[Pki-users] Re: KRA Problem

Dear Marco, dear all, The original error comes from the web GUI. So I do not know which commands are precisely executed. Fedora 40 does not offer packages for v11.6 yet. So I have updated now to Fedora 41 which comes with v11.6. Now, I can request and approve certificates through the web gui. Hence, the KRA problem is solved for me. I may eventually switch to Redhat Enterprise Linux packages and hope that they also offer v11.6... Best regards, Robert On Monday, 7 April 2025 16:32:58 Central European Summer Time Marco Fargetta wrote: > Hi Robert, > > I am not sure if there is an async operation to complete before the request > can be approved. I should investigate it. > However, this was executed during v11.5 and it was working. Not sure what > could have happened to create this different behaviour. > > If v11.6 works, then you could try to update your setup. > > For the original error, the logs show the same error when you run the > approve without the sleep? > > Cheers, > Marco > > > On Mon, 7 Apr 2025 at 16:11, Robert Riemann <robert-dogtag(a)riemann.cc&gt; > > wrote: > > Dear Marco, dear all, > > > > I run Dogtag v11.5 and have possibly found a race condition error. The > > Github > > actions you mentioned seem to be specific for version v11.6. The tests for > > v11.5 use instead this script: > > > > > > https://github.com/dogtagpki/pki/blob/v11.5/tests/kra/bin/test-cert-key-ar > > chival.sh > > > > I copied the script over, adapted the passwords and gave it a try. I > > notice > > the following: > > > > This line 21 fails for me: > > pki -u caadmin -w Secret.123 ca-cert-request-approve $REQUEST_ID --force | > > tee > > output > > > > Source: > > https://github.com/dogtagpki/pki/blob/v11.5/tests/kra/bin/test-cert-key-ar > > chival.sh#L21 > > > > Error: > > > > Keypair private key id: 1bdb6cfb7c46eb91459ddfa07f9c3b446e190a4 > > Submitting CRMF request to pki-test.riemann.cc:8080 > > Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580 > > Request Status: pending > > Reason: > > Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580 > > BadRequestException: Request Sending DRM request failed check KRA log for > > detail Rejected - {1} > > Cert ID: > > ERROR: Missing serial number > > > > > > Workaround: > > > > I add a "sleep 3" between the call to CRMFPopClient and the call to > > "ca-cert- > > request-approve". > > > > Is it possible that a race condition is also responsible for the original > > error? > > > > > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE: > > > ProfileSubmitServlet: error in processing request: KRA Transport > > > > Certificate > > > > > needs to be imported into the CA nssdb for Server-Side Kegen Enrollment > > > KRA Transport Certificate needs to be imported into the CA nssdb for > > > Server-Side Kegen Enrollment > > > > I have checked the KRA log at /var/log/pki/pki-tomcat/kra/ but couldn't > > find > > any recent entry. > > > > $ ls /var/log/pki/pki-tomcat/kra/ > > archive debug.2025-04-04.log selftests.log signedAudit > > > > Best, > > Robert > > > > > > On Friday, 4 April 2025 19:43:27 Central European Summer Time Marco > > Fargetta > > > > wrote: > > > Hi Robert, > > > > > > I have not tested your configuration but it seems correct. > > > > > > You can find documentation on dogtag KRA configuration in the folder: > > > https://github.com/dogtagpki/pki/tree/master/docs/installation/kra. > > > > > There are also several actions performing the operation. Have a look at: > > https://github.com/dogtagpki/pki/actions/runs/14269161376/job/39998584048. > > > > > You can compare the installation steps