Dne 11.3.2015 v 21:10 Martin Kosek napsal(a):
On 03/11/2015 06:33 PM, Gould, Joshua wrote:
We’re trying to setup RHEL7 with the latest updates. Our ipa-server shows
ipa-server-4.1.0-18.el7.x86_64.
On 3/11/15, 12:39 PM, "Dmitri Pal" <d...@redhat.com> wrote:
On 03/11/2015 11:13 AM, Gould, Joshua wrote:
We¹re trying to setup IPA with it acting as an intermediate CA against
our
test Active Directory environment.
The first part goes well:
# ipa-server-install -a admin-pass ‹hostname=server.domain.com -n
unix.test.osuwmc -p password -P password -r UNIX.TEST.OSUWMC
--external-ca ‹external-ca-type=mscs
We send our CSR off to our AD admin and he signs it on gives us the
cert.
We go to import the cert with:
# ipa-server-install --external-cert-file=/root/ipa.crt
It blows up when trying to create the RA cert.
2015-03-10T21:17:55Z DEBUG Process finished, return code=0
2015-03-10T21:17:55Z DEBUG stdout=
Certificate request generated by Netscape certutil
Phone: (not specified)
Common Name: IPA RA
Email: (not specified)
Organization: UNIX.TEST.OSUWMC
State: (not specified)
Country: (not specified)
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICcTCCAVkCAQAwLDEZMBcGA1UEChMQVU5JWC5URVNULk9TVVdNQzEPMA0GA1UE
AxMGSVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0DavkHxe
PoY8q6UWCAHKWOCCv8PvU7J5scsmdLfjSyN8rIgq8pGoICAqawm9lZntD8G/7sJQ
H2bNDe08DooGbdTLHB2j3JViUUlQn2YlWw7IXm6mgwxStGLSS/G+CnyVPdGWV48X
GHb7GLLNYD8nhpzNzqVGsVMTyV/dqD7y8srbpPjmAqH+VjKLDSmr3pgV2IvOUEpW
wePYJW7h4FBQtwQpPgo30oXMqXa/ob8RJ4NQ74Uv6irq9G2IXNpKhAbHB1YZ+DGm
FJFlURdxey0FUbDn1WqMeVLa6SMURZI1zncMxB6bwgax/2VdYVeYHiVU9GgGmw0F
VgUjgpg0RMCaSQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAI1YCN5oS2o5+fky
jTNCeWFq+oEyHcuPtGzBAA5HMNEsoFvIY0sut+lf7Upw/ZHvV/F09DPwT+Xrm8yp
D0e6F6HawEV+NvKYk2kmpK9xxyOi0raBz1WuvlmqwGhiTOxpk+nIW5wiNhiOJmzd
xLojqGnkP5tBuYtHXUFqps7KDknsk5VxoAGe3/ZvsDvqlYXF93V+/nXv90X2yEKH
+wLUCDtS5WRWtnxTs1bWsMjBsTyDcv8XBdWqDO/4DVLs9HjHijfsUtUqg8bR5dU1
kVM+yLXVogJPBMN79SJQ1un8IWNMHCallsX3urNbXxYuSlqsh6UCdRLXFW44jJIK
xAmXvOg=
-----END NEW CERTIFICATE REQUEST-----
2015-03-10T21:17:55Z DEBUG stderr=
Generating key. This may take a few moments...
2015-03-10T21:17:55Z DEBUG Traceback (most recent call last):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation
run_step(full_msg, method)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 372, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line
1149, in __request_ra_certificate
self.requestId = item_node[0].childNodes[0].data
IndexError: list index out of range
2015-03-10T21:17:55Z DEBUG [error] IndexError: list index out of
range
2015-03-10T21:17:55Z DEBUG File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 646, in run_script
return_value = main_function()
File "/sbin/ipa-server-install", line 1170, in main
ca_signing_algorithm=options.ca_signing_algorithm)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line
520, in configure_instance
self.start_creation(runtime=210)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 382, in start_creation
run_step(full_msg, method)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 372, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line
1149, in __request_ra_certificate
self.requestId = item_node[0].childNodes[0].data
2015-03-10T21:17:55Z DEBUG The ipa-server-install command failed,
exception: IndexError: list index out of range
I¹ve looked at the debug log. I believe this is the part that¹s most
helpful.
[10/Mar/2015:17:17:24][localhost-startStop-1]:
SelfTestSubsystem::runSelfTestsAtStartup(): ENTERING . . .
[10/Mar/2015:17:17:24][localhost-startStop-1]:
SelfTestSubsystem::runSelfTestsAtStartup(): running "CAPresence"
[10/Mar/2015:17:17:24][localhost-startStop-1]:
SelfTestSubsystem::runSelfTestsAtStartup(): running
"SystemCertsVerification"
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=signing
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed:caSigningCert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
create()
message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=F
ai
lure][CertNickName=caSigningCert cert-pki-ca] CIMC certificate
verification
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=ocsp_signing
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed:ocspSigningCert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
create()
message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=F
ai
lure][CertNickName=ocspSigningCert cert-pki-ca] CIMC certificate
verification
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=sslserver
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed:Server-Cert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
create()
message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=F
ai
lure][CertNickName=Server-Cert cert-pki-ca] CIMC certificate
verification
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=subsystem
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() failed:subsystemCert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
create()
message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=F
ai
lure][CertNickName=subsystemCert cert-pki-ca] CIMC certificate
verification
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCerts() cert tag=audit_signing
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname(): calling isCertValid()
[10/Mar/2015:17:17:24][localhost-startStop-1]: CertUtils:
verifySystemCertByNickname() passed:auditSigningCert cert-pki-ca
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
create()
message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=S
uc
cess][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate
verification
[10/Mar/2015:17:17:24][localhost-startStop-1]: SignedAuditEventFactory:
create()
message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Fail
ur
e] self tests execution (see selftests.log for details)
The selftests.log contradicts itself and I¹m not really sure where to
look
next. Any ideas?
Joshua
Which version is it?
A similar problem have been seen with the early IPA 3.3 version and was
related to the format of the cert file returned by AD. AFAIR it contains
more certs that we expected.
Something along those lines.
I am CCing Jan Cholasta who was fixing very similar error in IPA 3.3.3
in RHEL-7.0 (should have been fixed in RHEL-7.1), he should have more
context.
I am also CCing Endi from Dogtag team, he may also have some idea from
PKI side.
HTH,
Martin
I would like to see /root/ipa.crt and /etc/pki/pki-tomcat/ca/CS.cfg.
Without them, I can't really tell what's wrong.
--
Jan Cholasta
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
