Bug 672333 - Creation of RA agent fails in IPA installation
Summary: Creation of RA agent fails in IPA installation
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: pki-ca
Version: 14
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-01-24 20:51 UTC by Rob Crittenden
Modified: 2011-02-03 00:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-03 00:11:36 UTC
Type: ---


Attachments
IPA server installation log showing the client side (193.82 KB, text/plain)
2011-01-24 20:51 UTC, Rob Crittenden
CA debug log (441.40 KB, text/plain)
2011-01-24 20:51 UTC, Rob Crittenden

Description Rob Crittenden 2011-01-24 20:51:16 UTC
Created attachment 475043 [details]
IPA server installation log showing the client side

Description of problem:

The IPA installer attempts to create an RA user, issue a certificate for it and use it for all subsequent RA operations. The creation of the user is failing; we aren't getting back the expected certificate (hence the b64_cert error).

The error apparently being returned by the CA is Authorization Error but as far as I can tell authorization was successful. The request just seems to stop in the CA debug log.

Version-Release number of selected component (if applicable):

pki-ca-9.0.1-2.svn.1762M.20110121T1347z.fc14.noarch

How reproducible:

Only one user has reported this, I have been unable to reproduce.

Comment 1 Rob Crittenden 2011-01-24 20:51:40 UTC
Created attachment 475044 [details]
CA debug log

Comment 2 Andrew Wnuk 2011-02-01 01:33:33 UTC
From attachment 475043 [details]:
errorReason="Authorization Error";
errorCode="1";

From attachment 475044 [details]:
[24/Jan/2011:12:06:09][http-9443-1]: ProfileProcessServlet:  Missing nonce
[24/Jan/2011:12:06:09][http-9443-1]: ProfileProcessServlet:  nonceVerified=false

The above log entries are consistent with the CS.cfg file containing:
  ca.enableNonces=true

Comment 3 Andrew Wnuk 2011-02-01 01:46:39 UTC
Suggestion:
The RA certificate could be obtained in a single step by using a profile similar to caAgentServerCert instead of the caServerCert profile.

Comment 4 Marc Sauton 2011-02-01 02:04:18 UTC
Some test details; it seems to work just fine with the last builds:

Fedora release 14 (Laughlin)
Linux ipaserver2.example.com 2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec 23 16:04:50 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux

freeipa-admintools-2.0-0.2011013122git41abde2.fc14.x86_64
freeipa-client-2.0-0.2011013122git41abde2.fc14.x86_64
freeipa-server-selinux-2.0-0.2011013122git41abde2.fc14.x86_64
freeipa-python-2.0-0.2011013122git41abde2.fc14.x86_64
freeipa-server-2.0-0.2011013122git41abde2.fc14.x86_64

pki-ca-9.0.1-2.fc14.noarch
osutil-9.0.0-1.fc14.x86_64
dogtag-pki-ca-theme-9.0.0-3.fc14.noarch
dogtag-pki-common-theme-9.0.0-3.fc14.noarch
jss-4.2.6-12.fc14.x86_64
tomcatjss-2.1.0-1.fc14.noarch


ipa-server-install --realm=EXAMPLE.COM --domain=example.com --ds-password=password --master-password=password --admin-password=password --hostname=ipaserver2.example.com --idstart=1000 --setup-dns --forwarder=10.14.7.221 --zonemgr=msauton


and got in the CA debug log:
/var/log/pki-ca/debug
...snip...
[31/Jan/2011:17:21:21][http-9443-1]: CMSServlet:service() uri = /ca/agent/ca/profileProcess
...snip...
[31/Jan/2011:17:21:21][http-9443-1]: CMSServlet::service() param name='name' value='CN=RA Subsystem,O=EXAMPLE.COM'
[31/Jan/2011:17:21:21][http-9443-1]: CMSServlet: caProfileProcess start to service.
[31/Jan/2011:17:21:21][http-9443-1]: IP: 10.14.5.15
[31/Jan/2011:17:21:21][http-9443-1]: AuthMgrName: certUserDBAuthMgr
[31/Jan/2011:17:21:21][http-9443-1]: CMSServlet: retrieving SSL certificate
[31/Jan/2011:17:21:21][http-9443-1]: CMSServlet: certUID=CN=ipa-ca-agent,O=EXAMPLE.COM
[31/Jan/2011:17:21:21][http-9443-1]: CertUserDBAuth: started
[31/Jan/2011:17:21:21][http-9443-1]: CertUserDBAuth: Retrieving client certificate
[31/Jan/2011:17:21:21][http-9443-1]: CertUserDBAuth: Got client certificate
[31/Jan/2011:17:21:21][http-9443-1]: Authentication: client certificate found
...snip...
[31/Jan/2011:17:21:21][http-9443-1]: authenticated uid=admin,ou=people,o=ipaca
...snip...
[31/Jan/2011:17:21:21][http-9443-1]: evaluated expression: group="Certificate Manager Agents" to be true
...snip...
[31/Jan/2011:17:21:21][http-9443-1]: ProfileProcessServlet: start serving
[31/Jan/2011:17:21:21][http-9443-1]: ProfileProcessServlet: SubId=profile
[31/Jan/2011:17:21:21][http-9443-1]: ProfileProcessServlet: requestId=7


The servlet ProfileProcessServlet went through as expected for this enrollment.

Comment 5 Rob Crittenden 2011-02-01 02:50:24 UTC
The nonce error is a real head scratcher because we set it to false and then restart the server. This worked for everyone but the one user who reported the problem. He added another restart right before we start fetching the agent cert and it fixed things.

Comment 6 Andrew Wnuk 2011-02-02 19:24:22 UTC
Old and new CA logs provided consistently report that nonces are enabled
  (see: log entries including "CertificateAuthority init: Nonces enabled.").

Nonces are enabled in the CA by default, which means that the absence of the line "ca.enableNonces=false" in the CS.cfg file will result in the CA requiring nonces.

The CS team is unable to reproduce this issue.

This issue could be avoided by obtaining the RA certificate in a single step (not 2 steps).

Obtaining the RA certificate in a single step can be achieved by using an enrollment authenticated by an agent. The CA provides a sample profile (caAgentServerCert) allowing for such enrollment.

Replacing the caServerCert profile with caAgentServerCert should be relatively simple since both enrollments use the same parameters.
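The following is an added diagnostic example, not code from the bug report or from the pki-ca project. It applies the CS.cfg semantics stated in comments 2 and 6 (a missing ca.enableNonces key means nonces are enforced) and scans a CA debug log for the "Missing nonce" / "nonceVerified=false" lines quoted above, which is what surfaces to the client as errorReason="Authorization Error". The sample CS.cfg fragments and log lines are constructed for the example; the function names are my own.

```python
import re

def nonces_required(cs_cfg_text: str) -> bool:
    """Return True if a CA with this CS.cfg content enforces nonces.

    Per the bug discussion the key is optional: when it is absent the CA
    default applies, and that default is enabled.
    """
    for line in cs_cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ca.enableNonces":
            return value.strip().lower() != "false"
    return True  # key absent -> nonces enabled by default

# Matches the two ProfileProcessServlet lines quoted from the CA debug log.
NONCE_FAILURE = re.compile(r"ProfileProcessServlet:\s+(Missing nonce|nonceVerified=false)")

def nonce_failures(debug_log_text: str) -> list:
    """Return (timestamp, message) for every nonce-related failure line."""
    hits = []
    for line in debug_log_text.splitlines():
        m = NONCE_FAILURE.search(line)
        if m:
            ts = re.match(r"\[([^\]]+)\]", line)  # leading [dd/Mon/yyyy:hh:mm:ss]
            hits.append((ts.group(1) if ts else "", m.group(1)))
    return hits

# Constructed sample inputs modelled on the snippets quoted in the bug.
SAMPLE_CFG_DEFAULT = "ca.Policy.enable=true\n# no ca.enableNonces key here\n"
SAMPLE_CFG_DISABLED = "ca.enableNonces=false\nca.Policy.enable=true\n"
SAMPLE_LOG = (
    "[24/Jan/2011:12:06:09][http-9443-1]: ProfileProcessServlet: start serving\n"
    "[24/Jan/2011:12:06:09][http-9443-1]: ProfileProcessServlet:  Missing nonce\n"
    "[24/Jan/2011:12:06:09][http-9443-1]: ProfileProcessServlet:  nonceVerified=false\n"
)

if __name__ == "__main__":
    print("nonces required (key absent):", nonces_required(SAMPLE_CFG_DEFAULT))
    print("nonces required (set false): ", nonces_required(SAMPLE_CFG_DISABLED))
    for ts, msg in nonce_failures(SAMPLE_LOG):
        print(ts, msg)
```

Run it against the real /var/log/pki-ca/debug and /etc/pki-ca/CS.cfg to confirm whether a failed profileProcess call coincided with nonce enforcement before blaming authorization.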

