Open pki-bot opened 4 years ago
This issue was migrated from Pagure Issue #3136. Originally filed by cipherboy (@cipherboy) on 2020-03-15 14:33:36:
Created attachment 1483377: clone-tks-spawn.log
Description of problem: the pki-server tks-clone-prepare CLI doesn't import all required certs
Version-Release number of selected component (if applicable):
How reproducible: always
Steps to Reproduce:
1. Create a master TKS
2. It creates the certs below in the master's DB
[root@pki1 ~]# certutil -L -d /var/lib/pki/topology-02-TKS/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

auditSigningCert cert-topology-02-TKS TKS                    u,u,Pu
Server-Cert cert-topology-02-TKS                             u,u,u
ocspSigningCert cert-pki-ca                                  C,,
DRM Transport Certificate - topology-02_Foobarmaster.org     c,c,c
CA Signing Certificate - topology-02_Foobarmaster.org        CT,C,C
subsystemCert cert-topology-02-TKS                           u,u,u
[root@pki1 ~]# pki-server -v tks-clone-prepare --pkcs12-file tks-certs2.p12 --pkcs12-password Secret.123 -i topology-02-TKS
Command: tks-clone-prepare --pkcs12-file tks-certs2.p12 --pkcs12-password Secret.123 -i topology-02-TKS
------------------------------------------------------
Added certificate "subsystemCert cert-topology-02-TKS"
------------------------------------------------------
Traceback (most recent call last):
  File "/usr/sbin/pki-server", line 118, in <module>
    cli.execute(sys.argv)
  File "/usr/sbin/pki-server", line 110, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python2.7/site-packages/pki/server/cli/tks.py", line 144, in execute
    'signing', pkcs12_file, pkcs12_password_file)
  File "/usr/lib/python2.7/site-packages/pki/server/__init__.py", line 266, in export_system_cert
    subprocess.check_call(cmd)
  File "/usr/lib64/python2.7/subprocess.py", line 537, in check_call
    retcode = call(*popenargs, **kwargs)
  File "/usr/lib64/python2.7/subprocess.py", line 524, in call
    return Popen(*popenargs, **kwargs).wait()
  File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.7/subprocess.py", line 1327, in _execute_child
    raise child_exception
TypeError: execv() arg 2 must contain only strings
ERROR: execv() arg 2 must contain only strings
Actual results: It only imports

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-topology-02-TKS                           u,u,u
CA Signing Certificate - topology-02_Foobarmaster.org        ,,
With the above clone-prepare p12 file, pkispawn fails with the error below:

[root@clone ~]# pkispawn -s TKS -f tks-clone.cfg
Log file: /var/log/pki/pki-tks-spawn.20180914121001.log
Loading deployment configuration from tks-clone.cfg.
Installing TKS into /var/lib/pki/topology-02-TKS.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/topology-02-TKS/tks/deployment.cfg.
Importing certificates from /tmp/certs/tks-certs2.p12:
---------------
2 entries found
---------------
  Certificate ID: 77bad53b5635c66a56d4b08e6d724961ef606ba7
  Serial Number: 0x13
  Nickname: subsystemCert cert-topology-02-TKS
  Subject DN: CN=Subsystem Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: u,u,u
  Has Key: true

  Certificate ID: 18ac8ea06cf900e2324c87d0759f7d5bb643d924
  Serial Number: 0x1
  Nickname: CA Signing Certificate - topology-02_Foobarmaster.org
  Subject DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
  Trust Flags: CT,C,C
  Has Key: false
---------------
Import complete
---------------
certutil: could not find certificate named "auditSigningCert cert-topology-02-TKS TKS": SEC_ERROR_BAD_DATABASE: security library: bad database.
Installation failed: Command failed: certutil -M -d /etc/pki/topology-02-TKS/alias -f /etc/pki/topology-02-TKS/pfile -n auditSigningCert cert-topology-02-TKS TKS -t u,u,Pu
Please find the attachment for debug logs.
Expected results: It should import all certs that are required for a TKS clone
Additional info:
I tried a manual workaround using PKCS12 export to import all certs from the master into a pk12 file.
[root@pki1 ~]# PKCS12Export -debug -d /var/lib/pki/topology-02-TKS/alias -p tks-keydb-pass.txt -w tks-pkcs12-pass.txt -o tks-certs.p12
INFO: Initializing database in /var/lib/pki/topology-02-TKS/alias
INFO: Reading database password from tks-keydb-pass.txt
INFO: Logging into security token
INFO: Reading PKCS 12 password from tks-pkcs12-pass.txt
INFO: Exporting NSS database into tks-certs.p12
INFO: Loading all certificate and keys from NSS database
INFO: Loading certificate "auditSigningCert cert-topology-02-TKS TKS" from NSS database
INFO: Loading private key for certificate "auditSigningCert cert-topology-02-TKS TKS" from NSS database
FINE: Certificate "auditSigningCert cert-topology-02-TKS TKS" has private key
INFO: Loading certificate "CA Signing Certificate - topology-02_Foobarmaster.org" from NSS database
INFO: Loading certificate "Server-Cert cert-topology-02-TKS" from NSS database
INFO: Loading private key for certificate "Server-Cert cert-topology-02-TKS" from NSS database
FINE: Certificate "Server-Cert cert-topology-02-TKS" has private key
INFO: Loading certificate "CA Signing Certificate - topology-02_Foobarmaster.org" from NSS database
INFO: Loading certificate "ocspSigningCert cert-pki-ca" from NSS database
INFO: Loading private key for certificate "ocspSigningCert cert-pki-ca" from NSS database
FINE: Certificate "ocspSigningCert cert-pki-ca" has no private key
INFO: Loading certificate "CA Signing Certificate - topology-02_Foobarmaster.org" from NSS database
INFO: Loading certificate "DRM Transport Certificate - topology-02_Foobarmaster.org" from NSS database
INFO: Loading private key for certificate "DRM Transport Certificate - topology-02_Foobarmaster.org" from NSS database
FINE: Certificate "DRM Transport Certificate - topology-02_Foobarmaster.org" has no private key
INFO: Loading certificate "CA Signing Certificate - topology-02_Foobarmaster.org" from NSS database
INFO: Loading certificate "CA Signing Certificate - topology-02_Foobarmaster.org" from NSS database
INFO: Loading private key for certificate "CA Signing Certificate - topology-02_Foobarmaster.org" from NSS database
FINE: Certificate "CA Signing Certificate - topology-02_Foobarmaster.org" has no private key
INFO: Loading certificate "subsystemCert cert-topology-02-TKS" from NSS database
INFO: Loading private key for certificate "subsystemCert cert-topology-02-TKS" from NSS database
FINE: Certificate "subsystemCert cert-topology-02-TKS" has private key
INFO: Loading certificate "CA Signing Certificate - topology-02_Foobarmaster.org" from NSS database
INFO: Generating PKCS 12 data
FINE: Creating cert bag for auditSigningCert cert-topology-02-TKS TKS
FINE: Creating cert bag for CA Signing Certificate - topology-02_Foobarmaster.org
FINE: Creating cert bag for Server-Cert cert-topology-02-TKS
FINE: Creating cert bag for ocspSigningCert cert-pki-ca
FINE: Creating cert bag for DRM Transport Certificate - topology-02_Foobarmaster.org
FINE: Creating cert bag for subsystemCert cert-topology-02-TKS
FINE: Creating key bag for CN=TKS Audit Signing Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org
FINE: Encrypting private key for CN=TKS Audit Signing Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org
FINE: Creating key bag for CN=pki1.example.com,OU=topology-02-TKS,O=topology-02_Foobarmaster.org
FINE: Encrypting private key for CN=pki1.example.com,OU=topology-02-TKS,O=topology-02_Foobarmaster.org
FINE: Creating key bag for CN=Subsystem Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org
FINE: Encrypting private key for CN=Subsystem Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org
INFO: Storing data into PKCS 12 file
Export complete.
Then I uploaded this file to the clone machine and did the installation. The installation was successful.
Also, there is an already open bug 701319 for importing the DRM transport cert when cloning TKS.
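The traceback above ends in `execv() arg 2 must contain only strings`, which is what Python 2's subprocess raises when one element of the argv list is `None` rather than a string; in the report the command was given `--pkcs12-password` and the code path still handed a password-file path down to the export. The following is an added example, not code from the bug report or from pki-server, that reproduces that argv defect in a defensive helper and adds the completeness check a practitioner would run on an export before shipping it to a clone. `bad_argv_indices`, `resolve_password_file`, `build_export_cmd`, `missing_nicknames` and the `REQUIRED_TKS_NICKNAMES` list are assumptions; the nicknames are copied from the master's `certutil -L` listing and the DRM transport entry follows bug 701319. `pk12util` and its `-d`/`-o`/`-w`/`-n` options are the real NSS tool, used here as a stand-in for whatever export tool a given pki-server release calls.

```python
"""Added example (not from the bug report or pki-server): reproduce the
argv defect behind "execv() arg 2 must contain only strings" and check a
TKS clone export for completeness. Helper names are assumptions."""
import os
import tempfile

# Nicknames a TKS clone must carry, taken from the master's certutil -L
# listing in the report: the three system certs that have private keys,
# plus the DRM transport cert tracked in bug 701319 (assumed list).
REQUIRED_TKS_NICKNAMES = [
    "subsystemCert cert-topology-02-TKS",
    "auditSigningCert cert-topology-02-TKS TKS",
    "Server-Cert cert-topology-02-TKS",
    "DRM Transport Certificate - topology-02_Foobarmaster.org",
]


def bad_argv_indices(cmd):
    """Indices of argv entries that are not strings. execv() rejects any
    such entry; a None password-file path is exactly what the traceback
    shows reaching subprocess.check_call."""
    return [i for i, arg in enumerate(cmd) if not isinstance(arg, str)]


def resolve_password_file(pkcs12_password, pkcs12_password_file):
    """Return a string path usable as the export tool's password-file
    argument. A CLI that accepts either --pkcs12-password or
    --pkcs12-password-file must turn a literal password into a file
    instead of passing None on to subprocess."""
    if pkcs12_password_file:
        return pkcs12_password_file
    if pkcs12_password is None:
        raise ValueError("a PKCS#12 password or password file is required")
    # mkstemp creates the file with mode 0600, so the password is not
    # world-readable while the export runs.
    fd, path = tempfile.mkstemp(prefix="pkcs12-pw-")
    with os.fdopen(fd, "w") as f:
        f.write(pkcs12_password)
    return path


def build_export_cmd(nss_dir, nickname, pkcs12_file, pkcs12_password_file):
    """pk12util argv that exports one nickname (real tool and flags; the
    helper itself is hypothetical). Rejects a malformed argv up front with
    a message naming the offending entry, instead of the bare execv error."""
    cmd = ["pk12util", "-d", nss_dir, "-o", pkcs12_file,
           "-w", pkcs12_password_file, "-n", nickname]
    bad = bad_argv_indices(cmd)
    if bad:
        raise TypeError("non-string argv entries at %s: %r"
                        % (bad, [cmd[i] for i in bad]))
    return cmd


def missing_nicknames(exported_nicknames, required=REQUIRED_TKS_NICKNAMES):
    """Compare the nicknames found in an export (for instance the entries
    pkispawn lists under 'entries found') against the required set. A
    non-empty result means the clone install will fail on certutil -M the
    way the report shows."""
    present = set(exported_nicknames)
    return [n for n in required if n not in present]


if __name__ == "__main__":
    # Constructed input mirroring the report: the broken export carried only
    # the subsystem cert and the CA signing cert.
    print(missing_nicknames(["subsystemCert cert-topology-02-TKS",
                             "CA Signing Certificate - topology-02_Foobarmaster.org"]))
    pw_file = resolve_password_file("Secret.123", None)
    for nick in REQUIRED_TKS_NICKNAMES:
        print(" ".join(build_export_cmd("/var/lib/pki/topology-02-TKS/alias",
                                        nick, "tks-certs2.p12", pw_file)))
    os.unlink(pw_file)
```

Running `missing_nicknames` against the two entries pkispawn found in the broken p12 reports the audit signing, server and DRM transport certs as absent, which is the same gap the `certutil -M` failure exposes later, only before the clone install is attempted.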
Comment from cipherboy (@cipherboy) at 2020-03-15 14:33:59
https://bugzilla.redhat.com/show_bug.cgi?id=1629028
Comment from cipherboy (@cipherboy) at 2020-03-15 14:34:01
Metadata Update from @cipherboy: