freeipa server -- problems with certificates

Bug #1772450 reported by gianluca
This bug affects 5 people
Affects: freeipa (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: (none set)

Bug Description

After having installed FreeIPA server on Ubuntu 18.04 and having sorted out all the other bugs, I still have problems with certificates.

In the web interface, every attempt to select the "Authentication -> Certificates" tab ends with the following error

IPA Error 4301: CertificateOperationError
Certificate operation cannot be completed: Unable to communicate with CMS (Start tag expected, '<' not found, line 1, column 1)

The problem also occurs with command line utilities. For example, 'ipa cert-show 1' returns the error: 'ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)'

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

thanks for the bugs, keep 'em coming ;)

I wonder if 4.7.0-pre2 and dogtag 10.6.1 would help here, I'll try to get them on a ppa soon

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

dogtag 10.6.1 is uploaded to https://launchpad.net/~freeipa/+archive/ubuntu/staging now, not built yet

Revision history for this message
gianluca (amato) wrote :

I tried the new dogtag but there is no difference. What about 4.7.0-pre2?

Revision history for this message
Norman Kabir (nkabir) wrote :

I would like to help debug this. Like gianluca, I've managed to sort out the other bugs and am hitting this certificate issue.

Where can I find the Git repository for 4.7.0-pre2? The associated repos only seem to contain 4.7.0-pre1

https://code.launchpad.net/ubuntu/+source/freeipa/+git

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

I haven't finished it yet..

Dogtag needs jboss-annotations-1.2-api which isn't even in the archive yet :/ Running 'pki cert-find' would show some errors when it's missing, but even with it installed it still fails with 'internal server error' and I've no idea where that comes from. Upstream irc channel seems quite silent.

Revision history for this message
Norman Kabir (nkabir) wrote :

Strange. I am able to execute 'pki cert-find' without error.

$ pki cert-find
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/share/java/slf4j-jdk14.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/share/java/slf4j-simple.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.JDK14LoggerFactory]
----------------
13 entries found
----------------

...

Is there some other stage you think may be responsible for the error? I can dig into the Java layer if you have any hypotheses that lead there...

Revision history for this message
Norman Kabir (nkabir) wrote :

So far, the only clue I can find in the logs is a 'null' value for authType and principal:

[ajp-nio-127.0.0.1-8009-exec-1] INFO com.netscape.cms.tomcat.ExternalAuthenticationValve - ExternalAuthenticationValve: authType: null
[ajp-nio-127.0.0.1-8009-exec-1] INFO com.netscape.cms.tomcat.ExternalAuthenticationValve - ExternalAuthenticationValve: principal: null

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in freeipa (Ubuntu):
status: New → Confirmed
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

huh, ok.. could be that my test install is messed up somehow.. I'll reinstall ipa on it to see if things work then

Revision history for this message
Norman Kabir (nkabir) wrote :

At this stage, I am just trying to make it work so apologies for the hacks.

For context:

* I am using your PPAs for FreeIPA and dogtag
* I linked named-pkcs11 to named
* /etc/hostname is set to fqdn (kvm-10.ipa.kvm)

And the following script for installation:

#!/usr/bin/env bash

sudo ipa-server-install \
-r IPA.KVM \
-n ipa.kvm \
--setup-dns \
--no-host-dns \
-p xxxxxxxxx \
-a xxxxxxxxx \
--mkhomedir \
--domain=ipa.kvm \
--hostname=kvm-10.ipa.kvm \
--no-dns-sshfp \
--no-dnssec-validation \
--auto-forwarders \
--auto-reverse \
--<email address hidden>

Timo Aaltonen (tjaalton)
Changed in freeipa (Ubuntu):
importance: Undecided → High
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

pre2 uploaded to ppa:freeipa/staging

I also uploaded tomcat8 there with a fixed (lower) version than what's in the updates ppa.. will take a while until these have been built

Revision history for this message
gianluca (amato) wrote :

In my case, with dogtag 10.6.1-0ubuntu0.1, giving the "pki cert-find" command returns tons of warnings of the kind

WARN: RESTEASY002145: NoClassDefFoundError: Unable to load builtin provider org.jboss.resteasy.plugins.providers.InputStreamProvider from jar:file:/usr/share/java/resteasy-jaxrs.jar!/META-INF/services/javax.ws.rs.ext.Providers

with different class names. Finally, it ends with

NoClassDefFoundError: javax/annotation/Priority

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

interesting.. I'll push libjboss-annotations-1.2-api-java to the staging ppa to see how far you get with it

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

and a new dogtag to depend on it and add the necessary links

Revision history for this message
gianluca (amato) wrote :

I did a clean installation with all the new components and it works... at least more than before. "pki cert-find", "pki cert-show 1" and "ipa cert-show 1" all work. However, the "Authentication -> Certificates" tab in the web ui still returns error:

Certificate operation cannot be completed: Unable to communicate with CMS (Start tag expected, '<' not found, line 1, column 1)

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

ok thanks for testing, I think it's on the dogtag side still.. hope there's something in the pki-tomcat logs

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

it's getting invalid xml from somewhere..

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

adding debug=true to /etc/ipa/default.conf and restarting apache gives debug output in apache error.log, and it looks like it gets gzipped data from dogtag (which is fine) but somehow either the header is missing or it can't deflate it.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

It's related to mod_deflate somehow, probably missing some configuration. Dropping "'Accept-Encoding': 'gzip, deflate'," from plugins/dogtag.py works around this issue, but is not the solution.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

note that on Fedora dogtag/tomcat does not return gzipped data although it's accepted on the ipa side, so could be that this bug would manifest there too in the same situation

Revision history for this message
Timo Aaltonen (tjaalton) wrote :
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

after disabling mod_deflate it works, but since it's an essential module it's probably best to just patch plugins/dogtag.py for now.

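The two comments above describe the mechanism: the IPA side advertises 'Accept-Encoding: gzip, deflate' to Dogtag, the httpd proxy in front of Tomcat (mod_deflate) honours it, and the XML parser on the IPA side is then handed gzip bytes whose first byte is 0x1f rather than '<'. The following is an added example, not code from this bug report or from FreeIPA/Dogtag, that reproduces that failure mode and shows the client-side fix (honour Content-Encoding before parsing) next to the workaround Timo mentions (stop advertising compression). fake_server, SAMPLE_XML, parse_naive, parse_fixed and fetch_total are constructed names for the illustration; the sample XML is not a real CMS payload. The stdlib parser reports the failure as "not well-formed (invalid token)" where lxml, which IPA uses, says "Start tag expected, '<' not found".

```python
"""Reproduce and fix the "Start tag expected, '<' not found" failure mode.

A client that advertises gzip/deflate support but then feeds the raw response
body to an XML parser breaks as soon as a proxy in the path actually compresses.
"""
import gzip
import zlib
import xml.etree.ElementTree as ET

# Constructed sample standing in for a Dogtag XML response (not a real payload).
SAMPLE_XML = b'<?xml version="1.0"?><CertDataInfos><total>13</total></CertDataInfos>'


def fake_server(accept_encoding, body=SAMPLE_XML):
    """Stand-in for httpd + mod_deflate proxying to Tomcat (constructed, not real).

    Returns (headers, body). Compresses only when the client offers it, which
    matches the observation that a Tomcat without mod_deflate in front of it
    (the Fedora case) returns plain XML while the Ubuntu httpd proxy gzips.
    """
    offered = [e.strip().lower() for e in accept_encoding.split(',') if e.strip()]
    if 'gzip' in offered:
        return {'Content-Encoding': 'gzip'}, gzip.compress(body)
    if 'deflate' in offered:
        return {'Content-Encoding': 'deflate'}, zlib.compress(body)
    return {}, body


def parse_naive(headers, body):
    """The failing behaviour: ignore Content-Encoding and parse the raw bytes."""
    return ET.fromstring(body)


def decode_body(headers, body):
    """Undo the content encoding the proxy applied before touching the XML."""
    enc = headers.get('Content-Encoding', 'identity').lower()
    if enc == 'gzip':
        return gzip.decompress(body)
    if enc == 'deflate':
        # HTTP 'deflate' is zlib-wrapped, but some servers send a raw DEFLATE
        # stream; fall back to a raw decode when the zlib header is missing.
        try:
            return zlib.decompress(body)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)
    if enc == 'identity':
        return body
    raise ValueError('unsupported Content-Encoding: %s' % enc)


def parse_fixed(headers, body):
    """The fix: decode according to Content-Encoding, then parse."""
    return ET.fromstring(decode_body(headers, body))


def fetch_total(accept_encoding, parser=parse_fixed):
    """Simulate one client round trip and return the <total> value as an int."""
    headers, body = fake_server(accept_encoding)
    root = parser(headers, body)
    return int(root.findtext('total'))


def naive_client_fails(accept_encoding):
    """True if the naive client cannot parse what the server sends back."""
    headers, body = fake_server(accept_encoding)
    try:
        parse_naive(headers, body)
    except ET.ParseError:
        return True
    return False


if __name__ == '__main__':
    # What the bug looks like: compression negotiated, body parsed raw.
    print('naive client with gzip offered fails:', naive_client_fails('gzip, deflate'))
    # The workaround from the thread: stop advertising compression.
    print('naive client, no Accept-Encoding:', fetch_total('', parser=parse_naive))
    # The proper fix: honour Content-Encoding on the way in.
    print('fixed client with gzip offered:', fetch_total('gzip, deflate'))
    print('fixed client with deflate offered:', fetch_total('deflate'))
```

Disabling mod_deflate server-wide, as tried in the comment above, removes the trigger but not the defect; a client that says it accepts an encoding has to be prepared to decode it, which is what decode_body does.
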
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

~ppa3 on the way to the ppa

Revision history for this message
gianluca (amato) wrote :

For me this ~ppa3 seems a regression w.r.t. ~ppa2. Commands "pki cert-find" and "pki cert-show" only worked for a couple of attempts, then they stopped working with "PKIException: Internal Server Error" and now this behavior is permanent also across reboots.

I will retry ~ppa2 and see if this was also happening there.

Revision history for this message
gianluca (amato) wrote :

No, I cannot retry ~ppa2 since it seems not to be available anymore and I deleted my previous installation by mistake.

Revision history for this message
gianluca (amato) wrote :

Actually, on a second attempt, ~ppa3 works fine. Weird.. both my attempts were clean installations.

Revision history for this message
Martin Bergman (martin-devsed) wrote :

What can I do to fix this? I can't deduce a workaround from these posts.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freeipa - 4.7.0-1ubuntu4

---------------
freeipa (4.7.0-1ubuntu4) cosmic; urgency=medium

  * Actually build server on architecture any.

 -- Dimitri John Ledkov <email address hidden> Tue, 02 Oct 2018 23:32:01 +0100

Changed in freeipa (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Giovanni Vecchi (g.vecchi) wrote :

Hi guys,

I can confirm bug is still present on a fresh bionic installation: any ETA about cosmic backports?

Thanks a lot
