Hello,
I'm trying to solve the following issue in our FreeIPA 4.6.4 deployment and ran out of ideas, so I'm asking for advice. The main issue is the auditSigningCert having a printablestring subject:

# certutil -d /etc/pki/pki-tomcat/alias/ -L -n 'auditSigningCert cert-pki-ca' -a | openssl x509 -noout -nameopt multiline,show_type -subject -issuer
subject=
    organizationName          = PRINTABLESTRING:DOMAIN.COM
    commonName                = PRINTABLESTRING:CA Audit
issuer=
    organizationName          = UTF8STRING:DOMAIN.COM
    commonName                = UTF8STRING:Certificate Authority
It gets resubmitted with printablestring subject again, so I was hoping to fix it according to https://pagure.io/dogtagpki/issue/2865 by setting
policyset.caLogSigningSet.1.default.params.useSysEncoding=true
In order to modify the caSignedLogCert profile, Dogtag's admin certificate is required. Our domain is a couple of years old and we don't have the original master anymore, nor do we have any backups from it that would contain the /root/ca-agent.p12.
So I was attempting to restore the admin cert by the method described in /etc/pki/pki-tomcat/ca/CS.cfg, but after setting

ca.Policy.enable=true
cmsgateway.enableAdminEnroll=true

and restarting Dogtag, it fails to start with the following in /var/log/pki/pki-tomcat/ca/debug:
[08/Apr/2019:13:55:32][localhost-startStop-1]: CertificateAuthority init: initRequestQueue
[08/Apr/2019:13:55:32][localhost-startStop-1]: selected policy processor = classic
[08/Apr/2019:13:55:32][localhost-startStop-1]: GenericPolicyProcessor::init begins
[08/Apr/2019:13:55:32][localhost-startStop-1]: GenericPolicyProcessor::init Certificate Policy Framework (deprecated) is ENABLED
java.lang.ClassNotFoundException: com.netscape.cms.policy.constraints.ManualAuthentication
    at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1892)
    at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1735)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.initSystemPolicies(GenericPolicyProcessor.java:1220)
    at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.init(GenericPolicyProcessor.java:200)
    at org.dogtagpki.legacy.ca.CAPolicy.init(CAPolicy.java:81)
    at com.netscape.ca.CertificateAuthority.initRequestQueue(CertificateAuthority.java:2183)
    at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:591)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1056)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:962)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:578)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
No policy implementation exists for: null
    at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.initSystemPolicies(GenericPolicyProcessor.java:1247)
    at org.dogtagpki.legacy.core.policy.GenericPolicyProcessor.init(GenericPolicyProcessor.java:200)
    at org.dogtagpki.legacy.ca.CAPolicy.init(CAPolicy.java:81)
    at com.netscape.ca.CertificateAuthority.initRequestQueue(CertificateAuthority.java:2183)
    at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:591)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1056)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:962)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:578)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1257)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1182)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1072)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5368)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5660)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
So I wanted to ask two questions. How can I reset or obtain the lost /root/ca-agent.p12 certificate? If that is not possible in a way safe enough for a replicated production environment, are there any alternative ways to modify the caSignedLogCert profile without Dogtag's admin cert, or even to resubmit the auditSigningCert with utf8string encoding without modifying the profile?
Thanks Petr
On Tue, Apr 09, 2019 at 01:39:55PM -0000, Petr Benas via FreeIPA-users wrote:
Hi Petr,
You should be able to use the IPA RA certificate to perform the profile modification. It lives in /var/lib/ipa/ra-agent.{key,pem}. You will need to import it into an NSSDB to use the `pki' tool to perform the profile modification. (First create a PKCS #12 file via `openssl pkcs12', then import to NSSDB via `pk12util'.)
Alternatively, the profile configurations are stored in LDAP so you could modify directly in LDAP. The entry of interest is cn=caSignedLogCert,ou=certificateProfiles,ou=ca,o=ipaca (and other profiles are stored nearby).
Cheers, Fraser
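The RA-agent route Fraser describes, written out as a shell sequence. This is an added example, not code from the thread or from the FreeIPA/Dogtag projects; it assumes a scratch NSSDB under $NSSDB, the nickname ipa-ra, the `pki` client options -U/-d/-C/-n, and that the CA listens on port 8443 of the local host.

```shell
#!/bin/sh
# Added example: import /var/lib/ipa/ra-agent.{key,pem} into a scratch NSSDB
# and use it with the `pki' CLI to flip useSysEncoding on caSignedLogCert.
# Assumed (not from the thread): $NSSDB location, nickname "ipa-ra", port 8443.
NSSDB=${NSSDB:-/root/ra-nssdb}

# Set key=value in a raw (properties-style) profile config:
# replace the line if the key exists, append it otherwise.
set_profile_param() {
    file=$1 key=$2 value=$3
    if grep -q "^$key=" "$file"; then
        esc=$(printf '%s' "$key" | sed 's/[].[*^$\\]/\\&/g')   # escape for BRE
        sed "s|^$esc=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Read a parameter back (empty string when absent).
get_profile_param() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# Step 1: wrap the RA key and cert into PKCS#12 and import into the NSSDB.
import_ra_agent() {
    umask 077
    mkdir -p "$NSSDB"
    openssl rand -hex 16 > "$NSSDB/pwfile"          # one password for DB and P12
    certutil -N -d "$NSSDB" -f "$NSSDB/pwfile"
    openssl pkcs12 -export -in /var/lib/ipa/ra-agent.pem -inkey /var/lib/ipa/ra-agent.key \
        -name ipa-ra -passout "file:$NSSDB/pwfile" -out "$NSSDB/ra-agent.p12"
    pk12util -i "$NSSDB/ra-agent.p12" -d "$NSSDB" -k "$NSSDB/pwfile" -w "$NSSDB/pwfile"
    rm -f "$NSSDB/ra-agent.p12"                      # transport container only
}

# Step 2: fetch the profile in raw form, set the parameter, push it back.
# Dogtag only accepts modifications to a profile that is disabled.
apply_profile_change() {
    pki="pki -U https://$(hostname -f):8443 -d $NSSDB -C $NSSDB/pwfile -n ipa-ra"
    $pki ca-profile-show caSignedLogCert --raw --output caSignedLogCert.cfg
    cp caSignedLogCert.cfg caSignedLogCert.cfg.orig   # keep a copy for rollback
    set_profile_param caSignedLogCert.cfg \
        policyset.caLogSigningSet.1.default.params.useSysEncoding true
    $pki ca-profile-disable caSignedLogCert
    $pki ca-profile-mod caSignedLogCert.cfg --raw
    $pki ca-profile-enable caSignedLogCert
}
```

After the profile change, the audit signing cert still has to be resubmitted (as Petr did) before the new subject encoding shows up in the certificate itself.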
Hi Fraser,
thanks for your response and for giving me the pointers. I was able to modify the certificate profile using /var/lib/ipa/ra-agent.{key,pem}. I will update after the successful resubmit with the utf8 encoding.
Note for anyone facing the same issue: the RA certificate does not seem to have permission to list users (ca-user-find), but that does not prevent it from modifying the cert profile.
Cheers, Petr
The promised update: the resubmit went as expected and I have the auditSigningCert with utf8 subject now.
Thanks again!
freeipa-users@lists.fedorahosted.org