#7677 HSM: ipa ca-add fails with error in ipa-pki-retrieve-key
Opened 5 years ago by cheimes. Modified 2 years ago

Issue

The ipa-pki-retrieve-key helper does not yet know how to handle a Dogtag installation with HSM.

Steps to Reproduce

  1. Install Dogtag with NitroHSM integration (requires additional patches and configuration)
  2. ipa ca-add

Actual behavior

Command fails:

# ipa ca-add --subject="CN=testca1" testca1
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500

Dogtag debug logs:

2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority: size: 911 bytes
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority: subject DN: CN=Certificate Authority,O=HSM.EXAMPLE
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority: issuer DN: CN=Certificate Authority,O=HSM.EXAMPLE
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CA SigningUnit.init(ca, ca.signing, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a)
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: Setting ca.signing.newNickname=UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: SigningUnit: Loading certificate UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: SigningUnit: Unable to find certificate UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] WARNING: CA signing key and cert not (yet) present in NSSDB
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: Starting KeyRetrieverRunner thread
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority init: initRequestQueue
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: In LdapBoundConnFactory::getConn()
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: masterConn is connected: true
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: getConn: conn is connected true
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: getConn: mNumConns now 1
2018-08-22 11:51:37 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Running ExternalProcessKeyRetriever
2018-08-22 11:51:37 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a, master.hsm.example]
...
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Failed to retrieve key from any host.
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] WARNING: KeyRetriever did not return a result.
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Retrying in 10 seconds
2018-08-22 11:51:51 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Running ExternalProcessKeyRetriever
2018-08-22 11:51:51 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a, master.hsm.example]
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Failed to retrieve key from any host.
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] WARNING: KeyRetriever did not return a result.
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Retrying in 15 seconds

master:

  • 17c2e31 Don't move keys when key backup is disabled

ipa-4-8:

  • f6c2a9d Don't move keys when key backup is disabled

Metadata Update from @rcritten:
- Issue tagged with: hsm

2 years ago

I think a lot has changed in the interim. The ca-add is successful but does not store the subca onto the HSM device. The NSS naming suggests that it may have tried to do the right thing. From the certutil output:

NSS Certificate DB:softhsm_token:caSigningCert cert-pki-ca c2c8a21b-21d7-4919-8ba2-9316b6ca61a5 u,u,u

The HSM (softhsm2) has no orphaned keys.

Based on the pki log I think that the token is being added to the nickname:

2022-08-29 19:27:08 [KeyRetrieverRunner-c2c8a21b-21d7-4919-8ba2-9316b6ca61a5] INFO: ExternalProcessKeyRetriever: Retrieving softhsm_token:caSigningCert cert-pki-ca c2c8a21b-21d7-4919-8ba2-9316b6ca61a5 ke
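Both symptoms on this ticket come down to how a token-qualified NSS nickname is handled: the 2018 Dogtag log shows ca.signing.newNickname with the token prefix applied twice ("UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert ..."), and the 2022 certutil line shows a certificate sitting in the internal NSS DB under a name that still carries "softhsm_token:". The following is an added example, not FreeIPA or Dogtag code, that models the handling: it splits a nickname on the first ":" (the NSS "token:nickname" convention), collapses a repeated copy of the same token prefix instead of treating it as a nested token, qualifies a nickname without doubling the prefix, and scans certutil -L style output for a CA cert that landed on the wrong token. The function names, the helper path taken from the log, and the sample certutil lines (built from the one quoted above) are constructed for the example.

```python
"""Token-qualified NSS nickname handling (added example, not FreeIPA/Dogtag code)."""
from __future__ import annotations

from typing import NamedTuple, Optional

# NSS's own name for the internal software token; certificates on it are
# normally referred to without a prefix.
INTERNAL_TOKEN = "NSS Certificate DB"

# Constructed sample in `certutil -L` layout: nickname, whitespace, trust flags.
# The last entry reproduces the line quoted in the comment above.
CERTUTIL_SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
softhsm_token:caSigningCert cert-pki-ca                      CTu,Cu,Cu
NSS Certificate DB:softhsm_token:caSigningCert cert-pki-ca c2c8a21b-21d7-4919-8ba2-9316b6ca61a5 u,u,u
"""


class Nickname(NamedTuple):
    token: Optional[str]   # None means the internal (software) token
    name: str

    def __str__(self) -> str:
        return self.name if self.token is None else f"{self.token}:{self.name}"


def parse_nickname(raw: str) -> Nickname:
    """Split 'token:name' on the first ':' (assumed NSS convention).

    A repeated copy of the same token prefix, as in
    'UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert ...',
    is the result of qualifying an already qualified nickname, not a nested
    token, so it is collapsed.  Any other ':' is left inside the name.
    """
    token: Optional[str] = None
    name = raw
    while ":" in name:
        prefix, rest = name.split(":", 1)
        if token is None:
            token = prefix
        elif prefix != token:
            break
        name = rest
    if token == INTERNAL_TOKEN:
        token = None
    return Nickname(token, name)


def qualify(raw: str, token: Optional[str]) -> str:
    """Return `raw` qualified for `token` without doubling an existing prefix.

    Refuses to silently re-home a nickname that already names another token.
    """
    nick = parse_nickname(raw)
    if token == INTERNAL_TOKEN:
        token = None
    if nick.token is not None and nick.token != token:
        raise ValueError(f"{raw!r} is on token {nick.token!r}, not {token!r}")
    return str(Nickname(token, nick.name))


def retrieve_key_argv(raw_nickname: str, host: str) -> list:
    """argv in the shape the KeyRetrieverRunner log shows (helper path from the
    log); the nickname is normalised first so a doubled prefix never reaches
    the helper.  Hypothetical wrapper, not how Dogtag builds the command."""
    return ["/usr/libexec/ipa/ipa-pki-retrieve-key", str(parse_nickname(raw_nickname)), host]


def misplaced_certs(certutil_lines: list, hsm_tokens: set) -> list:
    """Report certs that are NOT on an HSM token but whose name still starts
    with an HSM token prefix, i.e. the token was stored as part of the name
    instead of selecting the slot.  Header and blank lines are skipped."""
    found = []
    for line in certutil_lines:
        parts = line.strip().rsplit(None, 1)
        if len(parts) != 2 or "," not in parts[1]:
            continue   # not a '<nickname> <trust flags>' entry
        nick = parse_nickname(parts[0])
        if nick.token in hsm_tokens:
            continue   # lives on the HSM as intended
        if nick.name.split(":", 1)[0] in hsm_tokens:
            found.append(nick)
    return found


if __name__ == "__main__":
    doubled = ("UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):"
               "caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a")
    print(parse_nickname(doubled))
    print(retrieve_key_argv(doubled, "master.hsm.example"))
    for nick in misplaced_certs(CERTUTIL_SAMPLE.splitlines(), {"softhsm_token"}):
        print("misplaced:", nick)
```

The collapse rule is deliberately narrow: only an immediately repeated, identical token prefix is dropped, so a nickname that genuinely contains a colon is preserved and a nickname that names a different token is reported rather than rewritten.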
