Dear Marco, dear all,
The original error comes from the web GUI. So I do not know which commands are
precisely executed.
Fedora 40 does not offer packages for v11.6 yet.
So I have updated now to Fedora 41 which comes with v11.6. Now, I can request
and approve certificates through the web GUI. Hence, the KRA problem is solved
for me. I may eventually switch to Red Hat Enterprise Linux packages and hope
that they also offer v11.6...
Best regards,
Robert
On Monday, 7 April 2025 16:32:58 Central European Summer Time Marco Fargetta
wrote:
Hi Robert,
I am not sure if there is an async operation to complete before the request
can be approved. I should investigate it.
However, this was executed during v11.5 and it was working. Not sure what
could have happened to create this different behaviour.
If v11.6 works, then you could try to update your setup.
For the original error, do the logs show the same error when you run the
approve without the sleep?
Cheers,
Marco
On Mon, 7 Apr 2025 at 16:11, Robert Riemann <robert-dogtag(a)riemann.cc>
wrote:
> Dear Marco, dear all,
>
> I run Dogtag v11.5 and have possibly found a race condition error. The
> GitHub actions you mentioned seem to be specific for version v11.6. The
> tests for v11.5 use instead this script:
>
> https://github.com/dogtagpki/pki/blob/v11.5/tests/kra/bin/test-cert-key-archival.sh
>
> I copied the script over, adapted the passwords and gave it a try. I
> notice the following:
>
> This line 21 fails for me:
> pki -u caadmin -w Secret.123 ca-cert-request-approve $REQUEST_ID --force | tee output
>
> Source:
> https://github.com/dogtagpki/pki/blob/v11.5/tests/kra/bin/test-cert-key-archival.sh#L21
>
> Error:
>
> Keypair private key id: 1bdb6cfb7c46eb91459ddfa07f9c3b446e190a4
> Submitting CRMF request to pki-test.riemann.cc:8080
> Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580
> Request Status: pending
> Reason:
> Request ID: 0xc2ae6ea6a71d71171c4b3b83b4ce4580
> BadRequestException: Request Sending DRM request failed check KRA log for
> detail Rejected - {1}
> Cert ID:
> ERROR: Missing serial number
>
>
> Workaround:
>
> I add a "sleep 3" between the call to CRMFPopClient and the call to
> "ca-cert-request-approve".
>
> Is it possible that a race condition is also responsible for the original
> error?
>
> > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE:
> > ProfileSubmitServlet: error in processing request: KRA Transport Certificate
> > needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
> > KRA Transport Certificate needs to be imported into the CA nssdb for
> > Server-Side Kegen Enrollment
>
> I have checked the KRA log at /var/log/pki/pki-tomcat/kra/ but couldn't
> find any recent entry.
>
> $ ls /var/log/pki/pki-tomcat/kra/
> archive debug.2025-04-04.log selftests.log signedAudit
>
> Best,
> Robert
>
>
> On Friday, 4 April 2025 19:43:27 Central European Summer Time Marco
> Fargetta wrote:
> > Hi Robert,
> >
> > I have not tested your configuration but it seems correct.
> >
> > You can find documentation on dogtag KRA configuration in the folder:
> > https://github.com/dogtagpki/pki/tree/master/docs/installation/kra.
> >
> > There are also several actions performing the operation. Have a look at:
> > https://github.com/dogtagpki/pki/actions/runs/14269161376/job/39998584048.
>
> > You can compare the installation steps with your case.
> >
> > Thanks,
> > Marco
> >
> > On Fri, 4 Apr 2025 at 17:55, Robert Riemann <robert-dogtag(a)riemann.cc>
> > wrote:
> > > Dears,
> > >
> > > I experience the same issue (KRA missing in CA nssdb) when attempting to
> > > enroll via the browser with the profile:
> > > Manual User Dual-Use Certificate Enrollment using server-side Key
> > > generation
> > >
> > > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] INFO:
> > > UserSubjectNameDefault: Subject:
> > > UID=rriemann,E=robert.riemann(a)work.domain,CN=WORK IT
> > > 2025-04-04 15:00:55 [https-jsse-jss-nio-8443-exec-5] SEVERE:
> > > ProfileSubmitServlet: error in processing request: KRA Transport Certificate
> > > needs to be imported into the CA nssdb for Server-Side Kegen Enrollment
> > > KRA Transport Certificate needs to be imported into the CA nssdb for
> > > Server-Side Kegen Enrollment
> > >
> > >   at com.netscape.cms.profile.def.ServerKeygenUserKeyDefault.populate(ServerKeygenUserKeyDefault.java:501)
> > >   at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:237)
> > >   at com.netscape.cms.profile.common.Profile.populate(Profile.java:1261)
> > >
> > >
> > > The link
> > > https://www.dogtagpki.org/wiki/PKI_10.9_Server-side_Keygen_Enrollment_for_EE
> > > provided by Chris Zinda in 2021 is unfortunately broken/empty.
> > >
> > > What I have done so far:
> > >
> > > - I have set up the directory server and CA+KRA in the same pki-tomcat
> > >   instance.
> > > - I have checked if the kra_transport certificate is in the CA nssdb:
> > >
> > > $ certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
> > >
> > > Certificate Nickname                                         Trust Attributes
> > >                                                              SSL,S/MIME,JAR/XPI
> > >
> > > ca_signing                                                   CTu,Cu,Cu
> > > ca_ocsp_signing                                              u,u,u
> > > sslserver                                                    u,u,u
> > > subsystem                                                    u,u,u
> > > ca_audit_signing                                             u,u,Pu
> > > kra_transport                                                u,u,u
> > > kra_storage                                                  u,u,u
> > > kra_audit_signing                                            u,u,Pu
> > >
> > > - I have read
> > >   https://docs.redhat.com/en/documentation/red_hat_certificate_system/10/html/planning_installation_and_deployment_guide/configuring_key_recovery_authority
> > >
> > > - I have edited /var/lib/pki/pki-tomcat/ca/conf/CS.cfg to add the
> > >   "ca.connector.KRA.transportCertNickname=kra_transport"
> > >   (However, ca.connector.KRA.transportCert was already set accurately)
> > >
> > > - Is the line "ca.connector.KRA.nickName=subsystem" in the same file ok?
>
> > > - I've tested with `pki -n caadmin ca-kraconnector-show`:
> > >
> > > Host: pki-test.riemann.cc:8443
> > > Enabled: true
> > > Local: false
> > > Timeout: 30
> > > URI: /kra/agent/kra/connector
> > > Transport Cert:
> > >
> > > MIIEZDCCAsygAwIBAgIQalDV4HnITZHOgPLTCZAtqjANBgkqhkiG9w0BAQsFADBk
> > > MSwwKgYDVQQKDCNwa2ktdGVzdC5yaWVtYW5uLmNjIFNlY3VyaXR5IERvbWFpbjET
> > > […]
> > >
> > > What else could be wrong? Find my setup script here below.
> > >
> > > Best,
> > > Robert
> > >
> > >
> > > #!/usr/bin/sudo /bin/bash
> > >
> > > # Expects DS_PASSWORD, SUFFIX, PKI_SERVER_PASSWORD, PKI_CA_PASSWORD,
> > > # PKI_CA_CLIENT_PASSWORD, PKI_KRA_PASSWORD and PKI_KRA_CLIENT_PASSWORD
> > > # to be set in the environment; HOSTNAME is provided by bash.
> > >
> > > cat << EOF > /etc/security/limits.d/01-pki
> > > # Dogtag CA Settings
> > > root hard nofile 4096
> > > root soft nofile 4096
> > > EOF
> > >
> > > dnf update -y
> > > dnf install -y 389-ds-base pki-ca pki-kra dogtag-pki-theme
> > >
> > >
> > > # Create Directory Server Instance:
> > > #
> > > # https://github.com/dogtagpki/pki/blob/master/docs/installation/others/creating-ds-instance.adoc
> > > #
> > > dscreate create-template ds-template.inf
> > >
> > > # Fill in the commented-out template keys and write the result to ds.inf
> > > sed --silent \
> > >     -e "s/;full_machine_name = .*/full_machine_name = $HOSTNAME/" \
> > >     -e "s/;root_password = .*/root_password = $DS_PASSWORD/g" \
> > >     -e "s/;suffix = .*/suffix = $SUFFIX/g" \
> > >     -e "s/;create_suffix_entry = .*/create_suffix_entry = True/g" \
> > >     -e "s/;self_sign_cert = .*/self_sign_cert = True/g" \
> > >     -e "w ds.inf" \
> > >     ds-template.inf
> > >
> > > dscreate from-file ds.inf
> > >
> > > ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w "$DS_PASSWORD" << EOF
> > > dn: dc=pki,$SUFFIX
> > > objectClass: domain
> > > dc: pki
> > > EOF
> > >
> > > systemctl status dirsrv@localhost.service
> > >
> > > # Create PKI CA Server
> > > #
> > > curl -o ca-template.cfg https://raw.githubusercontent.com/dogtagpki/pki/refs/heads/master/base/server/examples/installation/ca.cfg
> > > # cp /usr/share/pki/server/examples/installation/ca.cfg ca-template.cfg
> > > sed --silent \
> > >     -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
> > >     -e "s/pki_admin_password=.*/pki_admin_password=$PKI_CA_PASSWORD/" \
> > >     -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_CA_CLIENT_PASSWORD/" \
> > >     -e "s/pki_admin_email=.*/pki_admin_email=caadmin@$HOSTNAME/" \
> > >     -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
> > >     -e "w ca.cfg" \
> > >     ca-template.cfg
> > >
> > > pkispawn -f ca.cfg -s CA
> > >
> > > pki-server cert-export ca_signing --cert-file ca_signing.crt
> > > sudo -u fedora pki client-cert-import "CA Signing Certificate" --ca-cert ./ca_signing.crt
> > > # https://github.com/dogtagpki/pki/wiki/Importing-Admin-Certificate-into-PKI-CLI#importing-admin-certificate
> > > sudo -u fedora pki pkcs12-import --pkcs12 ./ca_admin_cert.p12 --pkcs12-password "$PKI_CA_CLIENT_PASSWORD"
> > > sudo -u fedora pki info # for testing the setup
> > >
> > > # Create PKI KRA Server
> > > #
> > > cp /usr/share/pki/server/examples/installation/kra.cfg kra-template.cfg
> > > sed --silent \
> > >     -e "s/pki_server_database_password=.*/pki_server_database_password=$PKI_SERVER_PASSWORD/" \
> > >     -e "s/pki_admin_password=.*/pki_admin_password=$PKI_KRA_PASSWORD/" \
> > >     -e "s/pki_client_pkcs12_password=.*/pki_client_pkcs12_password=$PKI_KRA_CLIENT_PASSWORD/" \
> > >     -e "s/pki_admin_email=.*/pki_admin_email=kraadmin@$HOSTNAME/" \
> > >     -e "s/pki_ds_url=.*/pki_ds_url=ldap:\/\/$HOSTNAME:389/" \
> > >     -e "s/pki_security_domain_password=.*/pki_security_domain_password=$PKI_CA_PASSWORD/" \
> > >     -e "w kra.cfg" \
> > >     kra-template.cfg
> > >
> > > pkispawn -f kra.cfg -s KRA
> > >
> > >
> > > _______________________________________________
> > > Pki-users mailing list -- users(a)lists.dogtagpki.org
> > > To unsubscribe send an email to users-leave(a)lists.dogtagpki.org
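The thread above checks two things by hand: that kra_transport is present in the CA nssdb (certutil -L) and that ca.connector.KRA.transportCert in the CA's CS.cfg is set. The following is an added example, not code from the thread or from the Dogtag project: it compares the base64 value of ca.connector.KRA.transportCert against a PEM certificate as exported from the CA nssdb (for instance with certutil -L -d /var/lib/pki/pki-tomcat/ca/alias -n kra_transport -a), so a connector entry that still carries an old transport certificate is caught offline. The function names and the sample CS.cfg and PEM files are constructed for the demonstration; the base64 strings are placeholders, not real certificates.

```shell
#!/bin/bash
# Added example: verify that the KRA transport certificate recorded in the CA
# connector configuration (ca.connector.KRA.transportCert, one base64 line)
# is the same certificate that lives in the CA NSS database.
# Function names and sample data are constructed for illustration.

# Print the base64 body of ca.connector.KRA.transportCert from a CS.cfg file.
cs_cfg_transport_cert() {
    # $1: path to the CA's CS.cfg
    sed -n 's/^ca\.connector\.KRA\.transportCert=//p' "$1" | tr -d ' \t\r'
}

# Reduce a PEM certificate (as printed by `certutil -L -n <nick> -a`) to its
# base64 body on a single line.
pem_body() {
    # $1: path to the PEM file
    sed '/^-----BEGIN/d; /^-----END/d' "$1" | tr -d ' \t\r\n'
}

# Return 0 when the connector entry and the NSS export are byte-for-byte the
# same certificate, 1 when the entry is missing or differs.
transport_cert_matches() {
    # $1: CS.cfg, $2: PEM exported from the CA nssdb
    local cfg_b64 nss_b64
    cfg_b64=$(cs_cfg_transport_cert "$1")
    nss_b64=$(pem_body "$2")
    [ -n "$cfg_b64" ] && [ "$cfg_b64" = "$nss_b64" ]
}

# --- constructed sample data (placeholder base64, not real certificates) ---
workdir=$(mktemp -d)

cat > "$workdir/CS.cfg" << 'EOF'
ca.connector.KRA.enable=true
ca.connector.KRA.nickName=subsystem
ca.connector.KRA.transportCert=MIIBsampleTRANSPORTcertBASE64dataAAAA
ca.connector.KRA.transportCertNickname=kra_transport
EOF

# The same certificate in PEM form, line-wrapped as certutil -a prints it.
cat > "$workdir/kra_transport_ok.pem" << 'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleTRANSPORTcert
BASE64dataAAAA
-----END CERTIFICATE-----
EOF

# A different certificate, e.g. the KRA was reinstalled and its transport
# certificate regenerated while the CA connector entry was left untouched.
cat > "$workdir/kra_transport_stale.pem" << 'EOF'
-----BEGIN CERTIFICATE-----
MIIBotherTRANSPORTcert
BASE64dataBBBB
-----END CERTIFICATE-----
EOF

if transport_cert_matches "$workdir/CS.cfg" "$workdir/kra_transport_ok.pem"; then
    echo "ok: CS.cfg transportCert matches the nssdb export"
fi
if ! transport_cert_matches "$workdir/CS.cfg" "$workdir/kra_transport_stale.pem"; then
    echo "mismatch: CS.cfg transportCert differs from the nssdb export"
fi
```

On a real instance, export the certificate with certutil into a file and pass that file together with /var/lib/pki/pki-tomcat/ca/conf/CS.cfg; a mismatch means the connector is configured for a transport key the KRA no longer holds, and the value in CS.cfg (and the kra_transport entry in the CA nssdb) must be refreshed from the running KRA.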