dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

pkispawn from master branch creates orphan key in /etc/pki/pki-tomcat/alias #4103

Closed flo-renaud closed 1 year ago

flo-renaud commented 1 year ago

During IPA server installation, the pkispawn command creates an orphan key in /etc/pki/pki-tomcat/alias. This happens with pki packages installed from the copr repo @pki/master (for instance dogtag-pki-base-11.3.0-0.1.alpha1.20220816002107UTC.52585e78.fc36.noarch).

In order to reproduce:

  1. Install IPA server with # ipa-server-install --domain testrelm.test --realm TESTRELM.TEST -a Secret123 -p Secret123 -U
  2. Check the content of the PKI NSS DB:
    # certutil -K -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/alias/pwdfile.txt
    certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
    < 0> rsa      a4390f279ce57159272f5ff76128f7fba62701f5   (orphan)
    < 1> rsa      e46e6072136212d93ef9188c08d324c1db79fe0f   NSS Certificate DB:caSigningCert cert-pki-ca
    < 2> rsa      f78318465429c08175527598b216c7cc2185e44e   NSS Certificate DB:ocspSigningCert cert-pki-ca
    < 3> rsa      13ecad146a86270c93db2990d5dcc3acb13073d0   NSS Certificate DB:Server-Cert cert-pki-ca
    < 4> rsa      11d3fa179f8563fe83df2ba546394c9ab33527d8   NSS Certificate DB:subsystemCert cert-pki-ca
    < 5> rsa      9b7e96a0bf1c8c454143c256be8892d1d4216549   NSS Certificate DB:auditSigningCert cert-pki-ca

pkispawn is called with the following configuration file:

[CA]
pki_admin_cert_file = /root/.dogtag/pki-tomcat/ca_admin.cert
pki_admin_cert_request_type = pkcs10
pki_admin_dualkey = False
pki_admin_email = root@localhost
pki_admin_name = admin
pki_admin_nickname = ipa-ca-agent
pki_admin_password = XXXXXXXX
pki_admin_subject_dn = cn=ipa-ca-agent,O=TESTRELM.TEST
pki_admin_uid = admin
pki_ajp_host_ipv4 = 127.0.0.1
pki_ajp_host_ipv6 = ::1
pki_ajp_secret = 7Jjc8CpTy37NU77Q0i7mroiTBCOMDzOC8evuhJsN5XP9
pki_audit_group = pkiaudit
pki_audit_signing_key_algorithm = SHA256withRSA
pki_audit_signing_key_size = 2048
pki_audit_signing_key_type = rsa
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_audit_signing_signing_algorithm = SHA256withRSA
pki_audit_signing_subject_dn = cn=CA Audit,O=TESTRELM.TEST
pki_audit_signing_token = internal
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_ca_hostname = master.testrelm.test
pki_ca_port = 443
pki_ca_signing_cert_path = /etc/pki/pki-tomcat/external_ca.cert
pki_ca_signing_csr_path = /root/ipa.csr
pki_ca_signing_key_algorithm = SHA256withRSA
pki_ca_signing_key_size = 3072
pki_ca_signing_key_type = rsa
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_record_create = True
pki_ca_signing_serial_number = 1
pki_ca_signing_signing_algorithm = SHA256withRSA
pki_ca_signing_subject_dn = CN=Certificate Authority,O=TESTRELM.TEST
pki_ca_signing_token = internal
pki_ca_starting_crl_number = 0
pki_cert_chain_nickname = caSigningCert External CA
pki_cert_chain_path = /etc/pki/pki-tomcat/external_ca_chain.cert
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_client_database_password =
pki_client_database_purge = True
pki_client_dir = /root/.dogtag/pki-tomcat
pki_client_pkcs12_password = XXXXXXXX
pki_configuration_path = /etc/pki
pki_default_ocsp_uri = http://ipa-ca.testrelm.test/ca/ocsp
pki_dns_domainname = testrelm.test
pki_ds_base_dn = o=ipaca
pki_ds_bind_dn = cn=Directory Manager
pki_ds_database = ipaca
pki_ds_hostname = master.testrelm.test
pki_ds_ldap_port = 389
pki_ds_ldaps_port = 636
pki_ds_password = XXXXXXXX
pki_ds_remove_data = True
pki_ds_secure_connection = False
pki_ds_secure_connection_ca_nickname = Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt
pki_enable_proxy = True
pki_existing = False
pki_external = False
pki_external_pkcs12_password =
pki_external_pkcs12_path =
pki_external_step_two = False
pki_group = pkiuser
pki_hostname = master.testrelm.test
pki_hsm_enable = False
pki_hsm_libfile =
pki_hsm_modulename =
pki_import_admin_cert = False
pki_instance_configuration_path = /etc/pki/pki-tomcat
pki_instance_name = pki-tomcat
pki_issuing_ca = https://master.testrelm.test:443
pki_issuing_ca_hostname = master.testrelm.test
pki_issuing_ca_https_port = 443
pki_issuing_ca_uri = https://master.testrelm.test:443
pki_master_crl_enable = True
pki_ocsp_signing_key_algorithm = SHA256withRSA
pki_ocsp_signing_key_size = 2048
pki_ocsp_signing_key_type = rsa
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ocsp_signing_signing_algorithm = SHA256withRSA
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=TESTRELM.TEST
pki_ocsp_signing_token = internal
pki_pkcs12_password =
pki_pkcs12_path =
pki_profiles_in_ldap = True
pki_random_serial_numbers_enable = False
pki_replica_number_range_end = 100
pki_replica_number_range_start = 1
pki_replication_password =
pki_request_number_range_end = 10000000
pki_request_number_range_start = 1
pki_restart_configured_instance = False
pki_san_for_server_cert =
pki_san_inject = False
pki_security_domain_hostname = master.testrelm.test
pki_security_domain_https_port = 443
pki_security_domain_name = IPA
pki_security_domain_password = XXXXXXXX
pki_security_domain_user = admin
pki_self_signed_token = internal
pki_serial_number_range_end = 10000000
pki_serial_number_range_start = 1
pki_server_database_password = XXXXXXXX
pki_share_db = False
pki_skip_configuration = False
pki_skip_ds_verify = False
pki_skip_installation = False
pki_skip_sd_verify = False
pki_sslserver_key_algorithm = SHA256withRSA
pki_sslserver_key_size = 2048
pki_sslserver_key_type = rsa
pki_sslserver_nickname = Server-Cert cert-pki-ca
pki_sslserver_subject_dn = cn=master.testrelm.test,O=TESTRELM.TEST
pki_sslserver_token = internal
pki_status_request_timeout = 15
pki_subordinate = False
pki_subordinate_create_new_security_domain = False
pki_subsystem = CA
pki_subsystem_key_algorithm = SHA256withRSA
pki_subsystem_key_size = 2048
pki_subsystem_key_type = rsa
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_subsystem_subject_dn = cn=CA Subsystem,O=TESTRELM.TEST
pki_subsystem_token = internal
pki_subsystem_type = ca
pki_theme_enable = True
pki_theme_server_dir = /usr/share/pki/common-ui
pki_token_name = internal
pki_user = pkiuser

and with the following options: args=['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmparm8sd8v', '--debug', '--log-file', '/var/log/pki/pki-ca-spawn.20220816144351.log']

Companion issue on IPA side: https://pagure.io/freeipa/issue/9223
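A small check for the condition reported above, added here as an example (it is not code from the issue or from the pki project): it parses the `certutil -K` listing into key records and flags entries that certutil prints as `(orphan)`, so the same check can run from a script after pkispawn. The sample output is constructed from the listing quoted in the report; `list_nss_keys()` assumes `certutil` is on PATH.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# One row of `certutil -K`: "< 0> rsa      <CKA_ID hex>   (orphan)" or "... NSS Certificate DB:<nickname>"
_KEY_LINE = re.compile(
    r"^<\s*(?P<idx>\d+)>\s+(?P<ktype>\S+)\s+(?P<ckaid>[0-9a-f]+)\s+(?P<name>.*)$"
)

@dataclass
class NssKey:
    index: int
    key_type: str
    ckaid: str
    nickname: Optional[str]  # None when certutil prints "(orphan)"

    @property
    def orphan(self) -> bool:
        return self.nickname is None

def parse_certutil_keys(output: str) -> List[NssKey]:
    """Parse the text certutil -K prints; header and other non-key lines are skipped."""
    keys = []
    for line in output.splitlines():
        m = _KEY_LINE.match(line.strip())
        if not m:
            continue
        name = m.group("name").strip()
        keys.append(NssKey(int(m.group("idx")), m.group("ktype"),
                           m.group("ckaid"), None if name == "(orphan)" else name))
    return keys

def orphan_keys(output: str) -> List[NssKey]:
    """Private keys with no certificate attached, the condition the report above flags."""
    return [k for k in parse_certutil_keys(output) if k.orphan]

def list_nss_keys(db_dir: str, pwdfile: str) -> List[NssKey]:
    """Run the same certutil invocation as the report against a live NSS DB (assumes certutil on PATH)."""
    proc = subprocess.run(["certutil", "-K", "-d", db_dir, "-f", pwdfile],
                          capture_output=True, text=True, check=True)
    return parse_certutil_keys(proc.stdout)

# Constructed sample: the first lines of the output quoted in the report.
SAMPLE_OUTPUT = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      a4390f279ce57159272f5ff76128f7fba62701f5   (orphan)
< 1> rsa      e46e6072136212d93ef9188c08d324c1db79fe0f   NSS Certificate DB:caSigningCert cert-pki-ca
"""
```

Calling `orphan_keys(list_nss_keys("/etc/pki/pki-tomcat/alias", "/etc/pki/pki-tomcat/alias/pwdfile.txt"))` on the installed instance returns an empty list once the fix is in place.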

flo-renaud commented 1 year ago

pki-ca-spawn.20220816144351.log

edewata commented 1 year ago

@flo-renaud It should be fixed now. Could you give it a try? Thanks.

flo-renaud commented 1 year ago

@edewata I manually tried with 11.3.0-0.1.alpha1.20221122191406UTC.6abe6d11 and it looks good.

edewata commented 1 year ago

@flo-renaud Thanks!