installation of IPA with (embedded) CA fails #2719

Closed
pki-bot opened this issue Oct 1, 2020 · 6 comments

pki-bot commented Oct 1, 2020

This issue was migrated from Pagure Issue #3170. Originally filed by fcami (@fcami) on 2020-04-06 08:54:55:

  • Closed at 2020-06-15 14:38:42 as fixed
  • Assigned to nobody

Installation fails at:
"requesting RA certificate from CA"
with the following logs:
Certificate issuance failed (CA_REJECTED: Server at "https://master.ipa.test:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
Full logs:

DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558   [1/30]: configuring certificate server instance
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558   [2/30]: Add ipa-pki-wait-running
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558   [3/30]: secure AJP connector
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558   [4/30]: reindex attributes
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558   [5/30]: exporting Dogtag certificate store pin
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558   [6/30]: stopping certificate server instance to update CS.cfg
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558   [7/30]: backing up CS.cfg
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558   [8/30]: disabling nonces
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558   [9/30]: set up CRL publishing
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558   [10/30]: enable PKIX certificate path discovery and validation
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558   [11/30]: starting certificate server instance
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558   [12/30]: configure certmonger for renewals
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558   [13/30]: requesting RA certificate from CA
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558   [error] RuntimeError: Certificate issuance failed (CA_REJECTED: Server at "https://master.ipa.test:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 Certificate issuance failed (CA_REJECTED: Server at "https://master.ipa.test:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
DEBUG    ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:217 Exit code: 1

This is visible in the nightly PR 4498.

Sample logs: 1, 2, 3, 4.

For worker logs, please remove the "report.html" part of the URL.

pki-bot commented Oct 1, 2020

Comment from dmoluguw (@SilleBille) at 2020-04-06 11:26:38

Hello @fcami

Thanks for filing the issue. We saw this issue last week and it is due to JSS.

From the provided log URL, the following version is being pulled from the @pki/master COPR repo:

jss-4.6.3-1.20200402162402.0789edca.fc31.x86_64

The issue is related to SSLEngine changes that were introduced in JSS. @cipherboy has been working on fixing it.

PS: we have turned off pulling latest JSS in PKI's official CI.

pki-bot commented Oct 1, 2020

Comment from dmoluguw (@SilleBille) at 2020-04-06 11:26:39

Metadata Update from @SilleBille:

  • Custom field component adjusted to None
  • Custom field feature adjusted to None
  • Custom field origin adjusted to None
  • Custom field proposedmilestone adjusted to None
  • Custom field proposedpriority adjusted to None
  • Custom field reviewer adjusted to None
  • Custom field type adjusted to None
  • Custom field version adjusted to None

pki-bot commented Oct 1, 2020

Comment from frenaud (@flo-renaud) at 2020-04-13 04:35:40

During the last weekly test, the ipa-server-install command failed at the same point but with a different error:

2020-04-12T20:39:14Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Certificate issuance failed (CA_REJECTED: Server at "http://master.ipa.test:8080/ca/ee/ca//profileSubmit" replied: Request 7 Rejected - Signing Algorithm Not Matched SHA256withRSA )
2020-04-12T20:39:14Z ERROR Certificate issuance failed (CA_REJECTED: Server at "http://master.ipa.test:8080/ca/ee/ca//profileSubmit" replied: Request 7 Rejected - Signing Algorithm Not Matched SHA256withRSA )
2020-04-12T20:39:14Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Version of jss: jss-4.7.0-1.20200409175605.f74dd43e.fc31.x86_64
Is there a jss issue number that we can reference for tracking?
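
A triage helper for the two rejections quoted in this thread, added here as an example and not part of the original issue or of FreeIPA/Dogtag code. It extracts the CA endpoint and reply from each `CA_REJECTED` line so the certificate failure on the agent endpoint (port 8443) can be told apart from the profile rejection on the EE endpoint (port 8080). The function names and category labels are assumptions of this example; the sample lines are copied from the logs above.

```python
import re
from urllib.parse import urlsplit

# Rejection text as it appears in the ipa-server-install logs in this thread.
CA_REJECTED = re.compile(
    r'CA_REJECTED: Server at "(?P<url>[^"]+)" replied: (?P<reply>.*?)\s*\)\s*$'
)

# Sample lines copied from the thread (first two repeat the same failure).
SAMPLE = [
    '[error] RuntimeError: Certificate issuance failed (CA_REJECTED: Server at "https://master.ipa.test:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)',
    'Certificate issuance failed (CA_REJECTED: Server at "https://master.ipa.test:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)',
    '2020-04-12T20:39:14Z ERROR Certificate issuance failed (CA_REJECTED: Server at "http://master.ipa.test:8080/ca/ee/ca//profileSubmit" replied: Request 7 Rejected - Signing Algorithm Not Matched SHA256withRSA )',
    '2020-04-12T20:39:14Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information',
]

def parse_rejection(line):
    """Return endpoint details and the CA's reply, or None if no rejection."""
    m = CA_REJECTED.search(line)
    if m is None:
        return None
    url = urlsplit(m.group("url"))
    # Path looks like /ca/agent/ca//profileProcess or /ca/ee/ca//profileSubmit.
    parts = [p for p in url.path.split("/") if p]
    return {
        "scheme": url.scheme,
        "port": url.port,
        "interface": parts[1] if len(parts) > 1 else None,  # "agent" or "ee"
        "operation": parts[-1] if parts else None,
        "reply": m.group("reply"),
    }

def classify(rej):
    """Triage label (labels are this example's own, not Dogtag terminology)."""
    reply = rej["reply"].lower()
    if "valid certificate" in reply:
        return "client-cert-auth"
    if "signing algorithm not matched" in reply:
        return "signing-algorithm"
    return "other"

def triage(lines):
    """Distinct (interface, port, label) tuples in first-seen order."""
    seen = []
    for rej in filter(None, map(parse_rejection, lines)):
        item = (rej["interface"], rej["port"], classify(rej))
        if item not in seen:
            seen.append(item)
    return seen
```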

pki-bot commented Oct 1, 2020

Comment from cipherboy (@cipherboy) at 2020-04-13 09:33:12

@flo-renaud Fixed here:

Later branches of Dogtag don't yet have RSA/PSS support.

pki-bot commented Oct 1, 2020

Comment from frenaud (@flo-renaud) at 2020-05-28 11:19:42

The latest run shows that the issue was fixed: PR 207
Versions:
pki-base-10.9.0-0.1.20200523021925.617a3c1d.fc32.noarch
tomcatjss-7.5.0-1.20200518183820.23655272.fc32.noarch
jss-4.7.0-1.20200522211756.4791c10f.fc32.x86_64

@cipherboy you can close this issue.

pki-bot commented Oct 1, 2020

Comment from cipherboy (@cipherboy) at 2020-06-15 14:38:42

Metadata Update from @cipherboy:

  • Issue close_status updated to: fixed
  • Issue status updated to: Closed (was: Open)
