custodia: include known CA certs in the PKCS#12 file for Dogtag

[HonzaCholasta]

This fixes CA replica install in a topology upgraded from CA-less to
CA-full.

https://fedorahosted.org/freeipa/ticket/6207

[MartinBasti]

On replica:

[root@vm-058-017 ~]# ipa-ca-install
Directory Manager (existing master) password: 

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/25]: creating certificate server user
  [2/25]: creating certificate server db
  [3/25]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 2 seconds elapsed
Update succeeded

  [4/25]: creating installation admin user
  [5/25]: setting up certificate server
  [6/25]: stopping instance to update CS.cfg
  [7/25]: backing up CS.cfg
  [8/25]: disabling nonces
  [9/25]: set up CRL publishing
  [10/25]: enable PKIX certificate path discovery and validation
  [11/25]: set up client auth to db
  [12/25]: destroying installation admin user
  [13/25]: Ensure lightweight CAs container exists
  [14/25]: Configure lightweight CA key retrieval
  [15/25]: starting instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance.See the installation log for details.
  [16/25]: importing CA chain to RA certificate database
  [error] RuntimeError: Unable to retrieve CA chain: request failed with HTTP status 500

2016-08-26T12:41:39Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2016-08-26T12:41:39Z DEBUG Waiting for CA to start...
2016-08-26T12:41:40Z DEBUG request POST http://vm-058-017.abc.idm.lab.eng.brq.redhat.com:8080/ca/admin/ca/getStatus
2016-08-26T12:41:40Z DEBUG request body ''
2016-08-26T12:41:40Z DEBUG response status 500
2016-08-26T12:41:40Z DEBUG response headers {'content-length': '2351', 'content-language': 'en', 'server': 'Apache-Coyote/1.1', 'connection': 'close', 'date': 'Fri, 26 Aug 2016 12:41:40 GMT', 'content-type': 'te
xt/html;charset=utf-8'}
2016-08-26T12:41:40Z DEBUG response body '<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.32 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:
#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;
} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:wh
ite;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><div cl
ass="line"></div><p><b>type</b> Exception report</p><p><b>message</b> <u>Subsystem unavailable</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this requ
est.</u></p><p><b>exception</b></p><pre>javax.ws.rs.ServiceUnavailableException: Subsystem unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:138)\n\torg.apache.catalina.au
thenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)\n\torg.apache.catalina.valves.AbstractAccessLogValve.invoke(Abstra
ctAccessLogValve.java:616)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)\n\torg.apa
che.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)\n\torg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)\n\torg.apache.tomcat.util.net.NioEn
dpoint$SocketProcessor.run(NioEndpoint.java:1456)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:
617)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:745)\n</pre><p><b>note</b> <u>The full stack trace of the root cause is available in
 the Apache Tomcat/8.0.32 logs.</u></p><hr class="line"><h3>Apache Tomcat/8.0.32</h3></body></html>'
2016-08-26T12:41:40Z DEBUG The CA status is: check interrupted due to error: Retrieving CA status failed with status 500
2016-08-26T12:41:40Z DEBUG Waiting for CA to start...
2016-08-26T12:41:41Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 194, in start_instance
    self.start('pki-tomcat')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 345, in start
    self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 218, in start
    self.wait_until_running()
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 212, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)
RuntimeError: CA did not start in 300.0s

Debug log

Internal Database Error encountered: Could not connect to LDAP server host vm-058-017.abc.idm.lab.eng.brq.redhat.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket: org.mozilla.jss.ssl.SSLSocketException: Unable to connect: (-5961) TCP connection reset by peer. (-1)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:286)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:283)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:318)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:173)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:122)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1226)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1151)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1038)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4997)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5289)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:585)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1794)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)

[root@vm-058-017 ~]# ldapsearch -ZZ -b 'cn=directory manager' -W -x -h `hostname`
ldap_start_tls: Protocol error (2)
    additional info: unsupported extended operation

Works without SSL

[MartinBasti]

I cannot connect to LDAPS even if only CA-less servers are installed

[pvoborni]

Promotion of replica is missing ds.enable_ssl step (or how is it called). Tomas is working on it in ticket https://fedorahosted.org/freeipa/ticket/6226

[MartinBasti]

Yes, I can reproduce it without this PR. ACK for this

[MartinBasti]

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6581389ac3ac1c6a0dbeb18d80e3fef69b158cc8