Re: [Freeipa-users] Freeipa 3.3.3 and --external-ca

2015-01-01 Thread Martin Minkus
Hi Daniel,

Oh wow, you might be right!

I just checked the CA cert and the signed IPA cert, and openssl shows:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 33 (0x21)
Signature Algorithm: sha1WithRSAEncryption

Now that we know what the problem most likely is, we'll figure out how
we want to move forward from here. That might be to upgrade to SHA256
for our internal CA, apply the patch you provided, or go self-signed...

But good to know.

Thanks,
Martin.


On 12/30/2014 10:02 AM, Daniel Hjorth wrote:
 Hi Martin,
 
 I think I ran into the same problem.  Do you know which signing algorithm
 your external CA used?  In my case the external CA is on Server 2003 which
 only allowed SHA1 but IPA 3.3.3 seems to require SHA256.
 
 I was not able to get my CA to use SHA256 so I applied the diff from the
 commit below:
 
 https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=081580779b2609c3a453077042f7d3fc7b25a57d
 
 I then used the --ca-signing-algorithm= option when installing IPA.
 This may not be the best solution but it worked and I haven't seen any
 issues.
 
 Hope this helps,
 
 Daniel
 
 On 12/29/14, 3:02 PM, Martin Minkus martin.min...@corp.sonic.net wrote:
 
 Hi all,

 I'm running Freeipa 3.3.3 on CentOS 7.0.

 It worked fine self signed but I am having difficulty getting it to work
 with --external-ca. I've seen a few other reports of this on the list
 with no resolution, so I'm not sure whether this is simply broken in
 this version or what? Maybe I'm just doing something wrong. :)

 From /var/log/ipaserver-install.log


 2014-12-29T21:25:19Z DEBUG Starting external process
 2014-12-29T21:25:19Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp00n3qN
 2014-12-29T21:25:21Z DEBUG Process finished, return code=1
 2014-12-29T21:25:21Z DEBUG stdout=Loading deployment configuration from
 /tmp/tmp00n3qN.
 Installing CA into /var/lib/pki/pki-tomcat.
 loading external CA signing certificate from file: '/root/ipa.crt'
 loading external CA signing certificate chain from file: '/tmp/tmpnVtMl7'
 Installation failed.


 2014-12-29T21:25:21Z DEBUG stderr=pkispawn: ERROR...
 Exception from Java Configuration Servlet: Error in creating pkcs12 to
 backup keys and certs: org.mozilla.jss.crypto.ObjectNotFoundException

 2014-12-29T21:25:21Z CRITICAL failed to configure ca instance Command
 '/usr/sbin/pkispawn -s CA -f /tmp/tmp00n3qN' returned non-zero exit
 status 1
 2014-12-29T21:25:21Z DEBUG   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
 line 638, in run_script
return_value = main_function()

  File /sbin/ipa-server-install, line 1094, in main
subject_base=options.subject)

  File
 /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
 478, in configure_instance
self.start_creation(runtime=210)

  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 364, in start_creation
method()

  File
 /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
 615, in __spawn_instance
raise RuntimeError('Configuration of CA failed')

 2014-12-29T21:25:21Z DEBUG The ipa-server-install command failed,
 exception: RuntimeError: Configuration of CA failed


 From /var/log/pki/pki-ca-spawn.20141229132519.log

 2014-12-29 13:25:19 pkispawn: INFO ... skip populating
 'pki.deployment.infrastructure_layout'
 2014-12-29 13:25:19 pkispawn: INFO ... skip populating
 'pki.deployment.instance_layout'
 2014-12-29 13:25:19 pkispawn: INFO ... skip populating
 'pki.deployment.subsystem_layout'
 2014-12-29 13:25:19 pkispawn: INFO ... skip populating
 'pki.deployment.selinux_setup'
 2014-12-29 13:25:19 pkispawn: INFO ... skip deploying
 'pki.deployment.webapp_deployment'
 2014-12-29 13:25:19 pkispawn: INFO ... skip assigning slots for
 'pki.deployment.slot_substitution'
 2014-12-29 13:25:19 pkispawn: INFO ... skip generating
 'pki.deployment.security_databases'
 2014-12-29 13:25:19 pkispawn: INFO ... configuring
 'pki.deployment.configuration'
 2014-12-29 13:25:19 pkispawn: INFO ... modifying
 '/root/.dogtag/pki-tomcat/ca/password.conf'
 2014-12-29 13:25:19 pkispawn: DEBUG... chmod 660
 /root/.dogtag/pki-tomcat/ca/password.conf
 2014-12-29 13:25:19 pkispawn: DEBUG... chown 0:0
 /root/.dogtag/pki-tomcat/ca/password.conf
 2014-12-29 13:25:19 pkispawn: INFO ... modifying
 '/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
 2014-12-29 13:25:19 pkispawn: DEBUG... chmod 660
 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
 2014-12-29 13:25:19 pkispawn: DEBUG... chown 992:991
 /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
 2014-12-29 13:25:19 pkispawn: INFO ... executing 'certutil
 -N -d /tmp/tmp-s1tfK9 -f /root/.dogtag/pki-tomcat/ca/password.conf'
 2014-12-29 13:25:19 pkispawn: INFO ... executing 'systemctl
 start 
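The openssl output Martin quotes above ("Signature Algorithm: sha1WithRSAEncryption") is the field that decides whether an externally signed IPA CA certificate will be accepted. As an added example that is not from this thread or from FreeIPA, here is a standard-library-only Python audit of that field on a DER or PEM certificate; it also confirms that the inner tbsCertificate.signature and the outer signatureAlgorithm agree, as RFC 5280 section 4.1.1.2 requires. The OID table is a subset I chose, and the sample input is a constructed certificate-shaped DER skeleton, not a real certificate.

```python
"""Audit the signature algorithm of an X.509 certificate using only the
standard library: the fact 'openssl x509 -text' prints as
"Signature Algorithm: ...", plus the RFC 5280 4.1.1.2 inner/outer check."""
import base64
import re

# Subset of signature-algorithm OIDs (assumption: only these are named).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}
WEAK_DIGESTS = {"md5", "sha1"}


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos] (single-byte tags, which is
    all a certificate uses); return (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted form, e.g. 1.2.840.113549.1.1.5."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def to_der(data):
    """Accept PEM or DER bytes and return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature OID, Certificate.signatureAlgorithm OID)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, tbs, pos = read_tlv(cert, 0)
    _, outer_alg, _ = read_tlv(cert, pos)
    # TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber, signature, ... }
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:  # explicit version present, so serialNumber is the next element
        _, _, pos = read_tlv(tbs, pos)
    _, tbs_alg, _ = read_tlv(tbs, pos)
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }
    return decode_oid(read_tlv(tbs_alg, 0)[1]), decode_oid(read_tlv(outer_alg, 0)[1])


def check_certificate(data):
    """Name the signature algorithm and list the findings a reviewer should act on."""
    tbs_oid, outer_oid = signature_algorithms(to_der(data))
    name, digest = SIG_ALG_OIDS.get(outer_oid, (outer_oid, None))
    findings = []
    if tbs_oid != outer_oid:
        findings.append("inner and outer signature algorithms differ (RFC 5280 4.1.1.2)")
    if digest in WEAK_DIGESTS:
        findings.append(f"signed with {digest}; re-issue with SHA-256 or stronger")
    return {"algorithm": name, "digest": digest, "findings": findings}


# Constructed test input: a certificate-shaped DER skeleton, NOT a valid
# certificate (issuer, validity, subject, key and signature are stand-ins).
def der_tlv(tag, value):
    """Encode one DER TLV; lengths up to 65535."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + value


def encode_oid(dotted):
    """Dotted OID -> OBJECT IDENTIFIER contents (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_skeleton_cert(sig_oid, outer_oid=None, serial=33):
    """Skeleton with a v3 version marker, the given serial and algorithm OIDs."""
    def alg_id(oid):  # AlgorithmIdentifier with NULL parameters, as RSA signatures use
        return der_tlv(0x30, der_tlv(0x06, encode_oid(oid)) + der_tlv(0x05, b""))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))
                  + der_tlv(0x02, bytes([serial])) + alg_id(sig_oid)
                  + der_tlv(0x30, b"") * 4)  # issuer, validity, subject, SPKI stand-ins
    return der_tlv(0x30, tbs + alg_id(outer_oid or sig_oid) + der_tlv(0x03, b"\x00" * 17))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(check_certificate(build_skeleton_cert(oid)))
```

Run `check_certificate(open("/root/ipa.crt", "rb").read())` against the externally signed certificate before starting ipa-server-install; a `sha1` finding is exactly the situation this thread describes, and the fix belongs at the issuing CA (a SHA-256 re-issue), not in the installer.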

[Freeipa-users] Freeipa 3.3.3 and --external-ca

2014-12-30 Thread Martin Minkus
Hi all,

I'm running Freeipa 3.3.3 on CentOS 7.0.

It worked fine self signed but I am having difficulty getting it to work
with --external-ca. I've seen a few other reports of this on the list
with no resolution, so I'm not sure whether this is simply broken in
this version or what? Maybe I'm just doing something wrong. :)

From /var/log/ipaserver-install.log


2014-12-29T21:25:19Z DEBUG Starting external process
2014-12-29T21:25:19Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp00n3qN
2014-12-29T21:25:21Z DEBUG Process finished, return code=1
2014-12-29T21:25:21Z DEBUG stdout=Loading deployment configuration from
/tmp/tmp00n3qN.
Installing CA into /var/lib/pki/pki-tomcat.
loading external CA signing certificate from file: '/root/ipa.crt'
loading external CA signing certificate chain from file: '/tmp/tmpnVtMl7'
Installation failed.


2014-12-29T21:25:21Z DEBUG stderr=pkispawn: ERROR...
Exception from Java Configuration Servlet: Error in creating pkcs12 to
backup keys and certs: org.mozilla.jss.crypto.ObjectNotFoundException

2014-12-29T21:25:21Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmp00n3qN' returned non-zero exit status 1
2014-12-29T21:25:21Z DEBUG   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
line 638, in run_script
return_value = main_function()

  File /sbin/ipa-server-install, line 1094, in main
subject_base=options.subject)

  File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
478, in configure_instance
self.start_creation(runtime=210)

  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 364, in start_creation
method()

  File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
615, in __spawn_instance
raise RuntimeError('Configuration of CA failed')

2014-12-29T21:25:21Z DEBUG The ipa-server-install command failed,
exception: RuntimeError: Configuration of CA failed


From /var/log/pki/pki-ca-spawn.20141229132519.log

2014-12-29 13:25:19 pkispawn: INFO ... skip populating
'pki.deployment.infrastructure_layout'
2014-12-29 13:25:19 pkispawn: INFO ... skip populating
'pki.deployment.instance_layout'
2014-12-29 13:25:19 pkispawn: INFO ... skip populating
'pki.deployment.subsystem_layout'
2014-12-29 13:25:19 pkispawn: INFO ... skip populating
'pki.deployment.selinux_setup'
2014-12-29 13:25:19 pkispawn: INFO ... skip deploying
'pki.deployment.webapp_deployment'
2014-12-29 13:25:19 pkispawn: INFO ... skip assigning slots for
'pki.deployment.slot_substitution'
2014-12-29 13:25:19 pkispawn: INFO ... skip generating
'pki.deployment.security_databases'
2014-12-29 13:25:19 pkispawn: INFO ... configuring
'pki.deployment.configuration'
2014-12-29 13:25:19 pkispawn: INFO ... modifying
'/root/.dogtag/pki-tomcat/ca/password.conf'
2014-12-29 13:25:19 pkispawn: DEBUG... chmod 660
/root/.dogtag/pki-tomcat/ca/password.conf
2014-12-29 13:25:19 pkispawn: DEBUG... chown 0:0
/root/.dogtag/pki-tomcat/ca/password.conf
2014-12-29 13:25:19 pkispawn: INFO ... modifying
'/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
2014-12-29 13:25:19 pkispawn: DEBUG... chmod 660
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2014-12-29 13:25:19 pkispawn: DEBUG... chown 992:991
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2014-12-29 13:25:19 pkispawn: INFO ... executing 'certutil
-N -d /tmp/tmp-s1tfK9 -f /root/.dogtag/pki-tomcat/ca/password.conf'
2014-12-29 13:25:19 pkispawn: INFO ... executing 'systemctl
start pki-tomcatd@pki-tomcat.service'
2014-12-29 13:25:19 pkispawn: DEBUG... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.0.5-3.el7</Version></XMLResponse>
2014-12-29 13:25:20 pkispawn: INFO ... constructing PKI
configuration data.
2014-12-29 13:25:20 pkispawn: INFO ... generating noise file
called '/tmp/tmp-s1tfK9/noise' and filling it with '2048' random bytes
2014-12-29 13:25:20 pkispawn: DEBUG... chmod 660
/tmp/tmp-s1tfK9/noise
2014-12-29 13:25:20 pkispawn: DEBUG... chown 992:991
/tmp/tmp-s1tfK9/noise
2014-12-29 13:25:20 pkispawn: INFO ... executing
'['certutil', '-R', '-d', '/tmp/tmp-s1tfK9', '-s',
'cn=ipa-ca-agent,O=IPA.SONIC.NET', '-g', '2048', '-z',
'/tmp/tmp-s1tfK9/noise', '-f',
'/root/.dogtag/pki-tomcat/ca/password.conf', '-o',
'/tmp/tmp-s1tfK9/admin_pkcs10.bin']'
2014-12-29 13:25:20 pkispawn: INFO ... ['BtoA',
'/tmp/tmp-s1tfK9/admin_pkcs10.bin', '/tmp/tmp-s1tfK9/admin_pkcs10.bin.asc']
2014-12-29 13:25:21 pkispawn: INFO ... configuring PKI
configuration data.
2014-12-29 13:25:21 pkispawn: ERROR... Exception from Java
Configuration Servlet: Error in creating pkcs12 to backup keys and
certs: 

Re: [Freeipa-users] Freeipa 3.3.3 and --external-ca

2014-12-30 Thread Daniel Hjorth
Hi Martin,

I think I ran into the same problem.  Do you know which signing algorithm
your external CA used?  In my case the external CA is on Server 2003 which
only allowed SHA1 but IPA 3.3.3 seems to require SHA256.

I was not able to get my CA to use SHA256 so I applied the diff from the
commit below:

https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=081580779b2609c3a453077042f7d3fc7b25a57d

I then used the --ca-signing-algorithm= option when installing IPA.
This may not be the best solution but it worked and I haven't seen any
issues.

Hope this helps,

Daniel

On 12/29/14, 3:02 PM, Martin Minkus martin.min...@corp.sonic.net wrote:

Hi all,

I'm running Freeipa 3.3.3 on CentOS 7.0.

It worked fine self signed but I am having difficulty getting it to work
with --external-ca. I've seen a few other reports of this on the list
with no resolution, so I'm not sure whether this is simply broken in
this version or what? Maybe I'm just doing something wrong. :)

From /var/log/ipaserver-install.log


2014-12-29T21:25:19Z DEBUG Starting external process
2014-12-29T21:25:19Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmp00n3qN
2014-12-29T21:25:21Z DEBUG Process finished, return code=1
2014-12-29T21:25:21Z DEBUG stdout=Loading deployment configuration from
/tmp/tmp00n3qN.
Installing CA into /var/lib/pki/pki-tomcat.
loading external CA signing certificate from file: '/root/ipa.crt'
loading external CA signing certificate chain from file: '/tmp/tmpnVtMl7'
Installation failed.


2014-12-29T21:25:21Z DEBUG stderr=pkispawn: ERROR...
Exception from Java Configuration Servlet: Error in creating pkcs12 to
backup keys and certs: org.mozilla.jss.crypto.ObjectNotFoundException

2014-12-29T21:25:21Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmp00n3qN' returned non-zero exit
status 1
2014-12-29T21:25:21Z DEBUG   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
line 638, in run_script
return_value = main_function()

  File /sbin/ipa-server-install, line 1094, in main
subject_base=options.subject)

  File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
478, in configure_instance
self.start_creation(runtime=210)

  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 364, in start_creation
method()

  File
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line
615, in __spawn_instance
raise RuntimeError('Configuration of CA failed')

2014-12-29T21:25:21Z DEBUG The ipa-server-install command failed,
exception: RuntimeError: Configuration of CA failed


From /var/log/pki/pki-ca-spawn.20141229132519.log

2014-12-29 13:25:19 pkispawn: INFO ... skip populating
'pki.deployment.infrastructure_layout'
2014-12-29 13:25:19 pkispawn: INFO ... skip populating
'pki.deployment.instance_layout'
2014-12-29 13:25:19 pkispawn: INFO ... skip populating
'pki.deployment.subsystem_layout'
2014-12-29 13:25:19 pkispawn: INFO ... skip populating
'pki.deployment.selinux_setup'
2014-12-29 13:25:19 pkispawn: INFO ... skip deploying
'pki.deployment.webapp_deployment'
2014-12-29 13:25:19 pkispawn: INFO ... skip assigning slots for
'pki.deployment.slot_substitution'
2014-12-29 13:25:19 pkispawn: INFO ... skip generating
'pki.deployment.security_databases'
2014-12-29 13:25:19 pkispawn: INFO ... configuring
'pki.deployment.configuration'
2014-12-29 13:25:19 pkispawn: INFO ... modifying
'/root/.dogtag/pki-tomcat/ca/password.conf'
2014-12-29 13:25:19 pkispawn: DEBUG... chmod 660
/root/.dogtag/pki-tomcat/ca/password.conf
2014-12-29 13:25:19 pkispawn: DEBUG... chown 0:0
/root/.dogtag/pki-tomcat/ca/password.conf
2014-12-29 13:25:19 pkispawn: INFO ... modifying
'/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf'
2014-12-29 13:25:19 pkispawn: DEBUG... chmod 660
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2014-12-29 13:25:19 pkispawn: DEBUG... chown 992:991
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
2014-12-29 13:25:19 pkispawn: INFO ... executing 'certutil
-N -d /tmp/tmp-s1tfK9 -f /root/.dogtag/pki-tomcat/ca/password.conf'
2014-12-29 13:25:19 pkispawn: INFO ... executing 'systemctl
start pki-tomcatd@pki-tomcat.service'
2014-12-29 13:25:19 pkispawn: DEBUG... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.0.5-3.el7</Version></XMLResponse>
2014-12-29 13:25:20 pkispawn: INFO ... constructing PKI
configuration data.
2014-12-29 13:25:20 pkispawn: INFO ... generating noise file
called '/tmp/tmp-s1tfK9/noise' and filling it with '2048' random bytes
2014-12-29 13:25:20 pkispawn: DEBUG... chmod 660
/tmp/tmp-s1tfK9/noise
2014-12-29 13:25:20 pkispawn: DEBUG... chown 992:991
/tmp/tmp-s1tfK9/noise
2014-12-29