Trying to install freeipa signed by an external CA fails on step 2/28. Here is a transcript and attached are the full logfiles.
This is on CentOS 7 with freeipa 4.3.1 from the COPR repo https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/, but the same thing happens with freeipa-4.2.0 from EPEL7.
```
[root@corp-ldap-03: ~]# ipa-server-install --mkhomedir --external-ca
...
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
```

Signing the CSR with the external CA:

```
#sign
/usr/bin/openssl ca -batch -passin env:SSLPASS -notext \
    -config intermediate.cnf \
    -name ca_ca \
    -in "ipa.csr" \
    -days 7200 -preserveDN -md sha256 -noemailDN
```

```
####### intermediate.cnf ########
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ ca_ca ]
dir             = /root/.TinyCA/forthnet.prv
certs           = $dir/certs
crl_dir         = $dir/crl
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
serial          = $dir/serial
crl             = $dir/crl.pem
private_key     = $dir/cacert.key
RANDFILE        = $dir/.rand
x509_extensions = v3_intermediate_ca
default_days    = 365
default_crl_days = 30
default_md      = sha1
preserve        = no
policy          = policy_ca
unique_subject  = yes
####### intermediate.cnf ########
```

Second run with the signed certificate and the external CA certificate:

```
[root@corp-ldap-03: ~]# ipa-server-install --external-cert-file=/root/ipa.pem --external-cert-file=/root/forthnet.prv-cacert.pem

The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password:
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)

The IPA Master Server will be configured with:
Hostname:       corp-ldap-03.cloud.forthnet.prv
IP address(es): 10.24.4.11
Domain name:    corp.local
Realm name:     CORP.LOCAL

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/28]: creating certificate server user
  [2/28]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpaOy1C7' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```

```
########### ipaserver-install.log ############
2016-04-08T07:46:54Z DEBUG Starting external process
2016-04-08T07:46:54Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpaOy1C7
2016-04-08T07:48:21Z DEBUG Process finished, return code=1
2016-04-08T07:48:21Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160408104654.log
Loading deployment configuration from /tmp/tmpaOy1C7.
Installing CA into /var/lib/pki/pki-tomcat.
Installation failed.

2016-04-08T07:48:21Z DEBUG stderr=pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.lang.NullPointerException"}

2016-04-08T07:48:21Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpaOy1C7' returned non-zero exit status 1
2016-04-08T07:48:21Z CRITICAL See the installation logs and the following files/directories for more information:
2016-04-08T07:48:21Z CRITICAL   /var/log/pki/pki-tomcat
2016-04-08T07:48:21Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 579, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 421, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
```

```
########## pki-ca-spawn.20160408104654.log ############
2016-04-08 10:47:04 pkispawn    : INFO     ....... executing 'certutil -R -d /tmp/tmp-o_Edqx -s cn=ipa-ca-agent,O=CORP.LOCAL -k rsa -g 2048 -z /tmp/tmp-o_Edqx/noise -f /root/.dogtag/pki-tomcat/ca/password.conf -o /tmp/tmp-o_Edqx/admin_pkcs10.bin'
2016-04-08 10:47:04 pkispawn    : INFO     ....... rm -f /tmp/tmp-o_Edqx/noise
2016-04-08 10:47:04 pkispawn    : INFO     ....... BtoA /tmp/tmp-o_Edqx/admin_pkcs10.bin /tmp/tmp-o_Edqx/admin_pkcs10.bin.asc
2016-04-08 10:47:04 pkispawn    : INFO     ....... loading external CA signing certificate from file: '/tmp/tmpcFjfap'
2016-04-08 10:47:04 pkispawn    : INFO     ....... loading external CA signing certificate chain from file: '/tmp/tmpefqr9i'
2016-04-08 10:47:04 pkispawn    : INFO     ....... configuring PKI configuration data.
2016-04-08 10:48:21 pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
2016-04-08 10:48:21 pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.lang.NullPointerException"}
2016-04-08 10:48:21 pkispawn    : DEBUG    ....... Error Type: ParseError
2016-04-08 10:48:21 pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
2016-04-08 10:48:21 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 524, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 248, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3914, in configure_pki_data
    root = ET.fromstring(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err
```

Installed packages:

```
[root@corp-ldap-03: ~]# rpm -qa | egrep "ipa|pki"
python2-ipalib-4.3.1-1.el7.centos.noarch
ipa-admintools-4.3.1-1.el7.centos.noarch
ipa-common-4.3.1-1.el7.centos.noarch
pki-kra-10.3.0.a1-1.el7.centos.noarch
ipa-server-common-4.3.1-1.el7.centos.noarch
python2-ipaserver-4.3.1-1.el7.centos.noarch
python-libipa_hbac-1.13.3-5.el7.centos.x86_64
pki-base-10.3.0.a1-1.el7.centos.noarch
pki-ca-10.3.0.a1-1.el7.centos.noarch
python-ipaddress-1.0.7-4.el7.centos.noarch
python2-ipaclient-4.3.1-1.el7.centos.noarch
sssd-ipa-1.13.3-5.el7.centos.x86_64
ipa-client-4.3.1-1.el7.centos.x86_64
pki-tools-10.3.0.a1-1.el7.centos.x86_64
python-iniparse-0.4-9.el7.noarch
pki-server-10.3.0.a1-1.el7.centos.noarch
libipa_hbac-1.13.3-5.el7.centos.x86_64
pki-base-java-10.3.0.a1-1.el7.centos.noarch
ipa-server-4.3.1-1.el7.centos.x86_64
ipa-client-common-4.3.1-1.el7.centos.noarch
krb5-pkinit-1.13.2-12.el7_2.x86_64
```
Attachments:

- ipaserver-install.log
- pki-ca-spawn.20160408104654.log
- debug (/var/log/pki/pki-tomcat/ca/debug)
I have created a ticket in Dogtag's bug tracker, https://fedorahosted.org/pki/ticket/2276
The issue might be caused by a missing key usage. Your CA cert doesn't have Non Repudiation. FreeIPA's default CA has the flag.
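As an added example (not from the ticket, FreeIPA or Dogtag), a pre-flight check for the condition raised in the comment above: it reads the externally signed CA certificate with openssl and reports whether basicConstraints CA:TRUE and all four key-usage bits are present, i.e. the three the ticket's intermediate.cnf sets plus the Non Repudiation bit the comment says is missing. It assumes openssl 1.1.1 or later on PATH; the demo certificate, its subject and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the ticket or of FreeIPA/Dogtag: check an externally
# signed IPA CA certificate for the extensions discussed in the ticket before
# re-running ipa-server-install --external-cert-file=...
# Assumes openssl >= 1.1.1 on PATH (the -addext option used by the demo needs it).

# Return 0 when the PEM certificate in $1 has CA:TRUE and every key usage below;
# print one "missing ..." line per absent item and return 1; return 2 if it does
# not parse as a certificate.
check_ipa_ca_cert() {
    txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "cannot parse $1 as a PEM certificate"
        return 2
    }
    rc=0
    case "$txt" in
        *"CA:TRUE"*) ;;
        *) echo "missing basicConstraints: CA:TRUE"; rc=1 ;;
    esac
    # These are openssl's -text names for digitalSignature, nonRepudiation,
    # keyCertSign and cRLSign.
    for ku in "Digital Signature" "Non Repudiation" "Certificate Sign" "CRL Sign"; do
        case "$txt" in
            *"$ku"*) ;;
            *) echo "missing keyUsage: $ku"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed demo: a throwaway self-signed CA certificate with the given
# keyUsage list, so the check can be exercised without a real CA.
mk_demo_cert() {    # $1 = output PEM path, $2 = keyUsage value
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/O=EXAMPLE.TEST/CN=Demo external CA" -days 1 \
        -addext "basicConstraints=critical,CA:TRUE,pathlen:0" \
        -addext "keyUsage=critical,$2" >/dev/null 2>&1
}

# Usage: sh check_ipa_ca.sh /root/forthnet.prv-cacert.pem
if [ $# -gt 0 ]; then
    check_ipa_ca_cert "$1"
fi
```

Run against the ticket's configuration (keyUsage = digitalSignature, cRLSign, keyCertSign) the only line printed is "missing keyUsage: Non Repudiation".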
Closing this ticket; discussion/investigation is being done in the PKI ticket.
Please reopen if there is something to fix on IPA side.
Metadata Update from @stsimb:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE