dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

IPA server installation with externally-signed CA fails (with @pki/master copr repo) #4745

Closed flo-renaud closed 4 months ago

flo-renaud commented 4 months ago

The installation of an IPA server with an externally-signed CA fails with PKI shipped in @pki/master copr repo.

Reproducer steps:

  1. dnf copr enable -y @freeipa/freeipa-master-nightly
  2. dnf copr enable -y @pki/master
  3. ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 --external-ca -U
     This step generates a CSR in /root/ipa.csr. Create an external CA, sign the CSR, and continue the installation with:
  4. ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 --external-cert-file ca-chain.crt

The installation fails:

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.12.0.dev202405071236+git

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

Warning: skipping DNS resolution of host server.ipa.test
Checking DNS domain ipa.test., please wait ...
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.

NetBIOS domain name [IPA]: 

Do you want to configure chrony with NTP server or pool address? [no]: 

The IPA Master Server will be configured with:
Hostname:       server.ipa.test
IP address(es): 10.0.187.161
Domain name:    ipa.test
Realm name:     IPA.TEST

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=IPA.TEST
Subject base: O=IPA.TEST
Chaining:     externally signed

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       10.11.5.160, 10.2.70.215, 2620:52:0:aa0::dead:beef, 10.11.5.160, 10.2.70.215, 2620:52:0:aa0::dead:beef
Forward policy:   only
Reverse zone(s):  No reverse zone

Disabled p11-kit-proxy
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/31]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The logs from pki-ca-spawn contain the following message:

2024-05-15 03:32:17 DEBUG: Importing a PKCS #7 data without header/footer
2024-05-15 03:32:17 DEBUG: NSSDatabase.import_pkcs7()
2024-05-15 03:32:17 DEBUG: Command: pki -d /var/lib/pki/pki-tomcat/conf/alias pkcs7-cert-export --pkcs7 -----BEGIN PKCS7-----[base64 PKCS #7 data elided]-----END PKCS7-----
 --output-prefix /tmp/tmp1s8viaol/cert --output-suffix .crt --debug
2024-05-15 03:32:17 DEBUG: NSSDatabase.import_cert_chain(caSigningCert External CA) ends

and ipa-server-install log:

DEBUG: Importing a PKCS #7 data without header/footer
DEBUG: NSSDatabase.import_pkcs7()
DEBUG: Command: pki -d /var/lib/pki/pki-tomcat/conf/alias pkcs7-cert-export --pkcs7 -----BEGIN PKCS7-----[base64 PKCS #7 data elided]-----END PKCS7-----
 --output-prefix /tmp/tmp1s8viaol/cert --output-suffix .crt --debug
INFO: Loading PKCS #7 data from -----BEGIN PKCS7-----[base64 PKCS #7 data elided]-----END PKCS7-----

java.nio.file.FileSystemException: -----BEGIN PKCS7-----[base64 PKCS #7 data elided]-----END PKCS7-----
: File name too long
        at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100)
        at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
        at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
        at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
        at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
        at java.base/java.nio.file.Files.newByteChannel(Files.java:432)
        at java.base/java.nio.file.Files.readAllBytes(Files.java:3288)
        at com.netscape.cmstools.pkcs7.PKCS7CertExportCLI.execute(PKCS7CertExportCLI.java:96)
        at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
        at org.dogtagpki.cli.CLI.execute(CLI.java:353)

It looks like the command expects a filename but is provided the certificate content.

ipaserver-install.log

pki-ca-spawn.20240515033215.log
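The failure above comes from passing PEM text where `pkcs7-cert-export --pkcs7` expects a file path, so the JVM tries to open a several-kilobyte "file name" and the kernel answers ENAMETOOLONG. The following is an added Python example, not pki's or FreeIPA's own code: it reproduces that OS-level error and shows the defensive handling of the argument (write PEM content to a file first, pass a path through unchanged). The helper names and the output file name `chain.p7b` are assumptions, and `SAMPLE_PKCS7` is constructed, not a real chain.

```python
import errno
import os
import tempfile

# Constructed sample: PEM-shaped text, not a real PKCS #7 chain, long enough
# (> PATH_MAX) to trigger the same error the installer log shows.
SAMPLE_PKCS7 = "-----BEGIN PKCS7-----\n" + ("MIIB" * 16 + "\n") * 80 + "-----END PKCS7-----\n"


def looks_like_pem(value):
    """True when the argument is PEM content rather than a filesystem path."""
    return value.lstrip().startswith("-----BEGIN ")


def probe_as_path(value):
    """Name of the errno the OS reports when the value is treated as a path
    (None if it exists). This mirrors what Files.readAllBytes() hit above."""
    try:
        os.stat(value)
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))


def resolve_pkcs7_arg(value, workdir):
    """Give pkcs7-cert-export what it expects: a path. PEM content is written
    to a file under workdir; an existing path is passed through unchanged."""
    if not looks_like_pem(value):
        return value
    path = os.path.join(workdir, "chain.p7b")
    with open(path, "w") as f:
        f.write(value)
    return path


def build_export_command(alias_dir, pkcs7_arg, workdir):
    """argv for the command seen in the log, with the --pkcs7 value made safe."""
    return ["pki", "-d", alias_dir, "pkcs7-cert-export",
            "--pkcs7", resolve_pkcs7_arg(pkcs7_arg, workdir),
            "--output-prefix", os.path.join(workdir, "cert"),
            "--output-suffix", ".crt"]


def demo():
    """Exercise both argument kinds in a scratch directory; return observations."""
    with tempfile.TemporaryDirectory() as d:
        argv = build_export_command("/var/lib/pki/pki-tomcat/conf/alias", SAMPLE_PKCS7, d)
        path = argv[argv.index("--pkcs7") + 1]
        with open(path) as f:
            round_trip = f.read() == SAMPLE_PKCS7
        return {"pem_errno": probe_as_path(SAMPLE_PKCS7),
                "argv_has_path": path == os.path.join(d, "chain.p7b"),
                "round_trip": round_trip,
                "path_passthrough": resolve_pkcs7_arg(path, d) == path}
```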

flo-renaud commented 4 months ago

Installed versions (Fedora 39):

edewata commented 4 months ago

This issue should be fixed by this commit: https://github.com/dogtagpki/pki/commit/abd605bfdabc0109e306df0026d90f14afd919e0

Could you try again?

flo-renaud commented 4 months ago

Hi @edewata, the tests from this weekend didn't hit the issue (PR 3701). Closing as fixed.