#7677 HSM: ipa ca-add fails with error in ipa-pki-retrieve-key
Opened 11 months ago by cheimes. Modified 11 months ago

Issue

The ipa-pki-retrieve-key helper does not yet know how to handle a Dogtag installation with HSM.

Steps to Reproduce

  1. Install Dogtag with NitroHSM integration (requires additional patches and configuration)
  2. ipa ca-add

Actual behavior

Command fails:

# ipa ca-add --subject="CN=testca1" testca1
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500

Dogtag debug logs:

2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority: size: 911 bytes
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority: subject DN: CN=Certificate Authority,O=HSM.EXAMPLE
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority: issuer DN: CN=Certificate Authority,O=HSM.EXAMPLE
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CA SigningUnit.init(ca, ca.signing, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a)
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: Setting ca.signing.newNickname=UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: SigningUnit: Loading certificate UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: SigningUnit: Unable to find certificate UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] WARNING: CA signing key and cert not (yet) present in NSSDB
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: Starting KeyRetrieverRunner thread
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: CertificateAuthority init: initRequestQueue
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: In LdapBoundConnFactory::getConn()
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: masterConn is connected: true
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: getConn: conn is connected true
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: getConn: mNumConns now 1
2018-08-22 11:51:37 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Running ExternalProcessKeyRetriever
2018-08-22 11:51:37 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a, master.hsm.example]
...
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Failed to retrieve key from any host.
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] WARNING: KeyRetriever did not return a result.
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Retrying in 10 seconds
2018-08-22 11:51:51 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Running ExternalProcessKeyRetriever
2018-08-22 11:51:51 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a, master.hsm.example]
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Failed to retrieve key from any host.
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] WARNING: KeyRetriever did not return a result.
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Retrying in 15 seconds
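The debug log above contains the three facts a triager needs: the nickname Dogtag stores for the new sub-CA carries the HSM token prefix twice, the lightweight-CA key retriever hands a token-qualified nickname to /usr/libexec/ipa/ipa-pki-retrieve-key, and the retriever then loops with a growing backoff. The following script is an added illustration, not code from the ticket, FreeIPA or Dogtag: it parses a constructed copy of those log lines and flags each of the three conditions. It assumes the NSS convention that a token-qualified nickname has the form "token:nickname" and splits on the first colon, and that the certificate nickname itself contains no colon.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a trimmed copy of the Dogtag debug lines quoted in the ticket.
SAMPLE_LOG = """\
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] FINE: Setting ca.signing.newNickname=UserPIN (SmartCard-HSM):UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a
2018-08-22 11:51:37 [ajp-nio-127.0.0.1-8009-exec-2] WARNING: CA signing key and cert not (yet) present in NSSDB
2018-08-22 11:51:37 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: About to execute command: [/usr/libexec/ipa/ipa-pki-retrieve-key, UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca 89e791bd-6c31-43c8-ba5c-8c63860e374a, master.hsm.example]
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] WARNING: KeyRetriever did not return a result.
2018-08-22 11:51:41 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Retrying in 10 seconds
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] WARNING: KeyRetriever did not return a result.
2018-08-22 11:51:55 [KeyRetrieverRunner-89e791bd-6c31-43c8-ba5c-8c63860e374a] FINE: Retrying in 15 seconds
"""

# One Dogtag debug line: "<date> <time> [<thread>] <LEVEL>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] (?P<level>\w+): (?P<msg>.*)$")
NICK_RE = re.compile(r"Setting ca\.signing\.newNickname=(?P<nick>.*)$")
CMD_RE = re.compile(r"About to execute command: \[(?P<args>.*)\]$")
RETRY_RE = re.compile(r"Retrying in (?P<secs>\d+) seconds")


def split_token_nickname(full: str) -> tuple[Optional[str], str]:
    """Split an NSS nickname into (token, nickname).

    Assumption: the form is "token:nickname", split on the FIRST colon, and the
    bare nickname contains no colon. A name without a colon lives in the
    internal softoken, so the token part is None.
    """
    token, sep, nick = full.partition(":")
    if not sep:
        return None, full
    return token, nick


def is_double_prefixed(full: str) -> bool:
    """True when the token prefix was applied twice ("T:T:nick"), as in the ticket's log."""
    token, nick = split_token_nickname(full)
    return token is not None and nick.startswith(token + ":")


@dataclass
class Findings:
    new_nicknames: list[str] = field(default_factory=list)
    retrieve_cmds: list[list[str]] = field(default_factory=list)  # [helper, nickname, host]
    failures: int = 0
    retry_delays: list[int] = field(default_factory=list)


def analyse(log_text: str) -> Findings:
    """Extract nickname assignments, retriever invocations and retry behaviour from debug output."""
    f = Findings()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if (n := NICK_RE.search(msg)):
            f.new_nicknames.append(n["nick"])
        elif (c := CMD_RE.search(msg)):
            # Java prints the argv list as "[a, b, c]"; none of these arguments contains a comma.
            f.retrieve_cmds.append([a.strip() for a in c["args"].split(", ")])
        elif "KeyRetriever did not return a result" in msg:
            f.failures += 1
        elif (r := RETRY_RE.search(msg)):
            f.retry_delays.append(int(r["secs"]))
    return f


def diagnose(f: Findings) -> list[str]:
    """Turn findings into human-readable problems; an empty list means nothing suspicious."""
    problems = []
    for nick in f.new_nicknames:
        if is_double_prefixed(nick):
            problems.append(f"token prefix applied twice in stored nickname: {nick}")
    for helper, nick, host in f.retrieve_cmds:
        token, _ = split_token_nickname(nick)
        if token is not None:
            problems.append(f"{helper} invoked with HSM token-qualified nickname (token={token!r}) against {host}")
    if f.failures and f.retry_delays:
        problems.append(f"key retrieval failed {f.failures} times; backoff schedule {f.retry_delays} seconds")
    return problems


if __name__ == "__main__":
    for line in diagnose(analyse(SAMPLE_LOG)):
        print(line)
```

Run against the sample it reports all three conditions; run against a clean debug log it prints nothing, which makes it usable as a quick post-install check on a replica whose sub-CA keys must be fetched from a master.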
