FreeIPA's external CA test is failing in step 2 because /root/.dogtag/pki-tomcat/ca/alias/noise is either missing or can't be created.
2018-10-26 08:58:31 configuration : INFO Creating temp SSL server cert for master.ipa.test
2018-10-26 08:58:31 pkispawn : INFO ....... generating '/etc/pki/pki-tomcat/pfile'
2018-10-26 08:58:31 pkispawn : INFO ....... executing 'certutil -S -d /etc/pki/pki-tomcat/alias -n Server-Cert cert-pki-ca -s cn=master.ipa.test,o=2018-10-26 08:58:28 -k rsa -g 2048 -m 0 -v 12 -c cn=master.ipa.test,o=2018-10-26 08:58:28 -t CTu,CTu,CTu -z /etc/pki/pki-tomcat/ca/noise -f /etc/pki/pki-tomcat/pfile -x'
2018-10-26 08:58:31 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/ca/noise
2018-10-26 08:58:31 pkispawn : INFO ....... rm -f /etc/pki/pki-tomcat/pfile
2018-10-26 08:58:31 pkispawn : INFO Starting pki-tomcat instance
2018-10-26 08:58:31 pkispawn : DEBUG Command: systemctl daemon-reload
2018-10-26 08:58:31 pkispawn : DEBUG Command: systemctl start pki-tomcatd@pki-tomcat.service
2018-10-26 08:58:33 pkispawn : INFO ........... checking https://master.ipa.test:8443/ca
2018-10-26 08:58:34 pkispawn : INFO ........... waiting for server to start (1s)
2018-10-26 08:58:35 pkispawn : INFO ........... waiting for server to start (2s)
2018-10-26 08:58:44 pkispawn : DEBUG ........... status: running
2018-10-26 08:58:44 pkispawn : INFO Creating config request
2018-10-26 08:58:44 pkispawn : INFO Loading system cert: caSigningCert External CA
2018-10-26 08:58:44 pki.nssdb : DEBUG Command: certutil -L -d /var/lib/pki/pki-tomcat/alias -f /tmp/tmplqy2v3q7/password.txt -n caSigningCert External CA -r
2018-10-26 08:58:44 configuration : INFO Configuring CA subsystem
2018-10-26 08:59:20 configuration : INFO Configuring certificates
2018-10-26 08:59:22 configuration : INFO Setting up admin
2018-10-26 08:59:22 pkispawn : INFO Creating admin setup request
2018-10-26 08:59:22 pkispawn : DEBUG ....... Error Type: FileNotFoundError
2018-10-26 08:59:22 pkispawn : DEBUG ....... Error Message: [Errno 2] No such file or directory: '/root/.dogtag/pki-tomcat/ca/alias/noise'
2018-10-26 08:59:22 pkispawn : DEBUG .......   File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 534, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 702, in spawn
    admin_setup_request = deployer.config_client.create_admin_setup_request()
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 4093, in create_admin_setup_request
    self.set_admin_parameters(request)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/pkihelper.py", line 4532, in set_admin_parameters
    with open(noise_file, 'w') as f:
The code fails because /root/.dogtag/pki-tomcat/ca no longer exists. FreeIPA deletes /root/.dogtag/pki-tomcat/{subsystem}/ after every pki-spawn call, see https://pagure.io/freeipa/blob/552777293d7c0741e7f9302088ebccf1ee7ba27e/f/ipaserver/install/cainstance.py#_483 . FreeIPA doesn't need the files any more. Since we don't want to leave any potentially problematic data, we clean up and remove any DB that might contain private key bits.
This hasn't been a problem before. Release 10.6.7 changed behavior and now fails when /root/.dogtag/pki-tomcat/ca is not available in step 2 of external CA installation. Either Dogtag didn't use the DB before or it no longer re-creates a missing /root/.dogtag/pki-tomcat/ca/alias database automatically.
FreeIPA has been removing the directory structure for about 2 years, see https://pagure.io/freeipa/c/a39effed7603d66acd238e3142f4df8081ff7bc8
Note, I used pki-core-10.6.7 with additional patches from https://github.com/dogtagpki/pki/commit/0fba3c2710ee14f2d4ddb2bd401ed6d592f3f2b8 and https://github.com/dogtagpki/pki/commit/54edd1a7dd4e7e49bff4ef4fde15fc4d97802b00 . Without both patches, you may see a different error message when installing with an external CA.
I think this is actually a problem in IPA.
Prior to PKI 10.6.7, pkispawn was calling the code that creates the admin NSS db twice, in step 1 and step 2. This is a bug since the admin NSS db should only be created once. IPA has been removing the admin NSS db after step 1 and step 2.
In PKI 10.6.7 the code was cleaned up (https://github.com/dogtagpki/pki/commit/9b402ff3d2deb1ac4c86cb2d2be92b5bb4c2ad20) so the admin NSS db is now only created in step 1. However, IPA keeps removing it after step 1, but pkispawn doesn't create it anymore in step 2, so the installation fails.
pkispawn needs to create the admin NSS db in step 1 in order to generate the admin CSR that can be signed by an external CA. This functionality is needed by PKI to support other important scenarios (i.e. external/standalone KRA/OCSP), so IPA should not interfere with that.
It should be addressed in the following IPA ticket: https://pagure.io/freeipa/issue/7742
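The interaction described in the comments above (step 1 creates the admin NSS database, the installer removes it, step 2 then fails opening the noise file) can be reproduced as a small filesystem simulation. This is an added illustration, not Dogtag or FreeIPA code; the function names (`admin_db_dir`, `run_step`, `cleanup_admin_db`, `install_external_ca`) and the use of a temporary directory in place of /root are assumptions made for the example. It contrasts cleaning up after every pkispawn call (the pre-10.6.7 habit that now breaks) with cleaning up only once, after the final step.

```python
import os
import shutil
import tempfile

# Simulated two-step external CA flow (assumed model, not pkispawn itself).
# Step 1 creates the admin NSS database directory and writes a noise file
# into it; step 2 expects that directory to still exist and reuses it.


def admin_db_dir(root):
    """Simulated admin NSS database path: <root>/.dogtag/pki-tomcat/ca/alias."""
    return os.path.join(root, ".dogtag", "pki-tomcat", "ca", "alias")


def run_step(root, step):
    """Simulate pkispawn step 1 (creates the db) or step 2 (reuses it).

    Returns the noise file path. Like the real failure, raises
    FileNotFoundError when the alias directory has been removed.
    """
    alias = admin_db_dir(root)
    if step == 1:
        os.makedirs(alias, exist_ok=True)  # only step 1 creates the db
    noise = os.path.join(alias, "noise")
    with open(noise, "wb") as f:  # fails if alias/ is gone
        f.write(os.urandom(32))  # constructed stand-in for key-gen noise
    return noise


def cleanup_admin_db(root):
    """What the installer does after pkispawn: remove the whole subsystem
    directory so no NSS database holding private-key material is left over."""
    shutil.rmtree(os.path.join(root, ".dogtag", "pki-tomcat", "ca"),
                  ignore_errors=True)


def install_external_ca(root, cleanup_after_each_step):
    """Run both steps; return 'ok' or the name of the exception raised."""
    try:
        run_step(root, 1)
        if cleanup_after_each_step:
            cleanup_admin_db(root)  # too early: step 2 still needs the db
        run_step(root, 2)
        cleanup_admin_db(root)  # safe: nothing needs the db any more
        return "ok"
    except FileNotFoundError as exc:
        return type(exc).__name__


def demo():
    """Return (result when cleaning after each step,
               result when cleaning only after step 2,
               whether the admin db survived the second run)."""
    with tempfile.TemporaryDirectory() as root:
        broken = install_external_ca(root, cleanup_after_each_step=True)
    with tempfile.TemporaryDirectory() as root:
        fixed = install_external_ca(root, cleanup_after_each_step=False)
        leftover = os.path.exists(admin_db_dir(root))
    return broken, fixed, leftover


if __name__ == "__main__":
    print(demo())  # ('FileNotFoundError', 'ok', False)
```

The third value shows that deferring the cleanup to the end still leaves no NSS database behind, which is the property the installer's cleanup was meant to guarantee.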
Metadata Update from @edewata: - Issue close_status updated to: invalid - Issue status updated to: Closed (was: Open)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3193
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.