Installing with an external CA fails with freeipa-server-3.2.1-1.fc19.x86_64
    2013-07-10T15:42:28Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpyARqDb
    2013-07-10T15:42:43Z DEBUG Process finished, return code=1
    2013-07-10T15:42:43Z DEBUG stdout=Loading deployment configuration from /tmp/tmpyARqDb.
    Installing CA into /var/lib/pki/pki-tomcat.
    Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
    Installation failed.
    2013-07-10T15:42:43Z DEBUG stderr=pkispawn : ERROR ....... Exception from Java Configuration Servlet: Error in obtaining certificate chain from issuing CA: java.lang.NullPointerException
I have the feeling that step 0, installing the basic CA to get the CSR, is being skipped.
This is caused by a bug in pkispawn: https://bugzilla.redhat.com/show_bug.cgi?id=986901
The pkispawn bug has been fixed, however external CA installation now crashes in the second step:
    2013-07-23T20:50:54Z DEBUG request 'https://vm-031.idm.lab.bos.redhat.com:8443/ca/ee/ca/profileSubmitSSLClient'
    2013-07-23T20:50:54Z DEBUG request body 'profileId=caIPAserviceCert&requestor_name=IPA+Installer&cert_request=MIICjjCCAXYCAQAwSTEfMB0GA1UEChMWSURNLkxBQi5CT1MuUkVESEFULkNPTTEm%0D%0AMCQGA1UEAxMddm0tMDMxLmlkbS5sYWIuYm9zLnJlZGhhdC5jb20wggEiMA0GCSqG%0D%0ASIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7zYgEau3uucg5l2nbP%2B2Bow8gSb24s5dG%0D%0AF86qD%2FlVPIoWhopjKtH1CLgRu2HVW91FivxRXzcHvvAiU9CpXEADK9aCmTuolmiI%0D%0ABNMNBB8PclEWi3nH713hJInTylWMbxV9y%2FrxmgOo5mhCNwTuM9WfFOWzhX8Twr%2Fw%0D%0AqrzrrZ%2BWu6qBYSiGLbYUHLPqlciv%2BZnMvGWfzt4J%2BOo5EC36ivRJFefs%2FjVr11Mf%0D%0Awkqis0G6s9kZ%2BPLLCaUGbC7ElIdH3aHxte%2FWqTeWqskIRu1Vfd9EjCnQsJ3ytC8v%0D%0AGDjMsnq0JkjkjULLDjAmeGjoVJgPDJFw9Mro2uzgXWKYR2YW9L17AgMBAAGgADAN%0D%0ABgkqhkiG9w0BAQUFAAOCAQEAAz%2FaUJDvC3YhIOK%2Bgk7w1Z%2Bqa4KqWINfNJIuOcKn%0D%0AsNdU1tZe2u%2FFtcftnpwzje3TgZ0ZtccUNj21VMLHs2gqi1XGOrG%2BRRm1E8dCxvzh%0D%0AZxHMjuWWXAvsWgSTZV4w3A7NUmGOy04%2FnxYt2PAhinv6OhBc4hmO2apeaYbsK76S%0D%0AjoUgQkNf8KHwqWwuynOy2qhMY9McHFF7x9fr1oYvRIhruKlbu%2FLuGF5u8kCYzTw4%0D%0AIa900ynPLDYXu6GSV5je5eUEENlkv2WWfylyuX1uAEwRfqLgw9ybTzVX117ZXQax%0D%0ATGMcLVe1%2Fu%2Bm1H%2BbU6qzxd8PH7%2Bfz0LjzHSVYrt4IgtOMQ%3D%3D%0A&cert_request_type=pkcs10&xmlOutput=true'
    2013-07-23T20:50:54Z DEBUG NSSConnection init vm-031.idm.lab.bos.redhat.com
    2013-07-23T20:50:54Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 614, in run_script
        return_value = main_function()
      File "/sbin/ipa-server-install", line 1043, in main
        ds.enable_ssl()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 574, in enable_ssl
        nickname, self.fqdn, cadb)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 604, in create_server_cert
        cdb.issue_server_cert(self.certreq_fname, self.certder_fname)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 671, in issue_server_cert
        self.secdir, password, "ipaCert", **params)
      File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 236, in https_request
        'https', host, port, url, connection_factory, body)
      File "/usr/lib/python2.7/site-packages/ipapython/dogtag.py", line 295, in _httplib_request
        raise NetworkError(uri=uri, error=str(e))
    2013-07-23T20:50:54Z DEBUG The ipa-server-install command failed, exception: NetworkError: cannot connect to 'https://vm-031.idm.lab.bos.redhat.com:8443/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXTENSION_NOT_FOUND) Certificate extension not found.
