
pkispawn from master branch creates orphan key in /etc/pki/pki-tomcat/alias #4103

Closed
flo-renaud opened this issue Aug 16, 2022 · 4 comments · Fixed by #4243
@flo-renaud

During IPA server installation, the pkispawn command creates an orphan key in /etc/pki/pki-tomcat/alias.
This happens with pki packages installed from the copr repo @pki/master (for instance dogtag-pki-base-11.3.0-0.1.alpha1.20220816002107UTC.52585e78.fc36.noarch).

In order to reproduce:

  1. Install IPA server with # ipa-server-install --domain testrelm.test --realm TESTRELM.TEST -a Secret123 -p Secret123 -U
  2. Check the content of the PKI NSS DB:
# certutil -K -d /etc/pki/pki-tomcat/alias/ -f /etc/pki/pki-tomcat/alias/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      a4390f279ce57159272f5ff76128f7fba62701f5   (orphan)
< 1> rsa      e46e6072136212d93ef9188c08d324c1db79fe0f   NSS Certificate DB:caSigningCert cert-pki-ca
< 2> rsa      f78318465429c08175527598b216c7cc2185e44e   NSS Certificate DB:ocspSigningCert cert-pki-ca
< 3> rsa      13ecad146a86270c93db2990d5dcc3acb13073d0   NSS Certificate DB:Server-Cert cert-pki-ca
< 4> rsa      11d3fa179f8563fe83df2ba546394c9ab33527d8   NSS Certificate DB:subsystemCert cert-pki-ca
< 5> rsa      9b7e96a0bf1c8c454143c256be8892d1d4216549   NSS Certificate DB:auditSigningCert cert-pki-ca

pkispawn is called with the following configuration file:

[CA]
pki_admin_cert_file = /root/.dogtag/pki-tomcat/ca_admin.cert
pki_admin_cert_request_type = pkcs10
pki_admin_dualkey = False
pki_admin_email = root@localhost
pki_admin_name = admin
pki_admin_nickname = ipa-ca-agent
pki_admin_password = XXXXXXXX
pki_admin_subject_dn = cn=ipa-ca-agent,O=TESTRELM.TEST
pki_admin_uid = admin
pki_ajp_host_ipv4 = 127.0.0.1
pki_ajp_host_ipv6 = ::1
pki_ajp_secret = 7Jjc8CpTy37NU77Q0i7mroiTBCOMDzOC8evuhJsN5XP9
pki_audit_group = pkiaudit
pki_audit_signing_key_algorithm = SHA256withRSA
pki_audit_signing_key_size = 2048
pki_audit_signing_key_type = rsa
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_audit_signing_signing_algorithm = SHA256withRSA
pki_audit_signing_subject_dn = cn=CA Audit,O=TESTRELM.TEST
pki_audit_signing_token = internal
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_ca_hostname = master.testrelm.test
pki_ca_port = 443
pki_ca_signing_cert_path = /etc/pki/pki-tomcat/external_ca.cert
pki_ca_signing_csr_path = /root/ipa.csr
pki_ca_signing_key_algorithm = SHA256withRSA
pki_ca_signing_key_size = 3072
pki_ca_signing_key_type = rsa
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_record_create = True
pki_ca_signing_serial_number = 1
pki_ca_signing_signing_algorithm = SHA256withRSA
pki_ca_signing_subject_dn = CN=Certificate Authority,O=TESTRELM.TEST
pki_ca_signing_token = internal
pki_ca_starting_crl_number = 0
pki_cert_chain_nickname = caSigningCert External CA
pki_cert_chain_path = /etc/pki/pki-tomcat/external_ca_chain.cert
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_client_database_password =
pki_client_database_purge = True
pki_client_dir = /root/.dogtag/pki-tomcat
pki_client_pkcs12_password = XXXXXXXX
pki_configuration_path = /etc/pki
pki_default_ocsp_uri = http://ipa-ca.testrelm.test/ca/ocsp
pki_dns_domainname = testrelm.test
pki_ds_base_dn = o=ipaca
pki_ds_bind_dn = cn=Directory Manager
pki_ds_database = ipaca
pki_ds_hostname = master.testrelm.test
pki_ds_ldap_port = 389
pki_ds_ldaps_port = 636
pki_ds_password = XXXXXXXX
pki_ds_remove_data = True
pki_ds_secure_connection = False
pki_ds_secure_connection_ca_nickname = Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt
pki_enable_proxy = True
pki_existing = False
pki_external = False
pki_external_pkcs12_password =
pki_external_pkcs12_path =
pki_external_step_two = False
pki_group = pkiuser
pki_hostname = master.testrelm.test
pki_hsm_enable = False
pki_hsm_libfile =
pki_hsm_modulename =
pki_import_admin_cert = False
pki_instance_configuration_path = /etc/pki/pki-tomcat
pki_instance_name = pki-tomcat
pki_issuing_ca = https://master.testrelm.test:443
pki_issuing_ca_hostname = master.testrelm.test
pki_issuing_ca_https_port = 443
pki_issuing_ca_uri = https://master.testrelm.test:443
pki_master_crl_enable = True
pki_ocsp_signing_key_algorithm = SHA256withRSA
pki_ocsp_signing_key_size = 2048
pki_ocsp_signing_key_type = rsa
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ocsp_signing_signing_algorithm = SHA256withRSA
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=TESTRELM.TEST
pki_ocsp_signing_token = internal
pki_pkcs12_password =
pki_pkcs12_path =
pki_profiles_in_ldap = True
pki_random_serial_numbers_enable = False
pki_replica_number_range_end = 100
pki_replica_number_range_start = 1
pki_replication_password =
pki_request_number_range_end = 10000000
pki_request_number_range_start = 1
pki_restart_configured_instance = False
pki_san_for_server_cert =
pki_san_inject = False
pki_security_domain_hostname = master.testrelm.test
pki_security_domain_https_port = 443
pki_security_domain_name = IPA
pki_security_domain_password = XXXXXXXX
pki_security_domain_user = admin
pki_self_signed_token = internal
pki_serial_number_range_end = 10000000
pki_serial_number_range_start = 1
pki_server_database_password = XXXXXXXX
pki_share_db = False
pki_skip_configuration = False
pki_skip_ds_verify = False
pki_skip_installation = False
pki_skip_sd_verify = False
pki_sslserver_key_algorithm = SHA256withRSA
pki_sslserver_key_size = 2048
pki_sslserver_key_type = rsa
pki_sslserver_nickname = Server-Cert cert-pki-ca
pki_sslserver_subject_dn = cn=master.testrelm.test,O=TESTRELM.TEST
pki_sslserver_token = internal
pki_status_request_timeout = 15
pki_subordinate = False
pki_subordinate_create_new_security_domain = False
pki_subsystem = CA
pki_subsystem_key_algorithm = SHA256withRSA
pki_subsystem_key_size = 2048
pki_subsystem_key_type = rsa
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_subsystem_subject_dn = cn=CA Subsystem,O=TESTRELM.TEST
pki_subsystem_token = internal
pki_subsystem_type = ca
pki_theme_enable = True
pki_theme_server_dir = /usr/share/pki/common-ui
pki_token_name = internal
pki_user = pkiuser

and with the following options: args=['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmparm8sd8v', '--debug', '--log-file', '/var/log/pki/pki-ca-spawn.20220816144351.log']

Companion issue on IPA side: https://pagure.io/freeipa/issue/9223
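An added check for the condition described in this report (not code from the pki project or from the reporter): it parses `certutil -K` output, returns the keys flagged `(orphan)`, and can be pointed at a live NSS DB. `check_nssdb` assumes `certutil` is on PATH and takes the DB directory and password file as arguments; the sample listing is the one quoted above.

```python
import re
import subprocess

# One key line of `certutil -K` output, e.g.
#   < 0> rsa      a4390f27...   (orphan)
#   < 1> rsa      e46e6072...   NSS Certificate DB:caSigningCert cert-pki-ca
KEY_LINE = re.compile(r"^<\s*(\d+)>\s+(\S+)\s+([0-9a-fA-F]+)\s+(.*?)\s*$")


def parse_certutil_keys(output):
    """Return one dict per private key listed by `certutil -K`."""
    keys = []
    for line in output.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue  # e.g. the 'certutil: Checking token ...' header line
        index, key_type, key_id, label = m.groups()
        orphan = label == "(orphan)"
        # Non-orphan labels look like '<token>:<nickname>'; keep the nickname.
        nickname = None if orphan else label.split(":", 1)[-1]
        keys.append({"index": int(index), "type": key_type,
                     "id": key_id.lower(), "nickname": nickname,
                     "orphan": orphan})
    return keys


def orphan_key_ids(output):
    """Key ids that have no matching certificate in the database."""
    return [k["id"] for k in parse_certutil_keys(output) if k["orphan"]]


def check_nssdb(db_dir, password_file):
    """Run certutil against a live NSS DB (assumes certutil is on PATH)
    and return the orphan key ids; an empty list means the DB is clean."""
    proc = subprocess.run(
        ["certutil", "-K", "-d", db_dir, "-f", password_file],
        capture_output=True, text=True, check=True)
    return orphan_key_ids(proc.stdout)


# Constructed sample: the listing quoted in the issue report above.
SAMPLE = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      a4390f279ce57159272f5ff76128f7fba62701f5   (orphan)
< 1> rsa      e46e6072136212d93ef9188c08d324c1db79fe0f   NSS Certificate DB:caSigningCert cert-pki-ca
< 2> rsa      f78318465429c08175527598b216c7cc2185e44e   NSS Certificate DB:ocspSigningCert cert-pki-ca
"""

if __name__ == "__main__":
    for key_id in orphan_key_ids(SAMPLE):
        print("orphan key:", key_id)
```

Running it against `/etc/pki/pki-tomcat/alias` after installation is the same check the fix's tests perform; a non-empty result means a key was left behind without a certificate.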

@edewata edewata self-assigned this Nov 21, 2022
edewata added a commit to edewata/pki that referenced this issue Nov 22, 2022
In the past pkispawn used the same nickname for the temporary
and the permanent SSL server certs. Initially it would create
the temporary cert and the key, then it would create the
permanent cert with the same key, then drop the temporary
cert while keeping the key.

Recently the code was changed to use separate nicknames to
simplify installation which would generate separate keys too.
It removed the temporary cert, but not the temporary key. Now
the code has been updated to remove the temporary key as well.

Some tests have been modified to check for orphaned keys after
installation.

Resolves: dogtagpki#4103
edewata added a commit that referenced this issue Nov 22, 2022 (same commit message as above; Resolves: #4103)
edewata commented Nov 22, 2022

@flo-renaud It should be fixed now. Could you give it a try? Thanks.

@flo-renaud (Author)
@edewata I manually tried with 11.3.0-0.1.alpha1.20221122191406UTC.6abe6d11 and it looks good

edewata commented Nov 23, 2022

@flo-renaud Thanks!
