- Bug
- Resolution: Done-Errata
- Critical
- Seen testing with HSMs but not likely related to that.
- rhel-sst-idm-cs
- QE ack, Dev ack
- Automated
We have a scenario in our automation as follows:
- Install CAless master
- Make CAless master CA-full with a self-signed CA (ipa-ca-install)
- Renew self signed CA cert on master to external CA
- Renew external CA to self-signed on master
- Install replica with CA (--setup-ca) against the master
The import of this "chain" is failing with:
DEBUG: Command: pki -d /etc/pki/pki-tomcat/alias pkcs7-cert-import --pkcs7 /tmp/tmpo22mm2_y/cert_chain.p7b --input-file /tmp/tmpq3alxilv/cert.pem --append --debug
INFO: Initializing NSS
INFO: Using internal token
INFO: Loading certificates from /tmp/tmpo22mm2_y/cert_chain.p7b
INFO: - CN=CA,O=Example Organization España
INFO: Importing certificates from /tmp/tmpq3alxilv/cert.pem
INFO: - CN=Certificate Authority,O=TESTRELM.TEST
INFO: Storing certificates into /tmp/tmpo22mm2_y/cert_chain.p7b
java.lang.Exception: Multiple leaf certificates: [CN=CA, O=Example Organization España], [CN=Certificate Authority, O=TESTRELM.TEST]
at org.mozilla.jss.netscape.security.util.Cert.sortCertificateChain(Cert.java:308)
at org.mozilla.jss.netscape.security.x509.CertificateChain.sort(CertificateChain.java:111)
at org.mozilla.jss.netscape.security.x509.CertificateChain.toPKCS7(CertificateChain.java:234)
at com.netscape.cmstools.pkcs7.PKCS7CertImportCLI.execute(PKCS7CertImportCLI.java:119)
at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at org.dogtagpki.cli.CLI.execute(CLI.java:353)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:659)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)
DEBUG: NSSDatabase.import_cert_chain(caSigningCert External CA) ends
ERROR: CalledProcessError: Command '['pki', '-d', '/etc/pki/pki-tomcat/alias', 'pkcs7-cert-import', '--pkcs7', '/tmp/tmpo22mm2_y/cert_chain.p7b', '--input-file', '/tmp/tmpq3alxilv/cert.pem', '--append', '--debug']' returned non-zero exit status 255.
File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 569, in main
deployer.spawn()
File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 4854, in spawn
scriptlet.spawn(self)
File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 63, in spawn
deployer.import_system_certs(nssdb, subsystem)
File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 2248, in import_system_certs
self.import_cert_chain(nssdb)
File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 2192, in import_cert_chain
nssdb.import_cert_chain(
File "/usr/lib/python3.9/site-packages/pki/nssdb.py", line 2314, in import_cert_chain
self.__convert_certs_into_pkcs7(pem_parts, input_file)
File "/usr/lib/python3.9/site-packages/pki/nssdb.py", line 2288, in __convert_certs_into_pkcs7
self.run(cmd, check=True)
File "/usr/lib/python3.9/site-packages/pki/nssdb.py", line 326, in run
result = subprocess.run(
File "/usr/lib64/python3.9/subprocess.py", line 528, in run
raise CalledProcessError(retcode, process.args,
2023-12-06T07:59:50Z CRITICAL Failed to configure CA instance
2023-12-06T07:59:50Z CRITICAL See the installation logs and the following files/directories for more information:
2023-12-06T07:59:50Z CRITICAL /var/log/pki/pki-tomcat
2023-12-06T07:59:50Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
method()
File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 680, in __spawn_instance
DogtagInstance.spawn_instance(
File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 609, in handle_setup_error
raise RuntimeError(
RuntimeError: CA configuration failed.
2023-12-06T07:59:50Z DEBUG [error] RuntimeError: CA configuration failed.
2023-12-06T07:59:50Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
2023-12-06T07:59:50Z DEBUG File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.9/site-packages/ipapython/install/cli.py", line 344, in run
return cfgr.run()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 360, in run
return self.execute()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 386, in execute
for rval in self._executor():
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
step()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
return next(self.__gen)
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 663, in _configure
next(executor)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 435, in __runner
exc_handler(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 468, in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 526, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 523, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 458, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 425, in __runner
step()
File "/usr/lib/python3.9/site-packages/ipapython/install/core.py", line 419, in step_next
return next(self.__gen)
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.9/site-packages/six.py", line 709, in reraise
raise value
File "/usr/lib/python3.9/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.9/site-packages/ipapython/install/common.py", line 65, in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/__init__.py", line 640, in main
replica_install(self)
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 383, in decorated
func(installer)
File "/usr/lib/python3.9/site-packages/ipaserver/install/server/replicainstall.py", line 1367, in install
ca.install(False, config, options, custodia=custodia)
File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 579, in install
install_step_0(standalone, replica_config, options, custodia=custodia)
File "/usr/lib/python3.9/site-packages/ipaserver/install/ca.py", line 659, in install_step_0
ca.configure_instance(
File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 515, in configure_instance
self.start_creation(runtime=runtime)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
method()
File "/usr/lib/python3.9/site-packages/ipaserver/install/cainstance.py", line 680, in __spawn_instance
DogtagInstance.spawn_instance(
File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 227, in spawn_instance
self.handle_setup_error(e)
File "/usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py", line 609, in handle_setup_error
raise RuntimeError(
2023-12-06T07:59:50Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: CA configuration failed.
2023-12-06T07:59:50Z ERROR CA configuration failed.
2023-12-06T07:59:50Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@replica ~]#
This same chain can be imported with 11.4.0 and before.
See https://issues.redhat.com/browse/FREEIPA-10630 for additional details
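The failure above comes from the chain sort that `pki pkcs7-cert-import` runs before it writes the PKCS#7 bundle: the existing bundle still carries the external root (CN=CA,O=Example Organization España) while the appended cert.pem holds the IPA CA, and the error reports both as leaves, meaning neither is issued by the other. The following is an added example, not code from the PKI or JSS projects: a small model of that sort over (subject, issuer) name pairs, with a pre-import check that flags a bundle which would hold two unrelated roots. The `Cert`, `sort_chain` and `check_bundle` names and the (subject, issuer) simplification are this example's own assumptions; the certificate names are taken from the log.

```python
# Added example (not code from the PKI/JSS project): a minimal model of the
# leaf-first chain sort performed before a PKCS#7 bundle is written, plus a
# pre-import check for the --append case shown in the bug. Certificates are
# reduced to (subject, issuer) name pairs; no X.509 parsing or signature
# verification happens here.
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class ChainError(Exception):
    """Raised when the certificates do not form exactly one chain."""


def sort_chain(certs: Iterable[Cert]) -> List[Cert]:
    """Return certs ordered leaf first, each followed by its issuer.

    A 'leaf' is a certificate that no other certificate in the set names as
    its issuer. More than one leaf means the set is not a single chain, the
    condition the JSS sorter reports as "Multiple leaf certificates".
    """
    certs = list(certs)
    if not certs:
        return []
    by_subject: Dict[str, Cert] = {}
    for c in certs:
        if c.subject in by_subject:
            raise ChainError(f"Duplicate subject: {c.subject}")
        by_subject[c.subject] = c
    # Subjects that some *other* certificate in the set was issued by.
    issued_by = {c.issuer for c in certs if not c.self_signed}
    leaves = [c for c in certs if c.subject not in issued_by]
    if len(leaves) > 1:
        names = ", ".join(f"[{c.subject}]" for c in leaves)
        raise ChainError(f"Multiple leaf certificates: {names}")
    if not leaves:
        raise ChainError("No leaf certificate: issuer references form a loop")
    chain = [leaves[0]]
    seen = {leaves[0].subject}
    cur = leaves[0]
    # Walk from the leaf towards the root; stop at a self-signed certificate
    # or when the issuer is not in the set (partial chain).
    while not cur.self_signed and cur.issuer in by_subject:
        cur = by_subject[cur.issuer]
        if cur.subject in seen:
            raise ChainError("Issuer loop detected")
        chain.append(cur)
        seen.add(cur.subject)
    if len(chain) != len(certs):
        raise ChainError("Certificates not reachable from the leaf")
    return chain


def check_bundle(existing: Iterable[Cert], appended: Iterable[Cert]) -> List[str]:
    """Pre-import check for the --append path: the current bundle plus the
    certificates to be appended must still sort into one chain. Returns a
    list of problems; empty means the import would succeed."""
    combined = list(existing) + list(appended)
    problems: List[str] = []
    roots = [c for c in combined if c.self_signed]
    if len(roots) > 1:
        names = "; ".join(c.subject for c in roots)
        problems.append(f"bundle would hold {len(roots)} self-signed certificates: {names}")
    try:
        sort_chain(combined)
    except ChainError as exc:
        problems.append(str(exc))
    return problems


# Constructed sample data using the names from the log above.
EXTERNAL_ROOT = Cert("CN=CA,O=Example Organization España",
                     "CN=CA,O=Example Organization España")
IPA_CA_EXTERNALLY_SIGNED = Cert("CN=Certificate Authority,O=TESTRELM.TEST",
                                "CN=CA,O=Example Organization España")
IPA_CA_SELF_SIGNED = Cert("CN=Certificate Authority,O=TESTRELM.TEST",
                          "CN=Certificate Authority,O=TESTRELM.TEST")

if __name__ == "__main__":
    # While the IPA CA is externally signed, the bundle is one chain.
    print("externally signed:", check_bundle([EXTERNAL_ROOT], [IPA_CA_EXTERNALLY_SIGNED]))
    # After renewing back to self-signed with the external root still in the
    # bundle, two unrelated roots remain and the sort fails as in the log.
    for problem in check_bundle([EXTERNAL_ROOT], [IPA_CA_SELF_SIGNED]):
        print("self-signed again:", problem)
```

Run against a real bundle, the same check amounts to listing subject and issuer of every certificate in cert_chain.p7b and of the certificate being appended: a stale root left over from the external-CA period shows up as a second self-signed entry that nothing else in the set chains to.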
Links to: RHSA-2024:129966 pki-core security update