Package: freeipa-server
Version: 4.6.3-1
Severity: important

-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (700, 'stable'), (650, 'unstable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freeipa-server depends on:
ii  389-ds-base                     1.3.7.10-1
ii  acl                             2.2.52-3+b1
ii  apache2                         2.4.25-3+deb9u4
ii  certmonger                      0.79.5-2
ii  custodia                        0.5.0-3
ii  fonts-font-awesome              4.7.0~dfsg-3
ii  fonts-open-sans                 1.11-1
ii  freeipa-admintools              4.6.3-1
ii  freeipa-client                  4.6.3-1
ii  freeipa-common                  4.6.3-1
ii  gssproxy                        0.8.0-1
ii  krb5-admin-server               1.16-2
ii  krb5-kdc                        1.16-2
ii  krb5-kdc-ldap                   1.16-2
ii  krb5-otp                        1.16-2
ii  krb5-pkinit                     1.16-2
ii  ldap-utils                      2.4.45+dfsg-1
ii  libapache2-mod-auth-gssapi      1.6.0-1
ii  libapache2-mod-lookup-identity  1.0.0-1
ii  libapache2-mod-nss              1.0.14-1+b1
ii  libapache2-mod-wsgi             4.5.17-1+b1
ii  libc6                           2.27-3
ii  libcomerr2                      1.44.1-2
ii  libjs-dojo-core                 1.11.0+dfsg-1
ii  libjs-jquery                    3.2.1-1
ii  libk5crypto3                    1.16-2
ii  libkrad0                        1.16-2
ii  libkrb5-3                       1.16-2
ii  libldap-2.4-2                   2.4.45+dfsg-1
ii  libnspr4                        2:4.19-1
ii  libnss3                         2:3.36.1-1
ii  libnss3-tools                   2:3.36.1-1
ii  libsasl2-modules-gssapi-mit     2.1.27~101-g0780600+dfsg-3.1
ii  libssl1.1                       1.1.0f-3+deb9u2
ii  libsss-nss-idmap0               1.16.1-1+b1
ii  libtalloc2                      2.1.10-2
ii  libtevent0                      0.9.34-1
ii  libunistring2                   0.9.8-1
ii  libuuid1                        2.29.2-1+deb9u1
ii  libverto1                       0.2.4-2.1
ii  ntp                             1:4.2.8p11+dfsg-1
ii  oddjob                          0.34.3-4
ii  p11-kit                         0.23.10-2
ii  pki-ca                          10.5.5-1
ii  pki-kra                         10.5.5-1
ii  python                          2.7.13-2
ii  python-dateutil                 2.6.1-1
ii  python-gssapi                   1.4.1-1
ii  python-ipaserver                4.6.3-1
ii  python-ldap                     3.0.0-1
ii  python-systemd                  234-2
ii  samba-libs                      2:4.7.4+dfsg-2
ii  slapi-nis                       0.56.1-1
ii  softhsm2                        2.4.0-0.1
ii  systemd-sysv                    232-25+deb9u3

Versions of packages freeipa-server recommends:
ii  freeipa-server-dns  4.6.3-1

freeipa-server suggests no packages.

-- no debconf information

When installing freeipa server (ipa-server-install) with the preference to use 
a CA certificate signed by an external CA (--external-ca switch), the pki spawn 
will fail after you run the installation again to supply the signed certificate.

Error shown in the terminal:

        Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
          [1/28]: configuring certificate server instance
        ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp1Tdi5f' returned non-zero exit status 1
        ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
        ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
          [error] RuntimeError: CA configuration failed.
        ipapython.admintool: ERROR    CA configuration failed.
        ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Interestingly, the directory "/var/log/pki/pki-tomcat" didn't exist. All that did 
exist was a file at "/var/log/pki/pki-ca-spawn.20180502214514.log". It doesn't 
have any errors though; it just ends suddenly:

        2018-05-02 21:45:17 pkispawn    : INFO     ....... existing SSL server cert is for <the system fqdn>
        2018-05-02 21:45:17 pkispawn    : INFO     ....... executing '/etc/init.d/pki-tomcatd start pki-tomcat'
        2018-05-02 21:45:17 pkispawn    : DEBUG    ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.5.5</Version></XMLResponse>
        2018-05-02 21:45:18 pkispawn    : INFO     ....... constructing PKI configuration data.
        2018-05-02 21:45:18 pkispawn    : INFO     ....... executing 'certutil -R -d /root/.dogtag/pki-tomcat/ca/alias -s cn=ipa-ca-agent,OU=Internal,O=<the O> -k rsa -g 2048 -z /root/.dogtag/pki-tomcat/ca/alias/noise -f /root/.dogtag/pki-tomcat/ca/password.conf -o /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'
        2018-05-02 21:45:18 pkispawn    : INFO     ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise
        2018-05-02 21:45:18 pkispawn    : INFO     ....... BtoA /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
        2018-05-02 21:45:18 pkispawn    : INFO     ....... loading caSigningCert External CA certificate
        2018-05-02 21:45:18 pki.nssdb   : DEBUG    Command: certutil -L -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmpUCxF9r/password.txt -n caSigningCert External CA -a
        2018-05-02 21:45:18 pkispawn    : INFO     ....... configuring PKI configuration data.

This looks like a problem with the pki-tomcatd component. The exact error 
output from Tomcat (as in the ipa-server-install log file) is as follows:

        Starting pki-tomcatd (via systemctl): pki-tomcatd.service.

        Installation failed:
        <!DOCTYPE html><html><head><title>Apache Tomcat/8.0.46 (Debian) - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 500 - org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: caSigningCert cert-pki-ca</h1><div class="line"></div><p><b>type</b> Exception report</p><p><b>message</b> <u>org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: caSigningCert cert-pki-ca</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b></p><pre>org.jboss.resteasy.spi.UnhandledException: org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: caSigningCert cert-pki-ca
                org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
                org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
                org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
                org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
                org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
                org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
                org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
                org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
                javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
                org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        </pre><p><b>root cause</b></p><pre>org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: caSigningCert cert-pki-ca
                org.mozilla.jss.CryptoManager.findCertByNicknameNative(Native Method)
                org.mozilla.jss.CryptoManager.findCertByNickname(CryptoManager.java:1307)
                org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:467)
                org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
                org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:166)
                org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:101)
                sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                java.lang.reflect.Method.invoke(Method.java:498)
                org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
                org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
                org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
                org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
                org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
                org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
                org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
                org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
                org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
                javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
                org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        </pre><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/8.0.46 (Debian) logs.</u></p><hr class="line"><h3>Apache Tomcat/8.0.46 (Debian)</h3></body></html>

        Please check the CA logs in /var/log/pki/pki-tomcat/ca.

        2018-05-02T19:45:49Z DEBUG stderr=pkispawn    : ERROR    ....... subprocess.CalledProcessError:  Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!

I've not found any useful answers to the specific error message "Certificate 
not found: caSigningCert cert-pki-ca".

Output of `certutil -L -d /etc/pki/pki-tomcat/alias` is as follows:

        Certificate Nickname                                         Trust Attributes
                                                                     SSL,S/MIME,JAR/XPI

        Server-Cert cert-pki-ca                                      CTu,Cu,Cu
        caSigningCert External CA                                    CT,C,C
        <the correct cn of the CA certificate signed>                CT,C,C
        ocspSigningCert cert-pki-ca                                  u,u,u
        subsystemCert cert-pki-ca                                    u,u,u
        auditSigningCert cert-pki-ca                                 u,u,Pu

If I try to query for "caSigningCert cert-pki-ca" specifically it doesn't 
appear to be found. Output of `certutil -L -d /etc/pki/pki-tomcat/alias -n 
'caSigningCert cert-pki-ca'` is as follows:

        certutil: Could not find cert: caSigningCert cert-pki-ca
        : PR_FILE_NOT_FOUND_ERROR: File not found

Perhaps this particular certificate isn't being installed when spawning the pki?

This could possibly be resolved by installing caSigningCert manually then 
running the 2nd step of the `ipa-server-install` again. (If I knew how to do 
the former I'd try that.)

Please let me know if there is any further information I can provide.

-- 

  * Adam Reece
  * Sven Co-op team

  * Email: a...@svencoop.com <mailto:a...@svencoop.com>
  * Web: www.svencoop.com <http://www.svencoop.com>
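A check for the missing nickname, as an added example that is not part of the bug report nor FreeIPA/Dogtag code: it parses the `certutil -L` listing quoted above and reports which of the cert-pki-ca nicknames named in the report are absent from the NSS database, so the gap the stack trace hits in SystemConfigService.processCert can be confirmed before the second `ipa-server-install` run. The sample listing is constructed from the report, with a placeholder for the external CA's CN; `check_nssdb` assumes `certutil` is on PATH and that the database at /etc/pki/pki-tomcat/alias is readable.

```python
# Added example (not from the report, FreeIPA or Dogtag): parse a `certutil -L`
# listing and report which cert-pki-ca nicknames from the report are absent, the
# lookup SystemConfigService.processCert failed on. Sample data is constructed.
import re
import subprocess

EXPECTED_NICKNAMES = {
    "caSigningCert cert-pki-ca",
    "Server-Cert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "subsystemCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
}

# Constructed from the report's listing (CA CN is a placeholder); caSigningCert cert-pki-ca is absent.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      CTu,Cu,Cu
caSigningCert External CA                                    CT,C,C
CN=Example Root CA (placeholder)                             CT,C,C
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
"""

# Data line: nickname, 2+ spaces, three comma-separated NSS trust strings (each may be empty).
LINE_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[CTPcpuw]*,[CTPcpuw]*,[CTPcpuw]*)$")


def parse_certutil_listing(text):
    """Return {nickname: trust attributes} from `certutil -L` output; header lines never match."""
    certs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def missing_nicknames(certs, expected=EXPECTED_NICKNAMES):
    """Expected nicknames absent from a parsed listing, sorted."""
    return sorted(expected - set(certs))


def check_nssdb(dbdir="/etc/pki/pki-tomcat/alias"):
    """Run certutil on a live NSS database and return its missing nicknames."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir], capture_output=True, text=True, check=True).stdout
    return missing_nicknames(parse_certutil_listing(out))
```

On the listing from the report this returns `['caSigningCert cert-pki-ca']`, matching the nickname the Tomcat root cause could not find.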
