IPA server installation with externally-signed CA fails (with @pki/master copr repo) #4745

flo-renaud · 2024-05-15T07:44:55Z

The installation of an IPA server with an externally-signed CA fails with PKI shipped in @pki/master copr repo.

Reproducer steps:

dnf copr enable -y @freeipa/freeipa-master-nightly
dnf copr enable -y @pki/master
ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 --external-ca -U
This step generates a CSR in /root/ipa.csr. Create an external CA, sign the csr, and continue the installation with
ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 --external-cert-file ca-chain.crt

The installation fails:

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.12.0.dev202405071236+git

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

Warning: skipping DNS resolution of host server.ipa.test
Checking DNS domain ipa.test., please wait ...
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.


NetBIOS domain name [IPA]: 

Do you want to configure chrony with NTP server or pool address? [no]: 

The IPA Master Server will be configured with:
Hostname:       server.ipa.test
IP address(es): 10.0.187.161
Domain name:    ipa.test
Realm name:     IPA.TEST

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=IPA.TEST
Subject base: O=IPA.TEST
Chaining:     externally signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       10.11.5.160, 10.2.70.215, 2620:52:0:aa0::dead:beef, 10.11.5.160, 10.2.70.215, 2620:52:0:aa0::dead:beef
Forward policy:   only
Reverse zone(s):  No reverse zone

Disabled p11-kit-proxy
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/31]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The logs from pki-ca-spawn contain the following message:

2024-05-15 03:32:17 DEBUG: Importing a PKCS #7 data without header/footer
2024-05-15 03:32:17 DEBUG: NSSDatabase.import_pkcs7()
2024-05-15 03:32:17 DEBUG: Command: pki -d /var/lib/pki/pki-tomcat/conf/alias pkcs7-cert-export --pkcs7 -----BEGIN PKCS7-----
MIIDOgYJKoZIhvcNAQcCoIIDKzCCAycCAQExADALBgkqhkiG9w0BBwGgggMPMIID
CzCCAfOgAwIBAgIFAMMPI4QwDQYJKoZIhvcNAQELBQAwJTEPMA0GA1UEChMGTXlB
dXRoMRIwEAYDVQQDEwlDZXJ0IEF1dGgwHhcNMjQwNTE1MDczMTQyWhcNMjQwODE1
MDczMTQyWjAlMQ8wDQYDVQQKEwZNeUF1dGgxEjAQBgNVBAMTCUNlcnQgQXV0aDCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJS6e7wiVvuAHvZVJRVEXTEv
VV85BHoEF9a8BZz7tJ3fwixENhFrJBBTQo8JBEX53b6SM8uwJxm082Z1rbNOoyUX
Gaf+GaTJ6LYojkwrmDKv7odEnyGjtkrJon41WcJSX2hN0PXQzqiErBhzXLMs0wuN
Sokce6o/cLEgICfm5Evv1IWxoUxOAjfMxXSlVDp+hTBeKYLzwqWkcIXWabfALtmR
nJy4tQOeg2MVK383e+ewmwj8t4rXw9u/VkSTnul6AdxiO+aLqADHt2vcBZtsz9mZ
jJQqLeISzW0USdNUq8gAZccCh3WjCxsNHM+pQ+44qMigQXoYNfDR2Y13aKqL9BUC
AwEAAaNCMEAwHQYDVR0OBBYEFDImbSsZOSenVp+z1C86CEv+TTw/MA8GA1UdEwEB
/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMA0GCSqGSIb3DQEBCwUAA4IBAQAkmEqY
8IpMiMhA5SrQ6F35RXgG4H985kfQ1bUee0aJRJva9dleSU+ofe1jFZ3KvOEsFxmG
nd8Wwu/WuzXH3nrEzAk/Qt/H8hyh6R4vsp56fWM2yRA5yN4eO4nejQTzVx/Tl/i7
y0KaqW1Y4Qq496yQAA4o+o7fLnmS4F2xNJcpLHgqxuf2B/hK+QgmooqNFhkcYObS
33CMQyblHESdcUOIlZffvHVBfzsGm93GZz4MGY51e2Q/8zGoXZa2D0U3+jsTUUy/
8lD4Jjc/oeySZUKKYfBH6pCHWHnsxGxT7SN9iZm9JcYI20y/PUUcizXbOvyXTwBz
70+Zbc4ZqW248OaJMQA=
-----END PKCS7-----
 --output-prefix /tmp/tmp1s8viaol/cert --output-suffix .crt --debug
2024-05-15 03:32:17 DEBUG: NSSDatabase.import_cert_chain(caSigningCert External CA) ends

and ipa-server-install log:

