Hi list,

I'm trying to sign a service certificate but it's failing with "CA not found".
The CA does exist but for some reason the ipa cert-request can't find it:
$ ipa ca-show ipa
 Name: ipa
 Description: IPA CA
 Authority ID: 0cb513ea-6084-4144-a61c-7a0a8368d25c
 Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
 Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM

This was working in previous versions of freeipa but in our current
environment isn't working:
Cluster of four FreeIPA servers
CentOS Linux release 7.3.1611 (Core)
ipa-client-common-4.4.0-14.el7.centos.4.noarch
ipa-client-4.4.0-14.el7.centos.4.x86_64
ipa-debuginfo-4.2.0-15.0.1.el7_2.6.1.x86_64
ipa-server-trust-ad-4.4.0-14.el7.centos.4.x86_64
ipa-server-4.4.0-14.el7.centos.4.x86_64
ipa-admintools-4.4.0-14.el7.centos.4.noarch
ipa-server-common-4.4.0-14.el7.centos.4.noarch
ipa-common-4.4.0-14.el7.centos.4.noarch
ipa-server-dns-4.4.0-14.el7.centos.4.noarch
ipa-python-compat-4.4.0-14.el7.centos.4.noarch
389-ds-base-1.3.5.10-15.el7_3.x86_64
389-ds-base-libs-1.3.5.10-15.el7_3.x86_64
389-ds-base-snmp-1.3.5.10-15.el7_3.x86_64
389-ds-base-debuginfo-1.3.4.0-30.el7_2.x86_64
pki-base-java-10.3.3-16.el7_3.noarch
pki-base-10.3.3-16.el7_3.noarch
pki-server-10.3.3-16.el7_3.noarch
pki-ca-10.3.3-16.el7_3.noarch
pki-symkey-10.3.3-16.el7_3.x86_64
pki-kra-10.3.3-16.el7_3.noarch
pki-tools-10.3.3-16.el7_3.x86_64
krb5-libs-1.14.1-27.el7_3.x86_64
python-krbV-1.0.90-8.el7.x86_64
pam_krb5-2.4.8-6.el7.x86_64
krb5-workstation-1.14.1-27.el7_3.x86_64
krb5-pkinit-1.14.1-27.el7_3.x86_64
sssd-krb5-common-1.14.0-43.el7_3.11.x86_64
krb5-server-1.14.1-27.el7_3.x86_64
sssd-krb5-1.14.0-43.el7_3.11.x86_64

***********
This is the error (same result in all four servers):
$ ipa cert-request --principal=HTTP/host1.example.com host1.example.com.csr
ipa: ERROR: Certificate operation cannot be completed: FAILURE (CA not
found: 0cb513ea-6084-4144-a61c-7a0a8368d25c)

***********
>From /var/log/pki/pki-tomcat/ca/debug:
[07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
CMSServlet:service() uri = /ca/eeca/ca/profileSubmitSSLClient
[07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
CMSServlet::service() param name='xml' value='true'
[07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
CMSServlet::service() param name='profileId' value='caIPAserviceCert'
[07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
CMSServlet::service() param name='authorityId'
value='0cb513ea-6084-4144-a61c-7a0a8368d25c'
[07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
CMSServlet::service() param name='cert_request' value='(sensitive)'
[07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
CMSServlet::service() param name='cert_request_type' value='pkcs10'
[07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet:
caProfileSubmitSSLClient start to service.
[07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: xmlOutput true
[07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
ProfileSubmitServlet: isRenewal false
[07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: according to
ccMode, authorization for servlet: caProfileSubmit is LDAP based, not
XML {1}, use default authz mgr: {2}.
[07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
ProfileSubmitServlet: profile: caIPAserviceCert
CA not found: 0cb513ea-6084-4144-a61c-7a0a8368d25c
        at 
com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:239)
        at 
com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128)
        at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:515)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at sun.reflect.GeneratedMethodAccessor72.invoke(Unknown Source)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
        at 
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at 
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at sun.reflect.GeneratedMethodAccessor71.invoke(Unknown Source)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at 
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at 
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at 
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
        at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
        at 
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
        at 
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
        at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
[07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]:
ProfileSubmitServlet: error in processing request: CA not found:
0cb513ea-6084-4144-a61c-7a0a8368d25c
[07/Feb/2017:23:45:49][ajp-bio-127.0.0.1-8009-exec-86]: CMSServlet:
curDate=Tue Feb 07 23:45:49 EST 2017 id=caProfileSubmitSSLClient
time=8
***************

Any idea why this is happening?
It's using the caIPAserviceCert certificate profile which should be
fine. I also checked and "played" with the
hosts_services_caIPAserviceCert CA ACL with the same results.

Thanks in advance!

Guillermo

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to