pkispawn OCSP with external CMC certs in HSM environment shows import error.
Steps to Reproduce:
1. Tested the procedure in http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates with HSM token and cmc issued certificates. 2. pkispawn of ocsp external during step 2 configuration shows following issue: pkispawn : INFO ....... modifying '/opt/pki-rootOCSP/ocsp/pkcs12_password.conf' pkispawn : DEBUG ........... chmod 660 /opt/pki-rootOCSP/ocsp/pkcs12_password.conf pkispawn : DEBUG ........... chown 17:17 /opt/pki-rootOCSP/ocsp/pkcs12_password.conf pkispawn : INFO ....... Security databases '/opt/pki-rootOCSP/ocsp/alias/cert8.db', '/opt/pki-rootOCSP/ocsp/alias/key3.db', and/or '/opt/pki-rootOCSP/ocsp/alias/secmod.db' already exist! pkispawn : INFO ....... importing ca_signing certificate from ca_signing.crt certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS#11 token is not logged in. pkispawn : INFO ....... importing ocsp_signing certificate from ocsp_signing.crt Error: Incorrect client security database password. pkispawn : DEBUG ....... Error Type: CalledProcessError pkispawn : DEBUG ....... Error Message: Command '['pki', '-d', '/var/lib/pki/rhcs93-OCSP-aakkiang/alias', '-C', '/tmp/tmpi8IsdP/password.txt', 'client-cert-import', '--pkcs7', 'ocsp_signing.crt', '--trust', ',,', 'ocsp_signing']' returned non-zero exit status 255 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 533, in main scriptlet.spawn(deployer) File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1031, in spawn self.import_system_certs(deployer, nssdb, subsystem) File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 603, in import_system_certs self.import_ocsp_signing_cert(deployer, nssdb) File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 557, in import_ocsp_signing_cert trust_attributes=',,') File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 715, in import_cert_chain output_format='base64') File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 754, in import_pkcs7 nickname File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call raise CalledProcessError(retcode, cmd) Installation failed: Command '['pki', '-d', '/var/lib/pki/rhcs93-OCSP-aakkiang/alias', '-C', '/tmp/tmpi8IsdP/password.txt', 'client-cert-import', '--pkcs7', 'ocsp_signing.crt', '--trust', ',,', 'ocsp_signing']' returned non-zero exit status 255
Expected results:
pkispawn should be successful.
Metadata Update from @mharmsen: - Custom field component adjusted to None - Custom field feature adjusted to None - Custom field origin adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1532933 - Custom field type adjusted to None - Custom field version adjusted to None
Metadata Update from @edewata: - Issue priority set to: blocker (was: critical)
Metadata Update from @mharmsen: - Issue assigned to edewata
Fixed in master:
Fixed in 10.5 branch:
Metadata Update from @edewata: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5.5 (was: 10.5)
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.5.5-1.fc27
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3019
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.