Hi list,

I successfully have IPA working with CA certs signed by an upstream Dogtag.

Now I'm trying to use a CA cert signed by a different type of CA - Vault.

Setup fails, using the same two-step IPA setup process as used with upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't pinpoint why.

Errors below.

thanks

James M

###
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
###

###
  [19/27]: restarting certificate server
ipa : CRITICAL Failed to restart the certificate server. See the installation log for details.
  [20/27]: requesting RA certificate from CA
  [error] RuntimeError: Unable to submit RA cert request
###


###
2015-10-15T14:44:31Z DEBUG The CA status is: check interrupted
2015-10-15T14:44:31Z DEBUG Waiting for CA to start...
2015-10-15T14:44:32Z DEBUG request 'https://foo.local:8443/ca/admin/ca/getStatus'
2015-10-15T14:44:32Z DEBUG request body ''
2015-10-15T14:44:32Z DEBUG request status 404
2015-10-15T14:44:32Z DEBUG request reason_phrase u'Not Found'
2015-10-15T14:44:32Z DEBUG request headers {'date': 'Thu, 15 Oct 2015 14:44:32 GMT', 'content-length': '993', 'content-type': 'text/html;charset=utf-8', 'content-language': 'en', 'server': 'Apache-Coyote/1.1'}
2015-10-15T14:44:32Z DEBUG request body '<html><head><title>Apache Tomcat/7.0.54 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial, sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /ca/admin/ca/getStatus</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/ca/admin/ca/getStatus</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.54</h3></body></html>'
2015-10-15T14:44:32Z DEBUG The CA status is: check interrupted
2015-10-15T14:44:32Z DEBUG Waiting for CA to start...
2015-10-15T14:44:33Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 840, in __restart_instance
    self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 282, in restart
    self.service.restart(instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 209, in restart
    self.wait_until_running()
File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 197, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)
RuntimeError: CA did not start in 300.0s

2015-10-15T14:44:33Z CRITICAL Failed to restart the certificate server. See the installation log for details.
2015-10-15T14:44:33Z DEBUG   duration: 303 seconds
2015-10-15T14:44:33Z DEBUG   [20/27]: requesting RA certificate from CA
2015-10-15T14:44:33Z DEBUG Starting external process
2015-10-15T14:44:33Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-f' XXXXXXXX '-R' '-k' 'rsa' '-g' '2048' '-s' 'CN=IPA RA,O=LOCAL' '-z' '/tmp/tmpKsFaxb' '-a'
2015-10-15T14:44:34Z DEBUG Process finished, return code=0
2015-10-15T14:44:34Z DEBUG stdout=
Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: IPA RA
Email: (not specified)
Organization: LOCAL
State: (not specified)
Country: (not specified)


-----BEGIN NEW CERTIFICATE REQUEST-----
MIICZjCCAU4CAQAwITEOMAwGA1UEChMFTE9DQUwxDzANBgNVBAMTBklQQSBSQTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALDlLPK38QR37gUAVj8GSXv/
VdxsPkGpPuGrtvKbOXXH35I2que06JswL2i4Cj29v9ZgNQgN3EACVFvADv/zUumI
9bdF6wrH+pK4HErRSjICPxXjYZZnPoUcprGQ+/vQiDsk4pt4EyWZZfD/kGKj7BV6
7A2kMumYmLGIH/A24s8qNix3Ho/Ttsogjrpgg+n9G4WkntQJefTrrDv3wt1+lmo4
IIXUsmkLUB31iRifEf8umHhUcneL8uaxMCLY1X5uSkXVQmTK97bYqQu/EbrC4XZ/
dFx6LS9FKukEGJnX9GaFF59TvTN8ImLc4aUOvErOutbiAttQrKacfcSPv7uGqpcC
AwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAAJ0Hfvk315MKgL2/2e+A5M1NS7EBn
Ukqsnoo2onAa/8CXiFjcdUnpJ4fVn/FnH8ECRrMjUxB8mJ/EsZnuOym17+lNI0mp
wx5vkwL9kybawSEQSWMT80uefRzhZAze1vN/LgXZ4ysdRW5p2BQ3898M9HFrqE0s
4XzLNTg07v0RbJ3veHt1wSWoy/v0zp3RRy/du3cczYTYwJ1P3GokFIuPT1fSAzBV
yovcJnB3FrrLvPyGAKmhKaoW3UejmE0G/8xpCaFp4+4LuVHNyiya79kzJMpkOoQ3
3MxVB6oLfL/QGnY+3025BXNwIhf4zfL4FlKhyaQ4R0pEUZeMoyksgsxb
-----END NEW CERTIFICATE REQUEST-----

2015-10-15T14:44:34Z DEBUG stderr=

Generating key.  This may take a few moments...


2015-10-15T14:44:34Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1156, in __request_ra_certificate
    raise RuntimeError("Unable to submit RA cert request")
RuntimeError: Unable to submit RA cert request

2015-10-15T14:44:34Z DEBUG [error] RuntimeError: Unable to submit RA cert request
2015-10-15T14:44:34Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()

  File "/sbin/ipa-server-install", line 1170, in main
    ca_signing_algorithm=options.ca_signing_algorithm)

File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
    self.start_creation(runtime=210)

File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)

File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()

File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1156, in __request_ra_certificate
    raise RuntimeError("Unable to submit RA cert request")

2015-10-15T14:44:34Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Unable to submit RA cert request
###


###
0.localhost-startStop-1 - [15/Oct/2015:14:39:26 UTC] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
###

###
[15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification

[15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=audit_signing
[15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByTag(audit_signing)
[15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(auditSigningCert cert-pki-ca,ObjectSigner)
[15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
[15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
[15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification

java.lang.Exception: SystemCertsVerification: system certs verification failure
        at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
        at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
        at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1738)
        at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1185)
        at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
[15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
###

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
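The Dogtag debug log quoted above shows per-nickname verification results (the CertUtils verifySystemCertByNickname() lines and the CIMC_CERT_VERIFICATION audit events) but only two of the system certs survive in the excerpt, and the one whose verification failed is not visible. The script below is an added example, not code from the original post nor from FreeIPA or Dogtag: it scans a Dogtag CA debug log for those two line types and reports, per system-cert nickname, which NSS usage was checked and whether the outcome was Success or Failure, so the cert that makes SystemCertsVerification fail can be picked out of a long log. The sample log is constructed from the lines in the post plus one assumed failure entry for caSigningCert cert-pki-ca with an assumed SSLCA usage; the exact wording Dogtag writes for a failed system cert is not in the post and is taken here to follow the same [Outcome=...] audit format as the Success and SELFTESTS_EXECUTION lines.

```python
"""Summarise Dogtag system-certificate self-test results from a CA debug log.

Added example (not part of the original post, FreeIPA or Dogtag). Reads lines of
the form seen in /var/log/pki/pki-tomcat/ca/debug:

  CertUtils: verifySystemCertByNickname(<nick>,<usage>)
  SignedAuditEventFactory: ... [AuditEvent=CIMC_CERT_VERIFICATION]...[Outcome=X][CertNickName=<nick>]
  SignedAuditEventFactory: ... [AuditEvent=SELFTESTS_EXECUTION]...[Outcome=X]
"""
import re
import sys

# Per-cert audit event; Outcome=Failure format is assumed to mirror Outcome=Success.
AUDIT_RE = re.compile(
    r"\[AuditEvent=CIMC_CERT_VERIFICATION\]\[SubjectID=[^\]]*\]"
    r"\[Outcome=(?P<outcome>Success|Failure)\]\[CertNickName=(?P<nick>[^\]]+)\]"
)
# Which NSS usage (ObjectSigner, SSLCA, ...) was checked for the nickname.
USAGE_RE = re.compile(r"verifySystemCertByNickname\((?P<nick>[^,)]+),(?P<usage>[^)]+)\)")
# Overall self-test verdict written at the end of the startup run.
SELFTEST_RE = re.compile(
    r"\[AuditEvent=SELFTESTS_EXECUTION\]\[SubjectID=[^\]]*\]\[Outcome=(?P<outcome>Success|Failure)\]"
)


def summarize(lines):
    """Return {nickname: {"usage": str, "outcome": "Success"|"Failure"}} for every
    system cert mentioned in the log; keys missing when the log lacks that info."""
    results = {}
    for line in lines:
        m = USAGE_RE.search(line)
        if m:
            results.setdefault(m.group("nick").strip(), {})["usage"] = m.group("usage").strip()
        m = AUDIT_RE.search(line)
        if m:
            results.setdefault(m.group("nick").strip(), {})["outcome"] = m.group("outcome")
    return results


def failed_certs(lines):
    """Sorted nicknames whose CIMC_CERT_VERIFICATION outcome was Failure."""
    return sorted(n for n, r in summarize(lines).items() if r.get("outcome") == "Failure")


def selftests_failed(lines):
    """True/False from the SELFTESTS_EXECUTION audit event, None if absent."""
    for line in lines:
        m = SELFTEST_RE.search(line)
        if m:
            return m.group("outcome") == "Failure"
    return None


# Constructed sample: two lines taken from the post, one assumed failure entry.
SAMPLE_LOG = [
    "[15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() "
    "message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success]"
    "[CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification",
    "[15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: "
    "verifySystemCertByNickname(auditSigningCert cert-pki-ca,ObjectSigner)",
    "[15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()",
    "[15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: "
    "verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca",
    "[15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() "
    "message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success]"
    "[CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification",
    # Assumed (constructed) failure entry for the CA signing cert, usage assumed SSLCA.
    "[15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: "
    "verifySystemCertByNickname(caSigningCert cert-pki-ca,SSLCA)",
    "[15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() "
    "message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Failure]"
    "[CertNickName=caSigningCert cert-pki-ca] CIMC certificate verification",
    "[15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() "
    "message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] "
    "self tests execution (see selftests.log for details)",
]


def main(argv):
    # Usage: python dogtag_selftest_summary.py [/var/log/pki/pki-tomcat/ca/debug]
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_LOG
    for nick, r in sorted(summarize(lines).items()):
        print("%-32s usage=%-14s outcome=%s" % (nick, r.get("usage", "?"), r.get("outcome", "?")))
    print("self-tests failed:", selftests_failed(lines), "failed certs:", failed_certs(lines))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the real debug log; the nickname it reports as Failure is the one to check with certutil -V in the pki-tomcat NSS database against the Vault-issued chain, and the usage column tells you which NSS usage the self-test demanded of it.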
