cert-fix issue see in IPA CI: org.mozilla.jss.crypto.ObjectNotFoundException: Private key not found #4355
Assignees
Labels
Triaged
Issue is acknowledge for Product Backlog
Comments
|
I've duplicated this on a RHEL 9.2 beta installation using a nCipher HSM. |
|
Related ticket https://issues.redhat.com/browse/RHCS-3690 |
edewata
added a commit
to edewata/pki
that referenced
this issue
Nov 2, 2023
Resolves: dogtagpki#4355
edewata
added a commit
to edewata/pki
that referenced
this issue
Nov 2, 2023
The PKISubsystem.temp_cert_create() has been updated to use the fullname of the CA signing cert such that it can find the cert and the key in HSM. The PKIServer.open_nssdb() has been modified to provide the password.conf, the user, and the group of PKI server to NSSDatabase object such that it can be used to access the HSM and create files with the proper ownership. A new test has been added to verify CA system certs renewal with HSM. Resolves: dogtagpki#4355
edewata
added a commit
to edewata/pki
that referenced
this issue
Nov 2, 2023
The PKISubsystem.temp_cert_create() has been updated to use the fullname of the CA signing cert such that it can find the cert and the key in HSM properly. A new test has been added to verify CA system certs renewal with HSM. Resolves: dogtagpki#4355
edewata
added a commit
to edewata/pki
that referenced
this issue
Nov 2, 2023
The PKISubsystem.temp_cert_create() has been updated to use the full name of the CA signing cert such that it can find the cert and the key properly in HSM. A new test has been added to verify CA system certs renewal with HSM. Resolves: dogtagpki#4355
edewata
added a commit
to edewata/pki
that referenced
this issue
Nov 2, 2023
The PKISubsystem.temp_cert_create() has been updated to use the full name of the CA signing cert such that it can find the cert and the key properly in HSM. A new test has been added to verify CA system certs renewal with HSM. Resolves: dogtagpki#4355
edewata
added a commit
to edewata/pki
that referenced
this issue
Nov 2, 2023
The PKISubsystem.temp_cert_create() has been updated to use the full name of the CA signing cert such that it can find the cert and the key properly in HSM. A new test has been added to verify CA system certs renewal with HSM. Resolves: dogtagpki#4355
edewata
added a commit
to edewata/pki
that referenced
this issue
Nov 3, 2023
The PKISubsystem.temp_cert_create() has been updated to use the full name of the CA signing cert such that it can find the cert and the key properly in HSM. A new test has been added to verify CA system certs renewal with HSM. Resolves: dogtagpki#4355
edewata
added a commit
that referenced
this issue
Nov 3, 2023
The PKISubsystem.temp_cert_create() has been updated to use the full name of the CA signing cert such that it can find the cert and the key properly in HSM. A new test has been added to verify CA system certs renewal with HSM. Resolves: #4355
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
IPA has a test which moves current time past expiration in order to test ipa-cert-fix for offline renewals when using SoftHSM2 as key storage. ipa-cert-fix is a wrapper around pki-server cert-fix.
From what I can tell a temporary server cert is issued but the key cannot be found. It is unclear whether the key is being generated on the HSM or the softoken but jss can't find it.
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info from CS.cfg
INFO: Getting sslserver cert info from NSS database
INFO: Trying to create a new temp cert for sslserver. INFO: Generate temp SSL certificate INFO: Getting sslserver cert info from CS.cfg INFO: Getting sslserver cert info from NSS database
INFO: CSR for sslserver has been written to /tmp/tmpkkwzyjpn/sslserver.csr
INFO: Getting signing cert info from CS.cfg
INFO: Getting signing cert info from NSS database
INFO: CA cert written to /tmp/tmpkkwzyjpn/ca_certificate.crt
INFO: AKI: 0x4967980AD6D239CAF98A2753F54FBD6D97A5C70B
INFO: Initializing NSS
INFO: Logging into internal token
INFO: Using internal token
INFO: Creating AKID extension:
INFO: - keyid
INFO: - AKID: 0x4967980ad6d239caf98a2753f54fbd6d97a5c70b
INFO: Creating key usage extension:
INFO: - critical
INFO: - digitalSignature
INFO: - nonRepudiation
INFO: - keyEncipherment
INFO: - dataEncipherment
INFO: Creating extended key usage extension:
INFO: - serverAuth org.mozilla.jss.crypto.ObjectNotFoundException: Private key not found at org.mozilla.jss.CryptoManager.findPrivKeyByCertNative(Native Method) at org.mozilla.jss.CryptoManager.findPrivKeyByCert(CryptoManager.java:1111) at org.dogtagpki.nss.NSSDatabase.createCertificate(NSSDatabase.java:1138) at com.netscape.cmstools.nss.NSSCertIssueCLI.execute(NSSCertIssueCLI.java:115) at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58) at org.dogtagpki.cli.CLI.execute(CLI.java:353) at org.dogtagpki.cli.CLI.execute(CLI.java:353) at org.dogtagpki.cli.CLI.execute(CLI.java:353) at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:658) at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:697)
The full test output is available in http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/88ce8ca8-bc09-11ed-9737-fa163e46d29b/report.html
We also have the PKI logs in http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/88ce8ca8-bc09-11ed-9737-fa163e46d29b/test_integration-test_hsm.py-TestHSMcertFix-test_hsm_renew_expired_cert_on_master/master.ipa.test/
The text was updated successfully, but these errors were encountered: