On 03/11/2015 11:13 AM, Gould, Joshua wrote:
We're trying to setup IPA with it acting as an intermediate CA against our
test Active Directory environment.

The first part goes well:

# ipa-server-install -a admin-pass --hostname=server.domain.com -n
unix.test.osuwmc -p  password -P password  -r UNIX.TEST.OSUWMC
--external-ca --external-ca-type=ms-cs

We send our CSR off to our AD admin and he signs it and gives us the cert.
We go to import the cert with:

# ipa-server-install  --external-cert-file=/root/ipa.crt

It blows up when trying to create the RA cert.

2015-03-10T21:17:55Z DEBUG Process finished, return code=0
2015-03-10T21:17:55Z DEBUG stdout=
Certificate request generated by Netscape certutil
Phone: (not specified)
Common Name: IPA RA
Email: (not specified)
Organization: UNIX.TEST.OSUWMC
State: (not specified)
Country: (not specified)
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICcTCCAVkCAQAwLDEZMBcGA1UEChMQVU5JWC5URVNULk9TVVdNQzEPMA0GA1UE
AxMGSVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0DavkHxe
PoY8q6UWCAHKWOCCv8PvU7J5scsmdLfjSyN8rIgq8pGoICAqawm9lZntD8G/7sJQ
H2bNDe08DooGbdTLHB2j3JViUUlQn2YlWw7IXm6mgwxStGLSS/G+CnyVPdGWV48X
GHb7GLLNYD8nhpzNzqVGsVMTyV/dqD7y8srbpPjmAqH+VjKLDSmr3pgV2IvOUEpW
wePYJW7h4FBQtwQpPgo30oXMqXa/ob8RJ4NQ74Uv6irq9G2IXNpKhAbHB1YZ+DGm
FJFlURdxey0FUbDn1WqMeVLa6SMURZI1zncMxB6bwgax/2VdYVeYHiVU9GgGmw0F
VgUjgpg0RMCaSQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAI1YCN5oS2o5+fky
jTNCeWFq+oEyHcuPtGzBAA5HMNEsoFvIY0sut+lf7Upw/ZHvV/F09DPwT+Xrm8yp
D0e6F6HawEV+NvKYk2kmpK9xxyOi0raBz1WuvlmqwGhiTOxpk+nIW5wiNhiOJmzd
xLojqGnkP5tBuYtHXUFqps7KDknsk5VxoAGe3/ZvsDvqlYXF93V+/nXv90X2yEKH
+wLUCDtS5WRWtnxTs1bWsMjBsTyDcv8XBdWqDO/4DVLs9HjHijfsUtUqg8bR5dU1
kVM+yLXVogJPBMN79SJQ1un8IWNMHCallsX3urNbXxYuSlqsh6UCdRLXFW44jJIK
xAmXvOg=
-----END NEW CERTIFICATE REQUEST-----
2015-03-10T21:17:55Z DEBUG stderr=
Generating key.  This may take a few moments...
2015-03-10T21:17:55Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 372, in run_step
      method()
    File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1149, in __request_ra_certificate
      self.requestId = item_node[0].childNodes[0].data
IndexError: list index out of range
2015-03-10T21:17:55Z DEBUG   [error] IndexError: list index out of range
2015-03-10T21:17:55Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 646, in run_script
      return_value = main_function()
    File "/sbin/ipa-server-install", line 1170, in main
      ca_signing_algorithm=options.ca_signing_algorithm)
    File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
520, in configure_instance
      self.start_creation(runtime=210)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 372, in run_step
      method()
    File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
1149, in __request_ra_certificate
      self.requestId = item_node[0].childNodes[0].data
2015-03-10T21:17:55Z DEBUG The ipa-server-install command failed,
exception: IndexError: list index out of range


I've looked at the debug log. I believe this is the part that's most
helpful.

[10/Mar/2015:17:17:24][localhost-startStop-1]:
SelfTestSubsystem::runSelfTestsAtStartup():  ENTERING . . .
[10/Mar/2015:17:17:24][localhost-startStop-1]:
SelfTestSubsystem::runSelfTestsAtStartup():    running "CAPresence"
[10/Mar/2015:17:17:24][localhost-startStop-1]:
SelfTestSubsystem::runSelfTestsAtStartup():    running
"SystemCertsVerification"
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=signing
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed:caSigningCert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification

[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=ocsp_signing
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed:ocspSigningCert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=ocspSigningCert cert-pki-ca] CIMC certificate verification

[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=sslserver
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed:Server-Cert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=Server-Cert cert-pki-ca] CIMC certificate verification

[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=subsystem
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed:subsystemCert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification

[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=audit_signing
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() passed:auditSigningCert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification

[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)

The selftests.log contradicts itself and I'm not really sure where to look
next. Any ideas?


   Joshua



Which version is it?
A similar problem has been seen with the early IPA 3.3 version and was related to the format of the cert file returned by AD. AFAIR it contains more certs than we expected.
Something along those lines.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
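A quick way to check the hypothesis in the reply above, before re-running ipa-server-install, is to look at what the AD admin actually handed back. The script below is an added example, not code from this thread or from FreeIPA: it counts the PEM certificates in the file, prints subject and issuer CN for each, and separates the IPA CA certificate (the one nothing else in the file chains to) from the external CA chain. It assumes the file is PEM ("BEGIN CERTIFICATE" blocks; a binary PKCS#7/.p7b from AD would first need `openssl pkcs7 -inform DER -print_certs`), and that the IPA CA subject CN is the default "Certificate Authority". The AD CA names and the certificates in the sample bundle are constructed test data, not real certificates.

```python
"""Added example (not from the thread or FreeIPA): inspect the certificate
file an external CA returned before passing it to --external-cert-file.
Standard library only: a minimal DER walker is enough because we only need
names, not signature verification (the CA subsystem does that itself)."""
import base64
import re

CN_OID = bytes.fromhex("550403")  # X.520 id-at-commonName, 2.5.4.3
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv(buf, pos=0):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed type's payload into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def name_cn(name_der):
    """commonName of an X.501 Name: SEQUENCE OF SET OF {OID, value}."""
    for _, rdn in der_children(name_der):
        for _, atv in der_children(rdn):
            oid, val = der_children(atv)
            if oid[1] == CN_OID:
                return val[1].decode("utf-8")
    return None


def cert_names(cert_der):
    """(subject CN, issuer CN) of a DER-encoded X.509 certificate."""
    _, cert, _ = der_tlv(cert_der)
    fields = der_children(der_children(cert)[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return name_cn(fields[4][1]), name_cn(fields[2][1])


def inspect_bundle(text):
    """List each PEM certificate in the file as {subject, issuer, pem}."""
    out = []
    for m in PEM_RE.finditer(text):
        subject, issuer = cert_names(base64.b64decode("".join(m.group(1).split())))
        out.append({"subject": subject, "issuer": issuer, "pem": m.group(0) + "\n"})
    return out


def split_bundle(text):
    """Return (ipa_ca_pem, chain_pem, report).  The IPA CA cert is the one whose
    subject is not the issuer of anything else in the file; all others are the
    external chain.  ipa_ca_pem is None when that choice is ambiguous."""
    certs = inspect_bundle(text)
    issuers = {c["issuer"] for c in certs}
    leaves = [c for c in certs if c["subject"] not in issuers]
    report = [f"{c['subject']!r} issued by {c['issuer']!r}" for c in certs]
    if len(leaves) != 1:
        return None, "".join(c["pem"] for c in certs), report
    chain = "".join(c["pem"] for c in certs if c is not leaves[0])
    return leaves[0]["pem"], chain, report


# --- constructed test data: structurally valid but *unsigned* certificates -----
def _tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))))


def fake_cert_pem(subject, issuer):
    """PEM certificate with the given names and a dummy signature (example data only)."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption
    validity = _tlv(0x30, _tlv(0x17, b"250101000000Z") + _tlv(0x17, b"260101000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00\x00"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + alg + _name(issuer) + validity + _name(subject) + spki)
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 5))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----"


# What an AD CA often returns: the signed IPA CA cert plus its whole chain.
# "Certificate Authority" is IPA's default CA subject CN; the AD names are made up.
SAMPLE_BUNDLE = "\n".join([
    fake_cert_pem("Certificate Authority", "Example Issuing CA"),
    fake_cert_pem("Example Issuing CA", "Example Root CA"),
    fake_cert_pem("Example Root CA", "Example Root CA"),
])

if __name__ == "__main__":
    ipa_ca, chain, report = split_bundle(SAMPLE_BUNDLE)
    print(f"{len(report)} certificate(s) in file:")
    for line in report:
        print("  " + line)
    print("IPA CA certificate identified:", ipa_ca is not None)
```

Run it against the real file with `split_bundle(open("/root/ipa.crt").read())`. If the report lists more than one certificate, write the IPA CA certificate and the external chain out as separate files and check the ipa-server-install man page for your IPA version to see how it expects the chain to be supplied; in the situation described above the installer is being handed the chain and the CA certificate in one file.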
