#5790 Installation with external CA: step 2 fails with Error in creating admin user
Closed: Invalid. Opened 8 years ago by stsimb.

Trying to install freeipa signed by an external CA fails on step 2/28. Here is a transcript and attached are the full logfiles.

This is on CentOS 7 with freeipa 4.3.1 from the COPR repo https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/,
but the same thing happens with freeipa-4.2.0 from EPEL7.

[root@corp-ldap-03: ~]# ipa-server-install --mkhomedir --external-ca
...
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate

#sign
/usr/bin/openssl ca -batch -passin env:SSLPASS -notext \
  -config intermediate.cnf \
  -name ca_ca \
  -in "ipa.csr" \
  -days 7200 -preserveDN -md sha256 -noemailDN

####### intermediate.cnf ########
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ ca_ca ]
dir = /root/.TinyCA/forthnet.prv
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/cacert.key
RANDFILE = $dir/.rand
x509_extensions = v3_intermediate_ca
default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_ca
unique_subject = yes
####### intermediate.cnf ########

[root@corp-ldap-03: ~]# ipa-server-install --external-cert-file=/root/ipa.pem --external-cert-file=/root/forthnet.prv-cacert.pem

The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password:

==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)


The IPA Master Server will be configured with:
Hostname:       corp-ldap-03.cloud.forthnet.prv
IP address(es): 10.24.4.11
Domain name:    corp.local
Realm name:     CORP.LOCAL

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/28]: creating certificate server user
  [2/28]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpaOy1C7' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    CA configuration failed.
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

########### ipaserver-install.log ############
2016-04-08T07:46:54Z DEBUG Starting external process
2016-04-08T07:46:54Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpaOy1C7
2016-04-08T07:48:21Z DEBUG Process finished, return code=1
2016-04-08T07:48:21Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160408104654.log
Loading deployment configuration from /tmp/tmpaOy1C7.
Installing CA into /var/lib/pki/pki-tomcat.

Installation failed.

2016-04-08T07:48:21Z DEBUG stderr=pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.lang.NullPointerException"}

2016-04-08T07:48:21Z CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpaOy1C7' returned non-zero exit status 1
2016-04-08T07:48:21Z CRITICAL See the installation logs and the following files/directories for more information:
2016-04-08T07:48:21Z CRITICAL   /var/log/pki/pki-tomcat
2016-04-08T07:48:21Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 579, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 181, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 421, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

########## pki-ca-spawn.20160408104654.log ############
2016-04-08 10:47:04 pkispawn    : INFO     ....... executing 'certutil -R -d /tmp/tmp-o_Edqx -s cn=ipa-ca-agent,O=CORP.LOCAL -k rsa -g 2048 -z /tmp/tmp-o_Edqx/noise -f /root/.dogtag/pki-tomcat/ca/password.conf -o /tmp/tmp-o_Edqx/admin_pkcs10.bin'
2016-04-08 10:47:04 pkispawn    : INFO     ....... rm -f /tmp/tmp-o_Edqx/noise
2016-04-08 10:47:04 pkispawn    : INFO     ....... BtoA /tmp/tmp-o_Edqx/admin_pkcs10.bin /tmp/tmp-o_Edqx/admin_pkcs10.bin.asc
2016-04-08 10:47:04 pkispawn    : INFO     ....... loading external CA signing certificate from file: '/tmp/tmpcFjfap'
2016-04-08 10:47:04 pkispawn    : INFO     ....... loading external CA signing certificate chain from file: '/tmp/tmpefqr9i'
2016-04-08 10:47:04 pkispawn    : INFO     ....... configuring PKI configuration data.
2016-04-08 10:48:21 pkispawn    : ERROR    ....... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
2016-04-08 10:48:21 pkispawn    : ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in creating admin user: java.lang.NullPointerException"}
2016-04-08 10:48:21 pkispawn    : DEBUG    ....... Error Type: ParseError
2016-04-08 10:48:21 pkispawn    : DEBUG    ....... Error Message: not well-formed (invalid token): line 1, column 0
2016-04-08 10:48:21 pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 524, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 248, in spawn
    json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 3914, in configure_pki_data
    root = ET.fromstring(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1300, in XML
    parser.feed(text)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1642, in feed
    self._raiseerror(v)
  File "/usr/lib64/python2.7/xml/etree/ElementTree.py", line 1506, in _raiseerror
    raise err

[root@corp-ldap-03: ~]# rpm -qa | egrep "ipa|pki"
python2-ipalib-4.3.1-1.el7.centos.noarch
ipa-admintools-4.3.1-1.el7.centos.noarch
ipa-common-4.3.1-1.el7.centos.noarch
pki-kra-10.3.0.a1-1.el7.centos.noarch
ipa-server-common-4.3.1-1.el7.centos.noarch
python2-ipaserver-4.3.1-1.el7.centos.noarch
python-libipa_hbac-1.13.3-5.el7.centos.x86_64
pki-base-10.3.0.a1-1.el7.centos.noarch
pki-ca-10.3.0.a1-1.el7.centos.noarch
python-ipaddress-1.0.7-4.el7.centos.noarch
python2-ipaclient-4.3.1-1.el7.centos.noarch
sssd-ipa-1.13.3-5.el7.centos.x86_64
ipa-client-4.3.1-1.el7.centos.x86_64
pki-tools-10.3.0.a1-1.el7.centos.x86_64
python-iniparse-0.4-9.el7.noarch
pki-server-10.3.0.a1-1.el7.centos.noarch
libipa_hbac-1.13.3-5.el7.centos.x86_64
pki-base-java-10.3.0.a1-1.el7.centos.noarch
ipa-server-4.3.1-1.el7.centos.x86_64
ipa-client-common-4.3.1-1.el7.centos.noarch
krb5-pkinit-1.13.2-12.el7_2.x86_64

Attached: /var/log/pki/pki-tomcat/ca/debug

I have created a ticket in Dogtag's bug tracker, https://fedorahosted.org/pki/ticket/2276

The issue might be caused by a missing key usage. Your CA cert doesn't have Non Repudiation. FreeIPA's default CA has the flag.
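Added example, not code from this ticket or from FreeIPA/Dogtag: a stdlib-only check you can run on the external CA certificate before re-running step 2, so a missing extension is caught locally instead of surfacing as a 500 from the Dogtag configuration servlet. It walks the certificate's DER, extracts basicConstraints (2.5.29.19) and keyUsage (2.5.29.15), and reports what is missing relative to the usage set the comment above attributes to FreeIPA's default CA (digitalSignature, nonRepudiation, keyCertSign, cRLSign). Treating nonRepudiation as required is that comment's hypothesis, not a confirmed root cause. `TICKET_CA` and `IPA_DEFAULT_CA` are constructed DER blobs built from the ticket's `v3_intermediate_ca` section and from that comment; they are not real certificates, and the `fake_cert` helper models only the extensions wrapper of a tbsCertificate.

```python
import base64
import re

KEY_USAGE_OID, BASIC_CONSTRAINTS_OID = b"\x55\x1d\x0f", b"\x55\x1d\x13"  # 2.5.29.15, 2.5.29.19
# RFC 5280 KeyUsage bit names, bit 0 first.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
# The usages the ticket comment says FreeIPA's default (Dogtag) CA certificate carries.
REQUIRED_CA_USAGES = {"digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"}


def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed node's content into (tag, value) children."""
    kids, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        kids.append((tag, val))
    return kids

def find_extensions(der):
    """Map raw OID bytes -> (critical, extnValue) for every Extension SEQUENCE found.
    An Extension is SEQUENCE { OID, BOOLEAN critical OPTIONAL, OCTET STRING }; nothing else
    in a certificate has that shape, so a schema-free structural walk is enough."""
    found = {}

    def walk(value):
        pos = 0
        while pos < len(value):
            tag, val, pos = der_tlv(value, pos)
            if tag == 0x30:
                kids = der_children(val)
                if len(kids) in (2, 3) and kids[0][0] == 0x06 and kids[-1][0] == 0x04:
                    critical = len(kids) == 3 and kids[1][1] == b"\xff"
                    found[kids[0][1]] = (critical, kids[-1][1])
                    continue
            if tag & 0x20:  # constructed node: descend
                walk(val)

    walk(der)
    return found

def key_usage_names(ext_value):
    """Decode the KeyUsage BIT STRING (first byte = count of unused trailing bits)."""
    _, bits, _ = der_tlv(ext_value, 0)
    unused, body = bits[0], bits[1:]
    nbits = min(len(body) * 8 - unused, len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[i] for i in range(nbits) if body[i // 8] & (0x80 >> (i % 8))}

def is_ca(ext_value):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }."""
    _, seq, _ = der_tlv(ext_value, 0)
    return any(t == 0x01 and v == b"\xff" for t, v in der_children(seq))

def check_ca_cert(der):
    """Return the list of problems; empty means the cert has what an IPA CA issuer needs."""
    exts, problems = find_extensions(der), []
    bc = exts.get(BASIC_CONSTRAINTS_OID)
    if bc is None or not is_ca(bc[1]):
        problems.append("basicConstraints missing or CA:false")
    ku = exts.get(KEY_USAGE_OID)
    usages = key_usage_names(ku[1]) if ku else set()
    return problems + ["keyUsage missing " + u for u in sorted(REQUIRED_CA_USAGES - usages)]

def pem_to_der(pem_text):
    """Real use: check_ca_cert(pem_to_der(open('/root/forthnet.prv-cacert.pem').read()))"""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return base64.b64decode("".join(m.group(1).split()))


# ---- constructed test data: hypothetical DER built by hand, not a real certificate ----
def tlv(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def key_usage_ext(names):  # bits 0-7 only, which covers every CA-relevant usage
    idx = [KEY_USAGE_BITS.index(n) for n in names]
    bitstr = tlv(0x03, bytes([7 - max(idx), sum(0x80 >> i for i in idx)]))
    return tlv(0x30, tlv(0x06, KEY_USAGE_OID) + tlv(0x01, b"\xff") + tlv(0x04, bitstr))

def basic_constraints_ext(ca, pathlen=None):
    body = tlv(0x01, b"\xff") if ca else b""
    body += b"" if pathlen is None else tlv(0x02, bytes([pathlen]))
    return tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, body)))

def fake_cert(*exts):  # models only tbsCertificate's [3] EXPLICIT Extensions wrapper
    return tlv(0x30, tlv(0x30, tlv(0xA3, tlv(0x30, b"".join(exts)))))

# What the ticket's v3_intermediate_ca section yields, and what the comment says IPA's own CA has.
TICKET_CA = fake_cert(basic_constraints_ext(True, 0),
                      key_usage_ext(["digitalSignature", "cRLSign", "keyCertSign"]))
IPA_DEFAULT_CA = fake_cert(basic_constraints_ext(True), key_usage_ext(sorted(REQUIRED_CA_USAGES)))
```

Run `check_ca_cert` on the PEM you pass as `--external-cert-file`; on `TICKET_CA` it reports only `keyUsage missing nonRepudiation`, matching the comment's observation, and on `IPA_DEFAULT_CA` it reports nothing. The same bits can be eyeballed with `openssl x509 -in <file> -noout -text` under "X509v3 Key Usage"; the ticket itself does not confirm that the missing bit is what trips the admin-user creation, only that it differs from FreeIPA's own CA.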

Closing this ticket; discussion/investigation is being done in the PKI ticket.

Please reopen if there is something to fix on IPA side.

Metadata Update from @stsimb:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
