[Freeipa-users] Re: ECC keypair generation failed with `ipa-server-instal` on HSM

チョーチュアン via FreeIPA-users wrote: > Hello, > > Recently I've been experimenting on HSM with FreeIPA, I got stuck at the > CA generation, but it's a separate issue. I somehow achieve a successful > key generation on HSM with default key_algorimth/size/ settings. RSA > 3072/2048 keys showed up on the HSM even after a failed CA installation > but not the case with ECC keys. > > The error was: > Failed to configure CA instance: CalledProcessError(Command > ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp877ip58a'] returned > non-zero exit status 1: > > pkihelper     : ERROR    Server unreachable due to SSL error: > [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] > > sslv3 alert handshake failure (_ssl.c:1056) > > configuration : ERROR    Server failed to restart > pkispawn      : ERROR    Exception: server failed to restart > >   File "/usr/lib/python3.7/site-packages/pki/server/pkispawn.py", line > 547, in main >     scriptlet.spawn(deployer) >   File > "/usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/configuration.py", > line 670, in spawn >     raise Exception("server failed to restart") > ') > See the installation logs and the following files/directories for more > information: >   /var/log/pki/pki-tomcat >   [error] RuntimeError: CA configuration failed. > CA configuration failed. > > and configuration was: > ``` > [DEFAULT] > ipa_key_algorithm=SHA256withEC > ipa_key_size=nistp384 > ipa_key_type=ecc > ipa_signing_algorithm=SHA256withEC > pki_ca_signing_key_size=nistp384 > > pki_hsm_enable=True > pki_hsm_libfile=/usr/lib64/opensc-pkcs11.so > pki_hsm_modulename=nitrohsm > pki_token_name=UserPIN (SmartCard-HSM) > pki_token_password=648219 > > pki_random_serial_numbers_enable=True > ``` You're really on the bleeding edge. I don't know that HSM works reliably yet. An ECC CA is not something we're planning on ever doing (keys too small) so you're on your own with that.