBJb0Es76SOHP9edXlf6GBnuYwR8YMc1yJLqpP8IGpHhEkVxMsRpqk
> EpuuRwEFa7uBcTDhqVV24BpFlseZVubpiOdEgfb3IRBTjvI1Mum9OCJbuj9P/W
> mqMnrA0sQsmF/R3WBwFdMAsN3+bQCRw73+rwoeDNcCAwEAAaOBrDCBq
> TAfBgNVHSMEGDAWgBSO8J+j2jAuyg3a0yE+3oVCQJCWUTAPBgNVHRMBAf8
> EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUjvCfo9owLsoN
> 2tMhPt6FQkCQllEwRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHR
> wOi8vc2I!
> ybW9uMDEuZGVyaXZhdGl2ZXMuY29tOjgwL2* Connection #0 to host `hostname` left intact
> * Closing connection #0
> NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAKH8YkoTAzX2xNYMkZSDK84EK3
> e4FUixdXxc/EC5ehjrtaqXT1KT9Fl9DAF5/jYNKqgmEmtHnPGlfQ7/Y1ESdhEGcB
> ZjU4qLe4HaFXuw5c9odDYxhtjQUd1g7ifY8SKOcHDCY+6Xx6F/rhFgzrXXMndn8
> ZaYryctPoOAj/5INnLrJq8S4XyLmb2BHM4e1ORQbOhDi8xjhfK2veYXvIu55Brhp
> RSS/goz5oSE8e+QE/H9afRmeV2+WkS/YDhSyoUDb7CYjklRuONzX3GopKtp1y
> yLXQZnBFjCvIJvja0mo3ik3AXxSZuOwUIlV23U8CyPU/rDeiV00iUyA/fLvdkEtZkx
> AA==</ChainBase64></XMLResponse>
>
>
> In any event, I've decided to rebuild my DR IPA environment. Late last year the master in DR
> had to be rebuilt due to a disk issue. While IPA was restored manually and appeared to be
> working fine, CA replication hasn't worked. I finally got CA replication working in Prod after
> enabling needed apache modules and performing a yum update to update related packages, but
> these things didn't help in DR. It's my strong suspicion that something got missed when
> restoring the DR master IPA server and this is what is causing all my grief. Therefore, I'm
> going to wipe it out and start from scratch in DR. There are other benefits for me to do this
> anyway.
>
Well, things have gone from bad to worse.

I removed IPA in DR: uninstalled all ipa clients, uninstalled replicas, removed replication agreements and removed the master. Ran pki-remove to clear any leftover pki instances and used certutil -D to remove left-behind ipa entries in /etc/httpd/alias. So, clean slate to start again.

This time, in order to mirror config with prod, I began an installation for the master on a different server, let's call it serverb. It was previously a replica (in my prod environment, serverb is the true master; servera, serverc, and serverd are replicas). So, trying to install a new fresh instance of IPA and it still fails to configure a CA.

Attached is the relevant portion of the server install log file (ipa-server-install.txt). I have removed certificate and copyright info to reduce its size. Also my server to install is serverb.mydomain.com.

Apache logs at the time of the error show:

[Mon Feb 23 03:05:31 2015] [error] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate

Certificate databases only show the following (note that "Server-Cert cert-pki-ca" got installed before the installer crashed). Prior to trying installation I had to manually remove server certs left behind from the previous installation via ...

certutil -d /etc/httpd/alias -D -n "Server-Cert"
certutil -d /etc/httpd/alias -D -n "MYDOMAIN.COM IPA CA"
certutil -d /etc/httpd/alias -D -n ipaCert

certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      CTu,Cu,Cu

certutil -L -d /etc/pki/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

SELinux is in permissive mode. ausearch -m avc does show some selinux issues, but it's permissive mode so it should be ok, right? In any event I have previously tried installing a CA replica with selinux disabled and it didn't help.

I have tried removing ipa and pki rpms and reinstalling, then rerunning the ipa server install script, but the same error occurs.

I noticed that /etc/ipa/ca.crt was still old, and referencing the original master. I removed that and again reran the installer but the same error occurred. Note also that /etc/ipa/ca.crt was not recreated when ipa-python was reinstalled.

Other logs:

/var/log/pki-ca/system shows

5042.main - [23/Feb/2015:03:05:12 EST] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
5042.main - [23/Feb/2015:03:05:12 EST] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
5042.http-9445-1 - [23/Feb/2015:03:05:26 EST] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
5042.http-9445-1 - [23/Feb/2015:03:05:35 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException

/var/log/pki-ca/catalina.out

Feb 23, 2015 3:05:11 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ca
64-bit osutil library loaded
64-bit osutil library loaded
CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
Server is started.
Feb 23, 2015 3:05:12 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9180
Feb 23, 2015 3:05:12 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9443
Feb 23, 2015 3:05:12 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9445
Feb 23, 2015 3:05:12 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9444
Feb 23, 2015 3:05:12 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9446
Feb 23, 2015 3:05:12 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:9447
Feb 23, 2015 3:05:12 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/25  config=null
Feb 23, 2015 3:05:12 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1655 ms

I have no idea where to look next. There must be some remnant of the old system hanging around screwing things up but I cannot figure it out. This will drive me insane!

I can provide more logs if needed.

Thanks in advance for any help.

Regards,

Les
#############################################
Attempting to connect to: serverb.mydomain.com:9445
Connected.
Posting Query = https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=12&op=next&xml=true&subsystem=-----BEGIN+CERTIFICATE----- -----END+CERTIFICATE-----&sslserver_cc=
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Mon, 23 Feb 2015 08:05:35 GMT
RESPONSE HEADER:  Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
<response>
  <panel>admin/console/config/backupkeycertpanel.vm</panel>
  <res/>
  <showApplyButton/>
  <pwdagain/>
  <updateStatus>failure</updateStatus>
  <dobackup/>
  <errorString/>
  <size>19</size>
  <title>Export Keys and Certificates</title>
  <pwd/>
  <panels>
    <Vector>
      <Panel>
        <Id>welcome</Id>
        <Name>Welcome</Name>
      </Panel>
      <Panel>
        <Id>module</Id>
        <Name>Key Store</Name>
      </Panel>
      <Panel>
        <Id>confighsmlogin</Id>
        <Name>ConfigHSMLogin</Name>
      </Panel>
      <Panel>
        <Id>securitydomain</Id>
        <Name>Security Domain</Name>
      </Panel>
      <Panel>
        <Id>securitydomain</Id>
        <Name>Display Certificate Chain</Name>
      </Panel>
      <Panel>
        <Id>subsystem</Id>
        <Name>Subsystem Type</Name>
      </Panel>
      <Panel>
        <Id>clone</Id>
        <Name>Display Certificate Chain</Name>
      </Panel>
      <Panel>
        <Id>restorekeys</Id>
        <Name>Import Keys and Certificates</Name>
      </Panel>
      <Panel>
        <Id>cahierarchy</Id>
        <Name>PKI Hierarchy</Name>
      </Panel>
      <Panel>
        <Id>database</Id>
        <Name>Internal Database</Name>
      </Panel>
      <Panel>
        <Id>size</Id>
        <Name>Key Pairs</Name>
      </Panel>
      <Panel>
        <Id>subjectname</Id>
        <Name>Subject Names</Name>
      </Panel>
      <Panel>
        <Id>certrequest</Id>
        <Name>Requests and Certificates</Name>
      </Panel>
      <Panel>
        <Id>backupkeys</Id>
        <Name>Export Keys and Certificates</Name>
      </Panel>
      <Panel>
        <Id>savepk12</Id>
        <Name>Save Keys and Certificates</Name>
      </Panel>
      <Panel>
        <Id>importcachain</Id>
        <Name>Import CA's Certificate Chain</Name>
      </Panel>
      <Panel>
        <Id>admin</Id>
        <Name>Administrator</Name>
      </Panel>
      <Panel>
        <Id>importadmincert</Id>
        <Name>Import Administrator's Certificate</Name>
      </Panel>
      <Panel>
        <Id>done</Id>
        <Name>Done</Name>
      </Panel>
    </Vector>
  </panels>
  <nobackup>checked</nobackup>
  <p>13</p>
  <name>CA Setup Wizard</name>
  <req/>
  <panelname>backupkeys</panelname>
</response>
Error in CertificatePanel(): updateStatus returns failure
ERROR: ConfigureCA: CertificatePanel() failure
ERROR: unable to create CA
#######################################################################

2015-02-23T08:05:35Z DEBUG stderr=
2015-02-23T08:05:35Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-kdz0jo -client_certdb_pwd XXXXXXXX -preop_pin OoJJTy7FnMTr0GTvNk8J -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=mydomain.COM -ldap_host serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=mydomain.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=mydomain.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=mydomain.COM -ca_server_cert_subject_name CN=serverb.mydomain.com,O=mydomain.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=mydomain.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=mydomain.COM -external false -clone false' returned non-zero exit status 255
2015-02-23T08:05:35Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 942, in main
    subject_base=options.subject)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 888, in __configure_instance
    raise RuntimeError('Configuration of CA failed')

2015-02-23T08:05:35Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
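The thread above turns on three things that can be checked before an install is retried: what certutil actually lists in the NSS databases (Martin's question), the fact that ipa-getcert list is only getcert list filtered to the certmonger CA named IPA (Rob's point), and whether the getCertChain XMLResponse carries a Status of 0 and a decodable DER chain (the "CA certificate is not in proper format" failure). The script below is an added example, not code from FreeIPA, Dogtag or anyone in the thread; it parses those three outputs offline. The sample listings, the getcert entries and the XMLResponse are constructed from the thread (the ChainBase64 is only a DER SEQUENCE header, not a real chain), and the expected-content rules in check_httpd_db are my reading of the working /etc/httpd/alias listing Les posted, not a FreeIPA specification.

```python
"""Offline sanity checks for an IPA CA install: certutil -L listings,
getcert list tracking, and Dogtag's getCertChain XMLResponse.
Added example; sample data below is constructed from the mailing-list thread."""
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample: the working /etc/httpd/alias listing from the thread.
CERTUTIL_HTTPD_ALIAS = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MYDOMAIN.COM IPA CA                                          CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u
"""

# Constructed sample: a DB after the CA cert, ipaCert and Server-Cert were
# deleted with certutil -D; only the Dogtag server cert is left.
CERTUTIL_AFTER_CLEANUP = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      CTu,Cu,Cu
"""

# Constructed sample of `getcert list`. The third request uses a different
# certmonger CA, so `ipa-getcert list` would not show it; the second is stuck.
GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20141111000002':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
Request ID '20141111000302':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
Request ID '20141111000500':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
"""

# Constructed getCertChain response; ChainBase64 is just a DER SEQUENCE header.
GETCERTCHAIN_XML = ('<XMLResponse><Status>0</Status>'
                    '<ChainBase64>MIIDzw==</ChainBase64></XMLResponse>')

HEADER_TAILS = ('Trust Attributes', 'SSL,S/MIME,JAR/XPI')


def parse_certutil_list(text):
    """Map nickname -> trust flags from `certutil -L` output. Nicknames may
    contain single spaces, so split on the run of 2+ spaces before the flags."""
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.endswith(HEADER_TAILS):
            continue
        m = re.match(r'^(.+?)\s{2,}([CTcPpu,]+)$', line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def check_httpd_db(certs, ca_nickname):
    """Assumed rule: the IPA CA must be trusted as an SSL CA ('C' in the first
    trust field) and ipaCert/Server-Cert must be present with a private key ('u')."""
    problems = []
    trust = certs.get(ca_nickname)
    if trust is None:
        problems.append(f"missing CA certificate '{ca_nickname}'")
    elif 'C' not in trust.split(',')[0]:
        problems.append(f"'{ca_nickname}' not trusted as SSL CA ({trust})")
    for nick in ('ipaCert', 'Server-Cert'):
        if nick not in certs:
            problems.append(f"missing '{nick}'")
        elif 'u' not in certs[nick].split(',')[0]:
            problems.append(f"'{nick}' has no private key ({certs[nick]})")
    return problems


def parse_getcert_list(text):
    """One dict per tracked request from `getcert list` output."""
    requests, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {'id': m.group(1)}
            requests.append(cur)
        elif cur is not None and line.startswith('\t'):
            key, _, val = line.strip().partition(':')
            cur[key] = val.strip()
    return requests


def tracked_by_ca(requests, ca='IPA'):
    """What ipa-getcert list shows: getcert list filtered to certmonger CA `ca`."""
    return [r for r in requests if r.get('CA') == ca]


def stuck_requests(requests):
    """Request IDs certmonger has marked stuck; these need manual attention."""
    return [r['id'] for r in requests if r.get('stuck') == 'yes']


def check_cert_chain_response(xml_text):
    """Validate a getCertChain XMLResponse: Status must be 0 and ChainBase64
    must decode to DER (a SEQUENCE, first byte 0x30). Returns (ok, reason)."""
    root = ET.fromstring(xml_text)
    if root.findtext('Status') != '0':
        return False, 'Status != 0'
    try:
        der = base64.b64decode(root.findtext('ChainBase64') or '', validate=True)
    except (ValueError, TypeError):
        return False, 'ChainBase64 is not valid base64'
    if not der or der[0] != 0x30:
        return False, 'decoded chain is not a DER SEQUENCE'
    return True, 'ok'


if __name__ == '__main__':
    for name, text in (('httpd alias', CERTUTIL_HTTPD_ALIAS),
                       ('after cleanup', CERTUTIL_AFTER_CLEANUP)):
        print(name, check_httpd_db(parse_certutil_list(text), 'MYDOMAIN.COM IPA CA') or 'OK')
    reqs = parse_getcert_list(GETCERT_LIST)
    print('tracked by IPA:', [r['id'] for r in tracked_by_ca(reqs)], 'stuck:', stuck_requests(reqs))
    print('getCertChain:', check_cert_chain_response(GETCERTCHAIN_XML))
```

On a real host the same functions can be fed the output of `certutil -L -d /etc/httpd/alias`, `getcert list` and the body returned by Rob's curl command; the cleanup sample reproduces the state Les describes after deleting the old entries, where all three expected certificates are reported missing before the installer is ever run.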