Hi Robert,
I am not sure if there is an async operation to complete before the request can be approved. I should investigate it.
However, this was executed during v11.5 and it was working. Not sure what could have happened to create this different behaviour.
If v11.6 works, then you could try to update your setup.
For the original error, do the logs show the same error when you run the approve without the sleep?
Cheers,
Marco
On Mon, 7 Apr 2025 at 16:11, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
Dear Marco, dear all,
I run Dogtag v11.5 and have possibly found a race condition error. The GitHub actions you mentioned seem to be specific to version v11.6. The tests for v11.5 use this script instead:
https://github.com/dogtagpki/pki/blob/v11.5/tests/kra/bin/test-cert-key-a...
I copied the script over, adapted the passwords and gave it a try. I notice the following:
Line 21 fails for me:
pki -u caadmin -w Secret.123 ca-cert-request-approve $REQUEST_ID --force | tee output
Source:
https://github.com/dogtagpki/pki/blob/v11.5/tests/kra/bin/test-cert-key-a...
Error:
Keypair private key id: 1bdb6cfb7c46eb91459ddfa07f9c3b446e190a4
Submitting CRMF request to pki-test.riemann.cc:8080
Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580
Request Status: pending
Reason:
Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580
BadRequestException: Request Sending DRM request failed check KRA log for
detail Rejected - {1}
Cert ID:
ERROR: Missing serial number
Workaround:
I add a "sleep 3" between the call to CRMFPopClient and the call to "ca-cert-request-approve".
Is it possible that a race condition is also responsible for the original error?
> 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE:
> ProfileSubmitServlet: error in processing request: KRA Transport Certificate
> needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
> KRA Transport Certificate needs to be imported into the CA nssdb for
> Server-Side Kegen Enrollment
I have checked the KRA log at /var/log/pki/pki-tomcat/kra/ but couldn't find any recent entry.
$ ls /var/log/pki/pki-tomcat/kra/
archive debug.2025-04-04.log selftests.log signedAudit
Best,
Robert
On Friday, 4 April 2025 19:43:27 Central European Summer Time Marco Fargetta wrote:
> Hi Robert,
>
> I have not tested your configuration but it seems correct.
>
> You can find documentation on dogtag KRA configuration in the folder:
> https://github.com/dogtagpki/pki/tree/master/docs/installation/kra.
>
> There are also several actions performing the operation. Have a look at:
> https://github.com/dogtagpki/pki/actions/runs/14269161376/job/39998584048.
> You can compare the installation steps with your case.
>
> Thanks,
> Marco
>
> On Fri, 4 Apr 2025 at 17:55, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
> > Dears,
> >
> > I experience the same issue (KRA missing in CA nssdb) when attempting to
> > enroll via the browser with the profile:
> > Manual User Dual-Use Certificate Enrollment using server-side Key generation
> >
> > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] INFO:
> > UserSubjectNameDefault: Subject: UID=rriemann,E=robert.riemann(a)work.domain,CN=WORK IT
> > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE:
> > ProfileSubmitServlet: error in processing request: KRA Transport Certificate
> > needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
> > KRA Transport Certificate needs to be imported into the CA nssdb for
> > Server-Side Kegen Enrollment
> >         at com.netscape.cms.profile.def.ServerKeygenUserKeyDefault.populate(ServerKeygenUserKeyDefault.java:501)
> >         at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:237)
> >         at com.netscape.cms.profile.common.Profile.populate(Profile.java:1261)
> >
> >
> > The link https://www.dogtagpki.org/wiki/PKI_10.9_Server-side_Keygen_Enrollment_for_EE
> > provided by Chris Zinda in 2021 is unfortunately broken/empty.
> >
> > What I have done so far:
> >
> > - I have set up the directory server and CA+KRA in the same pki-tomcat instance.
> > - I have checked whether the kra_transport certificate is in the CA nssdb:
> >
> > $ certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
> >
> > Certificate Nickname                        Trust Attributes
> >                                             SSL,S/MIME,JAR/XPI
> >
> > ca_signing                                  CTu,Cu,Cu
> > ca_ocsp_signing                             u,u,u
> > sslserver                                   u,u,u
> > subsystem                                   u,u,u
> > ca_audit_signing                            u,u,Pu
> > kra_transport                               u,u,u
> > kra_storage                                 u,u,u
> > kra_audit_signing                           u,u,Pu
> >
> > - I have read https://docs.redhat.com/en/documentation/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/configuring_key_recovery_authority
> >
> > - I have edited /var/lib/pki/pki-tomcat/ca/conf/CS.cfg to add the line:
> > "ca.connector.KRA.transportCertNickname=kra_transport"
> > (However, ca.connector.KRA.transportCert was already set accurately)
> >
> > - Is the line "ca.connector.KRA.nickName=subsystem" in the same file ok?
> >
> > - I've tested with `pki -n caadmin ca-kraconnector-show`:
> >
> > Host: pki-test.riemann.cc:8443
> > Enabled: true
> > Local: false
> > Timeout: 30
> > URI: /kra/agent/kra/connector
> > Transport Cert:
> >
> > MIIEZDCCAsygAwIBAgIQalDV4HnITZHOgPLTCZAtqjANBgkqhkiG9w0BAQsFADBk
> > MSwwKgYDVQQKDCNwa2ktdGVzdC5yaWVtYW5uLmNjIFNlY3VyaXR5IERvbWFpbjET
> > […]
> >
> > What else could be wrong? Find my setup script here below.
> >
> > Best,
> > Robert
> >
> >
> > #!/usr/bin/sudo /bin/bash
> > # Expects DS_PASSWORD, SUFFIX, PKI_SERVER_PASSWORD, PKI_CA_PASSWORD,
> > # PKI_CA_CLIENT_PASSWORD, PKI_KRA_PASSWORD and PKI_KRA_CLIENT_PASSWORD
> > # to be set in the environment.
> >
> > cat << EOF > /etc/security/limits.d/01-pki
> > # Dogtag CA Settings
> > root hard nofile 4096
> > root soft nofile 4096
> > EOF
> >
> > dnf update -y
> > dnf install -y 389-ds-base pki-ca pki-kra dogtag-pki-theme
> >
> > # Create Directory Server Instance:
> > # https://github.com/dogtagpki/pki/blob/master/docs/installation/others/creating-ds-instance.adoc
> > #
> > dscreate create-template ds-template.inf
> >
> > sed --silent \
> >   -e "s/;full_machine_name = .*/full_machine_name = $HOSTNAME/" \
> >   -e "s/;root_password = .*/root_password = $DS_PASSWORD/g" \
> >   -e "s/;suffix = .*/suffix = $SUFFIX/g" \
> >   -e "s/;create_suffix_entry = .*/create_suffix_entry = True/g" \
> >   -e "s/;self_sign_cert = .*/self_sign_cert = True/g" \
> >   -e "w ds.inf" \
> >   ds-template.inf
> >
> > dscreate from-file ds.inf
> >
> > ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w "$DS_PASSWORD" << EOF
> > dn: dc=pki,$SUFFIX
> > objectClass: domain
> > dc: pki
> > EOF
> >
> > systemctl status dirsrv@localhost.service
> >
> > # Create PKI CA Server
> > #
> > curl -o ca-template.cfg https://raw.githubusercontent.com/dogtagpki/pki/refs/heads/master/base/server/examples/installation/ca.cfg
> > # cp /usr/share/pki/server/examples/installation/ca.cfg ca-template.cfg
> > sed --silent \
> >   -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
> >   -e "s/pki_admin_password=.*/pki_admin_password=$PKI_CA_PASSWORD/" \
> >   -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_CA_CLIENT_PASSWORD/" \
> >   -e "s/pki_admin_email=.*/pki_admin_email=caadmin@$HOSTNAME/" \
> >   -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
> >   -e "w ca.cfg" \
> >   ca-template.cfg
> >
> > pkispawn -f ca.cfg -s CA
> >
> > pki-server cert-export ca_signing --cert-file ca_signing.crt
> > sudo -u fedora pki client-cert-import "CA Signing Certificate" --ca-cert ./ca_signing.crt
> > # https://github.com/dogtagpki/pki/wiki/Importing-Admin-Certificate-into-PKI-CLI#importing-admin-certificate
> > sudo -u fedora pki pkcs12-import --pkcs12 ./ca_admin_cert.p12 --pkcs12-password "$PKI_CA_CLIENT_PASSWORD"
> > sudo -u fedora pki info # for testing the setup
> >
> > # Create PKI KRA Server
> > #
> > cp /usr/share/pki/server/examples/installation/kra.cfg kra-template.cfg
> > sed --silent \
> >   -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
> >   -e "s/pki_admin_password=.*/pki_admin_password=$PKI_KRA_PASSWORD/" \
> >   -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_KRA_CLIENT_PASSWORD/" \
> >   -e "s/pki_admin_email=.*/pki_admin_email=kraadmin@$HOSTNAME/" \
> >   -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
> >   -e "s/pki_security_domain_password=.*/pki_security_domain_password=$PKI_CA_PASSWORD/" \
> >   -e "w kra.cfg" \
> >   kra-template.cfg
> >
> > pkispawn -f kra.cfg -s KRA
> >
> >
> > _______________________________________________
> > Pki-users mailing list -- users(a)lists.dogtagpki.org
> > To unsubscribe send an email to users-leave(a)lists.dogtagpki.org
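Robert's manual checks in the thread (listing the CA nssdb with certutil -L and inspecting the ca.connector.KRA.* keys in CS.cfg) folded into one script, added here as an example that is not part of the thread or of the Dogtag project. It assumes the pki-tomcat paths used in the thread, and adds one comparison the thread does not make: that the base64 stored in ca.connector.KRA.transportCert is the same certificate the nssdb holds under the configured nickname.

```shell
#!/bin/bash
# Checks that the CA's KRA connector settings in CS.cfg agree with the CA nssdb:
# (1) ca.connector.KRA.transportCertNickname names a cert listed by `certutil -L`,
# (2) ca.connector.KRA.transportCert equals the cert exported from the nssdb.
# Paths below are assumed from the thread's pki-tomcat layout; override via env.
CA_CFG="${CA_CFG:-/var/lib/pki/pki-tomcat/ca/conf/CS.cfg}"
CA_NSSDB="${CA_NSSDB:-/var/lib/pki/pki-tomcat/ca/alias}"

# cfg_value FILE KEY: print the value of the first KEY=VALUE line in FILE.
cfg_value() {
  key=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # escape dots for the sed BRE
  sed -n "s/^$key=//p" "$1" | head -n 1
}

# nickname_in_listing NICK LISTING: succeed if a line of `certutil -L` output
# starts with NICK followed by whitespace (nicknames may contain spaces).
nickname_in_listing() {
  printf '%s\n' "$2" | awk -v nick="$1" \
    'index($0, nick) == 1 && substr($0, length(nick) + 1) ~ /^[[:space:]]/ { f = 1 }
     END { exit f ? 0 : 1 }'
}

# check_connector CFG LISTING NSSDB_B64: print one verdict per check, return
# non-zero if any fails. NSSDB_B64 is the header-less, newline-free base64 of
# the certificate exported from the nssdb under the configured nickname.
check_connector() {
  cfg="$1"; listing="$2"; nss_b64="$3"; rc=0
  nick=$(cfg_value "$cfg" ca.connector.KRA.transportCertNickname)
  cfg_b64=$(cfg_value "$cfg" ca.connector.KRA.transportCert)
  if [ -z "$nick" ]; then echo "transportCertNickname: not set"; rc=1
  elif nickname_in_listing "$nick" "$listing"; then echo "transportCertNickname: '$nick' present in CA nssdb"
  else echo "transportCertNickname: '$nick' NOT in CA nssdb"; rc=1; fi
  if [ -z "$cfg_b64" ]; then echo "transportCert: not set"; rc=1
  elif [ "$cfg_b64" = "$nss_b64" ]; then echo "transportCert: matches the nssdb copy"
  else echo "transportCert: differs from the nssdb copy"; rc=1; fi
  return $rc
}

# Live mode (run as root on the CA host): gather the real inputs, then check.
if [ "${1:-}" = "--live" ]; then
  nick=$(cfg_value "$CA_CFG" ca.connector.KRA.transportCertNickname)
  listing=$(certutil -L -d "$CA_NSSDB")
  nss_b64=$(certutil -L -d "$CA_NSSDB" -n "$nick" -a | grep -v '^-----' | tr -d '\n')
  check_connector "$CA_CFG" "$listing" "$nss_b64"
fi
```

Run it with `--live` on the CA host; a non-zero exit means one of the two settings does not match what the nssdb actually contains.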