with your case. > > > > > > Thanks, > > > Marco > > > > > > On Fri, 4 Apr 2025 at 17:55, Robert Riemann < robert-dogtag(a)riemann.cc&gt; > > > > > > wrote: > > > > Dears, > > > > > > > > I experience the same issue (KRA missing in CA nssdb) when attempting > > > > to > > > > > > enroll via the browser with the profile: > > > > Manual User Dual-Use Certificate Enrollment using server-side Key > > > > generation > > > > > > > > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] INFO: > > > > UserSubjectNameDefault: Subject: > > > > UID=rriemann,E=robert.riemann(a)work.domain,CN=WORK IT > > > > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE: > > > > ProfileSubmitServlet: error in processing request: KRA Transport > > > > Certificate > > > > needs to be imported into the CA nssdb for Server-Side Kegen > > > > Enrollment > > > > KRA Transport Certificate needs to be imported into the CA nssdb for > > > > Server- > > > > Side Kegen Enrollment > > > > > > > > at > > > > com.netscape.cms.profile.def.ServerKeygenUserKeyDefault.populate(ServerKey > > > > > > genUserKeyDefault.java: 501) > > > > > > > > at > > > > com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:237 > > > > > > ) > > > > > > > > at > > > > > > > > com.netscape.cms.profile.common.Profile.populate(Profile.java:1261) > > > > > > > > > > > > The link > > > > https://www.dogtagpki.org/wiki/PKI_10.9_Server-side_Keygen_Enrollment_for_ > > > > > > EE provided by > > > > Chris Zinda in 2021 is unfortunately broken/empty. > > > > > > > > What I have done so far: > > > > > > > > - I have setup the directory server and CA+KRA in the same pki-tomcat > > > > instance. > > > > - I have checked if the kra_transport certficate in in the CA nssdb: > > > > > > > > $ certutil -L -d /var/lib/pki/pki-tomcat/ca/alias > > > > > > > > Certificate Nickname Trust > > > > Attributes > > > > > > > > SSL,S/MIME,JAR/ > > > > > > > > XPI > > > > > > > > ca_signing CTu,Cu,Cu > > > > ca_ocsp_signing u,u,u > > > > sslserver u,u,u > > > > subsystem u,u,u > > > > ca_audit_signing u,u,Pu > > > > kra_transport u,u,u > > > > kra_storage u,u,u > > > > kra_audit_signing u,u,Pu > > > > > > > > - I have read https://docs.redhat.com/en/documentation/ > > > > red_hat_certificate_system/10/html/planning_installation_and_deployment_gu > > > > > > ide/ configuring_key_recovery_authority > > > > > > > > - I have edited /var/lib/pki/pki-tomcat/ca/conf/CS.cfg to add the line: > > > > "ca.connector.KRA.transportCertNickname=kra_transport" > > > > (However, ca.connector.KRA.transportCert was already set accurately) > > > > > > > > - Is the line "ca.connector.KRA.nickName=subsystem" in the same file > > > > ok? > > > > > > - I've tested with `pki -n caadmin ca-kraconnector-show`: > > > > > > > > Host: pki-test.riemann.cc:8443 > > > > Enabled: true > > > > Local: false > > > > Timeout: 30 > > > > URI: /kra/agent/kra/connector > > > > Transport Cert: > > > > > > > > MIIEZDCCAsygAwIBAgIQalDV4HnITZHOgPLTCZAtqjANBgkqhkiG9w0BAQsFADBk > > > > MSwwKgYDVQQKDCNwa2ktdGVzdC5yaWVtYW5uLmNjIFNlY3VyaXR5IERvbWFpbjET > > > > […] > > > > > > > > What else could be wrong? Find my setup script here below. > > > > > > > > Best, > > > > Robert > > > > > > > > > > > > #!/usr/bin/sudo /bin/bash > > > > > > > > cat << EOF > /etc/security/limits.d/01-pki > > > > # Dogtag CA Settings > > > > root hard nofile 4096 > > > > root soft nofile 4096 > > > > EOF > > > > > > > > dnf update -y > > > > dnf install -y 389-ds-base pki-ca pki-kra dogtag-pki-theme > > > > > > > > > > > > # Create Directory Server Instance: > > > > # > > > > # > > > > https://github.com/dogtagpki/pki/blob/master/docs/installation/others/ > > > > > > creating-ds-instance.adoc > > > > < > > > > https://github.com/dogtagpki/pki/blob/master/docs/installation/others/cre > > > > > > ating-ds-instance.adoc> # > > > > dscreate create-template ds-template.inf > > > > > > > > sed --silent \ > > > > > > > > -e "s/;full_machine_name = .