Dear Marco, dear all,
with my colleague, we have repeated the setup. While we got past the error
during the certificate request (the original error), we could not validate
the request due to this error:
SEVERE: ProfileProcessServlet: KRA Transport Certificate needs to be imported
into the CA nssdb for Server-Side Kegen Enrollment
KRA Transport Certificate needs to be imported into the CA nssdb for Server-
Side Kegen Enrollment
Then, we compared again my working setup and the new setup and noticed that
I had previously added the following line to my CA CS.cfg file:
ca.connector.KRA.transportCertNickname=kra_transport
We then added this to the new setup, and the new setup then allowed us to
create (request and validate) a certificate with profile
caServerKeygen_UserCert.
Couldn't this line be added automatically by "pkispawn -s KRA"?
Best,
Robert
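
A check for the setting discussed above, added here as an example and not taken from the thread or from Dogtag itself: it reads a CS.cfg-style key=value file for ca.connector.KRA.transportCertNickname and ca.connector.KRA.transportCert (the two keys named in the thread) and confirms that the configured nickname actually appears in a certutil -L listing of the CA NSS database, which is the precondition the "KRA Transport Certificate needs to be imported into the CA nssdb" error is complaining about. The CS.cfg fragments and the certutil listing in the block are constructed samples; on a live instance you would pass /var/lib/pki/pki-tomcat/ca/conf/CS.cfg and a file holding the output of certutil -L -d /var/lib/pki/pki-tomcat/ca/alias.

```shell
#!/bin/sh
# Added example (not from the thread or from Dogtag): verify that a CA CS.cfg
# names the KRA transport certificate nickname and that the nickname exists
# in the CA NSS database listing. All inputs created below are constructed
# samples, not data from a real instance.

# Print the value of KEY from a "key=value" file (first match only), or
# nothing if the key is absent. substr() keeps '=' characters in the value
# (base64 padding in transportCert) intact.
cscfg_get() {
  awk -F= -v key="$2" '$1 == key { print substr($0, length(key) + 2); exit }' "$1"
}

# Check the KRA connector section of a CS.cfg against an NSS listing as
# produced by "certutil -L -d <dir>". Return codes:
#   0 nickname configured and present in the listing
#   1 ca.connector.KRA.transportCertNickname not set
#   2 nickname set but no such nickname in the listing
#   3 ca.connector.KRA.transportCert (base64 cert) not set
check_kra_transport() {
  _cfg="$1"; _listing="$2"
  _nick=$(cscfg_get "$_cfg" ca.connector.KRA.transportCertNickname)
  if [ -z "$_nick" ]; then
    echo "FAIL: ca.connector.KRA.transportCertNickname is not set in $_cfg"
    return 1
  fi
  # certutil prints "<nickname><whitespace><trust flags>" per row.
  if ! grep -q -- "^$_nick[[:space:]]" "$_listing"; then
    echo "FAIL: nickname '$_nick' not found in NSS listing $_listing"
    return 2
  fi
  if [ -z "$(cscfg_get "$_cfg" ca.connector.KRA.transportCert)" ]; then
    echo "FAIL: ca.connector.KRA.transportCert is not set in $_cfg"
    return 3
  fi
  echo "OK: transport cert nickname '$_nick' is configured and present in the NSS DB"
  return 0
}

# --- constructed sample inputs ---
SAMPLE_DIR=$(mktemp -d)
NSS_LISTING="$SAMPLE_DIR/certutil.txt"
CFG_BAD="$SAMPLE_DIR/CS.cfg.bad"
CFG_GOOD="$SAMPLE_DIR/CS.cfg.good"

# Shape of "certutil -L" output (trust flags as in the thread's listing).
cat > "$NSS_LISTING" << 'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca_signing                                                   CTu,Cu,Cu
subsystem                                                    u,u,u
kra_transport                                                u,u,u
kra_storage                                                  u,u,u
EOF

# Connector keys as the thread describes the fresh install: transportCert
# present, transportCertNickname absent (other connector keys omitted).
cat > "$CFG_BAD" << 'EOF'
ca.connector.KRA.nickName=subsystem
ca.connector.KRA.transportCert=MIIEZDCCAsygAwIBAgIQ...
EOF

# Same section plus the line that was added by hand.
{ cat "$CFG_BAD"; echo "ca.connector.KRA.transportCertNickname=kra_transport"; } > "$CFG_GOOD"

# Run both checks when executed directly; the first is expected to fail.
check_kra_transport "$CFG_BAD" "$NSS_LISTING" || true
check_kra_transport "$CFG_GOOD" "$NSS_LISTING"
```

On a real instance, save the certutil -L output to a file and call check_kra_transport with the real CS.cfg path; a return code of 2 means the nickname is configured but the cert was never imported into the CA's NSS database, which is a different fix (import the KRA transport cert) from the return code 1 case the thread describes (add the missing CS.cfg line).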
On Tuesday, 8 April 2025 10:28:43 Central European Summer Time Marco Fargetta wrote:
Ok, thanks for the update.
Marco
On Mon, 7 Apr 2025 at 23:39, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
> Dear Marco, dear all,
>
> The original error comes from the web GUI. So I do not know which commands
> are precisely executed.
>
> Fedora 40 does not offer packages for v11.6 yet.
>
> So I have now updated to Fedora 41, which comes with v11.6. Now, I can
> request and approve certificates through the web gui. Hence, the KRA
> problem is solved for me. I may eventually switch to Redhat Enterprise
> Linux packages and hope that they also offer v11.6...
>
> Best regards,
> Robert
>
> On Monday, 7 April 2025 16:32:58 Central European Summer Time Marco Fargetta wrote:
> > Hi Robert,
> >
> > I am not sure if there is an async operation to complete before the
> > request can be approved. I should investigate it.
> > However, this was executed during v11.5 and it was working. Not sure
> > what could have happened to create this different behaviour.
> >
> > If v11.6 works, then you could try to update your setup.
> >
> > For the original error, the logs show the same error when you run the
> > approve without the sleep?
> >
> > Cheers,
> > Marco
> >
> >
> > On Mon, 7 Apr 2025 at 16:11, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
> > > Dear Marco, dear all,
> > >
> > > I run Dogtag v11.5 and have possibly found a race condition error. The
> > > Github actions you mentioned seem to be specific for version v11.6. The
> > > tests for v11.5 use instead this script:
> > > https://github.com/dogtagpki/pki/blob/v11.5/tests/kra/bin/test-cert-key-archival.sh
> > >
> > > I copied the script over, adapted the passwords and gave it a try. I
> > > notice the following:
> > >
> > > This line 21 fails for me:
> > > pki -u caadmin -w Secret.123 ca-cert-request-approve $REQUEST_ID --force | tee output
> > >
> > > Source:
> > > https://github.com/dogtagpki/pki/blob/v11.5/tests/kra/bin/test-cert-key-archival.sh#L21
> > >
> > > Error:
> > >
> > > Keypair private key id: 1bdb6cfb7c46eb91459ddfa07f9c3b446e190a4
> > > Submitting CRMF request to pki-test.riemann.cc:8080
> > > Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580
> > > Request Status: pending
> > > Reason:
> > > Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580
> > > BadRequestException: Request Sending DRM request failed check KRA log for
> > > detail Rejected - {1}
> > > Cert ID:
> > > ERROR: Missing serial number
> > >
> > >
> > > Workaround:
> > >
> > > I add a "sleep 3" between the call to CRMFPopClient and the call to
> > > "ca-cert-request-approve".
> > >
> > > Is it possible that a race condition is also responsible for the
> > > original error?
> > >
> > > > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE:
> > > > ProfileSubmitServlet: error in processing request: KRA Transport
> > > > Certificate needs to be imported into the CA nssdb for Server-Side Kegen
> > > > Enrollment
> > > > KRA Transport Certificate needs to be imported into the CA nssdb for
> > > > Server-Side Kegen Enrollment
> > >
> > > I have checked the KRA log at /var/log/pki/pki-tomcat/kra/ but couldn't
> > > find any recent entry.
> > >
> > > $ ls /var/log/pki/pki-tomcat/kra/
> > > archive debug.2025-04-04.log selftests.log signedAudit
> > >
> > > Best,
> > > Robert
> > >
> > >
> > > On Friday, 4 April 2025 19:43:27 Central European Summer Time Marco Fargetta wrote:
> > > > Hi Robert,
> > > >
> > > > I have not tested your configuration but it seems correct.
> > > >
> > > > You can find documentation on dogtag KRA configuration in the folder:
> > > > https://github.com/dogtagpki/pki/tree/master/docs/installation/kra.
> > > >
> > > > There are also several actions performing the operation. Have a look at:
> > > > https://github.com/dogtagpki/pki/actions/runs/14269161376/job/39998584048.
> > > > You can compare the installation steps with your case.
> > > >
> > > > Thanks,
> > > > Marco
> > > >
> > > > On Fri, 4 Apr 2025 at 17:55, Robert Riemann <robert-dogtag(a)riemann.cc> wrote:
> > > > > Dears,
> > > > >
> > > > > I experience the same issue (KRA missing in CA nssdb) when attempting
> > > > > to enroll via the browser with the profile:
> > > > > Manual User Dual-Use Certificate Enrollment using server-side Key
> > > > > generation
> > > > >
> > > > > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] INFO:
> > > > > UserSubjectNameDefault: Subject:
> > > > > UID=rriemann,E=robert.riemann(a)work.domain,CN=WORK IT
> > > > > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE:
> > > > > ProfileSubmitServlet: error in processing request: KRA Transport
> > > > > Certificate needs to be imported into the CA nssdb for Server-Side Kegen
> > > > > Enrollment
> > > > > KRA Transport Certificate needs to be imported into the CA nssdb for
> > > > > Server-Side Kegen Enrollment
> > > > >
> > > > > at com.netscape.cms.profile.def.ServerKeygenUserKeyDefault.populate(ServerKeygenUserKeyDefault.java:501)
> > > > > at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:237)
> > > > > at com.netscape.cms.profile.common.Profile.populate(Profile.java:1261)
> > > > >
> > > > >
> > > > > The link
> > > > > https://www.dogtagpki.org/wiki/PKI_10.9_Server-side_Keygen_Enrollment_for_EE
> > > > > provided by Chris Zinda in 2021 is unfortunately broken/empty.
> > > > >
> > > > > What I have done so far:
> > > > >
> > > > > - I have set up the directory server and CA+KRA in the same pki-tomcat
> > > > > instance.
> > > > > - I have checked if the kra_transport certificate is in the CA nssdb:
> > > > > $ certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
> > > > >
> > > > > Certificate Nickname                                         Trust Attributes
> > > > >                                                              SSL,S/MIME,JAR/XPI
> > > > >
> > > > > ca_signing                                                   CTu,Cu,Cu
> > > > > ca_ocsp_signing                                              u,u,u
> > > > > sslserver                                                    u,u,u
> > > > > subsystem                                                    u,u,u
> > > > > ca_audit_signing                                             u,u,Pu
> > > > > kra_transport                                                u,u,u
> > > > > kra_storage                                                  u,u,u
> > > > > kra_audit_signing                                            u,u,Pu
> > > > >
> > > > > - I have read
> > > > > https://docs.redhat.com/en/documentation/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/configuring_key_recovery_authority
> > > > >
> > > > > - I have edited /var/lib/pki/pki-tomcat/ca/conf/CS.cfg to add the line:
> > > > > "ca.connector.KRA.transportCertNickname=kra_transport"
> > > > > (However, ca.connector.KRA.transportCert was already set accurately)
> > > > >
> > > > > - Is the line "ca.connector.KRA.nickName=subsystem" in the same file ok?
> > >
> > > > > - I've tested with `pki -n caadmin ca-kraconnector-show`:
> > > > >
> > > > > Host: pki-test.riemann.cc:8443
> > > > > Enabled: true
> > > > > Local: false
> > > > > Timeout: 30
> > > > > URI: /kra/agent/kra/connector
> > > > > Transport Cert:
> > > > > MIIEZDCCAsygAwIBAgIQalDV4HnITZHOgPLTCZAtqjANBgkqhkiG9w0BAQsFADBk
> > > > > MSwwKgYDVQQKDCNwa2ktdGVzdC5yaWVtYW5uLmNjIFNlY3VyaXR5IERvbWFpbjET
> > > > > […]
> > > > >
> > > > > What else could be wrong? Find my setup script here below.
> > > > >
> > > > > Best,
> > > > > Robert
> > > > >
> > > > >
> > > > > #!/usr/bin/sudo /bin/bash
> > > > > # Expects DS_PASSWORD, SUFFIX, PKI_SERVER_PASSWORD, PKI_CA_PASSWORD,
> > > > > # PKI_CA_CLIENT_PASSWORD, PKI_KRA_PASSWORD and PKI_KRA_CLIENT_PASSWORD
> > > > > # in the environment; HOSTNAME is set by bash.
> > > > >
> > > > > cat << EOF > /etc/security/limits.d/01-pki
> > > > > # Dogtag CA Settings
> > > > > root hard nofile 4096
> > > > > root soft nofile 4096
> > > > > EOF
> > > > >
> > > > > dnf update -y
> > > > > dnf install -y 389-ds-base pki-ca pki-kra dogtag-pki-theme
> > > > >
> > > > >
> > > > > # Create Directory Server Instance:
> > > > > #
> > > > > # https://github.com/dogtagpki/pki/blob/master/docs/installation/others/creating-ds-instance.adoc
> > > > > #
> > > > > dscreate create-template ds-template.inf
> > > > >
> > > > > # Uncomment and fill the template settings, writing the result to ds.inf
> > > > > sed --silent \
> > > > >     -e "s/;full_machine_name = .*/full_machine_name = $HOSTNAME/" \
> > > > >     -e "s/;root_password = .*/root_password = $DS_PASSWORD/g" \
> > > > >     -e "s/;suffix = .*/suffix = $SUFFIX/g" \
> > > > >     -e "s/;create_suffix_entry = .*/create_suffix_entry = True/g" \
> > > > >     -e "s/;self_sign_cert = .*/self_sign_cert = True/g" \
> > > > >     -e "w ds.inf" \
> > > > >     ds-template.inf
> > > > >
> > > > > dscreate from-file ds.inf
> > > > >
> > > > > ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w "$DS_PASSWORD" << EOF
> > > > > dn: dc=pki,$SUFFIX
> > > > > objectClass: domain
> > > > > dc: pki
> > > > > EOF
> > > > >
> > > > > systemctl status dirsrv@localhost.service
> > > > >
> > > > > # Create PKI CA Server
> > > > > #
> > > > > curl -o ca-template.cfg https://raw.githubusercontent.com/dogtagpki/pki/refs/heads/master/base/server/examples/installation/ca.cfg
> > > > > # cp /usr/share/pki/server/examples/installation/ca.cfg ca-template.cfg
> > > > > sed --silent \
> > > > >     -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
> > > > >     -e "s/pki_admin_password=.*/pki_admin_password=$PKI_CA_PASSWORD/" \
> > > > >     -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_CA_CLIENT_PASSWORD/" \
> > > > >     -e "s/pki_admin_email=.*/pki_admin_email=caadmin@$HOSTNAME/" \
> > > > >     -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
> > > > >     -e "w ca.cfg" \
> > > > >     ca-template.cfg
> > > > >
> > > > > pkispawn -f ca.cfg -s CA
> > > > >
> > > > > pki-server cert-export ca_signing --cert-file ca_signing.crt
> > > > > sudo -u fedora pki client-cert-import "CA Signing Certificate" --ca-cert ./ca_signing.crt
> > > > > # https://github.com/dogtagpki/pki/wiki/Importing-Admin-Certificate-into-PKI-CLI#importing-admin-certificate
> > > > > sudo -u fedora pki pkcs12-import --pkcs12 ./ca_admin_cert.p12 --pkcs12-password "$PKI_CA_CLIENT_PASSWORD"
> > > > > sudo -u fedora pki info # for testing the setup
> > > > >
> > > > > # Create PKI KRA Server
> > > > > #
> > > > > cp /usr/share/pki/server/examples/installation/kra.cfg kra-template.cfg
> > > > > sed --silent \
> > > > >     -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
> > > > >     -e "s/pki_admin_password=.*/pki_admin_password=$PKI_KRA_PASSWORD/" \
> > > > >     -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_KRA_CLIENT_PASSWORD/" \
> > > > >     -e "s/pki_admin_email=.*/pki_admin_email=kraadmin@$HOSTNAME/" \
> > > > >     -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
> > > > >     -e "s/pki_security_domain_password=.*/pki_security_domain_password=$PKI_CA_PASSWORD/" \
> > > > >     -e "w kra.cfg" \
> > > > >     kra-template.cfg
> > > > >
> > > > > pkispawn -f kra.cfg -s KRA
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Pki-users mailing list -- users(a)lists.dogtagpki.org
> > > > > To unsubscribe send an email to users-leave(a)lists.dogtagpki.org