Bug 672333

Summary: Creation of RA agent fails in IPA installation
Product: [Fedora] Fedora
Reporter: Rob Crittenden <rcritten>
Component: pki-ca
Assignee: Ade Lee <alee>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 14
CC: awnuk, dennis, kwright, msauton
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-02-03 00:11:36 UTC

Attachments:
- IPA server installation log showing the client side (attachment 475043, flags: none)
- CA debug log (attachment 475044, flags: none)

Description Rob Crittenden 2011-01-24 20:51:16 UTC
Created attachment 475043 [details]
IPA server installation log showing the client side

Description of problem:

The IPA installer attempts to create an RA user, issue a certificate for it and use it for all subsequent RA operations. The creation of the user is failing, we aren't getting back the expected certificate (hence the b64_cert error).

The error apparently being returned by the CA is Authorization Error but as far as I can tell authorization was successful. The request just seems to stop in the CA debug log.

Version-Release number of selected component (if applicable):

pki-ca-9.0.1-2.svn.1762M.20110121T1347z.fc14.noarch

How reproducible:

Only one user has reported this, I have been unable to reproduce.

Comment 1 Rob Crittenden 2011-01-24 20:51:40 UTC
Created attachment 475044 [details]
CA debug log

Comment 2 Andrew Wnuk 2011-02-01 01:33:33 UTC
From attachment 475043 [details]:
errorReason="Authorization Error";
errorCode="1";

From attachment 475044 [details]:
[24/Jan/2011:12:06:09][http-9443-1]: ProfileProcessServlet:  Missing nonce
[24/Jan/2011:12:06:09][http-9443-1]: ProfileProcessServlet:  nonceVerified=false

Above log entries are consistent with CS.cfg file containing:
  ca.enableNonces=true

Comment 3 Andrew Wnuk 2011-02-01 01:46:39 UTC
Suggestion:
RA certificate could be obtained in single step by using profile similar to caAgentServerCert instead of using caServerCert profile.

Comment 4 Marc Sauton 2011-02-01 02:04:18 UTC
Some test details; it seems to work just fine with the latest builds:

Fedora release 14 (Laughlin)
Linux ipaserver2.example.com 2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec 23 16:04:50 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux

freeipa-admintools-2.0-0.2011013122git41abde2.fc14.x86_64
freeipa-client-2.0-0.2011013122git41abde2.fc14.x86_64
freeipa-server-selinux-2.0-0.2011013122git41abde2.fc14.x86_64
freeipa-python-2.0-0.2011013122git41abde2.fc14.x86_64
freeipa-server-2.0-0.2011013122git41abde2.fc14.x86_64

pki-ca-9.0.1-2.fc14.noarch
osutil-9.0.0-1.fc14.x86_64
dogtag-pki-ca-theme-9.0.0-3.fc14.noarch
dogtag-pki-common-theme-9.0.0-3.fc14.noarch
jss-4.2.6-12.fc14.x86_64
tomcatjss-2.1.0-1.fc14.noarch


ipa-server-install --realm=EXAMPLE.COM --domain=example.com --ds-password=password --master-password=password --admin-password=password --hostname=ipaserver2.example.com --idstart=1000 --setup-dns --forwarder=10.14.7.221 --zonemgr=msauton


and got in the CA debug log:
/var/log/pki-ca/debug
...snip...
[31/Jan/2011:17:21:21][http-9443-1]: CMSServlet:service() uri = /ca/agent/ca/profileProcess
...snip...
[31/Jan/2011:17:21:21][http-9443-1]: CMSServlet::service() param name='name' value='CN=RA Subsystem,O=EXAMPLE.COM'
[31/Jan/2011:17:21:21][http-9443-1]: CMSServlet: caProfileProcess start to service.
[31/Jan/2011:17:21:21][http-9443-1]: IP: 10.14.5.15
[31/Jan/2011:17:21:21][http-9443-1]: AuthMgrName: certUserDBAuthMgr
[31/Jan/2011:17:21:21][http-9443-1]: CMSServlet: retrieving SSL certificate
[31/Jan/2011:17:21:21][http-9443-1]: CMSServlet: certUID=CN=ipa-ca-agent,O=EXAMPLE.COM
[31/Jan/2011:17:21:21][http-9443-1]: CertUserDBAuth: started
[31/Jan/2011:17:21:21][http-9443-1]: CertUserDBAuth: Retrieving client certificate
[31/Jan/2011:17:21:21][http-9443-1]: CertUserDBAuth: Got client certificate
[31/Jan/2011:17:21:21][http-9443-1]: Authentication: client certificate found
...snip...
[31/Jan/2011:17:21:21][http-9443-1]: authenticated uid=admin,ou=people,o=ipaca
...snip...
[31/Jan/2011:17:21:21][http-9443-1]: evaluated expression: group="Certificate Manager Agents" to be true
...snip...
[31/Jan/2011:17:21:21][http-9443-1]: ProfileProcessServlet: start serving
[31/Jan/2011:17:21:21][http-9443-1]: ProfileProcessServlet: SubId=profile
[31/Jan/2011:17:21:21][http-9443-1]: ProfileProcessServlet: requestId=7


the servlet ProfileProcessServlet went through as expected for this enrollment.

Comment 5 Rob Crittenden 2011-02-01 02:50:24 UTC
The nonce error is a real head scratcher because we set it to false and then restart the server. This worked for everyone but the one user who reported the problem. He added another restart right before we start fetching the agent cert and it fixed things.

Comment 6 Andrew Wnuk 2011-02-02 19:24:22 UTC
Old and new CA logs provided consistently report that nonces are enabled
  (see: log entries including "CertificateAuthority init: Nonces enabled.").

Nonces are enabled in the CA by default, which means that the absence of the line "ca.enableNonces=false" in the CS.cfg file will result in the CA requiring nonces.

The CS team is unable to reproduce this issue.

This issue could be avoided by obtaining RA certificate in single step (not 2 steps).

Obtaining RA certificate in single step can be achieved by using enrollment authenticated by agent. CA provides sample profile (caAgentServerCert) allowing for such enrollment. 

Replacing caServerCert with caAgentServerCert profile should be relatively simple since both enrollments use the same parameters.
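
Comment 2 and comment 6 both point at the same mechanism: the agent-approval step of the two-step enrollment (profileProcess) is rejected with "Missing nonce" when the CA is running with nonces enabled, and the installer only sees errorReason="Authorization Error". The script below is an added example written for this page, not code from FreeIPA or Dogtag. It reads the effective ca.enableNonces value from CS.cfg (absent means enabled, as comment 6 states), extracts the nonce events from the CA debug log, parses the client-side error pairs, and correlates them, including the case from comment 5 where CS.cfg already says false but the running CA was initialised before the change. The CS.cfg path, the "[main]" thread on the init line and the sample inputs are constructed for illustration and are not taken from the attachments.

```python
"""Correlate CS.cfg, the CA debug log and the installer's client-side error
for the nonce failure mode described in this bug.

Example code added for this page; it is not part of FreeIPA or Dogtag.
Sample inputs below are constructed from the strings quoted in the bug."""
import re

CS_CFG_PATH = "/var/lib/pki-ca/conf/CS.cfg"   # assumption: pki-ca default instance
DEBUG_LOG_PATH = "/var/log/pki-ca/debug"      # path quoted in comment 4


def nonces_enabled(cs_cfg_text):
    """Effective value of ca.enableNonces: only an explicit 'false' disables nonces."""
    for raw in cs_cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "ca.enableNonces":
            return value.strip().lower() != "false"
    return True   # key absent: the CA default is nonces enabled (comment 6)


# Dogtag debug log line shape: [timestamp][thread]: message
LOG_LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]:\s*(?P<msg>.*)$")


def scan_debug_log(log_text):
    """Collect the nonce-related events from a CA debug log."""
    events = {"init_nonces_enabled": False, "missing_nonce": [], "nonce_verified_false": []}
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        msg, where = m.group("msg"), (m.group("ts"), m.group("thread"))
        if "CertificateAuthority init: Nonces enabled." in msg:
            events["init_nonces_enabled"] = True
        elif re.search(r"ProfileProcessServlet:\s+Missing nonce", msg):
            events["missing_nonce"].append(where)
        elif "nonceVerified=false" in msg:
            events["nonce_verified_false"].append(where)
    return events


# errorReason="..."; errorCode="..."; pairs as logged on the client side
CLIENT_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_client_error(client_text):
    """Parse the key="value" pairs the installer logged into a dict."""
    return dict(CLIENT_FIELD_RE.findall(client_text))


def diagnose(cs_cfg_text, debug_log_text, client_text):
    """Return a list of findings; an empty list means nothing nonce-related was found."""
    findings = []
    cfg_enabled = nonces_enabled(cs_cfg_text)
    events = scan_debug_log(debug_log_text)
    client = parse_client_error(client_text)
    if client.get("errorReason") == "Authorization Error" and events["missing_nonce"]:
        ts, thread = events["missing_nonce"][0]
        findings.append(f"client Authorization Error matches 'Missing nonce' at {ts} [{thread}]: "
                        "profileProcess rejected the agent approval for want of a nonce")
    if cfg_enabled:
        findings.append("CS.cfg leaves nonces enabled (ca.enableNonces absent or true)")
    elif events["init_nonces_enabled"]:
        findings.append("CS.cfg has ca.enableNonces=false but the running CA initialised with "
                        "nonces enabled: the CA must be restarted before the agent-approval step")
    return findings


# Constructed samples; the [main] thread on the init line is an assumption.
SAMPLE_CS_CFG = "ca.enableNonces=false\n"
SAMPLE_DEBUG_LOG = """\
[24/Jan/2011:12:05:40][main]: CertificateAuthority init: Nonces enabled.
[24/Jan/2011:12:06:09][http-9443-1]: ProfileProcessServlet:  Missing nonce
[24/Jan/2011:12:06:09][http-9443-1]: ProfileProcessServlet:  nonceVerified=false
"""
SAMPLE_CLIENT_LOG = 'errorReason="Authorization Error";\nerrorCode="1";\n'

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CS_CFG, SAMPLE_DEBUG_LOG, SAMPLE_CLIENT_LOG):
        print("-", finding)
```

To run it against a real installation, read CS_CFG_PATH, DEBUG_LOG_PATH and the installer log into strings and pass them to diagnose(). Only an explicit ca.enableNonces=false that the running CA has actually loaded disables the check; the single-step agent-authenticated enrollment suggested in comment 3 and comment 6 avoids the nonce-protected profileProcess step altogether and is not modelled here.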