On Tue, Apr 09, 2019 at 01:39:55PM -0000, Petr Benas via FreeIPA-users wrote:
Hello,
I'm trying to solve the following issue in our FreeIPA 4.6.4 deployment and ran out of
ideas, so I'm asking for advice. The main issue is the auditSigningCert having a
PrintableString subject:
# certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'auditSigningCert cert-pki-ca' -a | openssl x509 -noout -nameopt multiline,show_type -subject -issuer
subject=
    organizationName          = PRINTABLESTRING:DOMAIN.COM
    commonName                = PRINTABLESTRING:CA Audit
issuer=
    organizationName          = UTF8STRING:DOMAIN.COM
    commonName                = UTF8STRING:Certificate Authority
It gets resubmitted with a PrintableString subject again, so I was hoping to fix it
according to https://pagure.io/dogtagpki/issue/2865 by setting

policyset.caLogSigningSet.1.default.params.useSysEncoding=true
In order to modify the caSignedLogCert profile, Dogtag's admin certificate is
required. Our domain is a couple of years old and we don't have the original master
anymore, nor do we have any backups from it that would contain /root/ca-agent.p12.
So I was attempting to restore the admin cert by the method described in
/etc/pki/pki-tomcat/ca/CS.cfg, but after setting

ca.Policy.enable=true
cmsgateway.enableAdminEnroll=true

and restarting Dogtag, it fails to start with the following in
/var/log/pki/pki-tomcat/ca/debug:
[08/Apr/2019:13:55:32][localhost-startStop-1]: CertificateAuthority init: initRequestQueue
[08/Apr/2019:13:55:32][localhost-startStop-1]: selected policy processor = classic
[08/Apr/2019:13:55:32][localhost-startStop-1]: GenericPolicyProcessor::init begins
[08/Apr/2019:13:55:32][localhost-startStop-1]: GenericPolicyProcessor::init Certificate Policy Framework (deprecated) is ENABLED
java.lang.ClassNotFoundException: com.netscape.cms.policy.constraints.ManualAuthentication
    at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1892)
    at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1735)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.initSystemPolicies(GenericPolicyProcessor.java:1220)
    at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.init(GenericPolicyProcessor.java:200)
    at org.dogtagpki.legacy.ca.CAPolicy.init(CAPolicy.java:81)
    at com.netscape.ca.CertificateAuthority.initRequestQueue(CertificateAuthority.java:2183)
    at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:591)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1056)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:962)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:578)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
No policy implementation exists for: null
    at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.initSystemPolicies(GenericPolicyProcessor.java:1247)
    at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.init(GenericPolicyProcessor.java:200)
    at org.dogtagpki.legacy.ca.CAPolicy.init(CAPolicy.java:81)
    at com.netscape.ca.CertificateAuthority.initRequestQueue(CertificateAuthority.java:2183)
    at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:591)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1056)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:962)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:578)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
So I wanted to ask two questions. How can I reset or obtain the lost /root/ca-agent.p12
certificate? If that's not possible in a way safe enough for a replicated production
environment, are there any alternative ways to modify the caSignedLogCert profile
without Dogtag's admin cert, or even to resubmit the auditSigningCert with
UTF8String encoding without modifying the profile?
Thanks
Petr
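As an added example (not from Petr's post, nor from FreeIPA or Dogtag), the same check the certutil/openssl pipeline above performs by eye, done programmatically over a DER-encoded X.509 Name: it reports the ASN.1 string type of each attribute and lists those that are not UTF8String. The Name bytes below are constructed to mirror the output in the post; for a real certificate one would feed in the subject's own DER bytes instead (for instance from python-cryptography's `Name.public_bytes()`, assumed available).

```python
"""Report the ASN.1 string type of every attribute in a DER-encoded X.509 Name (stdlib only)."""
# Universal tag numbers of the string types that appear in distinguished names.
STRING_TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x16: "IA5STRING", 0x1E: "BMPSTRING"}
ATTR_NAMES = {"2.5.4.3": "commonName", "2.5.4.10": "organizationName"}

def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(raw):
    """Decode the value octets of an OBJECT IDENTIFIER into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def name_encodings(name_der):
    """Return [(attribute, string_type, text)] in the order the Name encodes them."""
    _, rdns, _ = _tlv(name_der, 0)          # Name ::= SEQUENCE OF RelativeDistinguishedName
    out, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = _tlv(rdns, pos)       # RDN ::= SET OF AttributeTypeAndValue (single-valued here)
        _, atv, _ = _tlv(rdn, 0)            # AttributeTypeAndValue ::= SEQUENCE { type OID, value ANY }
        _, oid_raw, vpos = _tlv(atv, 0)
        tag, value, _ = _tlv(atv, vpos)
        oid = _oid(oid_raw)
        out.append((ATTR_NAMES.get(oid, oid), STRING_TAGS.get(tag, hex(tag)),
                    value.decode("utf-8", "replace")))
    return out

def non_utf8_attributes(name_der):
    """Attributes not encoded as UTF8String; an empty list means the whole Name is UTF8String."""
    return [attr for attr, typ, _ in name_encodings(name_der) if typ != "UTF8STRING"]

# Constructed sample data mirroring the post's output; not bytes from a real certificate.
def _der(tag, payload):                     # minimal encoder, short-form lengths only (< 128 bytes)
    return bytes([tag, len(payload)]) + payload
def _rdn(oid_der, tag, text):               # one single-valued RDN: SET { SEQUENCE { OID, string } }
    return _der(0x31, _der(0x30, oid_der + _der(tag, text.encode())))

OID_O, OID_CN = bytes.fromhex("060355040a"), bytes.fromhex("0603550403")   # organizationName, commonName
SAMPLE_SUBJECT = _der(0x30, _rdn(OID_O, 0x13, "DOMAIN.COM") + _rdn(OID_CN, 0x13, "CA Audit"))
SAMPLE_ISSUER = _der(0x30, _rdn(OID_O, 0x0C, "DOMAIN.COM") + _rdn(OID_CN, 0x0C, "Certificate Authority"))
```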
Hi Petr,
You should be able to use the IPA RA certificate to perform the
profile modification. It lives in /var/lib/ipa/ra-agent.{key,pem}.
You will need to import it into an NSSDB to use the `pki' tool to
perform the profile modification. (First create a PKCS #12 file via
`openssl pkcs12', then import to NSSDB via `pk12util'.)
Alternatively, the profile configurations are stored in LDAP, so you
could modify them directly in LDAP. The entry of interest is
cn=caSignedLogCert,ou=certificateProfiles,ou=ca,o=ipaca (and the other
profiles are stored nearby).
Cheers,
Fraser