*/full_machine_name = $HOSTNAME/" \ > > > > -e "s/;root_password = .*/root_password = $DS_PASSWORD/g" \ > > > > -e "s/;suffix = .*/suffix = $SUFFIX/g" \ > > > > -e "s/;create_suffix_entry = .*/create_suffix_entry = True/g" \ > > > > -e "s/;self_sign_cert = .*/self_sign_cert = True/g" \ > > > > -e "w ds.inf" \ > > > > ds-template.inf > > > > > > > > dscreate from-file ds.inf > > > > > > > > ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w > > > > "$DS_PASSWORD" > > > > > > << > > > > EOF > > > > dn: dc=pki,$SUFFIX > > > > objectClass: domain > > > > dc: pki > > > > EOF > > > > > > > > systemctl status dirsrv(a)localhost.service > > > > > > > > # Create PKI CA Server > > > > # > > > > curl -o ca-template.cfg > > > > https://raw.githubusercontent.com/dogtagpki/pki/refs/ > > > > heads/master/base/server/examples/installation/ca.cfg > > > > < > > > > https://raw.githubusercontent.com/dogtagpki/pki/refs/heads/master/base/se > > > > > > rver/examples/installation/ca.cfg> # cp > > > > /usr/share/pki/server/examples/installation/ca.cfg ca-template.cfg sed > > > > --silent \ > > > > > > > > -e "s/pki_server_database_password=.*/ > > > > > > > > pki_server_database_password=$PKI_SERVER_PASSWORD/" \ > > > > > > > > -e "s/pki_admin_password=.*/pki_admin_password=$PKI_CA_PASSWORD/" > > > > \ > > > > -e "s/pki_client_pkcs12_password=.*/ > > > > > > > > pki_client_pkcs12_password=$PKI_CA_CLIENT_PASSWORD/" \ > > > > > > > > -e "s/pki_admin_email=.*/pki_admin_email=caadmin@$HOSTNAME/" \ > > > > -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \ > > > > -e "w ca.cfg" \ > > > > ca-template.cfg > > > > > > > > pkispawn -f ca.cfg -s CA > > > > > > > > pki-server cert-export ca_signing --cert-file ca_signing.crt > > > > sudo -u fedora pki client-cert-import "CA Signing Certificate" > > > > --ca-cert > > > > > > ./ > > > > ca_signing.crt > > > > # > > > > https://github.com/dogtagpki/pki/wiki/Importing-Admin-Certificate-into-PKI > > > > > > -CLI#importing-admin-certificate sudo -u fedora pki pkcs12-import > > > > --pkcs12 > > > > > > ./ca_admin_cert.p12 --pkcs12- password "$PKI_CA_CLIENT_PASSWORD" > > > > sudo -u fedora pki info # for testing the setup > > > > > > > > # Create PKI KRA Server > > > > # > > > > cp /usr/share/pki/server/examples/installation/kra.cfg > > > > kra-template.cfg > > > > sed --silent \ > > > > > > > > -e "s/pki_server_database_password=.*/ > > > > > > > > pki_server_database_password=$PKI_SERVER_PASSWORD/" \ > > > > > > > > -e "s/pki_admin_password=.*/pki_admin_password=$PKI_KRA_PASSWORD/" > > > > \ > > > > > > -e "s/pki_client_pkcs12_password=.*/ > > > > > > > > pki_client_pkcs12_password=$PKI_KRA_CLIENT_PASSWORD/" \ > > > > > > > > -e "s/pki_admin_email=.*/pki_admin_email=kraadmin@$HOSTNAME/" \ > > > > -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \ > > > > -e "s/pki_security_domain_password=.*/ > > > > > > > > pki_security_domain_password=$PKI_CA_PASSWORD/" \ > > > > > > > > -e "w kra.cfg" \ > > > > kra-template.cfg > > > > > > > > pkispawn -f kra.cfg -s KRA > > > > > > > > > > > > _______________________________________________ > > > > Pki-users mailing list -- users(a)lists.dogtagpki.org > > > > To unsubscribe send an email to users-leave(a)lists.dogtagpki.org > > > > %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s