https://www.redhat.com/archives/freeipa-users/2015-July/msg00107.html
We are issued a wildcard cert for *.nwra.com from namecheap.com/COMODO SSL. They issue us a cert and a certificate chain file that provides two certs to chain back to:
CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
This cert is in Firefox's certdb (and presumably other browsers) and so works.
FWIW - I don't seem to find this cert (or any AddTrust cert) in the openssl ca certs in /etc/pki.
I am able to get the install to work with it by extracting the 'AddTrust External CA Root' cert from firefox and then:
# openssl pkcs12 -export -in STAR_nwra_com.crt -inkey nwra.com.key -certfile STAR_nwra_com.ca-bundle -out nwra.com.p12
(The ca-bundle is the one issued by namecheap with the two intermediate certs)
# ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat /etc/ldap.secret` --root-ca-file=AddTrustExternalCARoot --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX --idstart=8000
But then when I go to make a replica:
# ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
Directory Manager (existing master) password:
(SEC_ERROR_LIBRARY_FAILURE) security library failure.
Which looks like others are experiencing (with no resolution that I could see): https://www.redhat.com/archives/freeipa-users/2015-April/msg00514.html
Putting AddTrustExternalCARoot into nwra.com.p12 doesn't appear to help.
ipa-server-4.1.0-18.sl7_1.3.x86_64
Moving to Future releases; should be re-prioritized when a reproducer is available.
I've been able to track it down to this line in ipalib/x509.py:
def load_certificate(data, datatype=PEM, dbdir=None):
    """
    Given a base64-encoded certificate, with or without the header/footer,
    return a request object.

    Returns a nss.Certificate type
    """
    if type(data) in (tuple, list):
        data = data[0]

    if (datatype == PEM):
        data = strip_header(data)
        data = base64.b64decode(data)

    if not nss.nss_is_initialized():
        if dbdir is None:
            if 'in_tree' in api.env:
                if api.env.in_tree:
                    dbdir = api.env.dot_ipa + os.sep + 'alias'
                else:
                    dbdir = paths.HTTPD_ALIAS_DIR
                nss.nss_init(dbdir)    # ---->>
            else:
                nss.nss_init_nodb()
        else:
            nss.nss_init(dbdir)

    return nss.Certificate(buffer(data))
dbdir is set to /etc/httpd/alias.
Backtrace:
#0  PR_SetError (code=-8129, osErr=0) at ../../../nspr/pr/src/misc/prerror.c:24
#1  0x00007fffe5d36e5a in prng_instantiate (rng=rng@entry=0x7fffe5f9f620 <testContext>, bytes=bytes@entry=0x29df410 "\216\234\r%u\"\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205A@\364\235\002", len=len@entry=32) at drbg.c:163
#2  0x00007fffe5d370f3 in PRNGTEST_Instantiate (entropy=entropy@entry=0x7fffe5d7d840 <entropy.6204> "\216\234\r%u\"\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205Av\235mg", entropy_len=entropy_len@entry=32, nonce=nonce@entry=0x0, nonce_len=nonce_len@entry=0, personal_string=personal_string@entry=0x0, ps_len=ps_len@entry=0) at drbg.c:717
#3  0x00007fffe5d372d1 in PRNGTEST_RunHealthTests () at drbg.c:838
#4  0x00007fffe5d38f99 in freebl_fips_RNG_PowerUpSelfTest () at fipsfreebl.c:1512
#5  freebl_fipsPowerUpSelfTest (tests=3) at fipsfreebl.c:1567
#6  0x00007fffe5d26971 in bl_startup_tests () at fipsfreebl.c:1726
#7  0x00007ffff7dea503 in _dl_init_internal () from /lib64/ld-linux-x86-64.so.2
#8  0x00007ffff7deeb44 in dl_open_worker () from /lib64/ld-linux-x86-64.so.2
#9  0x00007ffff7dea314 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#10 0x00007ffff7dee25b in _dl_open () from /lib64/ld-linux-x86-64.so.2
#11 0x00007ffff75f602b in dlopen_doit () from /lib64/libdl.so.2
#12 0x00007ffff7dea314 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#13 0x00007ffff75f662d in _dlerror_run () from /lib64/libdl.so.2
#14 0x00007ffff75f60c1 in dlopen@@GLIBC_2.2.5 () from /lib64/libdl.so.2
#15 0x00007fffeb3fdb2b in pr_LoadLibraryByPathname (flags=10, name=0x29c67d0 "/lib64/libfreeblpriv3.so") at ../../../nspr/pr/src/linking/prlink.c:803
#16 PR_LoadLibraryWithFlags (libSpec=..., flags=flags@entry=10) at ../../../nspr/pr/src/linking/prlink.c:418
#17 0x00007fffe628093f in loader_LoadLibInReferenceDir (referencePath=referencePath@entry=0x2e129f0 "/lib64/libsoftokn3.so", name=name@entry=0x7fffe6289278 "libfreeblpriv3.so") at genload.c:104
#18 0x00007fffe62809a3 in loader_LoadLibrary (nameToLoad=0x7fffe6289278 "libfreeblpriv3.so") at genload.c:135
#19 0x00007fffe6280a8d in freebl_LoadDSO () at loader.c:46
#20 0x00007fffeb403a1a in PR_CallOnce (once=once@entry=0x7fffe6493a30 <loadFreeBLOnce>, func=func@entry=0x7fffe6280a80 <freebl_LoadDSO>) at ../../../nspr/pr/src/misc/prinit.c:775
#21 0x00007fffe6280b4f in freebl_RunLoaderOnce () at loader.c:80
#22 BL_Init () at loader.c:87
#23 0x00007fffe625b2fb in sftk_startup_tests () at fipstest.c:606
#24 0x00007ffff7dea503 in _dl_init_internal () from /lib64/ld-linux-x86-64.so.2
#25 0x00007ffff7deeb44 in dl_open_worker () from /lib64/ld-linux-x86-64.so.2
#26 0x00007ffff7dea314 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#27 0x00007ffff7dee25b in _dl_open () from /lib64/ld-linux-x86-64.so.2
#28 0x00007ffff75f602b in dlopen_doit () from /lib64/libdl.so.2
#29 0x00007ffff7dea314 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#30 0x00007ffff75f662d in _dlerror_run () from /lib64/libdl.so.2
#31 0x00007ffff75f60c1 in dlopen@@GLIBC_2.2.5 () from /lib64/libdl.so.2
#32 0x00007fffeb3fdb2b in pr_LoadLibraryByPathname (flags=26, name=0x11bb900 "/lib64/libsoftokn3.so") at ../../../nspr/pr/src/linking/prlink.c:803
#33 PR_LoadLibraryWithFlags (libSpec=..., flags=flags@entry=26) at ../../../nspr/pr/src/linking/prlink.c:418
#34 0x00007fffea83e25f in loader_LoadLibInReferenceDir (referencePath=referencePath@entry=0xd67540 "/lib64/libnss3.so", name=name@entry=0x7fffeaf6fc73 "libsoftokn3.so") at secload.c:84
#35 0x00007fffea83e2bd in PORT_LoadLibraryFromOrigin (existingShLibName=existingShLibName@entry=0x7fffeaf6fc82 "libnss3.so", staticShLibFunc=staticShLibFunc@entry=0x7fffeaeba7d0 <softoken_LoadDSO>, newShLibName=newShLibName@entry=0x7fffeaf6fc73 "libsoftokn3.so") at secload.c:150
#36 0x00007fffeaeba7ee in softoken_LoadDSO () at pk11load.c:365
#37 0x00007fffeb403a1a in PR_CallOnce (once=once@entry=0x7fffeb1a7e40 <loadSoftokenOnce>, func=func@entry=0x7fffeaeba7d0 <softoken_LoadDSO>) at ../../../nspr/pr/src/misc/prinit.c:775
#38 0x00007fffeaec23d7 in secmod_LoadPKCS11Module (mod=mod@entry=0x3381240, oldModule=oldModule@entry=0x7fffffffcfb0) at pk11load.c:397
#39 0x00007fffeaecdddb in SECMOD_LoadModule (modulespec=modulespec@entry=0x1ade3b0 "name=\"NSS Internal Module\" parameters=\"configdir='/etc/httpd/alias' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly,optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updat"..., parent=parent@entry=0x0, recurse=recurse@entry=1) at pk11pars.c:1014
#40 0x00007fffeae9d3ab in nss_InitModules (isContextInit=0, optimizeSpace=<optimized out>, forceOpen=<optimized out>, noModDB=<optimized out>, noCertDB=<optimized out>, readOnly=<optimized out>, pwRequired=<optimized out>, configStrings=<optimized out>, configName=<optimized out>, updateName=<optimized out>, updateID=<optimized out>, updKeyPrefix=<optimized out>, updCertPrefix=<optimized out>, updateDir=0x7fffeaf6e0cd "", secmodName=<optimized out>, keyPrefix=0x7fffeaf6e0cd "", certPrefix=0x7fffeaf6e0cd "", configdir=<optimized out>) at nssinit.c:435
#41 nss_Init (configdir=<optimized out>, certPrefix=certPrefix@entry=0x7fffeaf6e0cd "", keyPrefix=keyPrefix@entry=0x7fffeaf6e0cd "", secmodName=secmodName@entry=0x7fffeaf6dbb5 "secmod.db", updateDir=updateDir@entry=0x7fffeaf6e0cd "", updCertPrefix=updCertPrefix@entry=0x7fffeaf6e0cd "", updKeyPrefix=updKeyPrefix@entry=0x7fffeaf6e0cd "", updateID=updateID@entry=0x7fffeaf6e0cd "", updateName=updateName@entry=0x7fffeaf6e0cd "", initContextPtr=initContextPtr@entry=0x0, initParams=initParams@entry=0x0, readOnly=readOnly@entry=1, noCertDB=noCertDB@entry=0, noModDB=noModDB@entry=0, forceOpen=forceOpen@entry=0, noRootInit=noRootInit@entry=0, optimizeSpace=optimizeSpace@entry=1, noSingleThreadedModules=noSingleThreadedModules@entry=0, allowAlreadyInitializedModules=allowAlreadyInitializedModules@entry=0, dontFinalizeModules=dontFinalizeModules@entry=0) at nssinit.c:639
#42 0x00007fffeae9db88 in NSS_Init (configdir=<optimized out>) at nssinit.c:748
#43 0x00007fffeb648225 in nss_nss_init (self=<optimized out>, args=<optimized out>) at src/py_nss.c:20534
#44 0x00007ffff7af5b74 in call_function (oparg=<optimized out>, pp_stack=0x7fffffffd2a0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4098
#45 PyEval_EvalFrameEx (f=f@entry=Frame 0x18401c0, for file /usr/lib/python2.7/site-packages/ipalib/x509.py, line 114, in load_certificate (data='0\x82\x1b\xc9\x02\x01\x030\x82\x1b\x8f\x06\t*\x86H\x86\xf7\r\x01\x07\x01\xa0\x82\x1b\x80\x04\x82\x1b|0\x82\x1bx0\x82\x16/\x06\t*\x86H\x86\xf7\r\x01\x07\x06\xa0\x82\x16 0\x82\x16\x1c\x02\x01\x000\x82\x16\x15\x06\t*\x86H\x86\xf7\r\x01\x07\x010\x1c\x06\n*\x86H\x86\xf7\r\x01\x0c\x01\x060\x0e\x04\x08\xc4\x97\x9b\xd2\x0b{\xb9\xdc\x02\x02\x08\x00\x80\x82\x15\xe8\xf9Ze\xfcZcV}\xe6\xe2`\xec64e\x1b\xe6\xfav\xc5\x0f\xee1\xbb\xad\xd9\x9dRG \x9b\x19\x8c\r\xa5\x1d\x96 \x89\xffq\x04\xdb\xfa\x84\xd1\x10\x9d\x05\x98\xe4kE\x8c\xf8\xe1\xc0Q\x87Tq\xf0\x99\xef\xf6\xd9J\xb7\x99^|\xec7X]T\xec\xe4\xf1!\x894$/v\xed\\\xda\x16!J\xc9\xa3\x1d\xca\xfc3.d\x1fcj\xc0\x84\x0e2X|\xe2\xe7A\xd5\xb1~P\xfe*\x8e\xed\x0e^_G\x1c\xe9R\xc00\xe7\x9e\x06\xe9\xd3x\x08\xed\x06)\xe9\xc3\xf0Rs\xddw\\.H\x88Ev@\x16\xec=\xa1_\x84\x9f\x07\xb6/\x08Si\xe5W\xd8\xba\xd1\x87\x9f}\x15\xf7U#\x18\xf5\xb0#\xce5l\xc0\xdbA\t\xd6G\x9e\xae\xfb@;\x04\xff\x1c,\x1a\x1...(truncated), throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
Error is being thrown here in drbg.c:
static SECStatus
prng_instantiate(RNGContext *rng, const PRUint8 *bytes, unsigned int len)
{
    if (len < PRNG_SEEDLEN) {
        /* if the seedlen is to small, it's probably because we failed to get
         * enough random data */
        /* --->> */
        PORT_SetError(SEC_ERROR_NEED_RANDOM);
        return SECFailure;
    }
    prng_Hash_df(V(rng), VSize(rng), bytes, len, NULL, 0);
    rng->V_type = prngCGenerateType;
    prng_Hash_df(rng->C, sizeof rng->C, rng->V_Data, sizeof rng->V_Data, NULL, 0);
    PRNG_RESET_RESEED_COUNT(rng)
    return SECSuccess;
}
So it looks like my VM doesn't have enough entropy. Looks like prng_instantiate is being called 2-3 times and there just isn't enough entropy:
Breakpoint 1, prng_instantiate (rng=0x7fffe5f9d3a0 <theGlobalRng>, bytes=bytes@entry=0x7fffffffc220 "\304(\336\350F8\375㨟\177\325\017+\302\230\"e\215\bf\201Rw;\300\260\330\366\315\342\235\034]\374J\324&\263", len=110) at drbg.c:160
160         if (len < PRNG_SEEDLEN) {
1: len = 110
(gdb) c
Continuing.

Breakpoint 1, prng_instantiate (rng=rng@entry=0x7fffe5f9f620 <testContext>, bytes=bytes@entry=0x2153b70 "\216\234\r%u\"\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205A\240;\025\002", len=len@entry=32) at drbg.c:160
160         if (len < PRNG_SEEDLEN) {
1: len = 32
PRNG_SEEDLEN is 55 I think.
I've tried running haveged to pump in some more entropy as well as a virtio-rng device, but this doesn't appear to help. Can we cut down on the number of calls to prng_instantiate?
First call is in /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 765, in load_pkcs12 -> /usr/lib/python2.7/site-packages/ipapython/certdb.py, line 306, in import_files
Second and third are: file /usr/lib/python2.7/site-packages/ipalib/x509.py, line 113
Moving back to Triage as new data appeared from orion.
Honza or John, does that help uncover the root cause?
I wonder if low entropy is really the case, given comment:4. Orion, maybe you can try to see the entropy before your call ($ cat /proc/sys/kernel/random/entropy_avail) and see if it is at least, say, 300, and what the number does when you call ipa-replica-prepare.
$ cat /proc/sys/kernel/random/entropy_avail
ipa-replica-prepare
/proc/sys/kernel/random/entropy_avail seems to bounce around changing very rapidly between around 1100 and 2400. If I write it out before the python calls I get:
2230 nss_init(/etc/httpd/alias) 1974
Sorry, the previous analysis was incorrect. I was breaking on the first couple of PR_SetError() calls instead of the last. This looks like what's really breaking:
(gdb) bt
#0  CERT_DecodeDERCertificate (derSignedCert=derSignedCert@entry=0x7fffffffd0c0, copyDER=copyDER@entry=1, nickname=nickname@entry=0x0) at certdb.c:865
#1  0x00007fffeaeec989 in nssDecodedPKIXCertificate_Create (arenaOpt=arenaOpt@entry=0x0, encoding=encoding@entry=0x3d0fa98) at pki3hack.c:492
#2  0x00007fffeaeecfbb in stan_GetCERTCertificate (c=c@entry=0x3d0fa38, forceUpdate=forceUpdate@entry=0) at pki3hack.c:865
#3  0x00007fffeaeed2b7 in STAN_GetCERTCertificate (c=c@entry=0x3d0fa38) at pki3hack.c:926
#4  0x00007fffeaee3c80 in CERT_NewTempCertificate (handle=handle@entry=0x35ced20, derCert=0x7fffffffd2e0, nickname=nickname@entry=0x0, isperm=isperm@entry=0, copyDER=copyDER@entry=1) at stanpcertdb.c:409
#5  0x00007fffeaedd964 in CERT_ImportCerts (certdb=certdb@entry=0x35ced20, usage=usage@entry=certUsageUserCertImport, ncerts=ncerts@entry=1, derCerts=derCerts@entry=0x7fffffffd2c0, retCerts=retCerts@entry=0x7fffffffd2c8, keepCerts=keepCerts@entry=0, caOnly=caOnly@entry=0, nickname=0x0) at certdb.c:2457
#6  0x00007fffeb63e927 in Certificate_init (self=0x7ffff7f6bed0, args=<optimized out>, kwds=<optimized out>) at src/py_nss.c:9986
#7  0x00007ffff7ab4e5f in type_call (type=<optimized out>, args=(<buffer at remote 0x1c27730>,), kwds=0x0) at /usr/src/debug/Python-2.7.5/Objects/typeobject.c:745
#8  0x00007ffff7a5f073 in PyObject_Call (func=func@entry=<type at remote 0x7fffeb89cfe0>, arg=arg@entry=(<buffer at remote 0x1c27730>,), kw=kw@entry=0x0) at /usr/src/debug/Python-2.7.5/Objects/abstract.c:2529
#9  0x00007ffff7af332c in do_call (nk=<optimized out>, na=1, pp_stack=0x7fffffffd4a0, func=<type at remote 0x7fffeb89cfe0>) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4316
#10 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd4a0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4121
#11 PyEval_EvalFrameEx (f=f@entry=Frame 0x1841510, for file /usr/lib/python2.7/site-packages/ipalib/x509.py, line 119, in load_certificate (data='0\x82\x05\xd80\x82\x03\xc0\xa0\x03\x02\x01\x02\x02\x10L\xaa\xf9\xca\xdbco\xe0\x1f\xf7N\xd8[\x03\x86\x9d0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0c\x05\x000\x81\x851\x0b0\t\x06\x03U\x04\x06\x13\x02GB1\x1b0\x19\x06\x03U\x04\x08\x13\x12Greater Manchester1\x100\x0e\x06\x03U\x04\x07\x13\x07Salford1\x1a0\x18\x06\x03U\x04\n\x13\x11COMODO CA Limited1+0)\x06\x03U\x04\x03\x13"COMODO RSA Certification Authority0\x1e\x17\r100119000000Z\x17\r380118235959Z0\x81\x851\x0b0\t\x06\x03U\x04\x06\x13\x02GB1\x1b0\x19\x06\x03U\x04\x08\x13\x12Greater Manchester1\x100\x0e\x06\x03U\x04\x07\x13\x07Salford1\x1a0\x18\x06\x03U\x04\n\x13\x11COMODO CA Limited1+0)\x06\x03U\x04\x03\x13"COMODO RSA Certification Authority0\x82\x02"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\n\x02\x82\x02\x01\x00\x91\xe8T\x92\xd2\nV\xb1\xac\r$\xdd\xc5\xcfDgt\x99+7\xa3}#p\x00q\xbcS\xdf\xc4\xfa*\x12\x8fK\x7f\x10V\xbd\x9fpr\xb7a\x...(truncated), throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#12 0x00007ffff7af718d in PyEval_EvalCodeEx (co=<optimized out>, globals=<optimized out>, locals=locals@entry=0x0, args=<optimized out>, argcount=argcount@entry=2, kws=0x1ca4268, kwcount=0, defs=0xef5728, defcount=2, closure=closure@entry=0x0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:3330
#13 0x00007ffff7af583f in fast_function (nk=<optimized out>, na=2, n=2, pp_stack=0x7fffffffd6a0, func=<function at remote 0xfbc050>) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4194
#14 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd6a0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#15 PyEval_EvalFrameEx (f=f@entry=Frame 0x1ca4020, for file /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 789, in load_pkcs12 (cert_files=['nwra.com.p12'], key_password='ipa', key_nickname='*.nwra.com - COMODO CA Limited', ca_cert_files=['/etc/ipa/ca.crt'], host_name='ipa1.nwra.com', nssdb=<NSSDatabase(secdir='/tmp/tmpHGu6GT', _is_temporary=True) at remote 0x1b0f490>, db_password='(S%8n"[5{-((', db_pwdfile=<_TemporaryFileWrapper(name='/tmp/tmpu6bnS7', write=<built-in method write of file object at remote 0x2cabc00>, file=<file at remote 0x2cabc00>, flush=<built-in method flush of file object at remote 0x2cabc00>, close_called=False, delete=True) at remote 0x3561f38>, nickname='COMODO RSA Certification Authority - AddTrust AB', trust_flags=',,', trust_chain=['*.nwra.com - COMODO CA Limited', 'COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited', 'COMODO RSA Certification Authority - AddTrust AB'], ca_cert='0\x82\x06\x080\x82\x03\xf0\xa0\x03\x02\x01\x02\x02\x10+.n\xea\xd9u6l\x14\x8an\xdb\xa3|\x8c\x070\r\...(truncated), throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#16 0x00007ffff7af718d in PyEval_EvalCodeEx (co=<optimized out>, globals=<optimized out>, locals=locals@entry=0x0, args=<optimized out>, argcount=argcount@entry=0, kws=0x3387210, kwcount=5, defs=0x0, defcount=0, closure=closure@entry=0x0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:3330
#17 0x00007ffff7af583f in fast_function (nk=<optimized out>, na=0, n=10, pp_stack=0x7fffffffd8a0, func=<function at remote 0x10e8938>) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4194
#18 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd8a0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#19 PyEval_EvalFrameEx (f=f@entry=Frame 0x3387070, for file /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 162, in load_pkcs12 (self=<ReplicaPrepare(subject_base=<DN(rdns=[<RDN(avas=[<AVA(_value_unicode=u'NWRA.COM', _attr_unicode=u'O') at remote 0x1ae6cd0>]) at remote 0x1b0f1d0>]) at remote 0x1b0f790>, log=<Logger(name='ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare', parent=<Logger(name='ipa', parent=<RootLogger(name='root', parent=None, handlers=[], level=30, disabled=0, propagate=1, filters=[]) at remote 0x905150>, handlers=[<StreamHandler(stream=<file at remote 0x7ffff7fc61e0>, level=20, lock=<_RLock(_Verbose__verbose=False, _RLock__owner=None, _RLock__block=<thread.lock at remote 0x7ffff7f6cb10>, _RLock__count=0) at remote 0x1205750>, _name='console', filters=[], formatter=<Formatter(datefmt='%Y-%m-%dT%H:%M:%SZ', _fmt='%(message)s', converter=<built-in function gmtime>) at remote 0x1205790>) at remote 0x9056d0>], level=20, disabled=0, manager=<Manager(emittedNoHandlerWarning=0, disable=0, root=<...(truncated), throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#20 0x00007ffff7af5930 in fast_function (nk=<optimized out>, na=4, n=4, pp_stack=0x7fffffffda00, func=<function at remote 0x1210b90>) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4184
#21 call_function (oparg=<optimized out>, pp_stack=0x7fffffffda00) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#22 PyEval_EvalFrameEx (f=f@entry=Frame 0x1c9fc80, for file /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, line 262, in ask_for_options (self=<ReplicaPrepare(subject_base=<DN(rdns=[<RDN(avas=[<AVA(_value_unicode=u'NWRA.COM', _attr_unicode=u'O') at remote 0x1ae6cd0>]) at remote 0x1b0f1d0>]) at remote 0x1b0f790>, log=<Logger(name='ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare', parent=<Logger(name='ipa', parent=<RootLogger(name='root', parent=None, handlers=[], level=30, disabled=0, propagate=1, filters=[]) at remote 0x905150>, handlers=[<StreamHandler(stream=<file at remote 0x7ffff7fc61e0>, level=20, lock=<_RLock(_Verbose__verbose=False, _RLock__owner=None, _RLock__block=<thread.lock at remote 0x7ffff7f6cb10>, _RLock__count=0) at remote 0x1205750>, _name='console', filters=[], formatter=<Formatter(datefmt='%Y-%m-%dT%H:%M:%SZ', _fmt='%(message)s', converter=<built-in function gmtime>) at remote 0x1205790>) at remote 0x9056d0>], level=20, disabled=0, manager=<Manager(emittedNoHandlerWarning=0, disable=0, ro...(truncated), throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#23 0x00007ffff7af5930 in fast_function (nk=<optimized out>, na=1, n=1, pp_stack=0x7fffffffdb60, func=<function at remote 0x1210c08>) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4184
#24 call_function (oparg=<optimized out>, pp_stack=0x7fffffffdb60) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#25 PyEval_EvalFrameEx (f=f@entry=Frame 0x11e9940, for file /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 169, in execute (self=<ReplicaPrepare(subject_base=<DN(rdns=[<RDN(avas=[<AVA(_value_unicode=u'NWRA.COM', _attr_unicode=u'O') at remote 0x1ae6cd0>]) at remote 0x1b0f1d0>]) at remote 0x1b0f790>, log=<Logger(name='ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare', parent=<Logger(name='ipa', parent=<RootLogger(name='root', parent=None, handlers=[], level=30, disabled=0, propagate=1, filters=[]) at remote 0x905150>, handlers=[<StreamHandler(stream=<file at remote 0x7ffff7fc61e0>, level=20, lock=<_RLock(_Verbose__verbose=False, _RLock__owner=None, _RLock__block=<thread.lock at remote 0x7ffff7f6cb10>, _RLock__count=0) at remote 0x1205750>, _name='console', filters=[], formatter=<Formatter(datefmt='%Y-%m-%dT%H:%M:%SZ', _fmt='%(message)s', converter=<built-in function gmtime>) at remote 0x1205790>) at remote 0x9056d0>], level=20, disabled=0, manager=<Manager(emittedNoHandlerWarning=0, disable=0, root=<...>, loggerDict={'ipa...(truncated), throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#26 0x00007ffff7af5930 in fast_function (nk=<optimized out>, na=1, n=1, pp_stack=0x7fffffffdcc0, func=<function at remote 0x10716e0>) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4184
#27 call_function (oparg=<optimized out>, pp_stack=0x7fffffffdcc0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#28 PyEval_EvalFrameEx (f=f@entry=Frame 0x7ae590, for file /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 148, in main (cls=<type at remote 0x874070>, argv=['/usr/sbin/ipa-replica-prepare', 'ipa1.nwra.com', '--dirsrv_pkcs12=nwra.com.p12', '--dirsrv_pin=', '--http_pkcs12=nwra.com.p12', '--http_pin='], options=<Values(http_cert_files=['nwra.com.p12'], wait_for_dns=True, verbose=False, ip_addresses=[], setup_pkinit=False, http_pin='ipa', quiet=False, log_file=None, dirsrv_cert_name=None, http_cert_name=None, dirsrv_cert_files=['nwra.com.p12'], ca_file='/root/cacert.p12', no_reverse=False, dirsrv_pin='ipa', password=None, pkinit_pin=False, pkinit_cert_files=False, reverse_zones=[]) at remote 0x1213128>, args=['ipa1.nwra.com'], command_class=<type at remote 0x874070>, command=<ReplicaPrepare(subject_base=<DN(rdns=[<RDN(avas=[<AVA(_value_unicode=u'NWRA.COM', _attr_unicode=u'O') at remote 0x1ae6cd0>]) at remote 0x1b0f1d0>]) at remote 0x1b0f790>, log=<Logger(name='ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare', parent=...(truncated), throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#29 0x00007ffff7af5930 in fast_function (nk=<optimized out>, na=2, n=2, pp_stack=0x7fffffffde20, func=<function at remote 0x1071578>) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4184
#30 call_function (oparg=<optimized out>, pp_stack=0x7fffffffde20) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#31 PyEval_EvalFrameEx (f=f@entry=Frame 0x10eca70, for file /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 124, in run_cli (cls=<type at remote 0x874070>), throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#32 0x00007ffff7af5930 in fast_function (nk=<optimized out>, na=1, n=1, pp_stack=0x7fffffffdf80, func=<function at remote 0x1071500>) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4184
#33 call_function (oparg=<optimized out>, pp_stack=0x7fffffffdf80) at /usr/src/debug/Python-2.7.5/Python/ceval.c:4119
#34 PyEval_EvalFrameEx (f=f@entry=Frame 0x6b8760, for file /usr/sbin/ipa-replica-prepare, line 23, in <module> (), throwflag=throwflag@entry=0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:2740
#35 0x00007ffff7af718d in PyEval_EvalCodeEx (co=co@entry=0x7ffff7f2edb0, globals=globals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}, locals=locals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}, args=args@entry=0x0, argcount=argcount@entry=0, kws=kws@entry=0x0, kwcount=kwcount@entry=0, defs=defs@entry=0x0, defcount=defcount@entry=0, closure=closure@entry=0x0) at /usr/src/debug/Python-2.7.5/Python/ceval.c:3330
#36 0x00007ffff7af7292 in PyEval_EvalCode (co=co@entry=0x7ffff7f2edb0, globals=globals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}, locals=locals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}) at /usr/src/debug/Python-2.7.5/Python/ceval.c:689
#37 0x00007ffff7b106cf in run_mod (mod=<optimized out>, filename=filename@entry=0x7fffffffe636 "/usr/sbin/ipa-replica-prepare", globals=globals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}, locals=locals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}, flags=flags@entry=0x7fffffffe1e0, arena=arena@entry=0x673c50) at /usr/src/debug/Python-2.7.5/Python/pythonrun.c:1373
#38 0x00007ffff7b1188e in PyRun_FileExFlags (fp=fp@entry=0x6d1500, filename=filename@entry=0x7fffffffe636 "/usr/sbin/ipa-replica-prepare", start=start@entry=257, globals=globals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}, locals=locals@entry={'ReplicaPrepare': <type at remote 0x874070>, '__builtins__': <module at remote 0x7ffff7fabb08>, '__file__': '/usr/sbin/ipa-replica-prepare', '__package__': None, '__name__': '__main__', '__doc__': None}, closeit=closeit@entry=1, flags=flags@entry=0x7fffffffe1e0) at /usr/src/debug/Python-2.7.5/Python/pythonrun.c:1359
#39 0x00007ffff7b12b19 in PyRun_SimpleFileExFlags (fp=fp@entry=0x6d1500, filename=filename@entry=0x7fffffffe636 "/usr/sbin/ipa-replica-prepare", closeit=closeit@entry=1, flags=flags@entry=0x7fffffffe1e0) at /usr/src/debug/Python-2.7.5/Python/pythonrun.c:951
#40 0x00007ffff7b13033 in PyRun_AnyFileExFlags (fp=fp@entry=0x6d1500, filename=filename@entry=0x7fffffffe636 "/usr/sbin/ipa-replica-prepare", closeit=closeit@entry=1, flags=flags@entry=0x7fffffffe1e0) at /usr/src/debug/Python-2.7.5/Python/pythonrun.c:755
#41 0x00007ffff7b23b1f in Py_Main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/Python-2.7.5/Modules/main.c:640
#42 0x00007ffff6d50af5 in __libc_start_main () from /lib64/libc.so.6
#43 0x0000000000400721 in _start ()
Step sequence is:
784         rv = SEC_QuickDERDecodeItem(arena, cert, SEC_SignedCertificateTemplate,
(gdb)
785                                     &cert->derCert);
(gdb)
784         rv = SEC_QuickDERDecodeItem(arena, cert, SEC_SignedCertificateTemplate,
(gdb)
787         if ( rv ) {
(gdb)
862         PORT_FreeArena(arena, PR_FALSE);
So SEC_QuickDERDecodeItem is failing.
(gdb) print *arena
$20 = {first = {next = 0x0, base = 0, limit = 0, avail = 0}, current = 0x0, arenasize = 0, mask = 0}
(gdb) print *cert
$21 = {arena = 0x3b4b8a0, subjectName = 0x0, issuerName = 0x0, signatureWrap = {data = {type = siBuffer, data = 0x35c6b84 "0\202\003\300\240\003\002\001\002\002\020L\252\371\312\333co\340\037\367N\330[\003\206\235\060\r\006\t*\206H\206\367\r\001\001\f\005", len = 964}, signatureAlgorithm = {algorithm = {type = siBuffer, data = 0x35c6f4c "*\206H\206\367\r\001\001\f\005", len = 9}, parameters = {type = siBuffer, data = 0x35c6f55 "\005", len = 2}}, signature = {type = siBuffer, data = 0x35c6f5c "\n\361\325F\204\267\256Q\273l\262MA\024", len = 4096}}, derCert = {type = siBuffer, data = 0x35c6b80 "0\202\005\330\060\202\003\300\240\003\002\001\002\002\020L\252\371\312\333co\340\037\367N\330[\003\206\235\060\r\006\t*\206H\206\367\r\001\001\f\005", len = 2900}, derIssuer = {type = siBuffer, data = 0x35c6bae "0\201\205\061\v0\t\006\003U\004\006\023\002GB1\033\060\031\006\003U\004\b\023\022Greater Manchester1\020\060\016\006\003U\004\a\023\aSalford1\032\060\030\006\003U\004\n\023\021COMODO CA Limited1+0)\006\003U\004\003\023\"COMODO RSA Certification Authority0\036\027\r100119000000Z\027\r380118235959Z0\201\205\061\v0\t\006\003U\004\006\023\002GB1\033\060\031\006\003U\004\b\023\022Great"..., len = 136}, derSubject = {type = siBuffer, data = 0x35c6c56 "0\201\205\061\v0\t\006\003U\004\006\023\002GB1\033\060\031\006\003U\004\b\023\022Greater Manchester1\020\060\016\006\003U\004\a\023\aSalford1\032\060\030\006\003U\004\n\023\021COMODO CA Limited1+0)\006\003U\004\003\023\"COMODO RSA Certification Authority0\202\002\"0\r\006\t*\206H\206\367\r\001\001\001\005", len = 136}, derPublicKey = {type = siBuffer, data = 0x35c6cde "0\202\002\"0\r\006\t*\206H\206\367\r\001\001\001\005", len = 550}, certKey = {type = siBuffer, data = 0x0, len = 0}, version = {type = siBuffer, data = 0x35c6b8c "\002\002\020L\252\371\312\333co\340\037\367N\330[\003\206\235\060\r\006\t*\206H\206\367\r\001\001\f\005", len = 1}, serialNumber = {type = siBuffer, data = 0x35c6b8f "L\252\371\312\333co\340\037\367N\330[\003\206\235\060\r\006\t*\206H\206\367\r\001\001\f\005", len = 16}, signature = {algorithm = {type = siBuffer, data = 0x35c6ba3 "*\206H\206\367\r\001\001\f\005", len = 9}, parameters = {type = siBuffer, data = 0x35c6bac "\005", len = 2}}, issuer = {arena = 0x0, rdns = 0x3d12290}, validity = {arena = 0x0, notBefore = {type = siUTCTime, data = 0x35c6c3a "100119000000Z\027\r380118235959Z0\201\205\061\v0\t\006\003U\004\006\023\002GB1\033\060\031\006\003U\004\b\023\022Greater Manchester1\020\060\016\006\003U\004\a\023\aSalford1\032\060\030\006\003U\004\n\023\021COMODO CA Limited1+0)\006\003U\004\003\023\"COMODO RSA Certification Authority0\202\002\"0\r\006\t*\206H\206\367\r\001\001\001\005", len = 13}, notAfter = {type = siUTCTime, data = 0x35c6c49 "380118235959Z0\201\205\061\v0\t\006\003U\004\006\023\002GB1\033\060\031\006\003U\004\b\023\022Greater Manchester1\020\060\016\006\003U\004\a\023\aSalford1\032\060\030\006\003U\004\n\023\021COMODO CA Limited1+0)\006\003U\004\003\023\"COMODO RSA Certification Authority0\202\002\"0\r\006\t*\206H\206\367\r\001\001\001\005", len = 13}}, subject = {arena = 0x0, rdns = 0x3d12428}, subjectPublicKeyInfo = {arena = 0x0, algorithm = {algorithm = {type = siBuffer, data = 0x35c6ce6 "*\206H\206\367\r\001\001\001\005", len = 9}, parameters = {type = siBuffer, data = 0x35c6cef "\005", len = 2}}, subjectPublicKey = {type = siBuffer, data = 0x35c6cf6 "0\202\002\n\002\202\002\001", len = 4208}}, issuerID = {type = siBuffer, data = 0x0, len = 0}, subjectID = {type = siBuffer, data = 0x0, len = 0}, extensions = 0x3d125c0, emailAddr = 0x0, dbhandle = 0x0, subjectKeyID = {type = siBuffer, data = 0x0, len = 0}, keyIDGenerated = 0, keyUsage = 0, rawKeyUsage = 0, keyUsagePresent = 0, nsCertType = 0, keepSession = 0, timeOK = 0, domainOK = 0x0, isperm = 0, istemp = 0, nickname = 0x0, dbnickname = 0x0, nssCertificate = 0x0, trust = 0x0, referenceCount = 0, subjectList = 0x0, authKeyID = 0x0, isRoot = 0, options = {apointer = 0x0, bits = {hasUnsupportedCriticalExt = 0}}, series = 0, slot = 0x0, pkcs11ID = 0, ownSlot = 0}
After getting my nss-util-debuginfo up to date, it looks like SEC_QuickDERDecodeItem is setting SEC_ERROR_EXTRA_INPUT - apparently because there is "extra" data at the end of the input buffer.
(gdb) print cert->derCert $5 = {type = siBuffer, data = 0x3d0d150 "0\202\005\330\060\202\003\300\240\003\002\001\002\002\020L\252\371\312\333co\340\037\367N\330[\003\206\235\060\r\006\t*\206H\206\367\r\001\001\f\005", len = 2900}
This is the certificate it is choking on:
certutil -L -n 'COMODO RSA Certification Authority - AddTrust AB' -d /etc/ipa/nssdb Certificate: Data: Version: 3 (0x2) Serial Number: 27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22 Signature Algorithm: PKCS #1 SHA-384 With RSA Encryption Issuer: "CN=AddTrust External CA Root,OU=AddTrust External TTP Networ k,O=AddTrust AB,C=SE" Validity: Not Before: Tue May 30 10:48:38 2000 Not After : Sat May 30 10:48:38 2020 Subject: "CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L =Salford,ST=Greater Manchester,C=GB" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: 91:e8:54:92:d2:0a:56:b1:ac:0d:24:dd:c5:cf:44:67: 74:99:2b:37:a3:7d:23:70:00:71:bc:53:df:c4:fa:2a: 12:8f:4b:7f:10:56:bd:9f:70:72:b7:61:7f:c9:4b:0f: 17:a7:3d:e3:b0:04:61:ee:ff:11:97:c7:f4:86:3e:0a: fa:3e:5c:f9:93:e6:34:7a:d9:14:6b:e7:9c:b3:85:a0: 82:7a:76:af:71:90:d7:ec:fd:0d:fa:9c:6c:fa:df:b0: 82:f4:14:7e:f9:be:c4:a6:2f:4f:7f:99:7f:b5:fc:67: 43:72:bd:0c:00:d6:89:eb:6b:2c:d3:ed:8f:98:1c:14: ab:7e:e5:e3:6e:fc:d8:a8:e4:92:24:da:43:6b:62:b8: 55:fd:ea:c1:bc:6c:b6:8b:f3:0e:8d:9a:e4:9b:6c:69: 99:f8:78:48:30:45:d5:ad:e1:0d:3c:45:60:fc:32:96: 51:27:bc:67:c3:ca:2e:b6:6b:ea:46:c7:c7:20:a0:b1: 1f:65:de:48:08:ba:a4:4e:a9:f2:83:46:37:84:eb:e8: cc:81:48:43:67:4e:72:2a:9b:5c:bd:4c:1b:28:8a:5c: 22:7b:b4:ab:98:d9:ee:e0:51:83:c3:09:46:4e:6d:3e: 99:fa:95:17:da:7c:33:57:41:3c:8d:51:ed:0b:b6:5c: af:2c:63:1a:df:57:c8:3f:bc:e9:5d:c4:9b:af:45:99: e2:a3:5a:24:b4:ba:a9:56:3d:cf:6f:aa:ff:49:58:be: f0:a8:ff:f4:b8:ad:e9:37:fb:ba:b8:f4:0b:3a:f9:e8: 43:42:1e:89:d8:84:cb:13:f1:d9:bb:e1:89:60:b8:8c: 28:56:ac:14:1d:9c:0a:e7:71:eb:cf:0e:dd:3d:a9:96: a1:48:bd:3c:f7:af:b5:0d:22:4c:c0:11:81:ec:56:3b: f6:d3:a2:e2:5b:b7:b2:04:22:52:95:80:93:69:e8:8e: 4c:65:f1:91:03:2d:70:74:02:ea:8b:67:15:29:69:52: 02:bb:d7:df:50:6a:55:46:bf:a0:a3:28:61:7f:70:d0: c3:a2:aa:2c:21:aa:47:ce:28:9c:06:45:76:bf:82:18: 27:b4:d5:ae:b4:cb:50:e6:6b:f4:4c:86:71:30:e9:a6: df:16:86:e0:d8:ff:40:dd:fb:d0:42:88:7f:a3:33:3a: 
2e:5c:1e:41:11:81:63:ce:18:71:6b:2b:ec:a6:8a:b7: 31:5c:3a:6a:47:e0:c3:79:59:d6:20:1a:af:f2:6a:98: aa:72:bc:57:4a:d2:4b:9d:bb:10:fc:b0:4c:41:e5:ed: 1d:3d:5e:28:9d:9c:cc:bf:b3:51:da:a7:47:e5:84:53 Exponent: 65537 (0x10001) Signed Extensions: Name: Certificate Authority Key Identifier Key ID: ad:bd:98:7a:34:b4:26:f7:fa:c4:26:54:ef:03:bd:e0: 24:cb:54:1a Name: Certificate Subject Key ID Data: bb:af:7e:02:3d:fa:a6:f1:3c:84:8e:ad:ee:38:98:ec: d9:32:32:d4 Name: Certificate Key Usage Critical: True Usages: Digital Signature Certificate Signing CRL Signing Name: Certificate Basic Constraints Critical: True Data: Is a CA with no maximum path length. Name: Certificate Policies Data: Policy Name: Certificate Policies AnyPolicy Name: CRL Distribution Points Distribution point: URI: "http://crl.usertrust.com/AddTrustExternalCARoot.crl" Name: Authority Information Access Method: PKIX Online Certificate Status Protocol Location: URI: "http://ocsp.usertrust.com" Signature Algorithm: PKCS #1 SHA-384 With RSA Encryption Signature: 64:bf:83:f1:5f:9a:85:d0:cd:b8:a1:29:57:0d:e8:5a: f7:d1:e9:3e:f2:76:04:6e:f1:52:70:bb:1e:3c:ff:4d: 0d:74:6a:cc:81:82:25:d3:c3:a0:2a:5d:4c:f5:ba:8b: a1:6d:c4:54:09:75:c7:e3:27:0e:5d:84:79:37:40:13: 77:f5:b4:ac:1c:d0:3b:ab:17:12:d6:ef:34:18:7e:2b: e9:79:d3:ab:57:45:0c:af:28:fa:d0:db:e5:50:95:88: bb:df:85:57:69:7d:92:d8:52:ca:73:81:bf:1c:f3:e6: b8:6e:66:11:05:b3:1e:94:2d:7f:91:95:92:59:f1:4c: ce:a3:91:71:4c:7c:47:0c:3b:0b:19:f6:a1:b1:6c:86: 3e:5c:aa:c4:2e:82:cb:f9:07:96:ba:48:4d:90:f2:94: c8:a9:73:a2:eb:06:7b:23:9d:de:a2:f3:4d:55:9f:7a: 61:45:98:18:68:c7:5e:40:6b:23:f5:79:7a:ef:8c:b5: 6b:8b:b7:6f:46:f4:7b:f1:3d:4b:04:d8:93:80:59:5a: e0:41:24:1d:b2:8f:15:60:58:47:db:ef:6e:46:fd:15: f5:d9:5f:9a:b3:db:d8:b8:e4:40:b3:cd:97:39:ae:85: bb:1d:8e:bc:dc:87:9b:d1:a6:ef:f1:3b:6f:10:38:6f Fingerprint (SHA-256): 4F:32:D5:DC:00:F7:15:25:0A:BC:C4:86:51:1E:37:F5:01:A8:99:DE:B3:BF:7E:A8:AD:BB:D3:AE:F1:C4:12:DA Fingerprint (SHA1): 
F5:AD:0B:CC:1A:D5:6C:D1:50:72:5B:1C:86:6C:30:AD:92:EF:21:B0 Certificate Trust Flags: SSL Flags: Email Flags: Object Signing Flags:
After some more debugging, it looks like ipa-replica-prepare is first opening the nwra.com.p12 file I give it, then also importing the /etc/ipa/ca.crt file which contains all three certs in the root chain. After it does this the nssdb has a duplicate entry for 'COMODO RSA Certification Authority - AddTrust AB':
Certificate Nickname                                                Trust Attributes
                                                                    SSL,S/MIME,JAR/XPI

AddTrust External CA Root - AddTrust AB                             ,,
COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited   ,,
*.nwra.com                                                          u,u,u
COMODO RSA Certification Authority - AddTrust AB                    ,,
COMODO RSA Certification Authority - AddTrust AB                    ,,
So then I tried an install with the pk12 file only containing the server cert and the root-ca-file containing all of the chain certs, but I still end up with duplicate certs after importing /etc/ipa/ca.crt:
Certificate Nickname                                                Trust Attributes
                                                                    SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB   ,,
*.nwra.com - COMODO CA Limited                                      u,u,u
CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB              ,,
CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB              ,,
It looks like in ipapython/certdb.py:import_files() you first load the PEM entries directly from the file, AND add them to extracted_certs:
try:
    x509.load_certificate(match.group(2))
except NSPRError as e:
    if label != 'CERTIFICATE':
        root_logger.warning(
            "Skipping certificate in %s at line %s: %s",
            filename, line, e)
        continue
else:
    extracted_certs += body + '\n'
    loaded = True
    continue
Then later call:
nss_certs = x509.load_certificate_list(extracted_certs)
Which again loads all of the certs in ca.crt that were stuffed into extracted_certs. Why you are loading the certificates twice, and why this results in duplicate certs in the nssdb, I really don't know. But then when that certificate is extracted, it has two certs in it, which I suspect is the trigger for the EXTRA_INPUT error.
No, not quite right. They aren't added to the nssdb until:
for nss_cert in nss_certs:
    nickname = str(nss_cert.subject)
    sys.stderr.write('adding = <%s>\n' % nickname)
    self.add_cert(nss_cert.der_data, nickname, ',,')
Added debug line reveals:
adding = <CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB>
adding = <CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB>
adding = <CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB>
Subjects shouldn't be the same:
# certutil -L -n 'AddTrust External CA Root - AddTrust AB' -d tmpdb | grep -F Subject:
        Subject: "CN=AddTrust External CA Root,OU=AddTrust External TTP Netwo
# certutil -L -n 'COMODO RSA Certification Authority - AddTrust AB' -d tmpdb | grep -F Subject:
        Subject: "CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L
It looks like /etc/ipa/ca.crt is ending up with the duplicated/funny named certs somehow.
If I run 'ipa-certupdate' it writes out a correct /etc/ipa/ca.crt file with the three root-CA chain certs. But whatever writes out the initial /etc/ipa/ca.crt file (can't figure that out) is creating a bad file.
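As an added illustration, not code from this ticket or from FreeIPA, the following checker looks at a PEM bundle such as /etc/ipa/ca.crt for the two symptoms discussed above: bytes left over after the outer DER SEQUENCE (the condition SEC_QuickDERDecodeItem reports as SEC_ERROR_EXTRA_INPUT when the whole buffer is handed over as one certificate) and the same DER appearing twice, which is what ends up added to the nssdb a second time under the same nickname. The sample bundle is constructed from minimal DER SEQUENCEs standing in for certificates, not real X.509 data; the function and file names are this example's own.

```python
"""Added example (not from the ticket or from FreeIPA): sanity-check a PEM CA
bundle such as /etc/ipa/ca.crt for trailing DER bytes and duplicate entries."""
import base64
import hashlib
import re

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def tlv(tag, content):
    """Encode one DER TLV, using the long length form above 127 bytes."""
    n = len(content)
    if n < 0x80:
        header = bytes([tag, n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([tag, 0x80 | len(length_bytes)]) + length_bytes
    return header + content


def outer_sequence_size(der):
    """Size in bytes of the outermost DER SEQUENCE that starts at der[0]."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        header_len, content_len = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        header_len = 2 + n
        content_len = int.from_bytes(der[2:2 + n], "big")
    total = header_len + content_len
    if total > len(der):
        raise ValueError("truncated DER")
    return total


def extra_input_bytes(der):
    """Bytes left after the outer SEQUENCE; nonzero is what NSS rejects as
    SEC_ERROR_EXTRA_INPUT when the buffer is decoded as one certificate."""
    return len(der) - outer_sequence_size(der)


def split_pem_bundle(text):
    """Decode every CERTIFICATE block of a PEM bundle to DER (newlines inside
    the base64 body are ignored by b64decode)."""
    return [base64.b64decode(m.group(1)) for m in PEM_CERT_RE.finditer(text)]


def check_bundle(text):
    """Return one (index, sha256_hex, extra_bytes, first_index_of_same_der)
    tuple per certificate; a non-None last element means this exact DER was
    already present earlier in the bundle."""
    first_seen = {}
    report = []
    for i, der in enumerate(split_pem_bundle(text)):
        digest = hashlib.sha256(der).hexdigest()
        report.append((i, digest, extra_input_bytes(der), first_seen.get(digest)))
        first_seen.setdefault(digest, i)
    return report


def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample (not real certificates): CERT_B is CERT_A with two stray
# bytes appended, and CERT_A is listed twice, mirroring the duplicated entry
# seen in /etc/ipa/ca.crt above.
CERT_A = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"A" * 200))
CERT_B = CERT_A + b"\x00\x00"
SAMPLE_BUNDLE = to_pem(CERT_A) + to_pem(CERT_B) + to_pem(CERT_A)

if __name__ == "__main__":
    for idx, digest, extra, dup_of in check_bundle(SAMPLE_BUNDLE):
        flags = []
        if extra:
            flags.append("%d trailing byte(s) -> SEC_ERROR_EXTRA_INPUT" % extra)
        if dup_of is not None:
            flags.append("duplicate of entry %d" % dup_of)
        print("cert %d %s %s" % (idx, digest[:16], "; ".join(flags) or "ok"))
```

On a real server you would pass the contents of /etc/ipa/ca.crt to check_bundle() before running ipa-replica-prepare; a duplicate flagged here is the entry that shows up twice in `certutil -L -d /etc/ipa/nssdb`, and a nonzero trailing-byte count is the buffer NSS refuses to decode.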
Fixing #4322 and/or further refactoring is needed.
I experience the same issue on the latest FreeIPA 4.2.0 on CentOS 7.2. Due to this no replica can be created, which is pretty bad. Is there any workaround I missed in the comments above?
orion, do I understand comments 15 and 16 correctly that running ipa-certupdate on IPA server fixed your issue in a way that ipa-replica-prepare run correctly and so replica could be installed?
ipa-certupdate
I can confirm that running ipa-certupdate helps and everything works fine then.
Replying to [comment:20 pvoborni]:
Yes
I've hit the same issue on FreeIPA 4.2/Centos 7.2.
ipa-4-2:
ipa-4-3:
master:
fixed together with #5720, moving to 4.2.4
Metadata Update from @orion:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.4