Алексей Иванов wrote:
> Greetings,
>
> I found the following error in the log you told me about.

The profile used is in this message:

INFO: CertProcessor: Submitting certificate request to caCACert profile

Profiles on disk are not used. The CA uses those stored in LDAP. You're looking for:

dn: cn=caCACert,ou=certificateProfiles,ou=ca,o=ipaca

rob

> 2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor:
> - req_seq_num: 0
> 2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor:
> - profilesetid: caCertSet
> 2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor:
> - req_authority_id: 80a77871-f53d-4154-ad3f-9b669ca9791f
> 2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor:
> - req_subject_name.uid:
> 2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor:
> - auth_token.authmanagerid: certUserDBAuthMgr
> 2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor:
> - requesttype: enrollment
> 2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor:
> - req_extensions: owIwAA==
>
> 2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor:
> - req_subject_name: MA8xDTALBgNVBAMMBHRlc3Q=
>
> 2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor:
> Submitting certificate request to caCACert profile
> 2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: LDAPSession:
> Adding LDAP entry cn=32,ou=ca, ou=requests,o=ipaca
> 2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: KeyConstraint:
> Key algorithnm: RSA
> 2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: KeyConstraint:
> Key type: -
> 2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] WARNING: Certificate
> request rejected: Key Parameters
> 1024,2048,3072,4096,nistp256,nistp384,nistp521 Not Matched
> Key Parameters 1024,2048,3072,4096,nistp256,nistp384,nistp521 Not Matched
> at com.netscape.cms.profile.constraint.KeyConstraint.validate(KeyConstraint.java:198)
> at com.netscape.cms.profile.constraint.EnrollConstraint.validate(EnrollConstraint.java:172)
> at com.netscape.cms.profile.common.Profile.validate(Profile.java:1309)
> at com.netscape.cms.profile.common.EnrollProfile.validate(EnrollProfile.java:2767)
> at com.netscape.cms.profile.common.EnrollProfile.submit(EnrollProfile.java:731)
> at com.netscape.cms.servlet.cert.CertProcessor.submitRequests(CertProcessor.java:253)
> at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:207)
> at com.netscape.ca.CertificateAuthority.generateSigningCert(CertificateAuthority.java:1941)
> at org.dogtagpki.server.ca.CAEngine.createCA(CAEngine.java:1064)
> at org.dogtagpki.server.ca.CAEngine.createCA(CAEngine.java:1118)
> at org.dogtagpki.server.ca.rest.AuthorityService.createCA(AuthorityService.java:268)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:568)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:568)
> at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
> at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
> at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:221)
> at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
> at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:568)
> at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
> at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
> at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
> at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:145)
> at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:143)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:660)
> at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:83)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:359)
> at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:433)
> at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
> at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:889)
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
> at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
> at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.base/java.lang.Thread.run(Thread.java:833)
>
> [root@mdc-ipa-2 ca]# ipa certprofile-find caCertSet
> ------------------
> 0 profiles matched
> ------------------
> ----------------------------
> Number of entries returned 0
> ----------------------------
> [root@mdc-ipa-2 ca]# find / -name *caCertSet*
> find: ‘/proc/28227/task/28227/net’: Invalid argument
> find: ‘/proc/28227/net’: Invalid argument
> find: ‘/proc/28231/task/28231/net’: Invalid argument
> find: ‘/proc/28231/net’: Invalid argument
> find: ‘/proc/32516/task/32516/net’: Invalid argument
> find: ‘/proc/32516/net’: Invalid argument
> find: ‘/proc/32520/task/32520/net’: Invalid argument
> find: ‘/proc/32520/net’: Invalid argument
> find: ‘/proc/33513/task/33513/net’: Invalid argument
> find: ‘/proc/33513/net’: Invalid argument
> [root@mdc-ipa-2 ca]# ipa certprofile-find
> ------------------
> 5 profiles matched
> ------------------
> Profile ID: acmeIPAServerCert
> Profile description: ACME IPA service certificate profile
> Store issued certificates: False
>
> Profile ID: caIPAserviceCert
> Profile description: Standard profile for network services
> Store issued certificates: True
>
> Profile ID: IECUserRoles
> Profile description: User profile that includes IECUserRoles extension from request
> Store issued certificates: True
>
> Profile ID: KDCs_PKINIT_Certs
> Profile description: Profile for PKINIT support by KDCs
> Store issued certificates: False
>
> Profile ID: server
> Profile description: Default server certificate
> Store issued certificates: True
> ----------------------------
> Number of entries returned 5
> ----------------------------
> [root@mdc-ipa-2 ca]#
>
> Any idea where to find the caCertSet profile?
>
> Regards,
> Alex Ivanov.
>
>
> On Fri, Mar 3, 2023 at 4:16 PM Rob Crittenden <[email protected]> wrote:
> > Алексей Иванов via FreeIPA-users wrote:
> > > Greetings,
> > >
> > > During the installation process I used the following pki_override.cfg file
> > >
> > > [DEFAULT]
> > > pki_admin_key_algorithm=SHA512withRSA
> > > pki_admin_key_size=8192
> > > pki_audit_signing_key_algorithm=SHA512withRSA
> > > pki_audit_signing_key_size=8192
> > > pki_audit_signing_key_type=rsa
> > > pki_audit_signing_signing_algorithm=SHA512withRSA
> > > pki_ssl_server_key_algorithm=SHA512withRSA
> > > pki_ssl_server_key_size=8192
> > > pki_sslserver_signing_algorithm=SHA512withRSA
> > > pki_subsystem_key_algorithm=SHA512withRSA
> > > pki_subsystem_signing_algorithm=SHA512withRSA
> > > pki_subsystem_key_size=8192
> > > [CA]
> > > pki_ca_signing_key_size=8192
> > > pki_ca_signing_key_algorithm=SHA512withRSA
> > > pki_ca_signing_signing_algorithm=SHA512withRSA
> > > pki_ocsp_signing_key_algorithm=SHA512withRSA
> > > pki_ocsp_signing_key_size=8192
> > > pki_ocsp_signing_signing_algorithm=SHA512withRSA
> > > [KRA]
> > > pki_storage_key_algorithm=SHA512withRSA
> > > pki_storage_key_size=8192
> > > pki_storage_signing_algorithm=SHA512withRSA
> > > pki_transport_key_algorithm=SHA512withRSA
> > > pki_transport_key_size=8192
> > > pki_transport_signing_algorithm=SHA512withRSA
> > > [OCSP]
> > > pki_ocsp_signing_key_algorithm=SHA512withRSA
> > > pki_ocsp_signing_key_size=8192
> > > pki_ocsp_signing_signing_algorithm=SHA512hRSA
> > >
> > > This led to the following error when I try to add a subCA:
> > >
> > > Request failed with status 400: Non-2xx response from CA REST API: 400.
> > > Failed to issue CA certificate. Final status: rejected. Additional info:
> > > Key Parameters 1024,2048,3072,4096,nistp256,nistp384,nistp521 Not Matched
> > >
> > > By default we have three certificate profiles caIPAserviceCert,
> > > KDCs_PKINIT_Certs, IECUserRoles but changing them does not fix this
> > > error. Could you please tell me where I can find a subCA certificate
> > > template?
> >
> > Look in /var/log/pki/pki-tomcat/ca/debug-<date> and it should tell you
> > the profile it used.
> >
> > At one point subCA keys were hardcoded at 2048. I don't know if that is
> > still the case.
> >
> > 8k keys everywhere are going to tank performance, particularly the 8k
> > server-cert key.
> >
> > rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
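The two things the thread turns on are (a) which profile the lightweight-CA request went through (caCACert, policy set caCertSet, as the debug log says) and (b) that the rejection comes from that profile's key constraint, whose keyParameters list stops at 4096 for RSA. The script below is an added example, not code from the thread, from FreeIPA or from Dogtag. It replays a simplified version of the KeyConstraint check against a constructed profile excerpt in Dogtag's key=value profile format (only the policy-set name, the keyConstraintImpl class and the parameter list are taken from the log above; the other lines, the function names and the assumption that the parameters are called keyType and keyParameters are mine), decodes the two base64 fields Dogtag logged so you can see what the request actually carried (subject CN=test, no extensions), and produces a profile text with 8192 appended to the list rather than a hand edit.

```python
"""Added example (not from the thread, FreeIPA or Dogtag): replay the
keyConstraintImpl check that rejected the sub-CA request, decode the base64
fields in the CertProcessor log lines, and widen the key whitelist safely."""
import base64

# Constructed stand-in for the caCACert profile stored in LDAP.  Only the
# policy set name, the constraint class and the keyParameters list come from
# the log in the thread; the rest is assumed to follow Dogtag's profile format.
CACACERT_PROFILE = """\
profileId=caCACert
policyset.list=caCertSet
policyset.caCertSet.list=1,2
policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.caCertSet.1.constraint.params.pattern=.*
policyset.caCertSet.2.constraint.class_id=keyConstraintImpl
policyset.caCertSet.2.constraint.name=Key Constraint
policyset.caCertSet.2.constraint.params.keyType=-
policyset.caCertSet.2.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
"""


def parse_profile(text):
    """key=value lines -> dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            k, _, v = line.partition("=")
            cfg[k.strip()] = v.strip()
    return cfg


def key_constraints(cfg):
    """Every keyConstraintImpl policy as (policyset, id, keyType, [keyParameters])."""
    found = []
    for pset in filter(None, map(str.strip, cfg.get("policyset.list", "").split(","))):
        for pid in filter(None, map(str.strip, cfg.get(f"policyset.{pset}.list", "").split(","))):
            pfx = f"policyset.{pset}.{pid}.constraint"
            if cfg.get(f"{pfx}.class_id") == "keyConstraintImpl":
                params = [p.strip() for p in cfg.get(f"{pfx}.params.keyParameters", "").split(",") if p.strip()]
                found.append((pset, pid, cfg.get(f"{pfx}.params.keyType", "-"), params))
    return found


def validate_key(cfg, algorithm, size_or_curve):
    """Simplified replay of KeyConstraint.validate: keyType '-' accepts any algorithm,
    and the RSA modulus size or EC curve name must appear in keyParameters.
    Returns (accepted, message); the message wording mirrors the log line."""
    for _pset, _pid, ktype, params in key_constraints(cfg):
        if ktype != "-" and ktype.upper() != algorithm.upper():
            return False, f"Key Type {ktype} Not Matched"
        if str(size_or_curve) not in params:
            return False, f"Key Parameters {','.join(params)} Not Matched"
    return True, "accepted"


def allow_key_parameter(text, pset, value):
    """Profile text with `value` appended to the keyParameters list of every
    keyConstraintImpl policy in set `pset`.  Append-only and idempotent, so the
    whitelist is only ever widened, never silently rewritten."""
    targets = {f"policyset.{p}.{i}.constraint.params.keyParameters"
               for p, i, _, _ in key_constraints(parse_profile(text)) if p == pset}
    out = []
    for line in text.splitlines():
        k, _, v = line.partition("=")
        if k.strip() in targets:
            params = [x.strip() for x in v.split(",") if x.strip()]
            if value not in params:
                params.append(value)
            line = f"{k.strip()}={','.join(params)}"
        out.append(line)
    return "\n".join(out) + "\n"


# Minimal DER reader for the base64 fields Dogtag prints in the CertProcessor lines.
def _tlv(buf, pos):
    """One DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low 7 bits = number of length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _oid(body):
    arcs, acc = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


ATTR = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}


def decode_subject_name(b64):
    """req_subject_name is a base64 DER X.501 Name: SEQUENCE of SET of (OID, value)."""
    tag, name, _ = _tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(name):
        _, rdn, pos = _tlv(name, pos)           # RelativeDistinguishedName (SET)
        _, atv, _ = _tlv(rdn, 0)                # first AttributeTypeAndValue
        _, oid, p = _tlv(atv, 0)
        _, val, _ = _tlv(atv, p)
        rdns.append(f"{ATTR.get(_oid(oid), _oid(oid))}={val.decode()}")
    return ",".join(rdns)


def extensions_empty(b64):
    """req_extensions owIwAA== is [3] { SEQUENCE {} }: the request carried no extensions."""
    tag, body, _ = _tlv(base64.b64decode(b64), 0)
    return tag == 0xA3 and _tlv(body, 0)[1] == b""


if __name__ == "__main__":
    cfg = parse_profile(CACACERT_PROFILE)
    print(decode_subject_name("MA8xDTALBgNVBAMMBHRlc3Q="), extensions_empty("owIwAA=="))
    print(validate_key(cfg, "RSA", 8192))
    patched = parse_profile(allow_key_parameter(CACACERT_PROFILE, "caCertSet", "8192"))
    print(validate_key(patched, "RSA", 8192))
```

Run as-is it reproduces the exact "Key Parameters ... Not Matched" text from the debug log for an 8192-bit RSA key and shows the same key passing once 8192 is in the list. Two practical caveats: the real profile lives in the LDAP entry Rob names (cn=caCACert,ou=certificateProfiles,ou=ca,o=ipaca), so inspect that entry with ldapsearch and write the patched text back through whatever mechanism your Dogtag version supports rather than editing anything under /usr/share or /etc; and because caCACert governs what the lightweight-CA endpoint will sign, only ever append to its key whitelist, as the helper above does, and keep in mind Rob's point that an 8k CA key will make every signature and validation measurably slower.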