DEBUG: Importing a PKCS #7 data without header/footer
DEBUG: NSSDatabase.import_pkcs7()
DEBUG: Command: pki -d /var/lib/pki/pki-tomcat/conf/alias pkcs7-cert-export --pkcs7 -----BEGIN PKCS7-----
MIIDOgYJKoZIhvcNAQcCoIIDKzCCAycCAQExADALBgkqhkiG9w0BBwGgggMPMIID
CzCCAfOgAwIBAgIFAMMPI4QwDQYJKoZIhvcNAQELBQAwJTEPMA0GA1UEChMGTXlB
dXRoMRIwEAYDVQQDEwlDZXJ0IEF1dGgwHhcNMjQwNTE1MDczMTQyWhcNMjQwODE1
MDczMTQyWjAlMQ8wDQYDVQQKEwZNeUF1dGgxEjAQBgNVBAMTCUNlcnQgQXV0aDCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJS6e7wiVvuAHvZVJRVEXTEv
VV85BHoEF9a8BZz7tJ3fwixENhFrJBBTQo8JBEX53b6SM8uwJxm082Z1rbNOoyUX
Gaf+GaTJ6LYojkwrmDKv7odEnyGjtkrJon41WcJSX2hN0PXQzqiErBhzXLMs0wuN
Sokce6o/cLEgICfm5Evv1IWxoUxOAjfMxXSlVDp+hTBeKYLzwqWkcIXWabfALtmR
nJy4tQOeg2MVK383e+ewmwj8t4rXw9u/VkSTnul6AdxiO+aLqADHt2vcBZtsz9mZ
jJQqLeISzW0USdNUq8gAZccCh3WjCxsNHM+pQ+44qMigQXoYNfDR2Y13aKqL9BUC
AwEAAaNCMEAwHQYDVR0OBBYEFDImbSsZOSenVp+z1C86CEv+TTw/MA8GA1UdEwEB
/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMA0GCSqGSIb3DQEBCwUAA4IBAQAkmEqY
8IpMiMhA5SrQ6F35RXgG4H985kfQ1bUee0aJRJva9dleSU+ofe1jFZ3KvOEsFxmG
nd8Wwu/WuzXH3nrEzAk/Qt/H8hyh6R4vsp56fWM2yRA5yN4eO4nejQTzVx/Tl/i7
y0KaqW1Y4Qq496yQAA4o+o7fLnmS4F2xNJcpLHgqxuf2B/hK+QgmooqNFhkcYObS
33CMQyblHESdcUOIlZffvHVBfzsGm93GZz4MGY51e2Q/8zGoXZa2D0U3+jsTUUy/
8lD4Jjc/oeySZUKKYfBH6pCHWHnsxGxT7SN9iZm9JcYI20y/PUUcizXbOvyXTwBz
70+Zbc4ZqW248OaJMQA=
-----END PKCS7-----
 --output-prefix /tmp/tmp1s8viaol/cert --output-suffix .crt --debug
INFO: Loading PKCS #7 data from -----BEGIN PKCS7-----
MIIDOgYJKoZIhvcNAQcCoIIDKzCCAycCAQExADALBgkqhkiG9w0BBwGgggMPMIID
CzCCAfOgAwIBAgIFAMMPI4QwDQYJKoZIhvcNAQELBQAwJTEPMA0GA1UEChMGTXlB
dXRoMRIwEAYDVQQDEwlDZXJ0IEF1dGgwHhcNMjQwNTE1MDczMTQyWhcNMjQwODE1
MDczMTQyWjAlMQ8wDQYDVQQKEwZNeUF1dGgxEjAQBgNVBAMTCUNlcnQgQXV0aDCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJS6e7wiVvuAHvZVJRVEXTEv
VV85BHoEF9a8BZz7tJ3fwixENhFrJBBTQo8JBEX53b6SM8uwJxm082Z1rbNOoyUX
Gaf+GaTJ6LYojkwrmDKv7odEnyGjtkrJon41WcJSX2hN0PXQzqiErBhzXLMs0wuN
Sokce6o/cLEgICfm5Evv1IWxoUxOAjfMxXSlVDp+hTBeKYLzwqWkcIXWabfALtmR
nJy4tQOeg2MVK383e+ewmwj8t4rXw9u/VkSTnul6AdxiO+aLqADHt2vcBZtsz9mZ
jJQqLeISzW0USdNUq8gAZccCh3WjCxsNHM+pQ+44qMigQXoYNfDR2Y13aKqL9BUC
AwEAAaNCMEAwHQYDVR0OBBYEFDImbSsZOSenVp+z1C86CEv+TTw/MA8GA1UdEwEB
/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMA0GCSqGSIb3DQEBCwUAA4IBAQAkmEqY
8IpMiMhA5SrQ6F35RXgG4H985kfQ1bUee0aJRJva9dleSU+ofe1jFZ3KvOEsFxmG
nd8Wwu/WuzXH3nrEzAk/Qt/H8hyh6R4vsp56fWM2yRA5yN4eO4nejQTzVx/Tl/i7
y0KaqW1Y4Qq496yQAA4o+o7fLnmS4F2xNJcpLHgqxuf2B/hK+QgmooqNFhkcYObS
33CMQyblHESdcUOIlZffvHVBfzsGm93GZz4MGY51e2Q/8zGoXZa2D0U3+jsTUUy/
8lD4Jjc/oeySZUKKYfBH6pCHWHnsxGxT7SN9iZm9JcYI20y/PUUcizXbOvyXTwBz
70+Zbc4ZqW248OaJMQA=
-----END PKCS7-----

