Package: freeipa-server
Version: 4.6.3-1
Severity: important
-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (700, 'stable'), (650, 'unstable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freeipa-server depends on:
ii  389-ds-base                    1.3.7.10-1
ii  acl                            2.2.52-3+b1
ii  apache2                        2.4.25-3+deb9u4
ii  certmonger                     0.79.5-2
ii  custodia                       0.5.0-3
ii  fonts-font-awesome             4.7.0~dfsg-3
ii  fonts-open-sans                1.11-1
ii  freeipa-admintools             4.6.3-1
ii  freeipa-client                 4.6.3-1
ii  freeipa-common                 4.6.3-1
ii  gssproxy                       0.8.0-1
ii  krb5-admin-server              1.16-2
ii  krb5-kdc                       1.16-2
ii  krb5-kdc-ldap                  1.16-2
ii  krb5-otp                       1.16-2
ii  krb5-pkinit                    1.16-2
ii  ldap-utils                     2.4.45+dfsg-1
ii  libapache2-mod-auth-gssapi     1.6.0-1
ii  libapache2-mod-lookup-identity 1.0.0-1
ii  libapache2-mod-nss             1.0.14-1+b1
ii  libapache2-mod-wsgi            4.5.17-1+b1
ii  libc6                          2.27-3
ii  libcomerr2                     1.44.1-2
ii  libjs-dojo-core                1.11.0+dfsg-1
ii  libjs-jquery                   3.2.1-1
ii  libk5crypto3                   1.16-2
ii  libkrad0                       1.16-2
ii  libkrb5-3                      1.16-2
ii  libldap-2.4-2                  2.4.45+dfsg-1
ii  libnspr4                       2:4.19-1
ii  libnss3                        2:3.36.1-1
ii  libnss3-tools                  2:3.36.1-1
ii  libsasl2-modules-gssapi-mit    2.1.27~101-g0780600+dfsg-3.1
ii  libssl1.1                      1.1.0f-3+deb9u2
ii  libsss-nss-idmap0              1.16.1-1+b1
ii  libtalloc2                     2.1.10-2
ii  libtevent0                     0.9.34-1
ii  libunistring2                  0.9.8-1
ii  libuuid1                       2.29.2-1+deb9u1
ii  libverto1                      0.2.4-2.1
ii  ntp                            1:4.2.8p11+dfsg-1
ii  oddjob                         0.34.3-4
ii  p11-kit                        0.23.10-2
ii  pki-ca                         10.5.5-1
ii  pki-kra                        10.5.5-1
ii  python                         2.7.13-2
ii  python-dateutil                2.6.1-1
ii  python-gssapi                  1.4.1-1
ii  python-ipaserver               4.6.3-1
ii  python-ldap                    3.0.0-1
ii  python-systemd                 234-2
ii  samba-libs                     2:4.7.4+dfsg-2
ii  slapi-nis                      0.56.1-1
ii  softhsm2                       2.4.0-0.1
ii  systemd-sysv                   232-25+deb9u3

Versions of packages freeipa-server recommends:
ii  freeipa-server-dns  4.6.3-1

freeipa-server suggests no packages.
-- no debconf information

When installing freeipa server (ipa-server-install) with the preference to use a CA certificate signed by an external CA (--external-ca switch), the pki spawn will fail after you run the installation again to supply the signed certificate.

Error shown in the terminal:

  Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
    [1/28]: configuring certificate server instance
  ipaserver.install.dogtaginstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp1Tdi5f' returned non-zero exit status 1
  ipaserver.install.dogtaginstance: CRITICAL See the installation logs and the following files/directories for more information:
  ipaserver.install.dogtaginstance: CRITICAL   /var/log/pki/pki-tomcat
    [error] RuntimeError: CA configuration failed.
  ipapython.admintool: ERROR    CA configuration failed.
  ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Interestingly, directory "/var/log/pki/pki-tomcat" didn't exist. All that did exist was a file at "/var/log/pki/pki-ca-spawn.20180502214514.log". It doesn't have any errors though, it just ends suddenly:

  2018-05-02 21:45:17 pkispawn    : INFO     ....... existing SSL server cert is for <the system fqdn>
  2018-05-02 21:45:17 pkispawn    : INFO     ....... executing '/etc/init.d/pki-tomcatd start pki-tomcat'
  2018-05-02 21:45:17 pkispawn    : DEBUG    ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.5.5</Version></XMLResponse>
  2018-05-02 21:45:18 pkispawn    : INFO     ....... constructing PKI configuration data.
  2018-05-02 21:45:18 pkispawn    : INFO     ....... executing 'certutil -R -d /root/.dogtag/pki-tomcat/ca/alias -s cn=ipa-ca-agent,OU=Internal,O=<the O> -k rsa -g 2048 -z /root/.dogtag/pki-tomcat/ca/alias/noise -f /root/.dogtag/pki-tomcat/ca/password.conf -o /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin'
  2018-05-02 21:45:18 pkispawn    : INFO     ....... rm -f /root/.dogtag/pki-tomcat/ca/alias/noise
  2018-05-02 21:45:18 pkispawn    : INFO     ....... BtoA /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin /root/.dogtag/pki-tomcat/ca/alias/admin_pkcs10.bin.asc
  2018-05-02 21:45:18 pkispawn    : INFO     ....... loading caSigningCert External CA certificate
  2018-05-02 21:45:18 pki.nssdb   : DEBUG    Command: certutil -L -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmpUCxF9r/password.txt -n caSigningCert External CA -a
  2018-05-02 21:45:18 pkispawn    : INFO     ....... configuring PKI configuration data.

This looks like a problem with the pki-tomcatd component. The exact error output from Tomcat (as in the ipa-server-install log file) is as follows:

  Starting pki-tomcatd (via systemctl): pki-tomcatd.service.
  Installation failed: <!DOCTYPE html><html><head><title>Apache Tomcat/8.0.46 (Debian) - Error report</title>
  <style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style>
  </head><body>
  <h1>HTTP Status 500 - org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: caSigningCert cert-pki-ca</h1>
  <div class="line"></div>
  <p><b>type</b> Exception report</p>
  <p><b>message</b> <u>org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: caSigningCert cert-pki-ca</u></p>
  <p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p>
  <p><b>exception</b></p>
  <pre>org.jboss.resteasy.spi.UnhandledException: org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: caSigningCert cert-pki-ca
      org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:77)
      org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:220)
      org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:175)
      org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:418)
      org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
      org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
      org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
      org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
      org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
  </pre>
  <p><b>root cause</b></p>
  <pre>org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: caSigningCert cert-pki-ca
      org.mozilla.jss.CryptoManager.findCertByNicknameNative(Native Method)
      org.mozilla.jss.CryptoManager.findCertByNickname(CryptoManager.java:1307)
      org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:467)
      org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
      org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:166)
      org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:101)
      sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      java.lang.reflect.Method.invoke(Method.java:498)
      org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
      org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
      org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
      org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
      org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
      org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
      org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
      org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
      org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
      org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
  </pre>
  <p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/8.0.46 (Debian) logs.</u></p>
  <hr class="line"><h3>Apache Tomcat/8.0.46 (Debian)</h3></body></html>
  Please check the CA logs in /var/log/pki/pki-tomcat/ca.
  2018-05-02T19:45:49Z DEBUG stderr=pkispawn    : ERROR    ....... subprocess.CalledProcessError: Command '['sysctl', 'crypto.fips_enabled', '-bn']' returned non-zero exit status 255!

I've not found any useful answers to the specific error message "Certificate not found: caSigningCert cert-pki-ca".

Output of `certutil -L -d /etc/pki/pki-tomcat/alias` is as follows:

  Certificate Nickname                                         Trust Attributes
                                                               SSL,S/MIME,JAR/XPI

  Server-Cert cert-pki-ca                                      CTu,Cu,Cu
  caSigningCert External CA                                    CT,C,C
  <the correct cn of the CA certificate signed>                CT,C,C
  ocspSigningCert cert-pki-ca                                  u,u,u
  subsystemCert cert-pki-ca                                    u,u,u
  auditSigningCert cert-pki-ca                                 u,u,Pu

If I try to query for "caSigningCert cert-pki-ca" specifically, it doesn't appear to be found. Output of `certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'` is as follows:

  certutil: Could not find cert: caSigningCert cert-pki-ca
  : PR_FILE_NOT_FOUND_ERROR: File not found

Perhaps this particular certificate isn't being installed when spawning the pki? This could possibly be resolved by installing caSigningCert manually, then running the 2nd step of `ipa-server-install` again. (If I knew how to do the former, I'd try that.)

Please let me know if there is any further information I can provide.

--
* Adam Reece
* Sven Co-op team
* Email: a...@svencoop.com
* Web: www.svencoop.com
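A pre-flight check for the condition in this report, written here as an added example that is not part of the bug report, FreeIPA or Dogtag: it parses `certutil -L` output and lists which Dogtag CA nicknames are absent from the NSS database, so the missing "caSigningCert cert-pki-ca" is caught before the second `ipa-server-install` step is attempted. The required-nickname list, the `check_live_nssdb` helper and the sample listing are assumptions modelled on the output quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report, FreeIPA or Dogtag). Parses the output
# of `certutil -L -d <nssdb>` and reports which Dogtag CA nicknames are missing.

# Nicknames a Dogtag CA instance is expected to hold; assumed from the listing
# in the report (the one absent there is caSigningCert cert-pki-ca).
REQUIRED_NICKNAMES='caSigningCert cert-pki-ca
ocspSigningCert cert-pki-ca
subsystemCert cert-pki-ca
auditSigningCert cert-pki-ca
Server-Cert cert-pki-ca'

# Constructed sample, modelled on the certutil listing in the report.
SAMPLE_CERTUTIL_OUTPUT='
Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                CTu,Cu,Cu
caSigningCert External CA                              CT,C,C
CN=Example Corp Root CA                                CT,C,C
ocspSigningCert cert-pki-ca                            u,u,u
subsystemCert cert-pki-ca                              u,u,u
auditSigningCert cert-pki-ca                           u,u,Pu'

# Print one nickname per line from certutil -L output on stdin. A data row is
# recognised by its trailing trust-flag triple (e.g. CTu,Cu,Cu); the header rows
# and "SSL,S/MIME,JAR/XPI" do not match, and nicknames may contain spaces.
nssdb_nicknames() {
    awk 'NF >= 2 && $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
             sub(/[ \t]+[CTcPpuw,]*[ \t]*$/, "")
             print
         }'
}

# Read certutil -L output on stdin; print each required nickname that is absent.
missing_pki_nicknames() {
    found=$(nssdb_nicknames)
    printf '%s\n' "$REQUIRED_NICKNAMES" | while IFS= read -r want; do
        printf '%s\n' "$found" | grep -Fqx -- "$want" || printf '%s\n' "$want"
    done
}

# Run against a live database (default: the path queried in the report).
check_live_nssdb() {
    certutil -L -d "${1:-/etc/pki/pki-tomcat/alias}" | missing_pki_nicknames
}

# Demonstration on the constructed sample: prints "caSigningCert cert-pki-ca".
printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | missing_pki_nicknames
```

An empty result from `check_live_nssdb` means every expected nickname is present; any line printed names a certificate pkispawn will fail to find.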