Bug 1318302 - pkispawn ignores 3rd party CA certs in pki_clone_pkcs12_path
Summary: pkispawn ignores 3rd party CA certs in pki_clone_pkcs12_path
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.2
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
: 7.2
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
URL:
Whiteboard:
: 1328522 (view as bug list)
Depends On: 1301546
Blocks: 1323836
Reported: 2016-03-16 13:22 UTC by Marcel Kolaja
Modified: 2020-10-04 21:07 UTC (History)

Fixed In Version: pki-core-10.2.5-10.el7_2
Doc Type: Bug Fix
Doc Text:
Previously, the PKI server relied on a fixed list of certificates to import from the PKCS #12 file during cloning. If the PKCS #12 file contained third-party CA certificates that were not part of the certificate chain, they were not imported, which caused the installation to fail due to trust problems. The code has been fixed to import all CA certificates in the PKCS #12 file with the proper trust flags before the server is started during installation. This ensures the installation completes successfully in the described scenario.
Clone Of: 1301546
: 1323836 (view as bug list)
Environment:
Last Closed: 2016-05-12 09:57:21 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
pki-core-Added-support-for-cloning-3rd-party-CA-certificates.patch (193.29 KB, patch)
2016-03-18 22:53 UTC, Endi Sukma Dewata
mharmsen: review+
Details | Diff
pki-core.spec (94.41 KB, text/plain)
2016-03-18 22:56 UTC, Endi Sukma Dewata
mharmsen: review+
Details
pki-core-Fixed-certificate-chain-import-problem.patch (3.44 KB, patch)
2016-03-28 16:50 UTC, Endi Sukma Dewata
mharmsen: review+
Details | Diff
2247: pki-core-Install-tools-clean-up.patch (5.39 KB, patch)
2016-03-31 15:42 UTC, Matthew Harmsen
no flags Details | Diff
2247: pki-core-Fixed-KRA-install-problem.patch (5.10 KB, patch)
2016-03-31 15:43 UTC, Matthew Harmsen
no flags Details | Diff
2257: pki-core-Fixed-missing-trust-flags-in-certificate-backup.patch (18.41 KB, patch)
2016-04-02 20:18 UTC, Matthew Harmsen
no flags Details | Diff
Cloneca_fail_log (164.86 KB, text/plain)
2016-04-18 13:44 UTC, Geetika Kapoor
no flags Details
configuration_files (160.00 KB, application/x-tar)
2016-04-27 10:17 UTC, Geetika Kapoor
no flags Details


Links
System                       ID              Private  Priority  Status        Summary                                  Last Updated
Github dogtagpki pki issues  2326            0        None      None          None                                     2020-10-04 21:06:03 UTC
Github dogtagpki pki issues  2372            0        None      None          None                                     2020-10-04 21:06:58 UTC
Github dogtagpki pki issues  2377            0        None      None          None                                     2020-10-04 21:07:21 UTC
Github dogtagpki pki issues  2378            0        None      None          None                                     2020-10-04 21:07:26 UTC
Red Hat Product Errata       RHBA-2016:1042  0        normal    SHIPPED_LIVE  pki-core bug fix and enhancement update  2016-05-12 13:53:27 UTC

Description Marcel Kolaja 2016-03-16 13:22:38 UTC
This bug has been copied from bug #1301546 and has been proposed
to be backported to 7.2 z-stream (EUS).

Comment 3 Endi Sukma Dewata 2016-03-18 22:53:33 UTC
Created attachment 1137901 [details]
pki-core-Added-support-for-cloning-3rd-party-CA-certificates.patch

This is a patch for RHEL 7.2 based on the following changes:

* aa613fa272defcc8eebd4b9ef2556e61683b4e97
* 709457876a6d5e4aea281a35350667492bc34df8
* 54849505729d3f6345bc7b530e5a40c14ff36116
* 6947854a3ab6ee4f296a5f97850f5521572683a1
* 0d44556fa78203121a24224d4733b89c36ef9cc9
* a96ecbae1bfa27223bbebc7a67f695b643c4aebe
* 67a0c95b8622b18c9803b2bfe0f708be8747f896
* 67402ac16d2635ab3464568ca007cf81c4db73e6
* b74bf9b82102715e08fa3fd3bd5ce9462312aded
* b48889a2ef41fd45ca69c3926c36ef075777447c
* 1d58b883ff9d0056d89d74d30f1375ab12d01f03
* 935633c5ea9f2b5c4321d924af166367008ac4b3
* 0dadf421c327bc32d220405208031a9f7e1bb097
* 9c6b53ac8f6eee2eb8ed8f47a4b26be828626841
* 20a70830961f532e9483baefb64cc92af7cda8b2
* 1b15c725b6e9c5d9057b66e0a2806a7813a8d61b
* 04055a9bc40486950a3288acf610522e767c1e27
* c14e8c52ae7a2c15433fe9568c393c1d0e7a1301

Comment 4 Endi Sukma Dewata 2016-03-18 22:56:34 UTC
Created attachment 1137902 [details]
pki-core.spec

This is an updated spec file for the pki-core package on RHEL 7.2.

Comment 5 Endi Sukma Dewata 2016-03-18 23:11:08 UTC
Verification steps:

1. Install CA with externally signed CA certificate (http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_Certificate)

2. Clone the CA (http://pki.fedoraproject.org/wiki/Installing_CA_Clone)

3. Compare the certificates on the master with the ones on the clone:

   certutil -L -d /var/lib/pki/pki-tomcat/alias

The fix is verified if the nicknames and the trust flags are identical.
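
A worked check for step 3, as an added example that is not part of the bug report or of the pki-core project: it parses two saved "certutil -L" listings and reports the nicknames that are missing on the clone, extra on the clone, or carrying different trust flags, which is the "nicknames and trust flags identical" criterion applied mechanically. The two sample listings, their nicknames and the "broken clone" state (third-party root never imported, CA signing certificate without its trust flags) are constructed for illustration, not captured from a real instance.

```python
#!/usr/bin/env python3
"""Compare the NSS certificate databases of a PKI master and its clone.

Added example for the verification step "compare the certificates on the
master with the ones on the clone": parse the text printed by
`certutil -L -d <alias dir>` on each host and report every nickname that is
missing, extra, or carries different trust flags on the clone.
"""
import sys
from dataclasses import dataclass, field

# Lines certutil prints before the entries; they carry no nickname.
HEADER_MARKERS = ("Certificate Nickname", "SSL,S/MIME,JAR/XPI")


def parse_certutil_listing(text):
    """Return {nickname: trust_flags} for the output of `certutil -L`.

    Each entry line is "<nickname><spaces><SSL,S/MIME,JAR/XPI flags>" and the
    flag column is never empty (certutil prints ",," for no trust), so the
    last whitespace-separated token is always the trust string.
    """
    entries = {}
    for line in text.splitlines():
        if not line.strip() or any(m in line for m in HEADER_MARKERS):
            continue
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2:  # not an entry line; ignore defensively
            continue
        nickname, flags = parts
        entries[nickname.strip()] = flags
    return entries


@dataclass
class ListingDiff:
    missing_on_clone: list = field(default_factory=list)
    extra_on_clone: list = field(default_factory=list)
    trust_mismatch: dict = field(default_factory=dict)  # nickname -> (master, clone)

    def ok(self):
        return not (self.missing_on_clone or self.extra_on_clone or self.trust_mismatch)

    def report(self):
        lines = [f"missing on clone: {n}" for n in self.missing_on_clone]
        lines += [f"extra on clone: {n}" for n in self.extra_on_clone]
        lines += [f"trust flags differ for {n}: master={m} clone={c}"
                  for n, (m, c) in self.trust_mismatch.items()]
        return "\n".join(lines) if lines else "OK: nicknames and trust flags identical"


def compare_listings(master_text, clone_text):
    """Apply the verification criterion: nicknames and trust flags must match."""
    master = parse_certutil_listing(master_text)
    clone = parse_certutil_listing(clone_text)
    diff = ListingDiff()
    diff.missing_on_clone = sorted(set(master) - set(clone))
    diff.extra_on_clone = sorted(set(clone) - set(master))
    for nick in sorted(set(master) & set(clone)):
        if master[nick] != clone[nick]:
            diff.trust_mismatch[nick] = (master[nick], clone[nick])
    return diff


# Constructed sample listings (not captured from a real instance). The master
# holds an externally signed CA; the "broken" clone reproduces the bug: the
# third-party root was never imported and the CA signing cert lost its trust.
MASTER_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-tomcat CA                             CTu,Cu,Cu
ocspSigningCert cert-pki-tomcat CA                           u,u,u
subsystemCert cert-pki-tomcat                                u,u,u
auditSigningCert cert-pki-tomcat CA                          u,u,Pu
Server-Cert cert-pki-tomcat                                  u,u,u
caSigningCert External CA                                    CT,C,C
"""

BROKEN_CLONE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-tomcat CA                             u,u,u
ocspSigningCert cert-pki-tomcat CA                           u,u,u
subsystemCert cert-pki-tomcat                                u,u,u
auditSigningCert cert-pki-tomcat CA                          u,u,Pu
Server-Cert cert-pki-tomcat                                  u,u,u
"""


if __name__ == "__main__":
    if len(sys.argv) == 3:  # compare two saved `certutil -L` outputs
        with open(sys.argv[1]) as m, open(sys.argv[2]) as c:
            print(compare_listings(m.read(), c.read()).report())
    else:  # demo on the constructed samples
        print(compare_listings(MASTER_LISTING, BROKEN_CLONE_LISTING).report())
```

Usage: save the output of "certutil -L -d /var/lib/pki/pki-tomcat/alias" from each host to a file and run the script with the master file first and the clone file second; any line other than "OK" means the clone does not match the master.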

Comment 6 Matthew Harmsen 2016-03-24 23:20:16 UTC
Comment on attachment 1137901 [details]
pki-core-Added-support-for-cloning-3rd-party-CA-certificates.patch

CAVEAT:  On RHEL 7.2, when creating the master CA during external step 2,
         I also needed to add the following parameter:

             pki_ca_signing_nickname=caSigningCert External CA

         I added this as a note on the Wiki page:

             http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_Certificate#Completing_New_CA_Installation

Comment 7 Endi Sukma Dewata 2016-03-28 16:50:28 UTC
Created attachment 1140936 [details]
pki-core-Fixed-certificate-chain-import-problem.patch

This patch fixes the cert chain import order such that the additional pki_ca_signing_nickname is no longer needed.

Comment 8 Matthew Harmsen 2016-03-28 21:42:22 UTC
Comment on attachment 1140936 [details]
pki-core-Fixed-certificate-chain-import-problem.patch

Re-ran tests and verified that the nickname no longer needs to be specified.

Comment 9 Matthew Harmsen 2016-03-28 22:15:33 UTC
Checked into DOGTAG_10_2_5_RHEL_BRANCH:

    * 28ef4b65ce5910fbebaf21446ec30c9a0770a604
    * d5beb44fd16aebf59d0dba291d4d26cd723a2672

Comment 10 Mike McCune 2016-03-28 22:32:18 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 11 Matthew Harmsen 2016-03-28 22:38:07 UTC
Spec file changes checked into DOGTAG_10_2_5_RHEL_BRANCH:

    * d794dfe2dbb311511ad7987207afd9a9de3fe604

Comment 12 Matthew Harmsen 2016-03-31 15:40:39 UTC
PKI TRAC Ticket #2247 fixes checked into DOGTAG_10_2_5_RHEL_BRANCH:
    * 6b1aca96090874659d8a130aea802d41ecca180c
    * 3e465a86bd32d694208239d73327cc8a84336aed

Comment 13 Matthew Harmsen 2016-03-31 15:42:40 UTC
Created attachment 1142277 [details]
2247: pki-core-Install-tools-clean-up.patch

Comment 14 Matthew Harmsen 2016-03-31 15:43:33 UTC
Created attachment 1142278 [details]
2247: pki-core-Fixed-KRA-install-problem.patch

Comment 15 Matthew Harmsen 2016-03-31 16:07:24 UTC
Steps to verify changes for PKI TRAC Ticket #2247:

    1.) setup a FreeIPA master w/ KRA

    2.) install a replica with CA

    3.) install KRA clone on the replica

KRA clone should be installed and functional.

Comment 16 Matthew Harmsen 2016-03-31 17:36:33 UTC
PKI TRAC Ticket #2022 changes checked into DOGTAG_10_2_RHEL_BRANCH:
    * 09fd21429666575adf72d7f17b15eda313d94db1
    * e7ae36f091c9b2390b2c9c46f159b0b58e3c0ea3 

PKI TRAC Ticket #2022 spec file changes checked into DOGTAG_10_2_RHEL_BRANCH:
    * 7938a11c3ca94fb7d7ef30e0859280aee3b6b70d

Comment 17 Matthew Harmsen 2016-03-31 17:47:07 UTC
PKI TRAC Ticket #2252 changes checked into DOGTAG_10_2_RHEL_BRANCH:
    * 631fa3ee228d44976416925ab3ee590075a54750
    * 95922afb2a2acb499ba65b76bcfa3d5dd7eb7232

PKI TRAC Ticket #2252 spec file changes checked into DOGTAG_10_2_RHEL_BRANCH:
    * 7938a11c3ca94fb7d7ef30e0859280aee3b6b70d

Comment 18 Matthew Harmsen 2016-03-31 18:03:35 UTC
Steps to verify changes for PKI TRAC Ticket #2252:

(1) Install default DS for masters

(2) install second DS for clones using:

    pki_ds_ldap_port=10389
    pki_ds_ldaps_port=10636 

(3) Create 'pki-master-ca.cfg':

    # cat /root/pki/pki-master-ca.cfg
    [DEFAULT]
    pki_admin_password=Secret123
    pki_backup_keys=True
    pki_backup_password=Secret123
    pki_client_database_password=Secret123
    pki_client_database_purge=False
    pki_client_pkcs12_password=Secret123
    pki_ds_password=Secret123
    pki_instance_name=pki-master
    [CA]
    pki_ds_base_dn=o=pki-tomcat-CA
    pki_ds_database=pki-tomcat-CA 

(4) Create 'pki-master' CA:

    # script -c "pkispawn -s CA -f /root/pki/pki-master-ca.cfg -vvv" /root/typescript.pki-master-ca 

(5) Obtain master CA PKCS #12 file with appropriate trust flags set:

    # grep "internal=" /var/lib/pki/pki-master/conf/password.conf | awk -F= '{print $2}' > /tmp/master_internal.txt
    # PKCS12Export -debug -d /var/lib/pki/pki-master/alias -p /tmp/master_internal.txt -o /tmp/ca_backup_keys.p12 -w ~/.dogtag/pki-master/ca/pkcs12_password.conf 

(6) Create 'pki-master-kra.cfg':

    # cat /root/pki/pki-master-kra.cfg
    [DEFAULT]
    pki_admin_password=Secret123
    pki_backup_keys=True
    pki_backup_password=Secret123
    pki_client_database_password=Secret123
    pki_client_database_purge=False
    pki_client_pkcs12_password=Secret123
    pki_ds_password=Secret123
    pki_instance_name=pki-master
    pki_security_domain_password=Secret123
    [KRA]
    pki_ds_base_dn=o=pki-tomcat-KRA
    pki_ds_database=pki-tomcat-KRA 


(7) Create 'pki-master' KRA:

    # script -c "pkispawn -s KRA -f /root/pki/pki-master-kra.cfg -vvv" /root/typescript.pki-master-kra 

(8) Obtain master KRA PKCS #12 file with appropriate trust flags set:

    # PKCS12Export -debug -d /var/lib/pki/pki-master/alias -p /tmp/master_internal.txt -o /tmp/kra_backup_keys.p12 -w ~/.dogtag/pki-master/kra/pkcs12_password.conf 

(9) Create 'pki-clone-ca.cfg':

    # cat pki-clone-ca.cfg
    [DEFAULT]
    pki_admin_password=Secret123
    pki_client_database_password=Secret123
    pki_client_database_purge=False
    pki_client_pkcs12_password=Secret123
    pki_ds_ldap_port=10389
    pki_ds_ldaps_port=10636
    pki_ds_password=Secret123
    pki_http_port=17080
    pki_https_port=17443
    pki_instance_name=pki-clone
    pki_security_domain_hostname=pki.example.com
    pki_security_domain_https_port=8443
    pki_security_domain_password=Secret123
    [Tomcat]
    pki_ajp_port=17009
    pki_clone=True
    pki_clone_pkcs12_password=Secret123
    pki_clone_pkcs12_path=/tmp/ca_backup_keys.p12
    pki_clone_uri=https://pki.example.com:8443
    pki_tomcat_server_port=17005
    [CA]
    pki_ds_base_dn=o=pki-tomcat-CA
    pki_ds_database=pki-tomcat-CA 

(10) Create 'pki-clone' CA:

    # script -c "pkispawn -s CA -f /root/pki/pki-clone-ca.cfg -vvv" /root/typescript.pki-clone-ca 

(11) Create 'pki-clone-kra.cfg':

    # cat /root/pki/pki-clone-kra.cfg
    [DEFAULT]
    pki_admin_password=Secret123
    pki_client_database_password=Secret123
    pki_client_database_purge=False
    pki_client_pkcs12_password=Secret123
    pki_ds_ldap_port=10389
    pki_ds_ldaps_port=10636
    pki_ds_password=Secret123
    pki_http_port=17080
    pki_https_port=17443
    pki_instance_name=pki-clone
    pki_security_domain_hostname=pki.example.com
    pki_security_domain_https_port=8443
    pki_security_domain_password=Secret123
    [Tomcat]
    pki_ajp_port=17009
    pki_clone=True
    pki_clone_pkcs12_password=Secret123
    pki_clone_pkcs12_path=/tmp/kra_backup_keys.p12
    pki_clone_uri=https://pki.example.com:8443
    pki_tomcat_server_port=17005
    [KRA]
    pki_ds_base_dn=o=pki-tomcat-KRA
    pki_ds_database=pki-tomcat-KRA 

(12) Create 'pki-clone' KRA:

    # script -c "pkispawn -s KRA -f /root/pki/pki-clone-kra.cfg -vvv" /root/typescript.pki-clone-kra
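
A pre-flight check for the PKCS #12 files produced in steps (5) and (8) before they are handed to pkispawn in steps (10) and (12), as an added example that is not part of the bug report or of the pki-core project: it parses the record layout that "pki pkcs12-cert-find" prints (the same layout shown in the test cases of comment 39) and verifies two things the clone depends on: every certificate's issuer is present in the file up to a self-signed root (the third-party CA certificates are actually there), and every certificate that acts as a CA carries a CA trust flag ("c" or "C") in the SSL slot. The sample records, nicknames, DNs and certificate IDs are constructed, and the two criteria are this example's own, not the project's.

```python
#!/usr/bin/env python3
"""Check a PKCS #12 clone bundle before handing it to pkispawn.

Added example: parse the records printed by
`pki pkcs12-cert-find --pkcs12-file <p12> --pkcs12-password-file <pw>` and
verify (1) that the CA chain is complete up to a self-signed root and
(2) that every CA certificate carries a CA trust flag in the SSL slot.
Both criteria are this example's own, not the project's.
"""
import re
import sys
from dataclasses import dataclass


@dataclass
class P12Cert:
    cert_id: str
    nickname: str
    subject: str
    issuer: str
    trust_flags: str  # "SSL,S/MIME,JAR/XPI" flag string as printed by pki/certutil

    @property
    def self_signed(self):
        return self.subject == self.issuer

    def ssl_flags(self):
        return self.trust_flags.split(",")[0]


def parse_pkcs12_cert_find(text):
    """Turn the "Key: value" record blocks of pkcs12-cert-find into P12Cert objects."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or re.fullmatch(r"\d+ entr(y|ies) found", line):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Certificate ID":  # first field of every record starts a new one
            current = {key: value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return [P12Cert(r["Certificate ID"], r.get("Nickname", ""), r.get("Subject DN", ""),
                    r.get("Issuer DN", ""), r.get("Trust Flags", "")) for r in records]


def check_clone_bundle(certs):
    """Return a list of problems; an empty list means the bundle looks usable."""
    problems = []
    subjects = {c.subject for c in certs}
    for c in certs:
        # (1) chain completeness: the issuer of every non-root cert must be in the file
        if not c.self_signed and c.issuer not in subjects:
            problems.append(f"{c.nickname}: issuer {c.issuer!r} is not present in the file")
        # (2) a self-signed root, or anything that issued another cert, is a CA and
        #     must carry a CA trust flag ("c" valid CA / "C" trusted CA) for SSL
        is_ca = c.self_signed or any(o.issuer == c.subject for o in certs if o is not c)
        if is_ca and not ({"c", "C"} & set(c.ssl_flags())):
            problems.append(f"{c.nickname}: CA certificate without a CA trust flag "
                            f"(Trust Flags: {c.trust_flags!r})")
    return problems


# Constructed sample output in the pkcs12-cert-find layout (IDs and DNs made up).
# GOOD_BUNDLE carries the full chain with CA trust flags on both CA certificates.
GOOD_BUNDLE = """\
---------------
3 entries found
---------------
  Certificate ID: 0000000000000000000000000000000000000001
  Nickname: External CA - EXTERNAL
  Subject DN: CN=External CA,O=EXTERNAL
  Issuer DN: CN=External CA,O=EXTERNAL
  Trust Flags: CT,c,c

  Certificate ID: 0000000000000000000000000000000000000002
  Nickname: CA.Signing.Certificate - EXTERNAL
  Subject DN: CN=CA.Signing.Certificate,O=EXTERNAL
  Issuer DN: CN=External CA,O=EXTERNAL
  Trust Flags: c,c,

  Certificate ID: 0000000000000000000000000000000000000003
  Nickname: storageCert cert-pki-tomcat KRA
  Subject DN: CN=DRM Storage Certificate,O=EXTERNAL
  Issuer DN: CN=CA.Signing.Certificate,O=EXTERNAL
  Trust Flags: u,u,u
"""
# BAD_BUNDLE is the failure this bug is about: the same file without the
# third-party root record and with the issuing CA's trust flags stripped.
BAD_BUNDLE = GOOD_BUNDLE.split("\n\n", 1)[1].replace("Trust Flags: c,c,", "Trust Flags: ,,")

if __name__ == "__main__":
    # pass a saved pkcs12-cert-find output as the only argument, or run the demo
    text = open(sys.argv[1]).read() if len(sys.argv) == 2 else BAD_BUNDLE
    for problem in check_clone_bundle(parse_pkcs12_cert_find(text)) or ["OK"]:
        print(problem)
```

Run it against the output of "pki pkcs12-cert-find" for /tmp/ca_backup_keys.p12 and /tmp/kra_backup_keys.p12 before step (10) and step (12); an "issuer ... is not present" line means the third-party chain did not make it into the export, and a "without a CA trust flag" line means the clone would import that CA untrusted.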

Comment 20 Matthew Harmsen 2016-04-02 20:17:04 UTC
PKI TRAC Ticket #2257 fixes checked into DOGTAG_10_2_5_RHEL_BRANCH:
    * b216472ddd80f64b136b3ac367d3415b526c97d4

Comment 21 Matthew Harmsen 2016-04-02 20:18:37 UTC
Created attachment 1142866 [details]
2257: pki-core-Fixed-missing-trust-flags-in-certificate-backup.patch

Comment 24 Geetika Kapoor 2016-04-18 13:44:48 UTC
Created attachment 1148216 [details]
Cloneca_fail_log

Comment 27 Nikhil Dehadrai 2016-04-20 16:42:27 UTC
IPA server version: ipa-server-4.2.0-15.el7_2.15.x86_64
PKI KRA version: pki-kra-10.2.5-9.el7_2.noarch

Tested the bug with the following observations w.r.t. IPA/REPLICA, as per the steps in comment#15:
1. Set up an IPA server with RHEL 7.2up4.
2. Configure a Replica with CA against this IPA server with RHEL 7.2up4.
3. Run the command "ipa-kra-install -p password -U" on the IPA server; the installation is successful.
4. Run the command "ipa-kra-install -p password -U" on the Replica; the command fails with the following error message:

This program will setup Dogtag KRA for the IPA Server.
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s' 'KRA' '-f' '/tmp/tmp01DwuS'' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki-ca-install.log
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.
Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

KRA configuration failed.

Comment 28 Endi Sukma Dewata 2016-04-20 22:54:10 UTC
Nikhil, is this the case where the IPA server was upgraded? If yes, the failure is most likely caused by bug #1328522. I was able to execute the steps in comment #15 successfully without upgrade.

Comment 29 Nikhil Dehadrai 2016-04-21 10:43:16 UTC
Endi, yes, the observation in Comment#27 is in the case of upgrade (i.e. IPA/REPLICA is set up BEFORE the upgrade to 7.2up4).

PKI-KRA Details: pki-kra-10.2.5-9.el7_2.noarch
IPA server Details: ipa-server-4.2.0-15.el7_2.15.x86_64

Today, I tested the bug with the following observations where IPA/Replica is set up and configured on top of RHEL 7.2up4 (i.e. IPA/REPLICA is set up AFTER updating to RHEL 7.2up4):

1. Set up an IPA server with RHEL 7.2up4.
2. Configure a Replica with CA against this IPA server with RHEL 7.2up4.
3. Run the command "ipa-kra-install" on the IPA server; the installation is successful after providing the password.
4. Run the command "ipa-kra-install <provide path to replica file>" and then provide the password on the Replica; the command fails with the following error message:

[root@replica ipa]# ipa-kra-install replica-info-replica.testrelm.test.gpg 
Directory Manager password: 
This program will setup Dogtag KRA for the IPA Server.
Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

Missing KRA certificates, please create a new replica file.
[root@replica ipa]# ipa-kra-install --uninstall
Usage: ipa-kra-install [options] [replica_file]
ipa-kra-install: error: Cannot uninstall.  There is no KRA installed on this system.

5. The ipaserver KRA install log displays the following details:
# cat /var/log/ipaserver-kra-install.log

2016-04-21T10:37:35Z DEBUG stderr=
2016-04-21T10:37:35Z DEBUG Starting external process
2016-04-21T10:37:35Z DEBUG args='/usr/bin/certutil' '-d' '/tmp/tmp2GAOE8' '-L' '-n' 'storageCert cert-pki-kra' '-a'
2016-04-21T10:37:35Z DEBUG Process finished, return code=255
2016-04-21T10:37:35Z DEBUG stdout=
2016-04-21T10:37:35Z DEBUG stderr=certutil: Could not find cert: storageCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

2016-04-21T10:37:35Z ERROR 
Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

2016-04-21T10:37:35Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 187, in run
    self._run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py", line 178, in _run
    raise admintool.ScriptError(str(e))

2016-04-21T10:37:35Z DEBUG The ipa-kra-install command failed, exception: ScriptError: Missing KRA certificates, please create a new replica file.
2016-04-21T10:37:35Z ERROR Missing KRA certificates, please create a new replica file.

Comment 30 Nikhil Dehadrai 2016-04-21 13:55:37 UTC
Just to add more information to the observations in Comment#29: using the newly generated replica file, the command to install KRA, "ipa-kra-install <replica file>", executes successfully. (This is in the case where IPA/REPLICA is set up AFTER updating to RHEL 7.2up4.)


But in the case of upgrade (i.e. IPA/REPLICA is set up BEFORE the upgrade to 7.2up4), the following behavior is noticed.

[root@replica ipa]# ipa-kra-install -p password -U
===================================================================
This program will setup Dogtag KRA for the IPA Server.
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s' 'KRA' '-f' '/tmp/tmpFcXnNH'' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki-ca-install.log
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.
Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

KRA configuration failed.

[root@replica ipa]# ipa-kra-install replica-info-replica.testrelm.test.gpg
Usage: ipa-kra-install [options] [replica_file]
ipa-kra-install: error: Too many parameters provided.  No replica file is required.

Comment 31 Matthew Harmsen 2016-04-21 18:41:12 UTC
Checked into DOGTAG_10_2_6_RHEL_BRANCH:
* 361c708d5854786d8c80dd9864818137d733661c

Comment 32 Matthew Harmsen 2016-04-21 18:42:40 UTC
*** Bug 1328522 has been marked as a duplicate of this bug. ***

Comment 34 Geetika Kapoor 2016-04-22 07:17:53 UTC
Filed "Bug 1329365 - pkispawn generates CSR without extensions" so as to support extensions in RootCA.

Comment 35 Nikhil Dehadrai 2016-04-22 12:49:08 UTC
IPA server version: ipa-server-4.2.0-15.el7_2.15.x86_64
PKI KRA version: pki-kra-10.2.5-10.el7_2.noarch

Tested the bug with the following steps/observations:
1. Set up an IPA server with RHEL 7.2.
2. Configure a Replica with CA against this IPA server with RHEL 7.2.
3. Upgrade IPA and Replica to 7.2up4.
4. On the IPA server, run the command "ipa-kra-install -p password -U"; the installation is successful.
5. Create a new Replica file with the "ipa-replica-prepare" command and copy this replica file from "/var/lib/ipa" to the Replica.
6. On the Replica, run the command "ipa-kra-install" as follows and note the observations:

[root@replica ~]# ipa-kra-install -p password -U
===================================================================
This program will setup Dogtag KRA for the IPA Server.
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s' 'KRA' '-f' '/tmp/tmpWfKgYD'' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki-ca-install.log
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.
Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.
KRA configuration failed.

[root@replica ~]# ipa-kra-install replica-info-replica.testrelm.test.gpg
Usage: ipa-kra-install [options] [replica_file]
ipa-kra-install: error: Too many parameters provided.  No replica file is required.

Comment 36 Xiyang Dong 2016-04-23 02:28:05 UTC
I was unable to reproduce Comment#35:

1.On server :
[root@hp-bl460cgen9-01 ~]# rpm -q ipa-server pki-kra
ipa-server-4.2.0-15.el7.x86_64
pki-kra-10.2.5-6.el7.noarch

2 On replica:
[root@sgi-uv2-01 ~]# rpm -q ipa-server pki-kra
ipa-server-4.2.0-15.el7.x86_64
pki-kra-10.2.5-6.el7.noarch

3.
On server:
[root@hp-bl460cgen9-01 yum.repos.d]# yum update ipa-* pki-kra
.
.
.
Updated:
  ipa-admintools.x86_64 0:4.2.0-15.el7_2.15              ipa-client.x86_64 0:4.2.0-15.el7_2.15             
  ipa-python.x86_64 0:4.2.0-15.el7_2.15                  ipa-server.x86_64 0:4.2.0-15.el7_2.15             
  ipa-server-dns.x86_64 0:4.2.0-15.el7_2.15              pki-kra.noarch 0:10.2.5-10.el7_2                  

Dependency Updated:
  libipa_hbac.x86_64 0:1.13.0-40.el7_2.4                libsss_idmap.x86_64 0:1.13.0-40.el7_2.4             
  pki-base.noarch 0:10.2.5-10.el7_2                     pki-ca.noarch 0:10.2.5-10.el7_2                     
  pki-server.noarch 0:10.2.5-10.el7_2                   pki-tools.x86_64 0:10.2.5-10.el7_2                  
  python-libipa_hbac.x86_64 0:1.13.0-40.el7_2.4         python-sssdconfig.noarch 0:1.13.0-40.el7_2.4        
  slapi-nis.x86_64 0:0.54-8.el7_2                       sssd.x86_64 0:1.13.0-40.el7_2.4                     
  sssd-ad.x86_64 0:1.13.0-40.el7_2.4                    sssd-client.x86_64 0:1.13.0-40.el7_2.4              
  sssd-common.x86_64 0:1.13.0-40.el7_2.4                sssd-common-pac.x86_64 0:1.13.0-40.el7_2.4          
  sssd-ipa.x86_64 0:1.13.0-40.el7_2.4                   sssd-krb5.x86_64 0:1.13.0-40.el7_2.4                
  sssd-krb5-common.x86_64 0:1.13.0-40.el7_2.4           sssd-ldap.x86_64 0:1.13.0-40.el7_2.4                
  sssd-proxy.x86_64 0:1.13.0-40.el7_2.4                


On replica:
[root@sgi-uv2-01 yum.repos.d]# yum update ipa-* pki-kra
.
.
.
Updated:
  ipa-admintools.x86_64 0:4.2.0-15.el7_2.15                   ipa-client.x86_64 0:4.2.0-15.el7_2.15                  
  ipa-python.x86_64 0:4.2.0-15.el7_2.15                       ipa-server.x86_64 0:4.2.0-15.el7_2.15                  
  ipa-server-dns.x86_64 0:4.2.0-15.el7_2.15                   pki-kra.noarch 0:10.2.5-10.el7_2                       

Dependency Updated:
  libipa_hbac.x86_64 0:1.13.0-40.el7_2.4                    libsss_idmap.x86_64 0:1.13.0-40.el7_2.4                 
  pki-base.noarch 0:10.2.5-10.el7_2                         pki-ca.noarch 0:10.2.5-10.el7_2                         
  pki-server.noarch 0:10.2.5-10.el7_2                       pki-tools.x86_64 0:10.2.5-10.el7_2                      
  python-libipa_hbac.x86_64 0:1.13.0-40.el7_2.4             python-sssdconfig.noarch 0:1.13.0-40.el7_2.4            
  slapi-nis.x86_64 0:0.54-8.el7_2                           sssd.x86_64 0:1.13.0-40.el7_2.4                         
  sssd-ad.x86_64 0:1.13.0-40.el7_2.4                        sssd-client.x86_64 0:1.13.0-40.el7_2.4                  
  sssd-common.x86_64 0:1.13.0-40.el7_2.4                    sssd-common-pac.x86_64 0:1.13.0-40.el7_2.4              
  sssd-ipa.x86_64 0:1.13.0-40.el7_2.4                       sssd-krb5.x86_64 0:1.13.0-40.el7_2.4                    
  sssd-krb5-common.x86_64 0:1.13.0-40.el7_2.4               sssd-ldap.x86_64 0:1.13.0-40.el7_2.4                    
  sssd-proxy.x86_64 0:1.13.0-40.el7_2.4                    

Complete!


4.On server:
[root@hp-bl460cgen9-01 ~]# ipa-kra-install -p <password> -U

===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
  [2/8]: create KRA agent
  [3/8]: restarting KRA
  [4/8]: configure certmonger for renewals
  [5/8]: configure certificate renewals
  [6/8]: configure HTTP to proxy connections
  [7/8]: add vault container
  [8/8]: apply LDAP updates
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful

5.On server:
[root@hp-bl460cgen9-01 ~]# ipa-replica-prepare sgi-uv2-01.testrelm.test
Directory Manager (existing master) password: 

Preparing replica for sgi-uv2-01.testrelm.test from hp-bl460cgen9-01.testrelm.test
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Saving dogtag Directory Server port
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-sgi-uv2-01.testrelm.test.gpg
The ipa-replica-prepare command was successful

[root@hp-bl460cgen9-01 ~]# scp /var/lib/ipa/replica-info-sgi-uv2-01.testrelm.test.gpg 10.16.67.134:/root/
replica-info-sgi-uv2-01.testrelm.test.gpg                                 100%   37KB  36.5KB/s   00:00 

6.On replica:
[root@sgi-uv2-01 ~]# ipa-kra-install -p <password> -U
Usage: ipa-kra-install [options] [replica_file]

ipa-kra-install: error: A replica file is required.
[root@sgi-uv2-01 ~]# ipa-kra-install -p <password> -U replica-info-sgi-uv2-01.testrelm.test.gpg

===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/7]: configuring KRA instance
  [2/7]: restarting KRA
  [3/7]: configure certmonger for renewals
  [4/7]: configure certificate renewals
  [5/7]: configure HTTP to proxy connections
  [6/7]: add vault container
  [7/7]: apply LDAP updates
Done configuring KRA server (pki-tomcatd).
Restarting the directory and KRA servers
Restarting the directory server
The ipa-kra-install command was successful



I did find out that if the master becomes unreachable before the KRA install, the same issue will pop up:

[root@sgi-uv2-01 ~]# ping $MASTER
ping: unknown host hp-bl460cgen9-01.testrelm.test
[root@sgi-uv2-01 ~]# ipa-kra-install -p Secret123 -U replica-info-sgi-uv2-01.testrelm.test.gpg

===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/7]: configuring KRA instance
Failed to configure KRA instance: Command ''/usr/sbin/pkispawn' '-s' 'KRA' '-f' '/tmp/tmp8SWCqS'' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki-ca-install.log
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.

Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

KRA configuration failed.


Nikhil, could you confirm that the issue is not reproducible, and check whether the master is resolvable before the KRA install?

Thanks!

Comment 38 Nikhil Dehadrai 2016-04-25 07:31:54 UTC
As per comment#36, I was able to install KRA on the IPA server and Replica. After force-syncing the Replica with IPA, the KRA installation was successful and the issue mentioned in Comment#30 and #35 is not observed.

IPA server version: ipa-server-4.2.0-15.el7_2.15.x86_64
PKI KRA version: pki-kra-10.2.5-10.el7_2.noarch

Tested the bug with the following steps/observations:
1. Set up an IPA server with RHEL 7.2.
2. Configure a Replica with CA against this IPA server with RHEL 7.2.
3. Upgrade IPA and Replica to 7.2up4.
4. On the IPA server, run the command "ipa-kra-install -p password -U"; the installation is successful.
5. Create a new Replica file with the "ipa-replica-prepare" command and copy this replica file from "/var/lib/ipa" to the Replica.
6. On the Replica, run the command "ipa-replica-manage force-sync --from <ipaserver>" to make sure the Replica is in communication with IPA and in sync.
7. On the Replica, run the command "ipa-kra-install" as follows and note the observations:

[root@replica ~]# ipa-replica-manage force-sync --from ipaserver.testrelm.test
ipa: INFO: Setting agreement cn=meToreplica.testrelm.test,cn=replica,cn=dc\=testrelm\,dc\=test,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToreplica.testrelm.test,cn=replica,cn=dc\=testrelm\,dc\=test,cn=mapping tree,cn=config

[root@replica ipa]# ipa-kra-install -p password -U
Usage: ipa-kra-install [options] [replica_file]
ipa-kra-install: error: A replica file is required.
[root@replica ipa]# ipa-kra-install -p password -U replica-info-replica.testrelm.test.gpg
===================================================================
This program will setup Dogtag KRA for the IPA Server.
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/7]: configuring KRA instance
  [2/7]: restarting KRA
  [3/7]: configure certmonger for renewals
  [4/7]: configure certificate renewals
  [5/7]: configure HTTP to proxy connections
  [6/7]: add vault container
  [7/7]: apply LDAP updates
Done configuring KRA server (pki-tomcatd).
Restarting the directory and KRA servers
Restarting the directory server
The ipa-kra-install command was successful

Comment 39 Geetika Kapoor 2016-04-27 07:02:21 UTC
Tested the below-mentioned scenarios:

Test Case 1: 
CA and clone installation works.

Test Case 2: dogtag-dogtag
ExternalCA installation -- PASS

Test Case 3: dogtag-nss
ExternalCA  installation -- PASS
ExternalCA clone installation -- PASS

Test Case 4: dogtag-openssl -- FAIL (Raised BZ 1329365)
Extensions in the CSR are not supported.

Test Case 5:  Verification of pkcs12-cert-find utility.
Works 

Test Case 5.a: Verification of pkcs12-cert-find utility
If not initialized properly, it gives the below logs.
INFO: Loading PKCS #12 file
NotInitializedException: null
Raised a BZ for the logging improvement: Bug 1330449

Test Case 6: KRA and KRA clone installation for externalCA -- PASS

Sometimes I have observed the below-mentioned error while configuring KRA with externalCA + Clone CA.
But this is not very consistent behavior.
<log snip>
 ERROR    ....... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Error in obtaining certificate chain from issuing CA: java.io.IOException: org.mozilla.jss.ssl.SSLSocketException: Unable to connect: (-5961) TCP connection reset by peer."
</log snip>

But when we do a clean setup again, it goes through.
I need to dig more into that issue. I observed similar behavior as mentioned in https://fedorahosted.org/pki/ticket/1372.

Test Case 7: To check the mandatory fields before the CA signs certs.
dogtag-openssl -- with CA fields set/unset

Currently no such check exists. Raised BZ 1330439.

Test Case 8: Verifying externalCA Trust flags status -- PASS 
pki pkcs12-cert-find --pkcs12-file /var/lib/pki/ExternalCA_nss/alias/ca_backup_keys.p12 --pkcs12-password-file /opt/Foobar1/ca/pkcs12_password.conf
---------------
5 entries found
---------------
  Certificate ID: 27c07bfee58f7b4915ca4f9b3bec523271ca1982
  Serial Number: 0x5579
  Nickname: caSigningCert cert-ExternalCA_nss CA
  Subject DN: CN=CA.Signing.Certificate,OU=Redhat,O=EXTERNAL.,L=Pune,ST=IN,C=IN
  Issuer DN: CN=External CA,O=EXTERNAL
  Trust Flags: CTu,CTu,CTu
  Has Key: true

  Certificate ID: 50406de3f72b790e78c297fb6612f7ba1f820a3c
  Serial Number: 0x1
  Nickname: ocspSigningCert cert-ExternalCA_nss CA
  Subject DN: CN=CA OCSP Signing Certificate,O=EXTERNAL
  Issuer DN: CN=CA.Signing.Certificate,OU=Redhat,O=EXTERNAL.,L=Pune,ST=IN,C=IN
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: f48a55847085c939dc1ae176d47fd24475f520b1
  Serial Number: 0x3
  Nickname: subsystemCert cert-ExternalCA_nss
  Subject DN: CN=Subsystem Certificate,O=EXTERNAL
  Issuer DN: CN=CA.Signing.Certificate,OU=Redhat,O=EXTERNAL.,L=Pune,ST=IN,C=IN
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 178cfb5ed743c144beebd2410b261920878ff92c
  Serial Number: 0x4
  Nickname: auditSigningCert cert-ExternalCA_nss CA
  Subject DN: CN=CA Audit Signing Certificate,O=EXTERNAL
  Issuer DN: CN=CA.Signing.Certificate,OU=Redhat,O=EXTERNAL.,L=Pune,ST=IN,C=IN
  Trust Flags: u,u,Pu
  Has Key: true

  Certificate ID: 368b6b37fbdcbb091bf670653e3b5aee398db295
  Serial Number: 0x15c
  Nickname: caSigningCert External CA
  Subject DN: CN=External CA,O=EXTERNAL
  Issuer DN: CN=External CA,O=EXTERNAL
  Trust Flags: CT,C,C
  Has Key: false


Test Case 9: Check if the pkcs12 file used for KRA clone installation contains 3rd-party data:

pki pkcs12-cert-find --pkcs12-file /tmp/kra_backup_keys.p12 --pkcs12-password-file /opt/Foobar1/ca/pkcs12_password.conf
---------------
7 entries found
---------------
  Certificate ID: 27c07bfee58f7b4915ca4f9b3bec523271ca1982
  Serial Number: 0x5579
  Nickname: CA.Signing.Certificate - EXTERNAL
  Subject DN: CN=CA.Signing.Certificate,OU=Redhat,O=EXTERNAL.,L=Pune,ST=IN,C=IN
  Issuer DN: CN=External CA,O=EXTERNAL
  Trust Flags: c,c,
  Has Key: false

  Certificate ID: 368b6b37fbdcbb091bf670653e3b5aee398db295
  Serial Number: 0x15c
  Nickname: External CA - EXTERNAL
  Subject DN: CN=External CA,O=EXTERNAL
  Issuer DN: CN=External CA,O=EXTERNAL
  Trust Flags: CT,c,c
  Has Key: false

  Certificate ID: ab8847ed5a20e9c490b5094c431a3021d10bc45d
  Serial Number: 0x7
  Nickname: storageCert cert-Foobar3 KRA
  Subject DN: CN=DRM Storage Certificate,O=EXTERNAL
  Issuer DN: CN=CA.Signing.Certificate,OU=Redhat,O=EXTERNAL.,L=Pune,ST=IN,C=IN
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: e7d36ad287d321630a7780466c7a18fa77314a85
  Serial Number: 0x9
  Nickname: subsystemCert cert-Foobar3
  Subject DN: CN=Subsystem Certificate,O=EXTERNAL
  Issuer DN: CN=CA.Signing.Certificate,OU=Redhat,O=EXTERNAL.,L=Pune,ST=IN,C=IN
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 198bf14fd58e4df90890f95feba303d59a631dfb
  Serial Number: 0x6
  Nickname: transportCert cert-Foobar3 KRA
  Subject DN: CN=DRM Transport Certificate,O=EXTERNAL
  Issuer DN: CN=CA.Signing.Certificate,OU=Redhat,O=EXTERNAL.,L=Pune,ST=IN,C=IN
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 33ffd96cbc535485e6d5eeb1f64c7acf40455a64
  Serial Number: 0x8
  Nickname: Server-Cert cert-Foobar3
  Subject DN: CN=nocp9.idm.lab.eng.rdu2.redhat.com,O=EXTERNAL
  Issuer DN: CN=CA.Signing.Certificate,OU=Redhat,O=EXTERNAL.,L=Pune,ST=IN,C=IN
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: cf26599bec847037ccd015ae7091e79510e80ee0
  Serial Number: 0xa
  Nickname: auditSigningCert cert-Foobar3 KRA
  Subject DN: CN=KRA Audit Signing Certificate,O=EXTERNAL
  Issuer DN: CN=CA.Signing.Certificate,OU=Redhat,O=EXTERNAL.,L=Pune,ST=IN,C=IN
  Trust Flags: u,u,Pu
  Has Key: true

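The two listings above are the manual form of the check this bug is about: does the PKCS #12 file handed to a clone or KRA installer carry the third-party CA certs that complete the chain, with usable trust flags? The script below is an added example, not code from the bug report or from the pki project. It parses `pki pkcs12-cert-find` output and reports any certificate whose issuer is absent from the file, and any self-signed root that lacks the `C` (trusted CA) flag in the first trust-flag slot. The sample listings are constructed from the entries shown above, with a second copy that drops the external root to mimic the behaviour this bug describes. Treating the first comma-separated trust slot as the SSL slot follows the NSS convention and is an assumption of the script, not something the bug report states.

```python
"""Sanity-check a `pki pkcs12-cert-find` listing for a complete CA chain.

Added example, not part of the bug report or the pki project. It flags
certificates whose issuer is not in the PKCS #12 file and self-signed roots
that lack CA trust ('C') in the first (assumed SSL) trust slot.
"""
import re

# "Key: Value" lines. DNs contain commas and '=', so only the first ':' splits.
_FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*)$")

# Constructed sample modelled on the listing format in the bug: the external
# root, the Dogtag CA signing cert it issued, and one KRA storage cert.
COMPLETE_LISTING = """\
---------------
3 entries found
---------------
  Certificate ID: 368b6b37fbdcbb091bf670653e3b5aee398db295
  Serial Number: 0x15c
  Nickname: External CA - EXTERNAL
  Subject DN: CN=External CA,O=EXTERNAL
  Issuer DN: CN=External CA,O=EXTERNAL
  Trust Flags: CT,c,c
  Has Key: false

  Certificate ID: 27c07bfee58f7b4915ca4f9b3bec523271ca1982
  Serial Number: 0x5579
  Nickname: CA.Signing.Certificate - EXTERNAL
  Subject DN: CN=CA.Signing.Certificate,OU=Redhat,O=EXTERNAL.,L=Pune,ST=IN,C=IN
  Issuer DN: CN=External CA,O=EXTERNAL
  Trust Flags: c,c,
  Has Key: false

  Certificate ID: ab8847ed5a20e9c490b5094c431a3021d10bc45d
  Serial Number: 0x7
  Nickname: storageCert cert-Foobar3 KRA
  Subject DN: CN=DRM Storage Certificate,O=EXTERNAL
  Issuer DN: CN=CA.Signing.Certificate,OU=Redhat,O=EXTERNAL.,L=Pune,ST=IN,C=IN
  Trust Flags: u,u,u
  Has Key: true
"""

# Constructed "buggy" variant: header and third-party root dropped, so the
# CA signing cert's issuer is no longer present in the file.
MISSING_ROOT_LISTING = "\n\n".join(COMPLETE_LISTING.split("\n\n")[1:])


def parse_listing(text):
    """Return one dict per entry; entries are separated by blank lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = _FIELD_RE.match(line)
        if m:  # separator and "N entries found" lines have no ':' and are skipped
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        entries.append(current)
    return entries


def split_trust(flags):
    """Split 'ssl,email,objsign' trust flags; missing slots become ''."""
    slots = flags.split(",")
    return tuple((slots + ["", "", ""])[:3])


def find_chain_gaps(entries):
    """Return human-readable problems; an empty list means the chain is complete."""
    subjects = {e.get("Subject DN") for e in entries}
    problems = []
    for e in entries:
        nick = e.get("Nickname", "<no nickname>")
        subject, issuer = e.get("Subject DN"), e.get("Issuer DN")
        if subject == issuer:
            # Self-signed root: it must be marked as a trusted CA, or the
            # clone's NSS database will not trust anything chained to it.
            first_slot, _, _ = split_trust(e.get("Trust Flags", ""))
            if "C" not in first_slot:
                problems.append(f"{nick}: self-signed root lacks 'C' trust "
                                f"in first slot ({e.get('Trust Flags')})")
        elif issuer not in subjects:
            problems.append(f"{nick}: issuer not present in file: {issuer}")
    return problems


if __name__ == "__main__":
    for name, listing in (("complete", COMPLETE_LISTING),
                          ("missing root", MISSING_ROOT_LISTING)):
        gaps = find_chain_gaps(parse_listing(listing))
        print(f"{name}: {'OK' if not gaps else gaps}")
```

To use it against a real file, pipe the output of `pki pkcs12-cert-find --pkcs12-file ... --pkcs12-password-file ...` into `parse_listing` and run `find_chain_gaps` on the result before starting the clone or KRA installation; a non-empty result is the symptom this bug produced.
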
Comment 40 Geetika Kapoor 2016-04-27 10:17:05 UTC
Created attachment 1151282 [details]
configuration_files

Comment 42 errata-xmlrpc 2016-05-12 09:57:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1042.html

Comment 43 Endi Sukma Dewata 2016-07-26 21:31:03 UTC
*** Bug 1328522 has been marked as a duplicate of this bug. ***

