The ipa-pki-retrieve-key helper does not yet know how to handle a Dogtag installation with HSM.
ipa-pki-retrieve-key
Command fails:
# ipa ca-add --subject="CN=testca1" testca1
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500
Dogtag debug logs:
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority: size: 911 bytes
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority: subject DN: CN=Certificate Authority,O=HSM.EXAMPLE
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority: issuer DN: CN=Certificate Authority,O=HSM.EXAMPLE
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CA SigningUnit.init(ca, ca.signing, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a)
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: Setting ca.signing.newNickname=UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: SigningUnit: Loading certificate UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: SigningUnit: Unable to find certificate UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] WARNING: CA signing key and cert not (yet) present in NSSDB
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: Starting KeyRetrieverRunner thread
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority init: initRequestQueue
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: In LdapBoundConnFactory::getConn()
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: masterConn is connected: true
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: getConn: conn is connected true
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: getConn: mNumConns now 1
2018-08-22 11:51:37 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Running ExternalProcessKeyRetriever
2018-08-22 11:51:37 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a, master.hsm.example]
...
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Failed to retrieve key from any host.
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] WARNING: KeyRetriever did not return a result.
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Retrying in 10 seconds
2018-08-22 11:51:51 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Running ExternalProcessKeyRetriever
2018-08-22 11:51:51 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a, master.hsm.example]
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Failed to retrieve key from any host.
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] WARNING: KeyRetriever did not return a result.
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Retrying in 15 seconds
Metadata Update from @rcritten:
- Issue tagged with: hsm
I think a lot has changed in the interim. The ca-add is successful but does not store the subca onto the HSM device. The NSS naming suggests that it may have tried to do the right thing. From the certutil output:
NSS Certificate DB:softhsm_token:caSigningCert cert-pki-ca c2c8a21b-21d7-4919-8ba2-9316b6ca61a5 u,u,u
The HSM (softhsm2) has no orphaned keys.
Based on the pki log I think that the token is being added to the nickname:
2022-08-29 19:27:08 [KeyRetrieverRunner-c2c8a21b-21d7-4919-8ba2-9316b6ca61a5] INFO: ExternalProcessKeyRetriever: Retrieving softhsm_token:caSigningCert cert-pki-ca c2c8a21b-21d7-4919-8ba2-9316b6ca61a5 ke
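As an added example (not code from FreeIPA, Dogtag or this ticket), the Python script below parses Dogtag debug lines of the kind quoted in the original report, splits the NSS `token:nickname` strings out of them, and flags two things a defender reviewing such a log wants to see at a glance: a token prefix that has been prepended more than once (the `UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):...` nickname in the 2018 log, and the same token-prefixing that the `softhsm_token:` line above shows), and how many times the key retriever reported failure. It assumes only the NSS convention that a token-qualified nickname has the form `token:nickname` and that a nickname on the internal softoken carries no prefix; the sample log is constructed from the lines in the ticket and is not a fresh capture.

```python
import re

# Constructed sample, modelled on the Dogtag debug log quoted in this ticket
# (not a live capture; the lines are reproduced from the issue text).
SAMPLE_LOG = """\
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CA SigningUnit.init(ca, ca.signing, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a)
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: Setting ca.signing.newNickname=UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: SigningUnit: Loading certificate UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: SigningUnit: Unable to find certificate UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] WARNING: CA signing key and cert not (yet) present in NSSDB
2018-08-22 11:51:37 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a, master.hsm.example]
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Failed to retrieve key from any host.
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Failed to retrieve key from any host.
"""

# Log messages that carry the nickname Dogtag is about to use or look up.
NICK_PATTERNS = re.compile(
    r"(?:newNickname=|Loading certificate |Unable to find certificate )(?P<nick>.+?)\s*$"
)
RETRIEVE_FAIL = "Failed to retrieve key from any host"
NOT_IN_NSSDB = "CA signing key and cert not (yet) present in NSSDB"


def split_nickname(nick):
    """Split an NSS nickname into (token, base_nickname, prefix_count).

    token is None for an un-prefixed nickname (internal softoken). When the
    same token prefix appears several times in a row it is collapsed and the
    number of occurrences returned, so callers can detect the doubled prefix
    seen in the ticket's log.
    """
    if ":" not in nick:
        return None, nick, 0
    token, rest = nick.split(":", 1)
    prefix = token + ":"
    count = 1
    while rest.startswith(prefix):
        rest = rest[len(prefix):]
        count += 1
    return token, rest, count


def normalize_nickname(nick):
    """Return the nickname with exactly one token prefix (or none)."""
    token, base, _ = split_nickname(nick)
    return base if token is None else token + ":" + base


def scan_log(text):
    """Summarise nickname and key-retrieval problems in a Dogtag debug log."""
    findings = {"doubled_prefix": [], "retrieval_failures": 0, "missing_in_nssdb": False}
    seen = set()
    for line in text.splitlines():
        m = NICK_PATTERNS.search(line)
        if m:
            token, base, count = split_nickname(m.group("nick"))
            entry = (token, base, count)
            if count > 1 and entry not in seen:
                seen.add(entry)
                findings["doubled_prefix"].append(entry)
        if RETRIEVE_FAIL in line:
            findings["retrieval_failures"] += 1
        if NOT_IN_NSSDB in line:
            findings["missing_in_nssdb"] = True
    return findings


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for token, base, count in result["doubled_prefix"]:
        print("token %r prepended %d times to %r; normalized: %s"
              % (token, count, base, normalize_nickname(token + ":" + base)))
    print("key retrieval failures:", result["retrieval_failures"])
    print("signing key missing from NSSDB:", result["missing_in_nssdb"])
```

The doubled-prefix check is deliberately done on the nickname string rather than on the NSS database, so it can be run over an archived log from a host you cannot reach; a hit there pairs with the `Unable to find certificate` line that follows in the same log, which is the point at which the CA falls back to the key retriever.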
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)