Bug
Resolution: Done
Blocker
certsys-10.3
Description of problem:
KRA two-step installation fails on a system configured without an HSM (software NSS token)
Version-Release number of selected component (if applicable):
pki-server-10.11.0-0.3.alpha3.module+el8.5.0+11413+57da3eb7.noarch
pki-kra-10.11.0-0.3.alpha3.module+el8.5.0+11413+57da3eb7.noarch
pki-base-10.11.0-0.3.alpha3.module+el8.5.0+11413+57da3eb7.noarch
pki-ca-10.11.0-0.3.alpha3.module+el8.5.0+11413+57da3eb7.noarch
How reproducible:
Always
Steps to Reproduce:
1. Install RHEL 8.5, install DS and CS packages
2. Install DS and CA
3. Perform two-step install of KRA
- pkispawn -s KRA -f /tmp/test_dir/kra.cfg --debug
Loading deployment configuration from /tmp/test_dir/kra.cfg.
Installation log: /var/log/pki/pki-kra-spawn.20210719075113.log
INFO: Connecting to LDAP server at ldaps://pki1.example.com:2636
INFO: Connecting to LDAP server at ldaps://pki1.example.com:2636
INFO: Connecting to security domain at https://pki1.example.com:20443
INFO: Getting security domain info
Installing KRA into /var/lib/pki/topology-cc-KRA.
INFO: BEGIN spawning KRA subsystem in topology-cc-KRA instance
INFO: Loading instance: topology-cc-KRA
...
INFO: Storing admin certificate into /opt/topology-cc-KRA/kra_admin.cert
DEBUG: saving KRA pki1.example.com 21443 Admin Certificate to file: /opt/topology-cc-KRA/kra_admin.cert
INFO: Importing admin certificate into /opt/topology-cc-KRA/kra/alias
DEBUG: Command: certutil -A -d /opt/topology-cc-KRA/kra/alias -f /opt/topology-cc-KRA/kra/password.conf -n PKI KRA Administrator for Example.Org -a -i /opt/topology-cc-KRA/kra_admin.cert -t ,,
certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
CalledProcessError: Command '['certutil', '-A', '-d', '/opt/topology-cc-KRA/kra/alias', '-f', '/opt/topology-cc-KRA/kra/password.conf', '-n', 'PKI KRA Administrator for Example.Org', '-a', '-i', '/opt/topology-cc-KRA/kra_admin.cert', '-t', ',,']' returned non-zero exit status 255.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 744, in spawn
    admin_cert = deployer.get_admin_cert(subsystem, client)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/__init__.py", line 966, in get_admin_cert
    self.config_client.process_admin_cert(b64cert)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 2618, in process_admin_cert
    admin_cert_file)
  File "/usr/lib/python3.6/site-packages/pki/nssdb.py", line 511, in add_cert
    subprocess.check_call(cmd)
  File "/usr/lib64/python3.6/subprocess.py", line 311, in check_call
    raise CalledProcessError(retcode, cmd)
Installation failed: Command failed: certutil -A -d /opt/topology-cc-KRA/kra/alias -f /opt/topology-cc-KRA/kra/password.conf -n PKI KRA Administrator for Example.Org -a -i /opt/topology-cc-KRA/kra_admin.cert -t ,,
Please check pkispawn logs in /var/log/pki/pki-kra-spawn.20210719075113.log
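The step that fails above is the import of the KRA admin certificate into the subsystem NSS database: pkispawn's pki.nssdb.add_cert runs `certutil -A` and certutil answers SEC_ERROR_ADDING_CERT without saying why. The script below is an added diagnostic for this report, not code from the Dogtag PKI project: it re-runs the same certutil -A command from the log, but first checks the things that commonly make that command fail (database files missing or unwritable, admin cert file not a usable PEM certificate, nickname already taken in the database) and reports them. The NSS database path, password file, nickname and certificate file come from the failing command; the helper names, the SAMPLE_LISTING constant and the `--debug`-style output are this example's own assumptions.

```python
"""Pre-flight diagnostics for `certutil -A` as run by pkispawn (added example)."""
import base64
import os
import re
import shutil
import subprocess

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample of `certutil -L -d <db>` output, used for offline testing.
SAMPLE_LISTING = (
    "Certificate Nickname                                         Trust Attributes\n"
    "                                                             SSL,S/MIME,JAR/XPI\n"
    "\n"
    "caSigningCert cert-pki-ca                                    CTu,Cu,Cu\n"
    "PKI KRA Administrator for Example.Org                        u,u,u\n")


def check_nssdb_dir(db_dir):
    """Return problems with the NSS database directory (empty list = looks fine)."""
    if not os.path.isdir(db_dir):
        return ["%s is not a directory" % db_dir]
    problems = []
    # NSS stores certificates in cert9.db (sqlite) or the legacy cert8.db.
    if not any(os.path.exists(os.path.join(db_dir, f))
               for f in ("cert9.db", "cert8.db")):
        problems.append("no cert9.db/cert8.db in %s" % db_dir)
    if not os.access(db_dir, os.W_OK):
        problems.append("%s is not writable by this user" % db_dir)
    return problems


def pem_to_der(pem_text):
    """Decode the first PEM certificate block; raise ValueError if it is not usable."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError as e:
        raise ValueError("certificate body is not valid base64: %s" % e)
    # A DER certificate is an ASN.1 SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded body does not start with an ASN.1 SEQUENCE")
    return der


def parse_certutil_listing(listing):
    """Parse `certutil -L` output into {nickname: trust flags}.

    Nicknames may contain spaces ('PKI KRA Administrator for Example.Org'),
    so each row is split once from the right on whitespace.
    """
    certs = {}
    for line in listing.splitlines():
        line = line.rstrip()
        if (not line or line.startswith("Certificate Nickname")
                or line.lstrip().startswith("SSL,")):
            continue  # header lines and blank separator
        nickname, trust = line.rsplit(None, 1)
        certs[nickname] = trust
    return certs


def preflight(db_dir, nickname, pem_text, listing):
    """Collect everything that would make `certutil -A` fail before running it."""
    problems = check_nssdb_dir(db_dir)
    try:
        pem_to_der(pem_text)
    except ValueError as e:
        problems.append("admin cert file: %s" % e)
    existing = parse_certutil_listing(listing)
    if nickname in existing:
        # A nickname that is already taken is one common cause of
        # SEC_ERROR_ADDING_CERT; the listing shows what currently holds it.
        problems.append("nickname %r already in database (trust %s)"
                        % (nickname, existing[nickname]))
    return problems


def import_admin_cert(db_dir, password_file, nickname, cert_file):
    """Run the same certutil -A command as pkispawn after the pre-flight checks.

    Returns (ok, problems). Needs the NSS tools on PATH for the listing and the import.
    """
    with open(cert_file) as f:
        pem_text = f.read()
    certutil = shutil.which("certutil")
    listing = ""
    if certutil:
        listing = subprocess.run(
            [certutil, "-L", "-d", db_dir, "-f", password_file],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True).stdout
    problems = preflight(db_dir, nickname, pem_text, listing)
    if not certutil:
        problems.append("certutil not found in PATH")
    if problems:
        return False, problems
    # Identical to the command in the log: -a = PEM input, -t ,, = no trust flags.
    cmd = [certutil, "-A", "-d", db_dir, "-f", password_file, "-n", nickname,
           "-a", "-i", cert_file, "-t", ",,"]
    result = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                            universal_newlines=True)
    if result.returncode != 0:
        problems.append("certutil exit %d: %s" % (result.returncode, result.stderr.strip()))
    return result.returncode == 0, problems


if __name__ == "__main__":
    # Paths and nickname taken from the failing command in the log above.
    ok, issues = import_admin_cert("/opt/topology-cc-KRA/kra/alias",
                                   "/opt/topology-cc-KRA/kra/password.conf",
                                   "PKI KRA Administrator for Example.Org",
                                   "/opt/topology-cc-KRA/kra_admin.cert")
    print("imported" if ok else "failed")
    for issue in issues:
        print(" -", issue)
```

Run it as the same user pkispawn runs as, after the failed step, so the directory permission check reflects what pkispawn saw; an empty problem list followed by a certutil failure means the cause is something this script does not check (for example a certificate with the same issuer and serial already present under another nickname), and `certutil -L -d /opt/topology-cc-KRA/kra/alias` is the next thing to look at.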
Expected results:
KRA two-step installation should succeed on a system configured without an HSM
Additional info:
Same procedure works on RHEL 8.4 bits: https://gitlab.cee.redhat.com/cpinjani/pki-pytest-ansible/-/jobs/4066118#L12992