Bug 1346433

Summary: Strange Certificate Error, ipa-server-install ERROR 'b64_cert'
Product: Red Hat Enterprise Linux 7
Reporter: J. M. Becker <j.becker>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED DUPLICATE
QA Contact: Kaleem <ksiddiqu>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.4
CC: aakkiang, edewata, ftweedal, mharmsen, nkinder, pvoborni, rcritten
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-22 09:07:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments (description, flags):
  ipaserver-install.log (none)
  pki-ca-spawn.20160614152851.log (none)
  localhost.2016-06-14.log (none)
  catalina.2016-06-14.log (none)
  debug (none)

Description J. M. Becker 2016-06-14 19:44:39 UTC
Created attachment 1167955 [details]
ipaserver-install.log

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/28]: creating certificate server user
  [2/28]: configuring certificate server instance
  [3/28]: stopping certificate server instance to update CS.cfg
  [4/28]: backing up CS.cfg
  [5/28]: disabling nonces
  [6/28]: set up CRL publishing
  [7/28]: enable PKIX certificate path discovery and validation
  [8/28]: starting certificate server instance
  [9/28]: creating RA agent certificate database
  [10/28]: importing CA chain to RA certificate database
  [11/28]: fixing RA database permissions
  [12/28]: setting up signing cert profile
  [13/28]: setting audit signing renewal to 2 years
  [14/28]: restarting certificate server
  [15/28]: requesting RA certificate from CA
  [16/28]: issuing RA agent certificate
  [error] KeyError: 'b64_cert'
ipa.ipapython.install.cli.install_tool(Server): ERROR    'b64_cert'


Post CSR generation, not sure how to proceed. Very unhappy about this not being a more modular installation, as minor common problems demand a full uninstall and reinstall, which then requires a re-sign every time, dramatically increasing troubleshooting time.

Comment 1 J. M. Becker 2016-06-14 19:46:04 UTC
IPA packages are from RHEL 7 repository, versioned 4.2.0-15 el7_2.15

Comment 2 Rob Crittenden 2016-06-14 19:53:09 UTC
Look at the log files in /var/lib/pki/pki-tomcat/logs/. The CA failed to issue the agent certificate (it threw java.lang.NullPointerException).

Comment 3 J. M. Becker 2016-06-14 20:01:43 UTC
Created attachment 1167958 [details]
pki-ca-spawn.20160614152851.log

Comment 4 J. M. Becker 2016-06-14 20:02:11 UTC
Created attachment 1167959 [details]
localhost.2016-06-14.log

Comment 5 J. M. Becker 2016-06-14 20:03:21 UTC
Created attachment 1167960 [details]
catalina.2016-06-14.log

Comment 7 J. M. Becker 2016-06-14 20:06:16 UTC
Created attachment 1167961 [details]
debug

Comment 8 J. M. Becker 2016-06-14 20:14:22 UTC
(In reply to Rob Crittenden from comment #2)
> Look at the log files in /var/lib/pki/pki-tomcat/logs/. The CA failed to
> issue the agent certificate (it threw java.lang.NullPointerException).

I was unable to identify anything of significance, please let me know if more logs would be helpful.

Comment 9 J. M. Becker 2016-06-14 20:34:45 UTC
The error appears to be related to the DNs in some manner; I was able to at least pass the CA installation section by not adding this option when installing.


--subject 'C=US,ST=Ohio,O=AmTrust North America\, Inc.,OU=Servers,OU=Infrastructure,OU=IT'

Even when I used no external CA to sign, it still resulted in the error when I used that option.

I'm now attempting to install using no subject, signing it anyway, and hoping that somehow it works anyway.

Comment 10 Rob Crittenden 2016-06-14 20:42:52 UTC
I came to the same conclusion about the subject.

From the debug log:

[14/Jun/2016:15:30:07][http-bio-8443-exec-5]: java.io.IOException: Unknown AVA keyword 'INC.,ST'.

CCing a CA developer to see if he knows if this is a dogtag issue, an IPA issue or perhaps no escaping is needed.

Comment 11 Endi Sukma Dewata 2016-06-15 02:40:54 UTC
It looks like, while processing the subject DN, the attribute order is reversed and it is then parsed incorrectly: the comma in the O attribute causes 'INC.,ST' to be considered an LDAP attribute, which is invalid.

Could you try again without the comma in the O attribute to confirm the problem?

Please reassign the bug to pki-core. Thanks.
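
An added example (not code from the bug report, FreeIPA or Dogtag) that reproduces the failure mode described in comments 10 and 11 with the subject DN from comment 9: the DN is parsed into attribute/value pairs (the backslash-escaped comma becomes a plain comma inside the O value), the RDN order is reversed, and the result is serialised back to a string and parsed again. The page does not show where Dogtag loses the escape, so the lossy serialiser below is an assumption about the mechanism; the parser, the function names and the use of the comma-free DN from comment 12 are mine. Note that the option in comment 9 is single-quoted, so the backslash reaches the installer as part of the string.

```python
"""Reproduce why a backslash-escaped comma in a subject DN value can turn
into "Unknown AVA keyword 'INC.,ST'" once the RDN order is reversed.

Added example, not FreeIPA or Dogtag code.  The DN strings are the ones
posted in comments 9 and 12; the parser, the lossy serialiser and all
function names are constructed for illustration."""
import re

# --subject from comment 9 (single-quoted in the shell, so the backslash
# survives) and the working one from comment 12.
SUBJECT = r"C=US,ST=Ohio,O=AmTrust North America\, Inc.,OU=Servers,OU=Infrastructure,OU=IT"
SUBJECT_FIXED = "C=US,ST=Ohio,O=AmTrust North America Inc.,OU=Servers,OU=Infrastructure,OU=IT"

# An attribute type is a short name ("OU") or a numeric OID ("2.5.4.11").
_TYPE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")


def _read_until(s, i, stop):
    """Collect s[i:] up to the first unescaped `stop` character.  A backslash
    escapes the character after it (RFC 4514 section 3), so '\\,' is taken
    as a literal comma.  Returns (text, index after stop, stop was found)."""
    out = []
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
            continue
        if c == stop:
            return "".join(out), i + 1, True
        out.append(c)
        i += 1
    return "".join(out), i, False


def parse_dn(dn):
    """Return [(TYPE, value), ...] for a DN string.  The type is everything
    up to the next unescaped '=', the value everything up to the next
    unescaped ','.  A type that is not a keyword or OID is rejected with
    the wording of the Dogtag log line quoted in comment 10."""
    avas = []
    i = 0
    while i < len(dn):
        key, i, found = _read_until(dn, i, "=")
        key = key.strip()
        if not found or not _TYPE_RE.match(key):
            raise ValueError("Unknown AVA keyword '%s'" % key.upper())
        value, i, _ = _read_until(dn, i, ",")
        avas.append((key.upper(), value.strip()))
    return avas


def escape_value(value):
    """Re-escape a value for string form (RFC 4514 section 2.4)."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def to_string(avas, escape=True):
    """Join pairs back into a DN string.  escape=False models the assumed
    lossy path: values that were unescaped during parsing go back verbatim,
    so a comma inside a value turns into an RDN separator."""
    return ",".join("%s=%s" % (k, escape_value(v) if escape else v) for k, v in avas)


def reverse_dn(dn, escape=True):
    """The reorder step comment 11 describes: parse, reverse, serialise."""
    return to_string(list(reversed(parse_dn(dn))), escape)


def reverse_and_reparse(dn, escape=True):
    """Attribute types seen when the reversed DN is parsed again, or the
    parser's error message when it no longer parses."""
    try:
        return [k for k, _ in parse_dn(reverse_dn(dn, escape))]
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print("lossy  :", reverse_dn(SUBJECT, escape=False))
    print("        ", reverse_and_reparse(SUBJECT, escape=False))
    print("escaped:", reverse_dn(SUBJECT))
    print("        ", reverse_and_reparse(SUBJECT))
    print("no comma (comment 12):", reverse_and_reparse(SUBJECT_FIXED, escape=False))
```

With the lossy serialiser the reversed string reads `...,O=AmTrust North America, Inc.,ST=Ohio,C=US`, and the parser takes ` Inc.,ST` as the next attribute type, which is exactly the token in the log line. Re-escaping the value on serialisation (`escape=True`) keeps `\,` attached to the right comma, and the DN without a comma (comment 12) survives either path, which is why dropping the comma worked around the bug.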

Comment 12 J. M. Becker 2016-06-15 18:56:46 UTC
I can confirm that the comma was the problem with the subject alternate. The installation worked as expected for this section using:

--subject 'C=US,ST=Ohio,O=AmTrust North America Inc.,OU=Servers,OU=Infrastructure,OU=IT'

Comment 13 Matthew Harmsen 2016-06-24 01:32:38 UTC
Per PKI Bug Council of 06/23/2016: RHEL 7.4

Comment 14 Matthew Harmsen 2016-06-24 01:35:54 UTC
Upstream ticket:
https://fedorahosted.org/pki/ticket/2379

Comment 18 Matthew Harmsen 2017-10-25 22:58:02 UTC
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6

Comment 19 Fraser Tweedale 2018-02-22 09:05:45 UTC
Upstream commit: e634316eb7f2aedc65fe528fb572b15e1bdc1eb2

Comment 20 Fraser Tweedale 2018-02-22 09:07:00 UTC

*** This bug has been marked as a duplicate of bug 1541853 ***