Issue #2901: Installing subsystems with external CMC certificates in HSM environment shows import error - dogtagpki

dogtagpki

#2901 Installing subsystems with external CMC certificates in HSM environment shows import error

Closed: fixed 6 years ago Opened 6 years ago by mharmsen.

pkispawn OCSP with external CMC certs in HSM environment shows import error.

Steps to Reproduce:

1. Tested the procedure in http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates with HSM token and cmc issued certificates.

2. pkispawn of ocsp external during step 2 configuration shows following issue:

pkispawn    : INFO     ....... modifying '/opt/pki-rootOCSP/ocsp/pkcs12_password.conf'
pkispawn    : DEBUG    ........... chmod 660 /opt/pki-rootOCSP/ocsp/pkcs12_password.conf
pkispawn    : DEBUG    ........... chown 17:17 /opt/pki-rootOCSP/ocsp/pkcs12_password.conf
pkispawn    : INFO     ....... Security databases '/opt/pki-rootOCSP/ocsp/alias/cert8.db', '/opt/pki-rootOCSP/ocsp/alias/key3.db', and/or '/opt/pki-rootOCSP/ocsp/alias/secmod.db' already exist!
pkispawn    : INFO     ....... importing ca_signing certificate from ca_signing.crt
certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS#11 token is not logged in.
pkispawn    : INFO     ....... importing ocsp_signing certificate from ocsp_signing.crt
Error: Incorrect client security database password.
pkispawn    : DEBUG    ....... Error Type: CalledProcessError
pkispawn    : DEBUG    ....... Error Message: Command '['pki', '-d', '/var/lib/pki/rhcs93-OCSP-aakkiang/alias', '-C', '/tmp/tmpi8IsdP/password.txt', 'client-cert-import', '--pkcs7', 'ocsp_signing.crt', '--trust', ',,', 'ocsp_signing']' returned non-zero exit status 255
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 533, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1031, in spawn
    self.import_system_certs(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 603, in import_system_certs
    self.import_ocsp_signing_cert(deployer, nssdb)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 557, in import_ocsp_signing_cert
    trust_attributes=',,')
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 715, in import_cert_chain
    output_format='base64')
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 754, in import_pkcs7
    nickname
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)


Installation failed: Command '['pki', '-d', '/var/lib/pki/rhcs93-OCSP-aakkiang/alias', '-C', '/tmp/tmpi8IsdP/password.txt', 'client-cert-import', '--pkcs7', 'ocsp_signing.crt', '--trust', ',,', 'ocsp_signing']' returned non-zero exit status 255

Expected results:

pkispawn should be successful.

Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1532933
- Custom field type adjusted to None
- Custom field version adjusted to None

6 years ago

Metadata Update from @edewata:
- Issue priority set to: blocker (was: critical)

6 years ago

Metadata Update from @mharmsen:
- Issue assigned to edewata

6 years ago

edewata commented 6 years ago

Fixed in master:

Fixed in 10.5 branch:

Metadata Update from @edewata:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.5 (was: 10.5)

6 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.5.5-1.fc27

6 years ago

dmoluguw commented 3 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/3019

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata

Assignee

edewata

Tags

None

Blocking

None

Depending on

None

Priority

blocker

Milestone

10.5.5

lowhangingfruit

None

reporter

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1532933

type

None

version

None

keywords

None

estimate

None

feature

None

origin

None

proposedpriority

None

fixedinversion

pki-core-10.5.5-1.fc27

platforms

None

blockedby

None

blocking

None

reviewer

None

component

None

proposedmilestone

None

dogtagpki

Source Code

#2901 Installing subsystems with external CMC certificates in HSM environment shows import error Closed: fixed 6 years ago Opened 6 years ago by mharmsen.

Metadata

#2901 Installing subsystems with external CMC certificates in HSM environment shows import error

Closed: fixed 6 years ago Opened 6 years ago by mharmsen.