Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?
Andrea Bontempi wrote: Here the log /var/log/pki/pki-tomcat/ca/debug [08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}. [08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}. [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet:service() uri = /ca/ee/ca/profileSubmit [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='xmlOutput' value='true' [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='requestor_name' value='IPA Installer' [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='profileId' value='caServerCert' [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='cert_request_type' value='pkcs10' [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='cert_request' value='MIICazCCAVMCAQ...[omissis]' [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: caProfileSubmit start to service. [08/nov/2013:13:40:43][http-bio-8080-exec-2]: xmlOutput true [08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: isRenewal false [08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}. [08/nov/2013:13:40:43][http-bio-8080-exec-2]: Profile caServerCert Not Found [08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: bad data provided in processing request: Profile caServerCert Not Found [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: curDate=Fri Nov 08 13:40:43 CET 2013 id=caProfileSubmit time=100 Log /var/log/pki/pki-tomcat/ca/system: 1434.http-bio-8443-exec-3 - [08/nov/2013:13:37:38 CET] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate 1434.http-bio-8443-exec-7 - [08/nov/2013:13:40:19 CET] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException Ok, I'm not sure if the caServerCert error is a red herring or not. Does /usr/share/pki/ca/profiles/ca/caServerCert.cfg exist? Does rpm -V pki-ca pass? I wonder if the certificate you're passing is valid. Can openssl x509 -text -in /path/to/ca.crt show the cert ok? rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?
> /usr/share/pki/ca/profiles/ca/caServerCert.cfg exist? Yes > Does rpm -V pki-ca pass? No response > Can openssl x509 -text -in /path/to/ca.crt show the cert ok? Certificate: Data: Version: 3 (0x2) Serial Number: 1383914316 (0x527cdb4c) Signature Algorithm: sha1WithRSAEncryption Issuer: CN=DBM Validity Not Before: Nov 8 12:38:37 2013 GMT Not After : Feb 16 12:38:38 2014 GMT Subject: O=DBMSRL.COM, CN=Certificate Authority Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d9:4b... [omissis] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Alternative Name: email:d...@dbmsrl.com X509v3 Extended Key Usage: Code Signing, OCSP Signing, Time Stamping X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Subject Key Identifier: 2D:21:C5:07... [omissis] X509v3 Authority Key Identifier: keyid:2A:B7... [omissis] ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?
Here the log /var/log/pki/pki-tomcat/ca/debug [08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}. [08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}. [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet:service() uri = /ca/ee/ca/profileSubmit [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='xmlOutput' value='true' [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='requestor_name' value='IPA Installer' [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='profileId' value='caServerCert' [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='cert_request_type' value='pkcs10' [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet::service() param name='cert_request' value='MIICazCCAVMCAQ...[omissis]' [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: caProfileSubmit start to service. [08/nov/2013:13:40:43][http-bio-8080-exec-2]: xmlOutput true [08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: isRenewal false [08/nov/2013:13:40:43][http-bio-8080-exec-2]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}. [08/nov/2013:13:40:43][http-bio-8080-exec-2]: Profile caServerCert Not Found [08/nov/2013:13:40:43][http-bio-8080-exec-2]: ProfileSubmitServlet: bad data provided in processing request: Profile caServerCert Not Found [08/nov/2013:13:40:43][http-bio-8080-exec-2]: CMSServlet: curDate=Fri Nov 08 13:40:43 CET 2013 id=caProfileSubmit time=100 Log /var/log/pki/pki-tomcat/ca/system: 1434.http-bio-8443-exec-3 - [08/nov/2013:13:37:38 CET] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate 1434.http-bio-8443-exec-7 - [08/nov/2013:13:40:19 CET] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException Thank you ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA 3.3.* bug with external-ca?
Andrea Bontempi wrote: Hi, i'm trying to install FreeIPA with external CA (again) Now i use FreeIPA 3.3.* and i found a strange error on "[17/22]: requesting RA certificate from CA": 2013-11-08T11:07:38Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script return_value = main_function() File "/usr/sbin/ipa-server-install", line 1096, in main subject_base=options.subject) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance self.start_creation(runtime=210) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1089, in __request_ra_certificate self.requestId = item_node[0].childNodes[0].data 2013-11-08T11:07:38Z DEBUG The ipa-server-install command failed, exception: IndexError: list index out of range So, i open /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py on the line 1089: # Send the request to the CA conn = httplib.HTTPConnection( self.fqdn, self.dogtag_constants.UNSECURE_PORT) params = urllib.urlencode({'profileId': 'caServerCert', 'cert_request_type': 'pkcs10', 'requestor_name': 'IPA Installer', 'cert_request': csr, 'xmlOutput': 'true'}) headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"} conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers) res = conn.getresponse() if res.status == 200: data = res.read() conn.close() doc = xml.dom.minidom.parseString(data) item_node = doc.getElementsByTagName("RequestId") self.requestId = item_node[0].childNodes[0].data <-- exception: IndexError: list index out of range doc.unlink() self.requestId = self.requestId.strip() if self.requestId is None: raise RuntimeError("Unable to determine RA certificate requestId") I read the value of "data": 1 Profile caServerCert Not Found Can someone help me? I'd check out the CA logs in /var/log/pki/pki-tomcat/ca for more information. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users