Bug 1346433 - Strange Certificate Error, ipa-server-install ERROR 'b64_cert'
Summary: Strange Certificate Error, ipa-server-install ERROR 'b64_cert'
Status: CLOSED DUPLICATE of bug 1541853
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: RHCS Maintainers
QA Contact: Kaleem
Depends On:
Reported: 2016-06-14 19:44 UTC by J. M. Becker
Modified: 2020-10-04 21:10 UTC

Last Closed: 2018-02-22 09:07:00 UTC

Attachments
ipaserver-install.log (86.47 KB, text/plain)
2016-06-14 19:44 UTC, J. M. Becker
pki-ca-spawn.20160614152851.log (85.39 KB, text/plain)
2016-06-14 20:01 UTC, J. M. Becker
localhost.2016-06-14.log (4.86 KB, text/plain)
2016-06-14 20:02 UTC, J. M. Becker
catalina.2016-06-14.log (31.70 KB, text/plain)
2016-06-14 20:03 UTC, J. M. Becker
debug (662.80 KB, text/plain)
2016-06-14 20:06 UTC, J. M. Becker

System | ID | Private | Priority | Status | Summary | Last Updated
Github | dogtagpki pki issues 2499 | 0 | None | closed | Strange Certificate Error, ipa-server-install ERROR 'b64_cert' | 2020-11-09 18:54:36 UTC

Description J. M. Becker 2016-06-14 19:44:39 UTC
Created attachment 1167955

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/28]: creating certificate server user
  [2/28]: configuring certificate server instance
  [3/28]: stopping certificate server instance to update CS.cfg
  [4/28]: backing up CS.cfg
  [5/28]: disabling nonces
  [6/28]: set up CRL publishing
  [7/28]: enable PKIX certificate path discovery and validation
  [8/28]: starting certificate server instance
  [9/28]: creating RA agent certificate database
  [10/28]: importing CA chain to RA certificate database
  [11/28]: fixing RA database permissions
  [12/28]: setting up signing cert profile
  [13/28]: setting audit signing renewal to 2 years
  [14/28]: restarting certificate server
  [15/28]: requesting RA certificate from CA
  [16/28]: issuing RA agent certificate
  [error] KeyError: 'b64_cert'
ipa.ipapython.install.cli.install_tool(Server): ERROR    'b64_cert'

Post CSR generation, not sure how to proceed. Very unhappy about this not being a more modular installation, as minor common problems demand a full uninstall and reinstall, which then requires a re-sign every time, dramatically increasing troubleshooting time.

Comment 1 J. M. Becker 2016-06-14 19:46:04 UTC
IPA packages are from RHEL 7 repository, versioned 4.2.0-15 el7_2.15

Comment 2 Rob Crittenden 2016-06-14 19:53:09 UTC
Look at the log files in /var/lib/pki/pki-tomcat/logs/. The CA failed to issue the agent certificate (it threw java.lang.NullPointerException).

Comment 3 J. M. Becker 2016-06-14 20:01:43 UTC
Created attachment 1167958

Comment 4 J. M. Becker 2016-06-14 20:02:11 UTC
Created attachment 1167959

Comment 5 J. M. Becker 2016-06-14 20:03:21 UTC
Created attachment 1167960

Comment 7 J. M. Becker 2016-06-14 20:06:16 UTC
Created attachment 1167961

Comment 8 J. M. Becker 2016-06-14 20:14:22 UTC
(In reply to Rob Crittenden from comment #2)
> Look at the log files in /var/lib/pki/pki-tomcat/logs/. The CA failed to
> issue the agent certificate (it threw java.lang.NullPointerException).

I was unable to identify anything of significance; please let me know if more logs would be helpful.

Comment 9 J. M. Becker 2016-06-14 20:34:45 UTC
The error appears to be related to the DNs in some manner; I was able to at least pass the CA installation section by not adding this option when installing.

--subject 'C=US,ST=Ohio,O=AmTrust North America\, Inc.,OU=Servers,OU=Infrastructure,OU=IT'

As even when I used no external CA to sign, it still resulted in the error when I used that option. 

I'm now attempting to install using no subject, signing it anyway, and hoping that somehow it works anyway.

Comment 10 Rob Crittenden 2016-06-14 20:42:52 UTC
I came to the same conclusion about the subject.

From the debug log:

[14/Jun/2016:15:30:07][http-bio-8443-exec-5]: java.io.IOException: Unknown AVA keyword 'INC.,ST'.

CCing a CA developer to see if he knows if this is a dogtag issue, an IPA issue or perhaps no escaping is needed.

Comment 11 Endi Sukma Dewata 2016-06-15 02:40:54 UTC
It looks like while processing the subject DN the attribute order is reversed, then it is parsed incorrectly due to the comma in the O attribute causing the 'INC.,ST' to be considered an LDAP attribute, which is invalid.

Could you try again without the comma in the O attribute to confirm the problem?

Please reassign the bug to pki-core. Thanks.

Comment 12 J. M. Becker 2016-06-15 18:56:46 UTC
I can confirm, the comma was the problem with the subject alternate. The installation worked as expected for this section using,

--subject 'C=US,ST=Ohio,O=AmTrust North America Inc.,OU=Servers,OU=Infrastructure,OU=IT'
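
The failure described in comment 11, reproduced as an added Python example (not code from Dogtag, IPA or any commenter): a DN is parsed, its RDN order reversed, and the result re-parsed, once without re-escaping the value and once with it. The parser, the keyword set KNOWN and all helper names are assumptions made for illustration; hex escapes and the leading/trailing-space rules of RFC 4514 are not handled.

```python
import re

# Assumption: a small keyword set for the demo, not Dogtag's real table.
KNOWN = {"C", "ST", "L", "O", "OU", "CN"}
# Subject from the report (comment 9); the comma in O is backslash-escaped.
SUBJECT = (r"C=US,ST=Ohio,O=AmTrust North America\, Inc.,"
           "OU=Servers,OU=Infrastructure,OU=IT")

def parse_dn(dn):
    """Read keyword up to '=', then value up to the next unescaped comma."""
    avas, i, n = [], 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        key = (dn[i:] if eq < 0 else dn[i:eq]).strip().upper()
        if eq < 0 or key not in KNOWN:
            raise ValueError(f"Unknown AVA keyword '{key}'")
        i, value = eq + 1, []
        while i < n and dn[i] != ",":
            if dn[i] == "\\" and i + 1 < n:
                i += 1  # backslash escape: take the next character literally
            value.append(dn[i])
            i += 1
        avas.append((key, "".join(value)))
        i += 1  # step over the separating comma
    return avas

def escape_value(value):
    """Backslash-escape the RFC 4514 special characters in a value."""
    return re.sub(r'[,+"\\<>;]', lambda m: "\\" + m.group(0), value)

def reverse_dn(dn, escape=True):
    """Reverse RDN order; escape=False reproduces the lossy round trip."""
    fix = escape_value if escape else (lambda v: v)
    return ",".join(f"{k}={fix(v)}" for k, v in reversed(parse_dn(dn)))

def reparse_error(dn):
    """Return the parser's error message for dn, or None if it parses."""
    try:
        parse_dn(dn)
    except ValueError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    lossy = reverse_dn(SUBJECT, escape=False)
    print(lossy, "->", reparse_error(lossy))
    safe = reverse_dn(SUBJECT)
    print(safe, "->", reparse_error(safe))
```

With the escape dropped, the re-parse stops the O value at the comma and reads everything up to the next '=' as a keyword, which gives the same 'INC.,ST' text seen in the debug log quoted in comment 10.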

Comment 13 Matthew Harmsen 2016-06-24 01:32:38 UTC
Per PKI Bug Council of 06/23/2016: RHEL 7.4

Comment 14 Matthew Harmsen 2016-06-24 01:35:54 UTC
Upstream ticket:

Comment 18 Matthew Harmsen 2017-10-25 22:58:02 UTC
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6

Comment 19 Fraser Tweedale 2018-02-22 09:05:45 UTC
Upstream commit: e634316eb7f2aedc65fe528fb572b15e1bdc1eb2

Comment 20 Fraser Tweedale 2018-02-22 09:07:00 UTC

*** This bug has been marked as a duplicate of bug 1541853 ***
