James Masson wrote:
> 
> Hi list,
> 
> I successfully have IPA working with CA certs signed by an upstream Dogtag.
> 
> Now I'm trying to use a CA cert signed by a different type of CA - Vault.
> 
> Setup fails, using the same 2 step IPA setup process as used with
> upstream Dogtag. I've also tried the external-ca-type option.
> 
> Likely, IPA doesn't like the certificate - however, I can't pinpoint why.

I'm guessing you don't include the entire CA certchain of Vault. Dogtag
is failing to startup because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] CAPresence:  CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

rob

> 
> Errors below.
> 
> thanks
> 
> James M
> 
> ###
>   [19/27]: restarting certificate server
> ipa         : CRITICAL Failed to restart the certificate server. See the installation log for details.
>   [20/27]: requesting RA certificate from CA
>   [error] RuntimeError: Unable to submit RA cert request
> ###
> 
> 
> ###
> 2015-10-15T14:44:31Z DEBUG The CA status is: check interrupted
> 2015-10-15T14:44:31Z DEBUG Waiting for CA to start...
> 2015-10-15T14:44:32Z DEBUG request 'https://foo.local:8443/ca/admin/ca/getStatus'
> 2015-10-15T14:44:32Z DEBUG request body ''
> 2015-10-15T14:44:32Z DEBUG request status 404
> 2015-10-15T14:44:32Z DEBUG request reason_phrase u'Not Found'
> 2015-10-15T14:44:32Z DEBUG request headers {'date': 'Thu, 15 Oct 2015 14:44:32 GMT', 'content-length': '993', 'content-type': 'text/html;charset=utf-8', 'content-language': 'en', 'server': 'Apache-Coyote/1.1'}
> 2015-10-15T14:44:32Z DEBUG request body '<html><head><title>Apache Tomcat/7.0.54 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /ca/admin/ca/getStatus</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/ca/admin/ca/getStatus</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.54</h3></body></html>'
> 2015-10-15T14:44:32Z DEBUG The CA status is: check interrupted
> 2015-10-15T14:44:32Z DEBUG Waiting for CA to start...
> 2015-10-15T14:44:33Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 840, in __restart_instance
>     self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 282, in restart
>     self.service.restart(instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 209, in restart
>     self.wait_until_running()
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 197, in wait_until_running
>     raise RuntimeError('CA did not start in %ss' % timeout)
> RuntimeError: CA did not start in 300.0s
> 
> 2015-10-15T14:44:33Z CRITICAL Failed to restart the certificate server. See the installation log for details.
> 2015-10-15T14:44:33Z DEBUG   duration: 303 seconds
> 2015-10-15T14:44:33Z DEBUG   [20/27]: requesting RA certificate from CA
> 2015-10-15T14:44:33Z DEBUG Starting external process
> 2015-10-15T14:44:33Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-f' XXXXXXXX '-R' '-k' 'rsa' '-g' '2048' '-s' 'CN=IPA RA,O=LOCAL' '-z' '/tmp/tmpKsFaxb' '-a'
> 2015-10-15T14:44:34Z DEBUG Process finished, return code=0
> 2015-10-15T14:44:34Z DEBUG stdout=
> Certificate request generated by Netscape certutil
> Phone: (not specified)
> 
> Common Name: IPA RA
> Email: (not specified)
> Organization: LOCAL
> State: (not specified)
> Country: (not specified)
> 
> 
> 
> 2015-10-15T14:44:34Z DEBUG stderr=
> 
> Generating key.  This may take a few moments...
> 
> 
> 2015-10-15T14:44:34Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1156, in __request_ra_certificate
>     raise RuntimeError("Unable to submit RA cert request")
> RuntimeError: Unable to submit RA cert request
> 
> 2015-10-15T14:44:34Z DEBUG   [error] RuntimeError: Unable to submit RA cert request
> 2015-10-15T14:44:34Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
>     return_value = main_function()
> 
>   File "/sbin/ipa-server-install", line 1170, in main
>     ca_signing_algorithm=options.ca_signing_algorithm)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
>     self.start_creation(runtime=210)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
> 
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1156, in __request_ra_certificate
>     raise RuntimeError("Unable to submit RA cert request")
> 
> 2015-10-15T14:44:34Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Unable to submit RA cert request
> ###
> 
> 
> ###
> 0.localhost-startStop-1 - [15/Oct/2015:14:39:26 UTC] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] CAPresence:  CA is present
> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SystemCertsVerification: system certs verification failure
> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
> ###
> 
> ###
> [15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification
> 
> [15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=audit_signing
> [15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByTag(audit_signing)
> [15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(auditSigningCert cert-pki-ca,ObjectSigner)
> [15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
> [15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> [15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
> 
> java.lang.Exception: SystemCertsVerification: system certs verification failure
>         at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
>         at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
>         at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
>         at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1738)
>         at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1185)
>         at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at java.lang.Thread.run(Thread.java:745)
> [15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
> ###
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
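The check Rob's diagnosis calls for, as an added example that is not part of the thread: a throwaway root / intermediate / IPA-CA chain is built with openssl (all names, subjects and paths are constructed for the demo), and the IPA CA cert is then verified once with only the root at hand and once with the full chain, which is the difference between Dogtag's self-test failing and passing.

```shell
# Added example, not from the thread: reproduce the "incomplete CA chain"
# failure Rob suspects, using a throwaway two-tier CA built with openssl.
# Every name and path below is constructed for this demo.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# newkey NAME SUBJECT: fresh RSA key + CSR (no passphrase, demo only)
newkey() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
newkey root  "/CN=demo-root"
newkey inter "/CN=demo-intermediate"
newkey ipa   "/O=LOCAL/CN=Certificate Authority"   # subject as in the post
# Self-signed root -> intermediate -> IPA CA cert, all with CA:TRUE.
openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
  -extfile ca.ext -out root.pem 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile ca.ext -out inter.pem 2>/dev/null
openssl x509 -req -in ipa.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -sha256 -extfile ca.ext -out ipa.pem 2>/dev/null

# verify_chain CERT TRUSTED [UNTRUSTED]: build a path from CERT to a cert in
# TRUSTED, optionally using UNTRUSTED as intermediates. 0 = chain builds.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# Case 1: only the IPA CA cert and the root are at hand; the intermediate is
# missing. openssl cannot find the issuer, and Dogtag's SystemCertsVerification
# self-test fails the same way ("system certs verification failure").
if verify_chain ipa.pem root.pem; then MISSING_CHAIN_OK=1; else MISSING_CHAIN_OK=0; fi
echo "without intermediate:"; openssl verify -CAfile root.pem ipa.pem 2>&1 || true

# Case 2: the full chain (intermediate + root) is supplied and the path builds,
# whether the intermediate is in the trusted bundle or passed as -untrusted.
cat inter.pem root.pem > chain.pem
if verify_chain ipa.pem chain.pem; then FULL_CHAIN_OK=1; else FULL_CHAIN_OK=0; fi
if verify_chain ipa.pem root.pem inter.pem; then UNTRUSTED_OK=1; else UNTRUSTED_OK=0; fi
echo "with full chain: $FULL_CHAIN_OK, with -untrusted intermediate: $UNTRUSTED_OK"
```

The same `openssl verify` run against the real CA cert and the bundle handed to ipa-server-install tells you, before Dogtag ever restarts, whether the chain up to Vault's root is complete.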