Bug 1707009

Summary: pki-spawn fails installing IdM in FIPS mode
Product: Red Hat Enterprise Linux 8
Component: pki-core
Version: ---
Reporter: Rob Crittenden <rcritten>
Assignee: RHCS Maintainers <rhcs-maint>
QA Contact: Asha Akkiangady <aakkiang>
CC: ascheel, mharmsen
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2019-05-13 18:25:01 UTC
Attachments: ca spawn log (flags: none)

Description Rob Crittenden 2019-05-06 15:33:43 UTC
Created attachment 1564575: ca spawn log

Description of problem:
Installing IdM with a dogtag CA fails.

Version-Release number of selected component (if applicable):
ipa-server-4.7.1-11.module+el8+2842+7481110c.x86_64
pki-ca-10.6.9-2.module+el8+2728+a4ad6bba.noarch

How reproducible:
Every time

Steps to Reproduce:
1. ipa-server-install -a password -p password -r EXAMPLE.TEST -U

Actual results:

ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpmyy4ewti'] returned non-zero exit status 1:
pkispawn      : ERROR    Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:877)
configuration : ERROR    Server failed to restart
pkispawn      : ERROR    Exception: server failed to restart
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 549, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 672, in spawn
    raise Exception("server failed to restart")
)

The CA cert database is in FIPS mode:

# modutil -list -dbdir /var/lib/pki/pki-tomcat/alias

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.41
         slots: 1 slot attached
        status: loaded

         slot: NSS FIPS 140-2 User Private Key Services
        token: NSS FIPS 140-2 Certificate DB
          uri: pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: 1 slot attached
        status: loaded

         slot: SoftHSM slot ID 0x0
        token: 
          uri: pkcs11:manufacturer=SoftHSM%20project;model=SoftHSM%20v2
-----------------------------------------------------------
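The `modutil -list` check in the report, turned into a preflight script. This is an added example and not code from the bug report, from pki-core or from IdM. It parses the listing to find which NSS softoken token backs the CA's certificate database, flags the FIPS 140-2 token by the name shown in the report, and optionally reads /proc/sys/crypto/fips_enabled for the host-wide setting, so the FIPS state can be confirmed before `ipa-server-install` is run rather than inferred from a handshake failure. The sample listing is the one quoted in this report, embedded as constructed input so the script runs offline; the `NSS Internal` module-name prefix, the two token-name constants and the `/proc` path are assumptions drawn from that listing and from the Linux kernel interface, not from anything the report states.

```python
"""Preflight check: is the pki-tomcat NSS database (and the host) in FIPS mode?

Added example, not part of the bug report, pki-core or IdM. It parses the
output of `modutil -list -dbdir <dir>` (the command shown in the report).
"""
import re
import subprocess
from typing import Dict, List, Optional

# Assumption: the NSS softoken names its token differently in FIPS and
# non-FIPS mode; the FIPS name is the one shown in the report's listing.
FIPS_TOKEN = "NSS FIPS 140-2 Certificate DB"
NONFIPS_TOKEN = "NSS Certificate DB"

# Constructed sample input: the `modutil -list` output quoted in the report.
SAMPLE_LISTING = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.41
         slots: 1 slot attached
        status: loaded

         slot: NSS FIPS 140-2 User Private Key Services
        token: NSS FIPS 140-2 Certificate DB
          uri: pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: 1 slot attached
        status: loaded

         slot: SoftHSM slot ID 0x0
        token: 
          uri: pkcs11:manufacturer=SoftHSM%20project;model=SoftHSM%20v2
-----------------------------------------------------------
"""

# A module header looks like "  1. NSS Internal PKCS #11 Module".
MODULE_RE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")


def parse_modutil_list(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Map each module name to its slots; each slot is a dict of slot/token/uri.

    Modules are "N. <name>" headers followed by indented "key: value" lines;
    every "slot:" line opens a new slot record under the current module.
    Module-level keys (library uri, status) are skipped.
    """
    modules: Dict[str, List[Dict[str, str]]] = {}
    current: Optional[str] = None
    slot: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            current = m.group(1)
            modules[current] = []
            slot = None
            continue
        key, sep, value = line.strip().partition(":")
        if not sep or current is None:
            continue
        key, value = key.strip(), value.strip()
        if key == "slot":
            slot = {"slot": value}
            modules[current].append(slot)
        elif slot is not None and key in ("token", "uri"):
            slot[key] = value
    return modules


def nss_db_token(listing: str) -> str:
    """Token name of the first slot of the NSS internal (softoken) module.

    Assumption: matched by the "NSS Internal" prefix rather than the full
    module name, since only the token name is relied on to tell FIPS apart.
    """
    for name, slots in parse_modutil_list(listing).items():
        if name.startswith("NSS Internal") and slots:
            return slots[0].get("token", "")
    return ""


def nss_db_is_fips(listing: str) -> bool:
    """True when the certificate DB is backed by the FIPS 140-2 softoken."""
    return nss_db_token(listing) == FIPS_TOKEN


def read_modutil_listing(dbdir: str) -> str:
    """Run the same command as in the report against a real NSS database."""
    result = subprocess.run(["modutil", "-list", "-dbdir", dbdir],
                            check=True, capture_output=True, text=True)
    return result.stdout


def host_fips_enabled(path: str = "/proc/sys/crypto/fips_enabled") -> bool:
    """Host-wide FIPS flag (assumed Linux kernel interface); False if absent."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    dbdir = sys.argv[1] if len(sys.argv) > 1 else None
    listing = read_modutil_listing(dbdir) if dbdir else SAMPLE_LISTING
    print("softoken token:      %r" % nss_db_token(listing))
    print("NSS DB in FIPS mode: %s" % nss_db_is_fips(listing))
    print("host FIPS enabled:   %s" % host_fips_enabled())
```

Run without arguments it evaluates the embedded listing from the report; run as `python3 check_nss_fips.py /var/lib/pki/pki-tomcat/alias` it invokes modutil on the live database instead. The p11-kit-proxy module with its SoftHSM slot is parsed too, so the same parser can be used to confirm that a CA expected to use an HSM is actually seeing its token.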

Comment 1 Alex Scheel 2019-05-13 18:25:01 UTC
This will be fixed in 8.1.0; marking as duplicate of 1673296.

*** This bug has been marked as a duplicate of bug 1673296 ***