[Freeipa-users] FreeIPA 3.3.* bug with external-ca?

2013-11-08 Thread Andrea Bontempi
Hi, I'm trying to install FreeIPA with an external CA (again).

Now I use FreeIPA 3.3.* and I found a strange error at [17/22]: requesting RA 
certificate from CA:

2013-11-08T11:07:38Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1096, in main
    subject_base=options.subject)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1089, in __request_ra_certificate
    self.requestId = item_node[0].childNodes[0].data

2013-11-08T11:07:38Z DEBUG The ipa-server-install command failed, exception: 
IndexError: list index out of range

So I opened /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py at 
line 1089:

            # Send the request to the CA
            conn = httplib.HTTPConnection(
                self.fqdn, self.dogtag_constants.UNSECURE_PORT)
            params = urllib.urlencode({'profileId': 'caServerCert',
                    'cert_request_type': 'pkcs10',
                    'requestor_name': 'IPA Installer',
                    'cert_request': csr,
                    'xmlOutput': 'true'})
            headers = {"Content-type": "application/x-www-form-urlencoded",
                       "Accept": "text/plain"}

            conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
            res = conn.getresponse()
            if res.status == 200:
                data = res.read()
                conn.close()
                doc = xml.dom.minidom.parseString(data)
                item_node = doc.getElementsByTagName("RequestId")
                self.requestId = item_node[0].childNodes[0].data   # <-- exception: IndexError: list index out of range
                doc.unlink()
                self.requestId = self.requestId.strip()
                if self.requestId is None:
                    raise RuntimeError("Unable to determine RA certificate requestId")

I read the value of data:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<XMLResponse>
<Status>1</Status>
<Error>Profile caServerCert Not Found</Error>
</XMLResponse>

Can someone help me?

Thank you

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
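The failure Andrea hit is worth isolating on its own: the installer reaches the CA, the CA answers HTTP 200 with an XMLResponse whose Status is 1 and whose Error element carries the real diagnosis ("Profile caServerCert Not Found"), and the installer still indexes RequestId blindly, so the user sees an IndexError instead of the CA's message. The block below is an added example, not FreeIPA's or Dogtag's code. It re-implements the quoted parsing logic, then shows a version that checks Status and Error before touching RequestId. The error response is the one captured in the thread; the success response is a constructed sample whose shape (Status 0 plus a RequestId element) is an assumption, since the real Dogtag reply carries more fields.

```python
"""Hardened handling of a Dogtag profileSubmit XMLResponse (added example)."""
import xml.dom.minidom

# Response captured in the thread: the CA rejected the request on its side.
ERROR_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<XMLResponse>
<Status>1</Status>
<Error>Profile caServerCert Not Found</Error>
</XMLResponse>"""

# Constructed sample of a successful submission (assumed shape; a real reply
# has further elements, but Status and RequestId are what the installer needs).
OK_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<XMLResponse>
<Status>0</Status>
<RequestId>  7  </RequestId>
</XMLResponse>"""


def _text(doc, tag):
    """Stripped text of the first <tag> element, or None if absent/empty."""
    nodes = doc.getElementsByTagName(tag)
    if not nodes or not nodes[0].childNodes:
        return None
    return nodes[0].childNodes[0].data.strip()


def request_id_original(data):
    """The installer's logic as quoted in the thread: assumes RequestId exists."""
    doc = xml.dom.minidom.parseString(data)
    item_node = doc.getElementsByTagName("RequestId")
    request_id = item_node[0].childNodes[0].data  # IndexError on an error reply
    doc.unlink()
    request_id = request_id.strip()
    if request_id is None:  # unreachable: a str is never None
        raise RuntimeError("Unable to determine RA certificate requestId")
    return request_id


def original_raises_index_error(data):
    """True if the quoted logic dies with IndexError on this reply."""
    try:
        request_id_original(data)
    except IndexError:
        return True
    return False


class CAError(RuntimeError):
    """The CA answered with a non-zero Status; message carries its Error text."""


def request_id_hardened(data):
    """Check Status and Error first, then require a non-empty RequestId."""
    doc = xml.dom.minidom.parseString(data)
    try:
        status = _text(doc, "Status")
        if status != "0":
            raise CAError("CA rejected request (Status %s): %s"
                          % (status, _text(doc, "Error") or "no error text"))
        request_id = _text(doc, "RequestId")
    finally:
        doc.unlink()
    if not request_id:
        raise RuntimeError("Unable to determine RA certificate requestId")
    return request_id


def classify(data):
    """Return ('ok', request_id) or ('error', message) without raising."""
    try:
        return ("ok", request_id_hardened(data))
    except CAError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    print(classify(OK_RESPONSE))
    print(classify(ERROR_RESPONSE))
    print("quoted logic raises IndexError:",
          original_raises_index_error(ERROR_RESPONSE))
```

With this shape the install log would have said "CA rejected request (Status 1): Profile caServerCert Not Found", which points straight at the CA-side logs Rob asks for below instead of at a line number in cainstance.py.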


Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?

2013-11-08 Thread Rob Crittenden

Andrea Bontempi wrote:

> [...]

I'd check out the CA logs in /var/log/pki/pki-tomcat/ca for more 
information.


rob



Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?

2013-11-08 Thread Andrea Bontempi
Here is the log /var/log/pki/pki-tomcat/ca/debug:

[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, 
authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use 
default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, 
authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use 
default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet:service() uri = 
/ca/ee/ca/profileSubmit
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param 
name='xmlOutput' value='true'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param 
name='requestor_name' value='IPA Installer'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param 
name='profileId' value='caServerCert'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param 
name='cert_request_type' value='pkcs10'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param 
name='cert_request' value='MIICazCCAVMCAQ...[omissis]'
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: caProfileSubmit start 
to service.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: xmlOutput true
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: isRenewal 
false
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, 
authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use 
default authz mgr: {2}.
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: Profile caServerCert Not Found
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: bad data 
provided in processing request: Profile caServerCert Not Found
[08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: curDate=Fri Nov 08 
13:40:43 CET 2013 id=caProfileSubmit time=100

Log /var/log/pki/pki-tomcat/ca/system:

1434.http-bio-8443-exec-3 - [08/nov/2013:13:37:38 CET] [3] [3] Cannot build CA 
chain. Error java.security.cert.CertificateException: Certificate is not a PKCS 
#11 certificate
1434.http-bio-8443-exec-7 - [08/nov/2013:13:40:19 CET] [3] [3] CASigningUnit: 
Object certificate not found. Error 
org.mozilla.jss.crypto.ObjectNotFoundException

Thank you



Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?

2013-11-08 Thread Andrea Bontempi
> Does /usr/share/pki/ca/profiles/ca/caServerCert.cfg exist?

Yes

> Does rpm -V pki-ca pass?

No response

> Can openssl x509 -text -in /path/to/ca.crt show the cert ok?

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1383914316 (0x527cdb4c)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=DBM
        Validity
            Not Before: Nov  8 12:38:37 2013 GMT
            Not After : Feb 16 12:38:38 2014 GMT
        Subject: O=DBMSRL.COM, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:4b... [omissis]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Alternative Name: 
                email:d...@dbmsrl.com
            X509v3 Extended Key Usage: 
                Code Signing, OCSP Signing, Time Stamping
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                2D:21:C5:07... [omissis]
            X509v3 Authority Key Identifier: 
                keyid:2A:B7... [omissis]




Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?

2013-11-08 Thread Rob Crittenden

Andrea Bontempi wrote:

> [...]

Ok, I'm not sure if the caServerCert error is a red herring or not. Does 
/usr/share/pki/ca/profiles/ca/caServerCert.cfg exist? Does rpm -V pki-ca 
pass?


I wonder if the certificate you're passing is valid. Can openssl x509 
-text -in /path/to/ca.crt show the cert ok?


rob