I reproduced this too (using the steps that worked for me ever since F19). I played with this issue for some time and found suspicious behavior.
ipa-server-install fails in the https_request method. I tried to print all the parameters we use for that call and see its output:
      [15/20]: requesting RA certificate from CA
      [16/20]: issuing RA agent certificate
      [17/20]: adding RA agent as a trusted user
      [18/20]: configure certificate renewals
      [19/20]: configure Server-Cert certificate renewal
      [20/20]: Configure HTTP to proxy connections
    Done configuring certificate server (pki-tomcatd).
    try 0
    ===============================
    https_request: host: vm-119.idm.lab.bos.redhat.com
    https_request: port: 8443
    https_request: url: /ca/ee/ca/profileSubmitSSLClient
    https_request: secdir: /etc/httpd/alias
    https_request: password: df248116973a3012d61a
    https_request: nickname: ipaCert
    https_request: kw: {'profileId': 'caIPAserviceCert', 'requestor_name': 'IPA Installer', 'cert_request': 'MIICjjCCAXYCAQAwSTEfMB0GA1UEChMWSURNLkxBQi5CT1MuUkVESEFULkNPTTEm\r\nMCQGA1UEAxMddm0tMTE5LmlkbS5sYWIuYm9zLnJlZGhhdC5jb20wggEiMA0GCSqG\r\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD6Cs6r9k+fUY2++LBvdf8L6TwsAZ7xiXGc\r\nYockAaMdGoKbjVai8v7iaHTTGDpvd9/zOd0wVyZRzbDdd0XjiEzobKYrDh6Aj1Ub\r\nIb8uRqqaZJxaSw+o6cFtjpkzRAwUiBYke379KVkalUIiCK6f4Ez2GqeXx9PyJtfr\r\nBr/xCmuxYj41aZ9l/WOtD4FqMPvTY1H2WaGaMnqYQsdwnwh0+SflTQdst4FN/2Eq\r\nYlByTguz7qSlOhJzqIPwFnQE1gADMhLNtZUFwQp8Jv0HMSHUqOiTKX4h47Lp5XIe\r\n0nEBJEe/aveHgtjU2rUQbG3IvUb2e9DiHZ2PY22ZgipO8SlZej7vAgMBAAGgADAN\r\nBgkqhkiG9w0BAQUFAAOCAQEAPQNCLQEOvw4R+S0q1F+1hwsCmFxdWBYVjCQ+9tVK\r\nN0g1Yt0Xm/Muovh+IZ7wTgpr2iXcyO1mgf2yD5u0I/vy9mOzSWYMcK6fWsLjsHUP\r\n982mqQcma8rXagJhQjQ+OplM/Y9mUgJN7oTWAJj2FS04NCNN0bxzLOwCrQzs43R3\r\nlT0T31K+dgW0XhdlkeW/zJM07Mjb6mHArcbDRLqZQysXavsD65GZyPGwVgUqqQob\r\nrAyKKfrriXvYHIN0k6IUMNppydd9sGuHF3Zt/qHRkb+4j0qmpvSwMtQDgg4qJwY7\r\nFMmQzV9z2WLg9Bh2eOVh5X4OrwtRoikQ8p4LvZZ2i+TRKg==\n', 'cert_request_type': 'pkcs10', 'xmlOutput': 'true'}
    ===============================
    Failed with cannot connect to 'https://vm-119.idm.lab.bos.redhat.com:8443/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXTENSION_NOT_FOUND) Certificate extension not found.