java.nio.file.FileSystemException: -----BEGIN PKCS7-----
MIIDOgYJKoZIhvcNAQcCoIIDKzCCAycCAQExADALBgkqhkiG9w0BBwGgggMPMIID
CzCCAfOgAwIBAgIFAMMPI4QwDQYJKoZIhvcNAQELBQAwJTEPMA0GA1UEChMGTXlB
dXRoMRIwEAYDVQQDEwlDZXJ0IEF1dGgwHhcNMjQwNTE1MDczMTQyWhcNMjQwODE1
MDczMTQyWjAlMQ8wDQYDVQQKEwZNeUF1dGgxEjAQBgNVBAMTCUNlcnQgQXV0aDCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJS6e7wiVvuAHvZVJRVEXTEv
VV85BHoEF9a8BZz7tJ3fwixENhFrJBBTQo8JBEX53b6SM8uwJxm082Z1rbNOoyUX
Gaf+GaTJ6LYojkwrmDKv7odEnyGjtkrJon41WcJSX2hN0PXQzqiErBhzXLMs0wuN
Sokce6o/cLEgICfm5Evv1IWxoUxOAjfMxXSlVDp+hTBeKYLzwqWkcIXWabfALtmR
nJy4tQOeg2MVK383e+ewmwj8t4rXw9u/VkSTnul6AdxiO+aLqADHt2vcBZtsz9mZ
jJQqLeISzW0USdNUq8gAZccCh3WjCxsNHM+pQ+44qMigQXoYNfDR2Y13aKqL9BUC
AwEAAaNCMEAwHQYDVR0OBBYEFDImbSsZOSenVp+z1C86CEv+TTw/MA8GA1UdEwEB
/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMA0GCSqGSIb3DQEBCwUAA4IBAQAkmEqY
8IpMiMhA5SrQ6F35RXgG4H985kfQ1bUee0aJRJva9dleSU+ofe1jFZ3KvOEsFxmG
nd8Wwu/WuzXH3nrEzAk/Qt/H8hyh6R4vsp56fWM2yRA5yN4eO4nejQTzVx/Tl/i7
y0KaqW1Y4Qq496yQAA4o+o7fLnmS4F2xNJcpLHgqxuf2B/hK+QgmooqNFhkcYObS
33CMQyblHESdcUOIlZffvHVBfzsGm93GZz4MGY51e2Q/8zGoXZa2D0U3+jsTUUy/
8lD4Jjc/oeySZUKKYfBH6pCHWHnsxGxT7SN9iZm9JcYI20y/PUUcizXbOvyXTwBz
70+Zbc4ZqW248OaJMQA=
-----END PKCS7-----
: File name too long
        at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100)
        at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
        at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
        at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
        at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
        at java.base/java.nio.file.Files.newByteChannel(Files.java:432)
        at java.base/java.nio.file.Files.readAllBytes(Files.java:3288)
        at com.netscape.cmstools.pkcs7.PKCS7CertExportCLI.execute(PKCS7CertExportCLI.java:96)
        at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
        at org.dogtagpki.cli.CLI.execute(CLI.java:353)

It looks like the command expects a filename but is provided the certificate content.

ipaserver-install.log

pki-ca-spawn.20240515033215.log

The text was updated successfully, but these errors were encountered:

flo-renaud · 2024-05-15T07:50:29Z

Installed versions (fedora 39):

freeipa-server-4.12.0.dev202405071236+git-0.fc39.x86_64
pki-resteasy-core-3.0.26-31.fc39.noarch
dogtag-pki-server-11.6.0-0.1.alpha1.20240514231708UTC.09ea4f77.fc39.noarch

edewata · 2024-05-17T00:17:16Z

This issue should be fixed by this commit: abd605b

Could you try again?

flo-renaud · 2024-05-28T16:22:05Z

Hi @edewata
the tests from this week-end didn't hit the issue (PR 3701). Closing as fixed.

This was referenced May 15, 2024

Nightly test failure with @pki/master copr repo #4710

Closed

[testing_master_pki] Nightly PR freeipa-pr-ci2/freeipa#3662

Closed

amore17 mentioned this issue May 21, 2024

[testing_master_pki] Nightly PR freeipa-pr-ci2/freeipa#3682

Closed

flo-renaud closed this as completed May 28, 2024

amore17 mentioned this issue May 30, 2024

[testing_master_pki] Nightly PR freeipa-pr-ci2/freeipa#3701

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

IPA server installation with externally-signed CA fails (with @pki/master copr repo) #4745

IPA server installation with externally-signed CA fails (with @pki/master copr repo) #4745

flo-renaud commented May 15, 2024

flo-renaud commented May 15, 2024

edewata commented May 17, 2024

flo-renaud commented May 28, 2024

IPA server installation with externally-signed CA fails (with @pki/master copr repo) #4745

IPA server installation with externally-signed CA fails (with @pki/master copr repo) #4745

Comments

flo-renaud commented May 15, 2024

flo-renaud commented May 15, 2024

edewata commented May 17, 2024

flo-renaud commented May 28, 2024