James Masson wrote:
> Hi list,
>
> I successfully have IPA working with CA certs signed by an upstream Dogtag.
>
> Now I'm trying to use a CA cert signed by a different type of CA - Vault.
>
> Setup fails, using the same 2 step IPA setup process as used with
> upstream Dogtag. I've also tried the external-ca-type option.
>
> Likely, IPA doesn't like the certificate - however, I can't pinpoint why.

I'm guessing you don't include the entire CA cert chain of Vault. Dogtag
is failing to start up because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

rob

>
> Errors below.
>
> thanks
>
> James M
>
> ###
> -----BEGIN CERTIFICATE-----
> MIIDdzCCAl+gAwIBAgIUTKucjDpTMZ/oPmgnxR1MznVhktkwDQYJKoZIhvcNAQEL
> BQAwVjEZMBcGA1UEAxMQbXljYS5leGFtcGxlLmNvbTE5MDcGA1UEBRMwNjQ2Mjcx
> MDAwODA3NTg1NjA0ODA0NzYyODExNzAyMTM0NDk5MDQ1ODM4NjM2OTEwMB4XDTE1
> MTAxNTE0MzY1NloXDTE1MTAxNjAwMzY1NlowMDEOMAwGA1UEChMFTE9DQUwxHjAc
> BgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQAD
> ggEPADCCAQoCggEBANMByCz97mhj8nG/R7T5K/lUlat4jnfFyo5/xn4eTzhcqDD/
> NixixWqT6TPWBg5Mep7Wnn0EBwG9DjB2dq6+9Ai3TGMzFWkeKvMrZuTouLFoS9SR
> 6s5wybFfbAoTuV5lq0rIZClqi6ELnAyOccQEuV4UA0PBoe1UjycZf20eSU/52eH4
> SiMbLYliDOuWbARgYYwtwc7HVPUwangk4toPH6h2FZ9+tTj8oB6Zxf3lK65IzyCT
> IHj+53gyySB78CDV2FZ67cI5u1KKcpC/CyjkbO4DKHWWxzxuvUM4F0K20l+cMoP6
> Kpr7aGYotY3B6uTocMg59Gwlsvgl0gE03LI9Vp0CAwEAAaNjMGEwHQYDVR0OBBYE
> FLjG7oRluBaMxV5Wi6rBSvgHDzjuMB8GA1UdIwQYMBaAFCw0iwWuCOlUcS6ZIPM8
> X50f1nLnMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMA0GCSqGSIb3
> DQEBCwUAA4IBAQBVAoAuZgu6RkY0ufVcNDDNORgOwSgNbvyt1rQNC5mxhLw0Ott+
> XyxuzgycyEFCdQP1VChG5i0nOfrEixX7eSQVgN3LKaeiRVsGh1H+ucp/YVnhPvc1
> lLtAHVwPn+OuvdJR68K3/twtZ4Fh0BtRFeAmuIOk+QomDhxsxt8LgbaPbdS/vuZw
> Xn27REGErgT8bDWp447YU6pOb+rPj9ZNHdS1TeDG5h1A0ArH5IUVgyASFkM4SEVH
> pKneAWEDy+Ik67FoYQbHpYyII1L7R5vskZZv1xhYkH8csJ8iTcrRCa+EiBvhtsWg
> uuHzqst1ryPKdNtxPM+D96vRSJxCYBUFeKqh
> -----END CERTIFICATE-----
> ###
>
> ###
>   [19/27]: restarting certificate server
> ipa         : CRITICAL Failed to restart the certificate server. See the
> installation log for details.
>   [20/27]: requesting RA certificate from CA
>   [error] RuntimeError: Unable to submit RA cert request
> ###
>
>
> ###
> 2015-10-15T14:44:31Z DEBUG The CA status is: check interrupted
> 2015-10-15T14:44:31Z DEBUG Waiting for CA to start...
> 2015-10-15T14:44:32Z DEBUG request 'https://foo.local:8443/ca/admin/ca/getStatus'
> 2015-10-15T14:44:32Z DEBUG request body ''
> 2015-10-15T14:44:32Z DEBUG request status 404
> 2015-10-15T14:44:32Z DEBUG request reason_phrase u'Not Found'
> 2015-10-15T14:44:32Z DEBUG request headers {'date': 'Thu, 15 Oct 2015 14:44:32 GMT',
> 'content-length': '993', 'content-type': 'text/html;charset=utf-8',
> 'content-language': 'en', 'server': 'Apache-Coyote/1.1'}
> 2015-10-15T14:44:32Z DEBUG request body '<html><head><title>Apache Tomcat/7.0.54 - Error report</title>
> <style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
> H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
> BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
> B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
> P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
> A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style></head>
> <body><h1>HTTP Status 404 - /ca/admin/ca/getStatus</h1><HR size="1" noshade="noshade">
> <p><b>type</b> Status report</p><p><b>message</b> <u>/ca/admin/ca/getStatus</u></p>
> <p><b>description</b> <u>The requested resource is not available.</u></p>
> <HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.54</h3></body></html>'
> 2015-10-15T14:44:32Z DEBUG The CA status is: check interrupted
> 2015-10-15T14:44:32Z DEBUG Waiting for CA to start...
> 2015-10-15T14:44:33Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 840, in __restart_instance
>     self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 282, in restart
>     self.service.restart(instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 209, in restart
>     self.wait_until_running()
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 197, in wait_until_running
>     raise RuntimeError('CA did not start in %ss' % timeout)
> RuntimeError: CA did not start in 300.0s
>
> 2015-10-15T14:44:33Z CRITICAL Failed to restart the certificate server.
> See the installation log for details.
> 2015-10-15T14:44:33Z DEBUG duration: 303 seconds
> 2015-10-15T14:44:33Z DEBUG   [20/27]: requesting RA certificate from CA
> 2015-10-15T14:44:33Z DEBUG Starting external process
> 2015-10-15T14:44:33Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-f' XXXXXXXX '-R' '-k' 'rsa' '-g' '2048' '-s' 'CN=IPA RA,O=LOCAL' '-z' '/tmp/tmpKsFaxb' '-a'
> 2015-10-15T14:44:34Z DEBUG Process finished, return code=0
> 2015-10-15T14:44:34Z DEBUG stdout=
> Certificate request generated by Netscape certutil
> Phone: (not specified)
>
> Common Name: IPA RA
> Email: (not specified)
> Organization: LOCAL
> State: (not specified)
> Country: (not specified)
>
>
> -----BEGIN NEW CERTIFICATE REQUEST-----
> MIICZjCCAU4CAQAwITEOMAwGA1UEChMFTE9DQUwxDzANBgNVBAMTBklQQSBSQTCC
> ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALDlLPK38QR37gUAVj8GSXv/
> VdxsPkGpPuGrtvKbOXXH35I2que06JswL2i4Cj29v9ZgNQgN3EACVFvADv/zUumI
> 9bdF6wrH+pK4HErRSjICPxXjYZZnPoUcprGQ+/vQiDsk4pt4EyWZZfD/kGKj7BV6
> 7A2kMumYmLGIH/A24s8qNix3Ho/Ttsogjrpgg+n9G4WkntQJefTrrDv3wt1+lmo4
> IIXUsmkLUB31iRifEf8umHhUcneL8uaxMCLY1X5uSkXVQmTK97bYqQu/EbrC4XZ/
> dFx6LS9FKukEGJnX9GaFF59TvTN8ImLc4aUOvErOutbiAttQrKacfcSPv7uGqpcC
> AwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAAJ0Hfvk315MKgL2/2e+A5M1NS7EBn
> Ukqsnoo2onAa/8CXiFjcdUnpJ4fVn/FnH8ECRrMjUxB8mJ/EsZnuOym17+lNI0mp
> wx5vkwL9kybawSEQSWMT80uefRzhZAze1vN/LgXZ4ysdRW5p2BQ3898M9HFrqE0s
> 4XzLNTg07v0RbJ3veHt1wSWoy/v0zp3RRy/du3cczYTYwJ1P3GokFIuPT1fSAzBV
> yovcJnB3FrrLvPyGAKmhKaoW3UejmE0G/8xpCaFp4+4LuVHNyiya79kzJMpkOoQ3
> 3MxVB6oLfL/QGnY+3025BXNwIhf4zfL4FlKhyaQ4R0pEUZeMoyksgsxb
> -----END NEW CERTIFICATE REQUEST-----
>
> 2015-10-15T14:44:34Z DEBUG stderr=
>
> Generating key.  This may take a few moments...
>
>
> 2015-10-15T14:44:34Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1156, in __request_ra_certificate
>     raise RuntimeError("Unable to submit RA cert request")
> RuntimeError: Unable to submit RA cert request
>
> 2015-10-15T14:44:34Z DEBUG   [error] RuntimeError: Unable to submit RA cert request
> 2015-10-15T14:44:34Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
>     return_value = main_function()
>
>   File "/sbin/ipa-server-install", line 1170, in main
>     ca_signing_algorithm=options.ca_signing_algorithm)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1156, in __request_ra_certificate
>     raise RuntimeError("Unable to submit RA cert request")
>
> 2015-10-15T14:44:34Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Unable to submit RA cert request
> ###
>
>
> ###
> 0.localhost-startStop-1 - [15/Oct/2015:14:39:26 UTC] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] CAPresence: CA is present
> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SystemCertsVerification: system certs verification failure
> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
> ###
>
> ###
> [15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=subsystemCert cert-pki-ca] CIMC certificate verification
>
> [15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=audit_signing
> [15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByTag(audit_signing)
> [15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(auditSigningCert cert-pki-ca,ObjectSigner)
> [15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling isCertValid()
> [15/Oct/2015:14:39:27][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> [15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
>
> java.lang.Exception: SystemCertsVerification: system certs verification failure
>         at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
>         at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
>         at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
>         at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1738)
>         at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1185)
>         at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at java.lang.Thread.run(Thread.java:745)
> [15/Oct/2015:14:39:27][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
> #####
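Rob's diagnosis is that Dogtag's SystemCertsVerification self-test cannot build a path from the IPA CA certificate up to a trusted root because the bundle handed to ipa-server-install stops short of Vault's own issuing chain. The following is an added example (my code, not part of the thread and not FreeIPA's or Dogtag's own checks) of what that means mechanically: a stdlib-only Python script that reads every certificate in a PEM bundle, pulls out issuer and subject with a minimal DER walk, and follows issuer-to-subject links from the first certificate until it either reaches a self-issued root or finds an issuer no certificate in the bundle can satisfy. It is run here on the certificate James posted, on its own, which is exactly the incomplete-bundle case; the function and variable names and the small OID table are my assumptions.

```python
"""Check whether a PEM bundle chains up to a self-signed root (stdlib only).

Added example. It checks chain *linkage* and completeness by byte-equal
issuer/subject Names (the strictest Name comparison RFC 5280 permits);
it does not verify signatures.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# DER-encoded attribute-type OIDs commonly seen in X.509 Names (assumed table).
OID_NAMES = {
    b"\x55\x04\x03": "CN", b"\x55\x04\x05": "serialNumber", b"\x55\x04\x06": "C",
    b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
}


def _tlv(buf, pos):
    """Read one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = size of the length field
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def _elements(buf, start, end):
    """Yield (tag, elem_start, value_start, value_end) for each TLV in a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend


def _name_to_str(buf, start, end):
    """Render an X.509 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'CN=...,O=...'."""
    parts = []
    for _, _, rdn_s, rdn_e in _elements(buf, start, end):            # each RDN is a SET
        for _, _, atv_s, atv_e in _elements(buf, rdn_s, rdn_e):       # each ATV is a SEQUENCE
            (_, _, o_s, o_e), (_, _, v_s, v_e) = list(_elements(buf, atv_s, atv_e))[:2]
            label = OID_NAMES.get(buf[o_s:o_e], buf[o_s:o_e].hex())
            parts.append(f"{label}={buf[v_s:v_e].decode('utf-8', 'replace')}")
    return ",".join(parts)


def parse_cert(der):
    """Extract issuer, subject (text and raw DER) and validity from a DER certificate."""
    _, cert_start, _ = _tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)        # tbsCertificate ::= SEQUENCE
    fields = list(_elements(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                              # optional EXPLICIT [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2], fields[3], fields[4]
    not_before, not_after = list(_elements(der, validity[2], validity[3]))[:2]
    return {
        "issuer": _name_to_str(der, issuer[2], issuer[3]),
        "issuer_der": der[issuer[1]:issuer[3]],
        "subject": _name_to_str(der, subject[2], subject[3]),
        "subject_der": der[subject[1]:subject[3]],
        "not_before": der[not_before[2]:not_before[3]].decode("ascii"),
        "not_after": der[not_after[2]:not_after[3]].decode("ascii"),
    }


def load_pem_bundle(text):
    """Parse every CERTIFICATE block in a PEM bundle, in file order."""
    return [parse_cert(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(text)]


def check_chain(pem_bundle):
    """From the first cert, follow issuer -> subject links until a self-issued root.

    Returns {'ordered': [subjects, leaf first], 'complete': bool, 'missing_issuer': str|None};
    'missing_issuer' is the issuer Name that no certificate in the bundle satisfies.
    """
    certs = load_pem_bundle(pem_bundle)
    if not certs:
        return {"ordered": [], "complete": False, "missing_issuer": None}
    by_subject = {c["subject_der"]: c for c in certs}
    chain, seen = [certs[0]], {certs[0]["subject_der"]}
    while True:
        cur = chain[-1]
        if cur["issuer_der"] == cur["subject_der"]:       # self-issued: trust anchor reached
            return {"ordered": [c["subject"] for c in chain], "complete": True, "missing_issuer": None}
        nxt = by_subject.get(cur["issuer_der"])
        if nxt is None or nxt["subject_der"] in seen:     # gap in the bundle (or a loop)
            return {"ordered": [c["subject"] for c in chain], "complete": False,
                    "missing_issuer": cur["issuer"]}
        chain.append(nxt)
        seen.add(nxt["subject_der"])


# The IPA CA certificate from James's post, alone, with none of Vault's chain behind it.
POSTED_CA_CERT = """-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIUTKucjDpTMZ/oPmgnxR1MznVhktkwDQYJKoZIhvcNAQEL
BQAwVjEZMBcGA1UEAxMQbXljYS5leGFtcGxlLmNvbTE5MDcGA1UEBRMwNjQ2Mjcx
MDAwODA3NTg1NjA0ODA0NzYyODExNzAyMTM0NDk5MDQ1ODM4NjM2OTEwMB4XDTE1
MTAxNTE0MzY1NloXDTE1MTAxNjAwMzY1NlowMDEOMAwGA1UEChMFTE9DQUwxHjAc
BgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBANMByCz97mhj8nG/R7T5K/lUlat4jnfFyo5/xn4eTzhcqDD/
NixixWqT6TPWBg5Mep7Wnn0EBwG9DjB2dq6+9Ai3TGMzFWkeKvMrZuTouLFoS9SR
6s5wybFfbAoTuV5lq0rIZClqi6ELnAyOccQEuV4UA0PBoe1UjycZf20eSU/52eH4
SiMbLYliDOuWbARgYYwtwc7HVPUwangk4toPH6h2FZ9+tTj8oB6Zxf3lK65IzyCT
IHj+53gyySB78CDV2FZ67cI5u1KKcpC/CyjkbO4DKHWWxzxuvUM4F0K20l+cMoP6
Kpr7aGYotY3B6uTocMg59Gwlsvgl0gE03LI9Vp0CAwEAAaNjMGEwHQYDVR0OBBYE
FLjG7oRluBaMxV5Wi6rBSvgHDzjuMB8GA1UdIwQYMBaAFCw0iwWuCOlUcS6ZIPM8
X50f1nLnMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMA0GCSqGSIb3
DQEBCwUAA4IBAQBVAoAuZgu6RkY0ufVcNDDNORgOwSgNbvyt1rQNC5mxhLw0Ott+
XyxuzgycyEFCdQP1VChG5i0nOfrEixX7eSQVgN3LKaeiRVsGh1H+ucp/YVnhPvc1
lLtAHVwPn+OuvdJR68K3/twtZ4Fh0BtRFeAmuIOk+QomDhxsxt8LgbaPbdS/vuZw
Xn27REGErgT8bDWp447YU6pOb+rPj9ZNHdS1TeDG5h1A0ArH5IUVgyASFkM4SEVH
pKneAWEDy+Ik67FoYQbHpYyII1L7R5vskZZv1xhYkH8csJ8iTcrRCa+EiBvhtsWg
uuHzqst1ryPKdNtxPM+D96vRSJxCYBUFeKqh
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    result = check_chain(POSTED_CA_CERT)
    print("chain:", " -> ".join(result["ordered"]))
    print("complete:", result["complete"], "| missing issuer:", result["missing_issuer"])
```

Run against the posted certificate it reports the chain as incomplete and names the issuer it cannot find, "CN=myca.example.com,serialNumber=..." (Vault's issuing CA), which is the certificate (plus anything above it) that has to be appended to the bundle before Dogtag can pass its system-cert self-test. A complete bundle ends with a certificate whose subject equals its issuer. Because this script only checks linkage, pair it with `openssl verify -CAfile <bundle> <ipa-ca-cert>` for the signature and validity checks; the `not_before`/`not_after` fields it returns are the raw UTCTime strings, which also make a short-lived upstream certificate easy to spot.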