Installation fails at: "requesting RA certificate from CA" with the following logs:
Certificate issuance failed (CA_REJECTED: Server at "https://master.ipa.test:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
Full logs:
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 [1/30]: configuring certificate server instance
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 [2/30]: Add ipa-pki-wait-running
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 [3/30]: secure AJP connector
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 [4/30]: reindex attributes
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 [5/30]: exporting Dogtag certificate store pin
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 [6/30]: stopping certificate server instance to update CS.cfg
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 [7/30]: backing up CS.cfg
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 [8/30]: disabling nonces
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 [9/30]: set up CRL publishing
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 [10/30]: enable PKIX certificate path discovery and validation
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 [11/30]: starting certificate server instance
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 [12/30]: configure certmonger for renewals
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 [13/30]: requesting RA certificate from CA
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 [error] RuntimeError: Certificate issuance failed (CA_REJECTED: Server at "https://master.ipa.test:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 Certificate issuance failed (CA_REJECTED: Server at "https://master.ipa.test:8443/ca/agent/ca//profileProcess" replied: 1: You did not provide a valid certificate for this operation)
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:558 The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
DEBUG ipatests.pytest_ipa.integration.host.Host.master.cmd28:transport.py:217 Exit code: 1
This is visible in the nightly PR #4498.
Sample logs: 1, 2, 3, 4.
For worker logs, please remove the "report.html" part of the URL.
Hello @fcami
Thanks for filing the issue. We saw this issue last week and it is due to JSS.
From the provided Log URL, the following version is being pulled from the @pki/master COPR repo:
jss-4.6.3-1.20200402162402.0789edca.fc31.x86_64
The issue is related to SSLEngine changes that were introduced in JSS. @cipherboy has been working on fixing it.
PS: we have turned off pulling latest JSS in PKI's official CI.
During last weekly test, the ipa-server-install command failed at the same point but with a different error:
2020-04-12T20:39:14Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Certificate issuance failed (CA_REJECTED: Server at "http://master.ipa.test:8080/ca/ee/ca//profileSubmit" replied: Request 7 Rejected - Signing Algorithm Not Matched SHA256withRSA )
2020-04-12T20:39:14Z ERROR Certificate issuance failed (CA_REJECTED: Server at "http://master.ipa.test:8080/ca/ee/ca//profileSubmit" replied: Request 7 Rejected - Signing Algorithm Not Matched SHA256withRSA )
2020-04-12T20:39:14Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Version of jss: jss-4.7.0-1.20200409175605.f74dd43e.fc31.x86_64
Is there a jss issue number that we can reference for tracking?
@frenaud Fixed here:
Later branches of Dogtag don't yet have RSA/PSS support.
The latest run shows that the issue was fixed: PR 207
Versions:
pki-base-10.9.0-0.1.20200523021925.617a3c1d.fc32.noarch
tomcatjss-7.5.0-1.20200518183820.23655272.fc32.noarch
jss-4.7.0-1.20200522211756.4791c10f.fc32.x86_64
@cipherboy you can close this issue.
Metadata Update from @cipherboy: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3287
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.