Project: RHEL
Issue: RHEL-57039

pkispawn fails on systems where TPM devices are available.

    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-9.4
    • pki-core
    • Moderate
    • rhel-sst-idm-cs
    • ssg_idm
    • Red Hat Enterprise Linux
    • All

      What were you trying to do that didn't work?

      pkispawn fails on systems where TPM devices are available.

      [root@rhel94-ipa1 pki]# ls /dev/tpm*
      /dev/tpm0  /dev/tpmrm0
      [root@rhel94-ipa1 pki]# rpm -qa | grep tpm2
      tpm2-tss-3.2.2-2.el9.x86_64
      tpm2-tools-5.2-3.el9.x86_64
      tpm2-pkcs11-tools-1.5.0-9.el9.x86_64
      tpm2-pkcs11-1.5.0-9.el9.x86_64
      
      -- /var/log/ipaserver-install.log --
      2024-09-04T08:49:40Z DEBUG args=['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpc4abprae', '--debug', '--log-file', '/var/log/pki/pki-ca-spawn.20240904174940.log']
      :
      DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpr_2jlb3e/password.txt -n Server-Cert cert-pki-ca -a
      DEBUG: stdout: -1
      ERROR: Exception: Could not find cert: Server-Cert cert-pki-ca: b'ERROR: Listing FAPI token objects failed.\ncertutil: Could not find cert: Server-Cert cert-pki-ca\n: PR_FILE_NOT_FOUND_ERROR: File not found'
        File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 568, in main
          deployer.spawn()
        File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 4985, in spawn
          scriptlet.spawn(self)
        File "/usr/lib/python3.9/site-packages/pki/server/deployment/scriptlets/configuration.py", line 70, in spawn
          deployer.update_sslserver_cert_nickname(subsystem)
        File "/usr/lib/python3.9/site-packages/pki/server/deployment/__init__.py", line 3203, in update_sslserver_cert_nickname
          sslserver = subsystem.get_subsystem_cert('sslserver')
        File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 357, in get_subsystem_cert
          cert_info = self.get_nssdb_cert_info(tag)
        File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 386, in get_nssdb_cert_info
          return nssdb.get_cert_info(nickname, token=token)
        File "/usr/lib/python3.9/site-packages/pki/nssdb.py", line 2052, in get_cert_info
          cert_pem = self.get_cert(nickname=nickname, token=token)
        File "/usr/lib/python3.9/site-packages/pki/nssdb.py", line 2025, in get_cert
          raise Exception('Could not find cert: %s: %s' % (fullname, std_err.strip()))

      pkispawn checks for certificates using the certutil command.

      -- pki-ca-spawn.20240903165513.log --
      2024-09-03 16:55:24 DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpisd04yi9/password.txt -n Server-Cert cert-pki-ca -a

      The check expects certutil's stderr to start with "certutil: Could not find cert: "; only that exact prefix is treated as "certificate not present", and any other stderr content is raised as an exception.

      -- /usr/lib/python3.9/site-packages/pki/nssdb.py --
          def get_cert(self, nickname, token=None, output_format='pem',
                       output_text=False):
      :
                  if std_err:
                      # certutil returned an error
                      # raise exception unless its not cert not found
                      if std_err.startswith(b'certutil: Could not find cert: '):
                          logger.debug('Cert not found: %s', nickname)
                          return None
                      raise Exception('Could not find cert: %s: %s' % (fullname, std_err.strip()))

      However, when a TPM device is present and the tpm2 packages are installed, the TPM FAPI library prints its own warnings to stderr before certutil's message, so stderr no longer starts with the expected prefix:

        [root@rhel94-ipa1 tmp]# certutil -L -d . -n Server-Cert -f pwdfile.txt
        WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:226:Fapi_List_Finish() Profile of path not provisioned: /HS/SRK
        ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
        ERROR: Listing FAPI token objects failed.
        certutil: Could not find cert: Server-Cert
        : PR_FILE_NOT_FOUND_ERROR: File not found

      I think that pkispawn should have another way to check for certificates, not an error message.
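      The following is an added illustration of the failure mode, not code from pki/nssdb.py: it runs the quoted prefix check and a hypothetical line-based alternative over constructed stderr samples modelled on the output above, showing that the prefix check misclassifies a missing certificate as a hard error once the FAPI diagnostics appear first.

```python
# Added illustration for this report, not code from pki/nssdb.py.
# The stderr captures below are constructed, modelled on the output quoted above.

NOT_FOUND_PREFIX = b'certutil: Could not find cert: '

# certutil on a system without a TPM: stderr starts with the marker get_cert() looks for.
STDERR_PLAIN = (
    b'certutil: Could not find cert: Server-Cert\n'
    b': PR_FILE_NOT_FOUND_ERROR: File not found\n'
)

# Same lookup with a TPM present: the FAPI diagnostics come first, so the
# marker is now on the fourth line instead of at offset 0.
STDERR_WITH_TPM_NOISE = (
    b'WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:226:Fapi_List_Finish() '
    b'Profile of path not provisioned: /HS/SRK\n'
    b'ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() '
    b'ErrorCode (0x00060034) Entities_List\n'
    b'ERROR: Listing FAPI token objects failed.\n'
    b'certutil: Could not find cert: Server-Cert\n'
    b': PR_FILE_NOT_FOUND_ERROR: File not found\n'
)

# A genuinely different failure (constructed) that must still surface as an error.
STDERR_BAD_PASSWORD = b'certutil: could not authenticate to token NSS Certificate DB.\n'


def is_cert_missing_prefix(std_err: bytes) -> bool:
    """The check as quoted from pki/nssdb.py: only the start of stderr is inspected."""
    return std_err.startswith(NOT_FOUND_PREFIX)


def is_cert_missing_any_line(std_err: bytes) -> bool:
    """Hypothetical hardened check: accept the marker on any stderr line, since a
    loaded PKCS#11 module may write its own diagnostics before certutil does."""
    return any(line.startswith(NOT_FOUND_PREFIX) for line in std_err.splitlines())


def classify_lookup(std_err: bytes, is_missing) -> str:
    """Mirror get_cert()'s three outcomes: 'found' (empty stderr), 'not-found'
    (upstream returns None) or 'error' (upstream raises an exception)."""
    if not std_err:
        return 'found'
    if is_missing(std_err):
        return 'not-found'
    return 'error'
```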

      Please provide the package NVR for which the bug is seen:

      • idm-pki-server

      How reproducible:

      Always

      Steps to reproduce

      1. Attach the TPM device to the system. (QEMU virtual environment can test virtual TPM device).
      2. Install TPM packages: `yum install tpm2-pkcs11 tpm2-tss`
      3. Run pkispawn directly or run ipa-server-install to install the IPA server along with the integrated CA.

      Expected results

      pkispawn can complete CA creation and IPA server installation without terminating.

      Actual results

      pkispawn exits after executing the certutil command.

      -- pki-ca-spawn.XXXXX.log --
      :
      2024-09-03 16:55:24 INFO: Getting sslserver cert info from NSS database
      2024-09-03 16:55:24 DEBUG: NSSDatabase.get_cert_info(Server-Cert cert-pki-ca) begins
      2024-09-03 16:55:24 DEBUG: NSSDatabase.get_cert(Server-Cert cert-pki-ca) begins
      2024-09-03 16:55:24 DEBUG: Command: certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/tmpisd04yi9/password.txt -n Server-Cert cert-pki-ca -a
      2024-09-03 16:55:24 DEBUG: stdout: -1

      Kazushige Yoneyama (rhn-support-kyoneyam)
      IdM CS QE
      Votes: 0
      Watchers: 3