dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

Dogtag - failed to create an externally signed CA #3383

Open p57p57 opened 3 years ago

p57p57 commented 3 years ago

During step 2 of an externally signed CA, the installation failed with the following error message:

Installation failed: Command failed: pki -d /var/lib/pki/XXXXXX/alias pkcs7-cert-export --pkcs7-file /tmp/tmpiu1lMX/cert_chain.p7b --output-prefix /tmp/tmp7c8rxl/cert --output-suffix .crt

Logs from /var/log/pki/pki-ca-spawn.20201118123850.log:

2020-11-18 12:38:50 pkispawn : INFO ....... importing ca_signing certificate from UsersCA-4.crt
2020-11-18 12:38:50 pki.nssdb : DEBUG Command: pki -d /var/lib/pki/XXXXXXX/alias pkcs7-cert-export --pkcs7-file /tmp/tmphixnSq/cert_chain.p7b --output-prefix /tmp/tmpwvsiMR/cert --output-suffix .crt
2020-11-18 12:38:52 pkispawn : DEBUG ....... Error Type: CalledProcessError
2020-11-18 12:38:52 pkispawn : DEBUG ....... Error Message: Command '['pki', '-d', '/var/lib/pki/XXXXX/alias', 'pkcs7-cert-export', '--pkcs7-file', '/tmp/tmphixnSq/cert_chain.p7b', '--output-prefix', '/tmp/tmpwvsiMR/cert', '--output-suffix', '.crt']' returned non-zero exit status 255
2020-11-18 12:38:52 pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 534, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1089, in spawn
    self.import_system_certs(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 622, in import_system_certs
    self.import_ca_signing_cert(deployer, nssdb)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 443, in import_ca_signing_cert
    trust_attributes='CT,C,C')
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 1157, in import_cert_chain
    trust_attributes=trust_attributes)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 1189, in import_pkcs7
    subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)

Info:
rpm -q pki-server: pki-server-10.5.17-6.el7.noarch
rpm -q tomcat: tomcat-7.0.76-12.el7_8.noarch

p57p57 commented 3 years ago

Part of the conf file for step 2. I have tried both (ca.crt is my rootCA certificate, UsersCA-4.crt is the signed certificate from the CSR signed by the rootCA).

Option 1:
pki_external_step_two=True
pki_cert_chain_path=ca.crt
pki_ca_signing_cert_path=UsersCA-4.crt

Option 2:
pki_external_step_two=True
pki_cert_chain_path=ca.p7b
pki_ca_signing_cert_path=UsersCA-4.crt
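An added pre-check for the two options above (example code, not from the Dogtag project or the reporter): since the step that fails is pkcs7-cert-export reading the chain file, this reports whether the file given as pki_cert_chain_path is really a PEM certificate chain, a PEM PKCS#7 bundle, or DER PKCS#7 before pkispawn is run. The DER inspection looks only at the outer structure, and the sample inputs are constructed stand-ins, not real certificates.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), the content type
# that `pki pkcs7-cert-export` expects to find in cert_chain.p7b.
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos=0):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der_kind(der):
    """'pkcs7' if the outer SEQUENCE opens with the signedData OID, 'certificate'
    if it opens with a nested SEQUENCE (tbsCertificate), else None. Shape check only."""
    try:
        tag, body, _ = _tlv(der)
        inner_tag, inner, _ = _tlv(body)
    except IndexError:  # truncated, empty, or not DER at all
        return None
    if tag != 0x30:
        return None
    if inner_tag == 0x06 and inner == SIGNED_DATA_OID:
        return "pkcs7"
    return "certificate" if inner_tag == 0x30 else None

def classify_chain_file(data):
    """Report what a candidate pki_cert_chain_path file actually contains."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:  # no PEM armour: treat the whole file as DER
        kind = _der_kind(data)
        return "der-" + kind if kind else "unknown"
    try:
        kinds = [_der_kind(base64.b64decode(body)) for _, body in blocks]
    except ValueError:  # corrupt base64 inside a PEM block
        return "unknown"
    if all(k == "certificate" for k in kinds):
        return "pem-certificates:%d" % len(kinds)
    return "pem-pkcs7" if kinds == ["pkcs7"] else "unknown"

# Constructed samples, not real certificates: a minimal signedData shell and a
# SEQUENCE{SEQUENCE{NULL}} standing in for a certificate's outer structure.
SAMPLE_DER_PKCS7 = bytes.fromhex("300d06092a864886f70d010702a000")
SAMPLE_DER_CERT = bytes.fromhex("300430020500")
SAMPLE_PEM_CHAIN = 2 * (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER_CERT) + b"-----END CERTIFICATE-----\n")
SAMPLE_PEM_PKCS7 = b"-----BEGIN PKCS7-----\n" + base64.encodebytes(SAMPLE_DER_PKCS7) + b"-----END PKCS7-----\n"
```

Run it as `classify_chain_file(open("ca.p7b", "rb").read())` against whichever file the config names; a result of "unknown" or a PEM certificate count where a PKCS#7 bundle was intended is worth fixing before retrying step 2.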

p57p57 commented 3 years ago

And by the way, if I attempt to create a rootCA using interactive mode, it works ...