    try 1
Then I tried to use the very same options to call https_request from a standalone script:
    # /tmp/test.py
    ===============================
    https_request: host: vm-119.idm.lab.bos.redhat.com
    https_request: port: 8443
    https_request: url: /ca/ee/ca/profileSubmitSSLClient
    https_request: secdir: /etc/httpd/alias/
    https_request: password: df248116973a3012d61a
    https_request: nickname: ipaCert
    https_request: kw: {'profileId': 'caIPAserviceCert', 'requestor_name': 'IPA Installer', 'cert_request': 'MIICjjCCAXYCAQAwSTEfMB0GA1UEChMWSURNLkxBQi5CT1MuUkVESEFULkNPTTEm\r\nMCQGA1UEAxMddm0tMTE5LmlkbS5sYWIuYm9zLnJlZGhhdC5jb20wggEiMA0GCSqG\r\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVlXRBv+pUq+RZC4qkBjXYyFEzRfrt5rIU\r\nEV59owwC1HeFwjGSznt+DCbeGzOsIvVnETWsDDizqS1/7xOd2jqvmvDPF57gonnf\r\n2Qejqxlket4E8HC7PH7Zr02vk/2y5mDJa2fdA0uvPKUxexvFdbARO0sbh3cLJdFq\r\n5r1zAWV7HMm3DBJc2+IgWpbD/RHrJHRCKZQrX9XEpOvvTSguD/9HjDFUkw5Q+lHv\r\nX8YWB5vYRkePBdljWQvhnoFvyMxT96d5MVgxGdq52rCYCLlmAu588Dd9wxQWKGQ9\r\n89rxvbcZB57Z2XiXLH/KhhuHHU8vH/wY+93C4n8PUdQJjJlBLyHNAgMBAAGgADAN\r\nBgkqhkiG9w0BAQUFAAOCAQEAPoXK/k+un4/FL7nB30tSBL4rlw/LI1N4cy6XPRPR\r\n9965suvaZxVUUyEfHFymK/7c/FYG9apCMBre0IGJpGa9Qc72GrG8ZCUihgo6fQ2Q\r\niMYXT+K2A1xnIaNm1AmyXJOVhLCARGujWoZnaJbmGfp/fANPXI7OKAXg5C5VDlsz\r\ntDXpcIt8jBc6fn1rR+qwTWzC+ItPRy5jrSk2wSWDkYlsnCnDOjJmn4izRaOt+ExP\r\nzFgYa9M/ANW3KZMFu7RrFnK9YnOAopq2xXu2Z43p4Y7wIwmtBwvyCYv1R2UxBOSL\r\nXiqdh91fsT7+x87NAmCnDJlJgK/O1ZR4ptz/J31O8O3XIQ==\n', 'cert_request_type': 'pkcs10', 'xmlOutput': 'true'}
    ===============================
    RETURN: 200 OK
    HEADERS: {'date': 'Thu, 25 Jul 2013 15:55:53 GMT', 'content-length': '1730', 'content-type': 'application/xml', 'server': 'Apache-Coyote/1.1'}
    BODY: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>0</Status><Requests><Request><Id>7</Id><SubjectDN>CN=vm-119.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM</SubjectDN><serialno>7</serialno><b64>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</b64></Request></Requests></XMLResponse>
The call then worked. This really seems like something with the NSS database. Adding Rob, John and Ade to CC in case they have some idea what shall be done with it.
After tiresome investigation I found out this is caused by ipa-server-install not freeing some of the NSS objects in the --external-ca code path, which causes the subsequent crash.
I will send a patch soon.
Attachment: freeipa-mkosek-415-free-nss-objects-in-external-ca-scenario.patch
master:
    6a0aabe Free NSS objects in --external-ca scenario
ipa-3-2:
    b8d296f Free NSS objects in --external-ca scenario
We really need to start using contexts and stop calling nss_shutdown; a lot of these problems should in theory go away. There's an open ticket for this work.
Metadata Update from @rcritten:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 3.2.x - 2013/07 (bug fixing)