Dear Marco,
really appreciate your help. My colleague and I tried our best to document
the issue on Github:
Discussion can continue over at Github.
Best,
Robert
On Wednesday, 9 April 2025 11:02:42 Central European Summer Time you wrote:
 Hi Robert,
 
 it could be an issue. Could you open a new issue in GitHub explaining steps
 and configuration?
 Cheers,
 Marco
 
 
 On Wed, 9 Apr 2025 at 10:49, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
 > Dear Marco,
 > 
 > the transport certificate was indeed added automatically. However, it was
 > still producing an error until we added
 > ca.connector.KRA.transportCertNickname.
 > 
 > Best,
 > Robert
 > 
 > On Tuesday, 8 April 2025 19:03:12 Central European Summer Time you wrote:
 > > Hi Robert,
 > > 
 > > as far as I know the transport certificate should be automatically added to
 > > the CA during KRA spawn.
 > > There is something in your setup preventing this from happening but I am
 > > not sure. Do you have a warning in the CA logs?
 > > Or in the pkispawn installation? Maybe CA and pkispawn should run with
 > > debug enabled to get what is going on.
 > > 
 > > Cheers,
 > > Marco
 > > 
 > > 
 > > 
 > > On Tue, 8 Apr 2025 at 18:55, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
 > > > Dear Marco, dear all,
 > > > 
 > > > with my colleague, we have repeated the setup. While we got past the error
 > > > during the certificate request (the original error), we could not
 > > > validate the request due to this error:
 > > > 
 > > > SEVERE: ProfileProcessServlet: KRA Transport Certificate needs to be imported
 > > > into the CA nssdb for Server-Side Kegen Enrollment
 > > > KRA Transport Certificate needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
 > > > 
 > > > Then, we compared again my working setup and the new setup and noticed
 > > > that I had previously added the following line to my CA CS.cfg file:
 > > > 
 > > > ca.connector.KRA.transportCertNickname=kra_transport
 > > > 
 > > > We then added this to the new setup and then the new setup allowed us to
 > > > create (request and validate) a certificate with profile
 > > > caServerKeygen_UserCert.
 > > >
 > > > Couldn't this line be added automatically by "pkispawn -s KRA"?
 > > > 
 > > > Best,
 > > > Robert
 > > > 
 > > > On Tuesday, 8 April 2025 10:28:43 Central European Summer Time Marco Fargetta wrote:
 > > > > Ok, thanks for the update.
 > > > > Marco
 > > > > 
 > > > > 
 > > > > On Mon, 7 Apr 2025 at 23:39, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
 > > > > > Dear Marco, dear all,
 > > > > > 
 > > > > > The original error comes from the web GUI. So I do not know which
 > > > > > commands are precisely executed.
 > > > > > 
 > > > > > Fedora 40 does not offer packages for v11.6 yet.
 > > > > > 
 > > > > > So I have updated now to Fedora 41 which comes with v11.6. Now, I can
 > > > > > request and approve certificates through the web gui. Hence, the KRA
 > > > > > problem is solved for me. I may eventually switch to Redhat Enterprise
 > > > > > Linux packages and hope that they also offer v11.6...
 > > > > > 
 > > > > > Best regards,
 > > > > > Robert
 > > > > > 
 > > > > > On Monday, 7 April 2025 16:32:58 Central European Summer Time Marco Fargetta wrote:
 > > > > > > Hi Robert,
 > > > > > > 
 > > > > > > I am not sure if there is an async operation to complete before the
 > > > > > > request can be approved. I should investigate it.
 > > > > > > However, this was executed during v11.5 and it was working. Not sure
 > > > > > > what could have happened to create this different behaviour.
 > > > > > > 
 > > > > > > If v11.6 works, then you could try to update your setup.
 > > > > > > 
 > > > > > > For the original error, the logs show the same error when you run
 > > > > > > the approve without the sleep?
 > > > > > > 
 > > > > > > Cheers,
 > > > > > > Marco
 > > > > > > 
 > > > > > > 
 > > > > > > On Mon, 7 Apr 2025 at 16:11, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
 > > > > > > > Dear Marco, dear all,
 > > > > > > > 
 > > > > > > > I run Dogtag v11.5 and have possibly found a race condition error. The
 > > > > > > > Github actions you mentioned seem to be specific for version v11.6. The
 > > > > > > > tests for v11.5 use instead this script:
 > > > > > > > https://github.com/dogtagpki/pki/blob/v11.5/tests/kra/bin/test-cert-key-archival.sh
 > > > > > > >
 > > > > > > > I copied the script over, adapted the passwords and gave it a try. I
 > > > > > > > notice the following:
 > > > > > > >
 > > > > > > > This line 21 fails for me:
 > > > > > > > pki -u caadmin -w Secret.123 ca-cert-request-approve $REQUEST_ID --force | tee output
 > > > > > > > Source:
 > > > > > > > https://github.com/dogtagpki/pki/blob/v11.5/tests/kra/bin/test-cert-key-archival.sh#L21
 > > > > > > >
 > > > > > > > Error:
 > > > > > > >
 > > > > > > > Keypair private key id: 1bdb6cfb7c46eb91459ddfa07f9c3b446e190a4
 > > > > > > > Submitting CRMF request to pki-test.riemann.cc:8080
 > > > > > > > Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580
 > > > > > > > Request Status: pending
 > > > > > > > Reason:
 > > > > > > > Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580
 > > > > > > > BadRequestException: Request Sending DRM request failed check KRA log for detail Rejected - {1}
 > > > > > > > Cert ID:
 > > > > > > > ERROR: Missing serial number
 > > > > > > >
 > > > > > > >
 > > > > > > > Workaround:
 > > > > > > >
 > > > > > > > I add a "sleep 3" between the call to CRMFPopClient and the call to
 > > > > > > > "ca-cert-request-approve".
 > > > > > > >
 > > > > > > > Is it possible that a race condition is also responsible for the
 > > > > > > > original error?
 > > > > > > >
 > > > > > > > > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE: ProfileSubmitServlet: error in processing request: KRA Transport Certificate
 > > > > > > > > needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
 > > > > > > > > KRA Transport Certificate needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
 > > > > > > >
 > > > > > > > I have checked the KRA log at /var/log/pki/pki-tomcat/kra/ but couldn't
 > > > > > > > find any recent entry.
 > > > > > > >
 > > > > > > > $ ls /var/log/pki/pki-tomcat/kra/
 > > > > > > > archive  debug.2025-04-04.log  selftests.log  signedAudit
 > > > > > > >
 > > > > > > > Best,
 > > > > > > > Robert
 > > > > > > >
 > > > > > > >
 > > > > > > > On Friday, 4 April 2025 19:43:27 Central European Summer Time Marco Fargetta wrote:
 > > > > > > > > Hi Robert,
 > > > > > > > > 
 > > > > > > > > I have not tested your configuration but it seems correct.
 > > > > > > > >
 > > > > > > > > You can find documentation on dogtag KRA configuration in the folder:
 > > > > > > > > https://github.com/dogtagpki/pki/tree/master/docs/installation/kra.
 > > > > > > > > There are also several actions performing the operation. Have a look at:
 > > > > > > > > https://github.com/dogtagpki/pki/actions/runs/14269161376/job/39998584048.
 > > > > > > > > You can compare the installation steps with your case.
 > > > > > > > >
 > > > > > > > > Thanks,
 > > > > > > > > Marco
 > > > > > > > >
 > > > > > > > > On Fri, 4 Apr 2025 at 17:55, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
 > > > > > > > > > Dears,
 > > > > > > > > > 
 > > > > > > > > > I experience the same issue (KRA missing in CA nssdb) when attempting to
 > > > > > > > > > enroll via the browser with the profile:
 > > > > > > > > > Manual User Dual-Use Certificate Enrollment using server-side Key generation
 > > > > > > > > >
 > > > > > > > > > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] INFO: UserSubjectNameDefault: Subject: UID=rriemann,E=robert.riemann(a)work.domain,CN=WORK IT
 > > > > > > > > > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE: ProfileSubmitServlet: error in processing request: KRA Transport Certificate needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
 > > > > > > > > > KRA Transport Certificate needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
 > > > > > > > > >         at com.netscape.cms.profile.def.ServerKeygenUserKeyDefault.populate(ServerKeygenUserKeyDefault.java: 501)
 > > > > > > > > >         at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:237)
 > > > > > > > > >         at com.netscape.cms.profile.common.Profile.populate(Profile.java:1261)
 > > > > > > > > >
 > > > > > > > > >
 > > > > > > > > > The link https://www.dogtagpki.org/wiki/PKI_10.9_Server-side_Keygen_Enrollment_for_EE provided by
 > > > > > > > > > Chris Zinda in 2021 is unfortunately broken/empty.
 > > > > > > > > >
 > > > > > > > > > What I have done so far:
 > > > > > > > > >
 > > > > > > > > > - I have setup the directory server and CA+KRA in the same pki-tomcat
 > > > > > > > > >   instance.
 > > > > > > > > > - I have checked if the kra_transport certificate is in the CA nssdb:
 > > > > > > > > >   $ certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
 > > > > > > > > >
 > > > > > > > > >   Certificate Nickname                                         Trust Attributes
 > > > > > > > > >                                                                SSL,S/MIME,JAR/XPI
 > > > > > > > > >
 > > > > > > > > >   ca_signing                                                   CTu,Cu,Cu
 > > > > > > > > >   ca_ocsp_signing                                              u,u,u
 > > > > > > > > >   sslserver                                                    u,u,u
 > > > > > > > > >   subsystem                                                    u,u,u
 > > > > > > > > >   ca_audit_signing                                             u,u,Pu
 > > > > > > > > >   kra_transport                                                u,u,u
 > > > > > > > > >   kra_storage                                                  u,u,u
 > > > > > > > > >   kra_audit_signing                                            u,u,Pu
 > > > > > > > > >
 > > > > > > > > > - I have read https://docs.redhat.com/en/documentation/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/configuring_key_recovery_authority
 > > > > > > > > >
 > > > > > > > > > - I have edited /var/lib/pki/pki-tomcat/ca/conf/CS.cfg to add the line:
 > > > > > > > > >   "ca.connector.KRA.transportCertNickname=kra_transport"
 > > > > > > > > >   (However, ca.connector.KRA.transportCert was already set accurately)
 > > > > > > > > > - Is the line "ca.connector.KRA.nickName=subsystem" in the same file ok?
 > > > > > > > > > - I've tested with `pki -n caadmin ca-kraconnector-show`:
 > > > > > > > > >
 > > > > > > > > >   Host: pki-test.riemann.cc:8443
 > > > > > > > > >   Enabled: true
 > > > > > > > > >   Local: false
 > > > > > > > > >   Timeout: 30
 > > > > > > > > >   URI: /kra/agent/kra/connector
 > > > > > > > > >   Transport Cert: MIIEZDCCAsygAwIBAgIQalDV4HnITZHOgPLTCZAtqjANBgkqhkiG9w0BAQsFADBk
 > > > > > > > > >   MSwwKgYDVQQKDCNwa2ktdGVzdC5yaWVtYW5uLmNjIFNlY3VyaXR5IERvbWFpbjET
 > > > > > > > > >   […]
 > > > > > > > > >
 > > > > > > > > > What else could be wrong? Find my setup script here below.
 > > > > > > > > >
 > > > > > > > > > Best,
 > > > > > > > > > Robert
 > > > > > > > > >
 > > > > > > > > >
 > > > > > > > > > #!/usr/bin/sudo /bin/bash
 > > > > > > > > >
 > > > > > > > > > cat << EOF > /etc/security/limits.d/01-pki
 > > > > > > > > > # Dogtag CA Settings
 > > > > > > > > > root hard nofile 4096
 > > > > > > > > > root soft nofile 4096
 > > > > > > > > > EOF
 > > > > > > > > >
 > > > > > > > > > dnf update -y
 > > > > > > > > > dnf install -y 389-ds-base pki-ca pki-kra dogtag-pki-theme
 > > > > > > > > >
 > > > > > > > > >
 > > > > > > > > > # Create Directory Server Instance:
 > > > > > > > > > #
 > > > > > > > > > # https://github.com/dogtagpki/pki/blob/master/docs/installation/others/creating-ds-instance.adoc
 > > > > > > > > > #
 > > > > > > > > > dscreate create-template ds-template.inf
 > > > > > > > > >
 > > > > > > > > > sed --silent \
 > > > > > > > > >     -e "s/;full_machine_name = .*/full_machine_name = $HOSTNAME/" \
 > > > > > > > > >     -e "s/;root_password = .*/root_password = $DS_PASSWORD/g" \
 > > > > > > > > >     -e "s/;suffix = .*/suffix = $SUFFIX/g" \
 > > > > > > > > >     -e "s/;create_suffix_entry = .*/create_suffix_entry = True/g" \
 > > > > > > > > >     -e "s/;self_sign_cert = .*/self_sign_cert = True/g" \
 > > > > > > > > >     -e "w ds.inf" \
 > > > > > > > > >     ds-template.inf
 > > > > > > > > >
 > > > > > > > > > dscreate from-file ds.inf
 > > > > > > > > >
 > > > > > > > > > ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w "$DS_PASSWORD" << EOF
 > > > > > > > > > dn: dc=pki,$SUFFIX
 > > > > > > > > > objectClass: domain
 > > > > > > > > > dc: pki
 > > > > > > > > > EOF
 > > > > > > > > >
 > > > > > > > > > systemctl status dirsrv@localhost.service
 > > > > > > > > >
 > > > > > > > > > # Create PKI CA Server
 > > > > > > > > > #
 > > > > > > > > > curl -o ca-template.cfg https://raw.githubusercontent.com/dogtagpki/pki/refs/heads/master/base/server/examples/installation/ca.cfg
 > > > > > > > > > # cp /usr/share/pki/server/examples/installation/ca.cfg ca-template.cfg
 > > > > > > > > > sed --silent \
 > > > > > > > > >     -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
 > > > > > > > > >     -e "s/pki_admin_password=.*/pki_admin_password=$PKI_CA_PASSWORD/" \
 > > > > > > > > >     -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_CA_CLIENT_PASSWORD/" \
 > > > > > > > > >     -e "s/pki_admin_email=.*/pki_admin_email=caadmin@$HOSTNAME/" \
 > > > > > > > > >     -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
 > > > > > > > > >     -e "w ca.cfg" \
 > > > > > > > > >     ca-template.cfg
 > > > > > > > > >
 > > > > > > > > > pkispawn -f ca.cfg -s CA
 > > > > > > > > >
 > > > > > > > > > pki-server cert-export ca_signing --cert-file ca_signing.crt
 > > > > > > > > > sudo -u fedora pki client-cert-import "CA Signing Certificate" --ca-cert ./ca_signing.crt
 > > > > > > > > > # https://github.com/dogtagpki/pki/wiki/Importing-Admin-Certificate-into-PKI-CLI#importing-admin-certificate
 > > > > > > > > > sudo -u fedora pki pkcs12-import --pkcs12 ./ca_admin_cert.p12 --pkcs12-password "$PKI_CA_CLIENT_PASSWORD"
 > > > > > > > > > sudo -u fedora pki info # for testing the setup
 > > > > > > > > >
 > > > > > > > > > # Create PKI KRA Server
 > > > > > > > > > #
 > > > > > > > > > cp /usr/share/pki/server/examples/installation/kra.cfg kra-template.cfg
 > > > > > > > > > sed --silent \
 > > > > > > > > >     -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
 > > > > > > > > >     -e "s/pki_admin_password=.*/pki_admin_password=$PKI_KRA_PASSWORD/" \
 > > > > > > > > >     -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_KRA_CLIENT_PASSWORD/" \
 > > > > > > > > >     -e "s/pki_admin_email=.*/pki_admin_email=kraadmin@$HOSTNAME/" \
 > > > > > > > > >     -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
 > > > > > > > > >     -e "s/pki_security_domain_password=.*/pki_security_domain_password=$PKI_CA_PASSWORD/" \
 > > > > > > > > >     -e "w kra.cfg" \
 > > > > > > > > >     kra-template.cfg
 > > > > > > > > >
 > > > > > > > > > pkispawn -f kra.cfg -s KRA
 > > > > > > > > >
 > > > > > > > > >
 > > > > > > > > > _______________________________________________
 > > > > > > > > > Pki-users mailing list -- users(a)lists.dogtagpki.org
 > > > > > > > > > To unsubscribe send an email to users-leave(a)lists.dogtagpki.org
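As an added example, not part of this thread and not tooling from the Dogtag project, the script below performs the two checks the thread converges on: that the CA's CS.cfg carries a `ca.connector.KRA.transportCertNickname` entry, and that the nickname it names is actually present in the CA NSS database as listed by `certutil -L`. The CS.cfg fragments and the certutil listing embedded in it are constructed to mirror the thread's output; on a live instance the inputs would be `/var/lib/pki/pki-tomcat/ca/conf/CS.cfg` and the output of `certutil -L -d /var/lib/pki/pki-tomcat/ca/alias`, both paths taken from the thread. The function names, the sample file names and the placeholder certificate value are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from the Dogtag
# project: verify that a CA's CS.cfg names a KRA transport certificate nickname
# and that this nickname exists in the CA NSS database. Function names and the
# sample values below are assumptions made for the example.

# cs_cfg_get FILE KEY
# Print the value of KEY from a CS.cfg-style "key=value" file (first match).
cs_cfg_get() {
    awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }' "$1"
}

# nssdb_has_nickname LISTING NICKNAME
# Succeed when the captured output of "certutil -L" lists NICKNAME. Rows look
# like "<nickname>   <trust attributes>"; the trailing trust column is removed
# before comparing, so nicknames containing spaces are matched correctly too.
nssdb_has_nickname() {
    awk -v n="$2" '
        { row = $0; sub(/[ \t]+[A-Za-z,]*$/, "", row); if (row == n) found = 1 }
        END { exit !found }' "$1"
}

# check_kra_transport CS_CFG LISTING
# Print ok / missing-config / missing-cert and return 0 / 1 / 2 accordingly.
check_kra_transport() {
    nick=$(cs_cfg_get "$1" "ca.connector.KRA.transportCertNickname")
    if [ -z "$nick" ]; then
        echo "missing-config"   # the line the thread had to add by hand is absent
        return 1
    fi
    if ! nssdb_has_nickname "$2" "$nick"; then
        echo "missing-cert"     # configured nickname is not in the CA nssdb
        return 2
    fi
    echo "ok"
    return 0
}

# --- Constructed sample inputs (abridged, not copied from a real instance) ----
SAMPLE_DIR=$(mktemp -d)
CFG_BROKEN="$SAMPLE_DIR/CS.cfg.before"         # state the thread started from
CFG_WRONG_NICK="$SAMPLE_DIR/CS.cfg.wrongnick"  # nickname set, but absent from nssdb
CFG_FIXED="$SAMPLE_DIR/CS.cfg.after"           # state after adding the nickname line
LISTING="$SAMPLE_DIR/certutil-L.txt"           # stands in for: certutil -L -d /var/lib/pki/pki-tomcat/ca/alias

# Only the connector keys discussed in the thread; the certificate blob is a placeholder.
cat > "$CFG_BROKEN" <<'EOF'
ca.connector.KRA.nickName=subsystem
ca.connector.KRA.transportCert=MIIE...PLACEHOLDER-BASE64...
EOF
cp "$CFG_BROKEN" "$CFG_WRONG_NICK"
echo "ca.connector.KRA.transportCertNickname=kra_transport_old" >> "$CFG_WRONG_NICK"
cp "$CFG_BROKEN" "$CFG_FIXED"
echo "ca.connector.KRA.transportCertNickname=kra_transport" >> "$CFG_FIXED"

# Listing in the layout certutil -L prints, with the nicknames from the thread.
cat > "$LISTING" <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CTu,Cu,Cu
ca_ocsp_signing                                              u,u,u
sslserver                                                    u,u,u
subsystem                                                    u,u,u
ca_audit_signing                                             u,u,Pu
kra_transport                                                u,u,u
kra_storage                                                  u,u,u
kra_audit_signing                                            u,u,Pu
EOF

# Run the three constructed configurations against the same nssdb listing.
for cfg in "$CFG_BROKEN" "$CFG_WRONG_NICK" "$CFG_FIXED"; do
    printf '%s: ' "$(basename "$cfg")"
    check_kra_transport "$cfg" "$LISTING" || :
done
```

On a real CA the listing file is produced by redirecting `certutil -L -d /var/lib/pki/pki-tomcat/ca/alias` to a file and the config argument is the CA's CS.cfg; a `missing-config` result corresponds to the state both setups in the thread were in before the nickname line was added, while `missing-cert` catches the case where the line exists but points at a nickname that was never imported into the CA nssdb.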