Bug 1581134
| Field | Value |
|---|---|
| Summary | ECC installation for non CA subsystems needs improvement [rhel-7.5.z] |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Oneata Mircea Teodor <toneata> |
| Component | pki-core |
| Assignee | Jack Magne <jmagne> |
| Status | CLOSED ERRATA |
| QA Contact | Asha Akkiangady <aakkiang> |
| Severity | high |
| Docs Contact | Marc Muehlfeld <mmuehlfe> |
| Priority | high |
| Version | 7.5 |
| CC | akahat, cfu, enewland, gkapoor, jmagne, mharmsen, msauton |
| Target Milestone | rc |
| Keywords | TestCaseProvided, ZStream |
| Hardware | All |
| OS | Linux |
| Fixed In Version | pki-core-10.5.1-12.el7_5 |
| Doc Type | Bug Fix |
| Doc Text | Previously, due to a bug in the Certificate System installation procedure, installing a Key Recovery Authority (KRA) with ECC keys failed. To fix the problem, the installation process has been updated to handle both RSA and ECC subsystems automatically. As a result, installing subsystems with ECC keys no longer fails. |
| Clone Of | 1568615 |
| Last Closed | 2018-06-26 16:47:59 UTC |
| Bug Depends On | 1568615 |
Description
Oneata Mircea Teodor
2018-05-22 08:32:40 UTC
The first step of the subordinate CA ECC install is failing with the following error:

```
pkispawn    : INFO     ....... executing 'certutil -N -d /opt/ECC_SubCA/certs_db -f /opt/ECC_SubCA/ca/password.conf'
pkispawn    : INFO     ....... generating ca_signing CSR in ca_signing_ecc_subca_nontms.csr
pki.nssdb   : DEBUG    Command: openssl rand -out /tmp/tmpN78KVo/noise.bin 2048
pki.nssdb   : DEBUG    Command: certutil -R -d /var/lib/pki/rhcs93-ECC-NonTMS-SubCA-nocp11-aakkiang/alias -h NHSM6000-OCS -f /tmp/tmpRAKzv5/password.txt -s cn=CA Signing Certificate,ou=rhcs93-ECC-NonTMS-SubCA-nocp11-aakkiang,o=Example-ECC-SubCA -o /tmp/tmpN78KVo/request.bin -z /tmp/tmpN78KVo/noise.bin -k ec -q nistp256 -Z SHA256 --keyUsage certSigning,crlSigning,critical,digitalSignature,nonRepudiation -2
pkispawn    : DEBUG    ....... Error Type: Exception
pkispawn    : DEBUG    ....... Error Message: Failed to generate certificate request. RC: 255
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 534, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1039, in spawn
    self.generate_system_cert_requests(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 340, in generate_system_cert_requests
    self.generate_ca_signing_csr(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 164, in generate_ca_signing_csr
    generic_exts=generic_exts
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 115, in generate_csr
    generic_exts=generic_exts)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 417, in create_request
    'Failed to generate certificate request. RC: %d' % rc)

Installation failed: Failed to generate certificate request. RC: 255
```

SubCA's pkispawn config file:

```
[DEFAULT]
pki_instance_name=rhcs93-ECC-NonTMS-SubCA-aakkiang
pki_https_port=31443
pki_http_port=31080
#NSS DB Token Password
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=XXXXXXXX
pki_token_password=XXXXXXXX
pki_audit_signing_key_algorithm=SHA256withEC
pki_audit_signing_key_size=nistp256
pki_audit_signing_key_type=ecc
pki_audit_signing_signing_algorithm=SHA256withEC
pki_audit_signing_token=XXXXXXXX
pki_subsystem_key_algorithm=SHA256withEC
pki_subsystem_key_size=nistp256
pki_subsystem_key_type=ecc
pki_subsystem_signing_algorithm=SHA256withEC
pki_subsystem_token=XXXXXXXX
pki_subsystem_nickname=subsystemCert-NonTMS-SubCA-nocp11-aakkiang
pki_sslserver_key_algorithm=SHA256withEC
pki_sslserver_key_size=nistp256
pki_sslserver_key_type=ecc
pki_sslserver_signing_algorithm=SHA256withEC
pki_sslserver_token=XXXXXXXX
pki_sslserver_nickname=Server-Cert-NonTMS-SubCA-nocp11-aakkiang
#Admin
pki_admin_key_algorithm=SHA256withEC
pki_admin_key_size=nistp256
pki_admin_key_type=ecc
pki_admin_password=SECret.123
#Security Domain
pki_security_domain_hostname=XXXXXXXXXXXXXXXXXXXXXXX
pki_security_domain_name=Example-ECC-SubCA
pki_security_domain_password=SECret.123
#client Dir
pki_client_dir=/opt/ECC_SubCA
pki_client_admin_cert_p12=/opt/ECC_SubCA/subca_caadmincert.p12
pki_client_database_dir=/opt/ECC_SubCA/certs_db
pki_client_database_password=SECret.123
pki_client_pkcs12_password=SECret.123
#LDAP
pki_ds_ldap_port=1697
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=SECret.123
pki_ds_secure_connection=True
pki_ds_ldaps_port=7636
pki_ds_secure_connection_ca_pem_file=/tmp/ldap2ca_cert.pem
pki_ds_remove_data=True

[Tomcat]
pki_ajp_port=31009
pki_tomcat_server_port=31005

[CA]
pki_admin_nickname=PKI ECC SUBCA Administrator
pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_type=ecc
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ca_signing_token=XXXXXXXX
pki_ca_signing_nickname=caSigningCert-ECC-NonTMS-SubCA-nocp11-aakkiang
pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_token=XXXXXXXX
pki_ocsp_signing_nickname=ocspSigningCert-ECC-NonTMS-SubCA-nocp11-aakkiang
pki_audit_signing_nickname=auditSigningCert-NonTMS-SubCA-nocp11-aakkiang
pki_admin_name=caadmin
pki_admin_uid=caadmin
pki_admin_email=example
pki_import_admin_cert=False
pki_ds_hostname=XXXXXXXXXXXXXXXXXXXXXXX
pki_ds_database=CC-ECC-NonTMS-SECOND-LDAP
pki_ds_base_dn=dc=ECC-NonTMS-SubCA
pki_external=True
pki_external_step_two=False
pki_ca_signing_csr_path=ca_signing_ecc_subca_nontms.csr
# Enable random serial numbers
pki_random_serial_numbers_enable=True
```

A separate bug was filed for the above issue: https://bugzilla.redhat.com/show_bug.cgi?id=1544843

Marking this bug ON_QA.

I'm successfully able to install CA, KRA and OCSP, and am able to do key archival. But after TKS installation I'm able to see this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1588411

Because of this issue I'm not able to install TPS. Currently marking this bug verified for CA, KRA, OCSP.

PKI Version: 10.5.1-13.1.el7_5

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979
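The Doc Text says the fixed installer handles RSA and ECC subsystems automatically, and the description shows exactly where that matters: pkispawn turns the per-certificate `pki_<cert>_key_type` / `_key_size` / `_key_algorithm` / `_signing_algorithm` settings into a `certutil -R` call (`-k ec -q nistp256 -Z SHA256` in the log above). The following preflight check is an added example written for this page, not pki-core code. It merges `[DEFAULT]` with the subsystem section the way the deployment file is laid out, flags key parameters that disagree with each other before any HSM keygen is attempted, and builds the certutil argument vector for a given certificate. Assumptions: the sample configuration is a trimmed copy of the SubCA file above with the token name taken from the log line and secrets redacted; the `[KRA]` section and its `pki_storage_*` lines are constructed for the example, with one deliberate RSA/ECC mismatch; the RSA branch (`-k rsa -g <bits>`) is the standard certutil form, not something the report shows; the per-certificate extension flags (`--keyUsage ... -2` in the log) are left out.

```python
"""Preflight check for a pkispawn deployment file mixing RSA and ECC system
certificates (added example, not pki-core code)."""
import configparser
import re

EC_CURVES = {"nistp256", "nistp384", "nistp521"}   # certutil -q curve names
HASHES = {"SHA256", "SHA384", "SHA512"}           # certutil -Z digests
RSA_SIZES = {2048, 3072, 4096}                    # accepted -g modulus lengths

# Constructed sample: trimmed from the SubCA file in the report (token name
# from the log, secrets redacted) plus a made-up [KRA] section whose storage
# cert has an RSA signing algorithm on an ECC key.
SAMPLE_CFG = """
[DEFAULT]
pki_hsm_enable=True
pki_token_name=NHSM6000-OCS
pki_token_password=REDACTED
pki_audit_signing_key_algorithm=SHA256withEC
pki_audit_signing_key_size=nistp256
pki_audit_signing_key_type=ecc
pki_audit_signing_signing_algorithm=SHA256withEC
pki_sslserver_key_algorithm=SHA256withEC
pki_sslserver_key_size=nistp256
pki_sslserver_key_type=ecc
pki_sslserver_signing_algorithm=SHA256withEC

[CA]
pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_type=ecc
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_signing_algorithm=SHA256withEC

[KRA]
pki_sslserver_key_algorithm=SHA256withRSA
pki_sslserver_key_size=2048
pki_sslserver_key_type=rsa
pki_sslserver_signing_algorithm=SHA256withRSA
pki_storage_key_algorithm=SHA256withEC
pki_storage_key_size=nistp384
pki_storage_key_type=ecc
pki_storage_signing_algorithm=SHA256withRSA
"""

_KEY_TYPE = re.compile(r"^pki_([a-z_]+)_key_type$")


def load_subsystem(text, subsystem):
    """Flat view for one subsystem: [DEFAULT] overridden by its own section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    params = dict(cfg.defaults())
    if cfg.has_section(subsystem):
        params.update(cfg.items(subsystem, raw=True))
    return params


def cert_names(params):
    """Every certificate that has a pki_<cert>_key_type entry."""
    return sorted(m.group(1) for m in map(_KEY_TYPE.match, params) if m)


def check_cert(params, cert):
    """Problems with one certificate's key_type/key_size/algorithm settings."""
    p = lambda suffix: params.get(f"pki_{cert}_{suffix}", "")
    ktype, ksize, problems = p("key_type").lower(), p("key_size"), []
    if ktype == "ecc":
        family = "EC"
        if ksize not in EC_CURVES:
            problems.append(f"{cert}: key_size {ksize!r} is not a certutil -q curve")
    elif ktype == "rsa":
        family = "RSA"
        if not (ksize.isdigit() and int(ksize) in RSA_SIZES):
            problems.append(f"{cert}: key_size {ksize!r} is not an accepted RSA length")
    else:
        return [f"{cert}: unknown key_type {ktype!r}"]
    for label in ("key_algorithm", "signing_algorithm"):
        alg = p(label)
        digest, sep, fam = alg.partition("with")   # "SHA256withEC" -> SHA256 / EC
        if not sep or fam != family:
            problems.append(f"{cert}: {label} {alg!r} does not match key_type {ktype}")
        elif digest not in HASHES:
            problems.append(f"{cert}: {label} uses unsupported digest {digest!r}")
    return problems


def preflight(params):
    """All problems across the subsystem's certificates; empty means clean."""
    return [msg for cert in cert_names(params) for msg in check_cert(params, cert)]


def certutil_request_args(params, cert, db_dir, password_file, subject, out, noise):
    """certutil -R argv in the flag order seen in the report's pki.nssdb line.
    password_file must be a 0600 temp file holding the token PIN (as pkispawn
    does); never pass the PIN on the command line."""
    ktype = params[f"pki_{cert}_key_type"].lower()
    ksize = params[f"pki_{cert}_key_size"]
    digest = params[f"pki_{cert}_key_algorithm"].partition("with")[0]
    args = ["certutil", "-R", "-d", db_dir]
    token = params.get(f"pki_{cert}_token") or params.get("pki_token_name")
    if params.get("pki_hsm_enable", "False").lower() == "true" and token:
        args += ["-h", token]                       # HSM token, as in the log
    args += ["-f", password_file, "-s", subject, "-o", out, "-z", noise]
    if ktype == "ecc":
        args += ["-k", "ec", "-q", ksize]           # named curve
    elif ktype == "rsa":
        args += ["-k", "rsa", "-g", ksize]          # modulus bits (assumed form)
    else:
        raise ValueError(f"{cert}: unknown key_type {ktype!r}")
    return args + ["-Z", digest]


if __name__ == "__main__":
    for subsystem in ("CA", "KRA"):
        params = load_subsystem(SAMPLE_CFG, subsystem)
        print(subsystem, preflight(params) or "OK")
```

Run against the constructed sample, the `CA` view is clean and the `KRA` view reports the storage certificate's RSA signing algorithm on an ECC key, which is the kind of mismatch that otherwise only surfaces as `certutil` returning 255 after the HSM has been touched. Note that the deployment file in the report also carries `pki_token_password`, the admin password and the Directory Manager password in cleartext; keep such files mode 0600 and remove them after the install.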