Bug 1346433 - Strange Certificate Error, ipa-server-install ERROR 'b64_cert'
Summary: Strange Certificate Error, ipa-server-install ERROR 'b64_cert'
Keywords:
Status: CLOSED DUPLICATE of bug 1541853
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Linux
medium
unspecified
Target Milestone: rc
: ---
Assignee: RHCS Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-06-14 19:44 UTC by J. M. Becker
Modified: 2020-10-04 21:10 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-22 09:07:00 UTC
Target Upstream Version:
Embargoed:


Attachments
ipaserver-install.log (86.47 KB, text/plain), 2016-06-14 19:44 UTC, J. M. Becker
pki-ca-spawn.20160614152851.log (85.39 KB, text/plain), 2016-06-14 20:01 UTC, J. M. Becker
localhost.2016-06-14.log (4.86 KB, text/plain), 2016-06-14 20:02 UTC, J. M. Becker
catalina.2016-06-14.log (31.70 KB, text/plain), 2016-06-14 20:03 UTC, J. M. Becker
debug (662.80 KB, text/plain), 2016-06-14 20:06 UTC, J. M. Becker


Links
System: Github; ID: dogtagpki pki issues 2499; Private: 0; Priority: None; Status: closed; Summary: Strange Certificate Error, ipa-server-install ERROR 'b64_cert'; Last Updated: 2020-11-09 18:54:36 UTC

Description J. M. Becker 2016-06-14 19:44:39 UTC
Created attachment 1167955 [details]
ipaserver-install.log

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/28]: creating certificate server user
  [2/28]: configuring certificate server instance
  [3/28]: stopping certificate server instance to update CS.cfg
  [4/28]: backing up CS.cfg
  [5/28]: disabling nonces
  [6/28]: set up CRL publishing
  [7/28]: enable PKIX certificate path discovery and validation
  [8/28]: starting certificate server instance
  [9/28]: creating RA agent certificate database
  [10/28]: importing CA chain to RA certificate database
  [11/28]: fixing RA database permissions
  [12/28]: setting up signing cert profile
  [13/28]: setting audit signing renewal to 2 years
  [14/28]: restarting certificate server
  [15/28]: requesting RA certificate from CA
  [16/28]: issuing RA agent certificate
  [error] KeyError: 'b64_cert'
ipa.ipapython.install.cli.install_tool(Server): ERROR    'b64_cert'


Post CSR generation, not sure how to proceed. Very unhappy about this not being a more modular installation, as minor common problems demand a full uninstall and reinstall, which then requires a re-sign every time, dramatically increasing troubleshooting time.

Comment 1 J. M. Becker 2016-06-14 19:46:04 UTC
IPA packages are from RHEL 7 repository, versioned 4.2.0-15 el7_2.15

Comment 2 Rob Crittenden 2016-06-14 19:53:09 UTC
Look at the log files in /var/lib/pki/pki-tomcat/logs/. The CA failed to issue the agent certificate (it threw java.lang.NullPointerException).

Comment 3 J. M. Becker 2016-06-14 20:01:43 UTC
Created attachment 1167958 [details]
pki-ca-spawn.20160614152851.log

Comment 4 J. M. Becker 2016-06-14 20:02:11 UTC
Created attachment 1167959 [details]
localhost.2016-06-14.log

Comment 5 J. M. Becker 2016-06-14 20:03:21 UTC
Created attachment 1167960 [details]
catalina.2016-06-14.log

Comment 7 J. M. Becker 2016-06-14 20:06:16 UTC
Created attachment 1167961 [details]
debug

Comment 8 J. M. Becker 2016-06-14 20:14:22 UTC
(In reply to Rob Crittenden from comment #2)
> Look at the log files in /var/lib/pki/pki-tomcat/logs/. The CA failed to
> issue the agent certificate (it threw java.lang.NullPointerException).

I was unable to identify anything of significance, please let me know if more logs would be helpful.

Comment 9 J. M. Becker 2016-06-14 20:34:45 UTC
The error appears to be related to the DNs in some manner; I was able to at least pass the CA installation section by not adding this option when installing.


--subject 'C=US,ST=Ohio,O=AmTrust North America\, Inc.,OU=Servers,OU=Infrastructure,OU=IT'

As even when I used no external CA to sign, it still resulted in the error when I used that option. 

I'm now attempting to install using no subject, signing it anyway, and hoping that somehow it works anyway.

Comment 10 Rob Crittenden 2016-06-14 20:42:52 UTC
I came to the same conclusion about the subject.

From the debug log:

[14/Jun/2016:15:30:07][http-bio-8443-exec-5]: java.io.IOException: Unknown AVA keyword 'INC.,ST'.

CCing a CA developer to see if he knows if this is a dogtag issue, an IPA issue or perhaps no escaping is needed.

Comment 11 Endi Sukma Dewata 2016-06-15 02:40:54 UTC
It looks like while processing the subject DN the attribute order is reversed, then it is parsed incorrectly due to the comma in the O attribute causing the 'INC.,ST' to be considered an LDAP attribute, which is invalid.

Could you try again without the comma in the O attribute to confirm the problem?

Please reassign the bug to pki-core. Thanks.
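
A minimal model of the failure described in comment 11, added here as an illustration; it is not IPA or Dogtag code and not part of the original comments. It assumes the backslash escape on the comma is lost when the reversed DN is written back out as a string (the page does not show the actual code path); `parse`, `serialize`, `reverse_dn` and `reparse_error` are hypothetical names, and the parser is simplified (no hex escapes, no multi-valued RDNs).

```python
# Added illustration only; not IPA or Dogtag code.
SUBJECT = r'C=US,ST=Ohio,O=AmTrust North America\, Inc.,OU=Servers,OU=Infrastructure,OU=IT'
KNOWN = {"C", "ST", "L", "O", "OU", "CN"}   # keywords this toy parser accepts
SPECIAL = ',+"\\<>;'                        # characters escaped on output

def parse(dn):
    """Read keyword up to '=', then value up to the next unescaped ','."""
    avas, i, n = [], 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        key = (dn[i:] if eq < 0 else dn[i:eq]).strip().upper()
        if eq < 0 or key not in KNOWN:
            raise ValueError(f"Unknown AVA keyword '{key}'.")
        i, val = eq + 1, []
        while i < n and dn[i] != ",":
            if dn[i] == "\\" and i + 1 < n:
                i += 1                      # escaped character is taken literally
            val.append(dn[i])
            i += 1
        avas.append((key, "".join(val)))
        i += 1                              # skip the separating comma
    return avas

def escape(value):
    return "".join(("\\" + c if c in SPECIAL else c) for c in value)

def serialize(avas, escape_values=True):
    """escape_values=False models the assumed defect: raw values are joined."""
    return ",".join(f"{k}={escape(v) if escape_values else v}" for k, v in avas)

def reverse_dn(dn, escape_values=True):
    return serialize(list(reversed(parse(dn))), escape_values)

def reparse_error(dn, escape_values):
    """Reverse the DN, parse the result again, and return any error text."""
    try:
        parse(reverse_dn(dn, escape_values))
    except ValueError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    print(reverse_dn(SUBJECT, escape_values=False))
    print(reparse_error(SUBJECT, escape_values=False))  # escape lost
    print(reparse_error(SUBJECT, escape_values=True))   # escape preserved
```

With the escape dropped, the second parse ends the O value at the bare comma and reads everything up to the next `=` as a keyword, which is the string reported in the debug log.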

Comment 12 J. M. Becker 2016-06-15 18:56:46 UTC
I can confirm, the comma was the problem with the subject alternate. The installation worked as expected for this section using,

--subject 'C=US,ST=Ohio,O=AmTrust North America Inc.,OU=Servers,OU=Infrastructure,OU=IT'

Comment 13 Matthew Harmsen 2016-06-24 01:32:38 UTC
Per PKI Bug Council of 06/23/2016: RHEL 7.4

Comment 14 Matthew Harmsen 2016-06-24 01:35:54 UTC
Upstream ticket:
https://fedorahosted.org/pki/ticket/2379

Comment 18 Matthew Harmsen 2017-10-25 22:58:02 UTC
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6

Comment 19 Fraser Tweedale 2018-02-22 09:05:45 UTC
Upstream commit: e634316eb7f2aedc65fe528fb572b15e1bdc1eb2

Comment 20 Fraser Tweedale 2018-02-22 09:07:00 UTC

*** This bug has been marked as a duplicate of bug 1541853 ***

