Description
Fedora 42 server
Dog tag pki 11.7.0.1
After my issues with OCSP, I shifted to 11.7, and that problem got solved; see #5177.
I attempted to install the ACME module, but ran into issues.
Using the steps in this doc https://github.com/dogtagpki/pki/wiki/Installing-ACME-Responder-using-pkispawn
It shows this step:

```
pkispawn \
    -f /usr/share/pki/server/examples/installation/acme.cfg \
    -s ACME \
    -D acme_database_url=ldap://ds.example.com:3389 \
    -D acme_issuer_url=https://pki.example.com:8443 \
    -D acme_realm_url=ldap://ds.example.com:3389
```
First problem, the port 3389 is the RDP port; it should be port 389, which is the LDAP port.
If we then look at acme.cfg, the default template file:

```
[DEFAULT]
pki_server_database_password=Secret.123
pki_cert_chain_nickname=ca_signing

[ACME]
pki_sslserver_nickname=sslserver
acme_database_type=ds
acme_database_url=ldap://localhost.localdomain:3389
acme_database_bind_password=Secret.123
acme_issuer_type=pki
acme_issuer_url=https://localhost.localdomain:8443
acme_issuer_password=Secret.123
acme_realm_type=ds
acme_realm_url=ldap://localhost.localdomain:3389
acme_realm_bind_password=Secret.123
```
Why are we specifying the URLs through `-D` to pkispawn when they are already in acme.cfg?
Now, of course, I edit the cfg to more correctly represent my layout:

```
[DEFAULT]
pki_server_database_password=secret-password
pki_cert_chain_nickname=caSigningCert cert-pki-tomcat CA

[ACME]
pki_sslserver_nickname=Server-Cert cert-pki-tomcat
acme_database_type=ds
acme_database_url=ldap://dog-tag-pki.userful.ca:389
acme_database_bind_password=secret-password
acme_issuer_type=pki
acme_issuer_url=https://dog-tag-pki.userful.ca:8443
acme_issuer_password=secret-password
acme_realm_type=ds
acme_realm_url=ldap://dog-tag-pki.userful.ca:389
acme_realm_bind_password=secret-password
```
You can see that I adjusted the first three key settings, removed sslserver, and corrected the ports and URLs.
First, this worked for the port change, but not for `pki_sslserver_nickname`.
For some reason, it keeps using `sslserver`. I can see the CSR for it in /etc/pki/pki-tomcat/certs.
But this cert never gets created and installed in the NSS DB, so when you restart, you get this error:

```
pki-server[11177]: ERROR: Certificate chain not found: sslserver
```

And since Tomcat is now in an unstartable state, you cannot do the following:

```
pkidestroy -s ACME
```
To get rid of the bad instance, I ended up making a dummy sslserver cert to just get the pki-tomcat to start which then let me get rid of ACME. This was not perfect since installing that dummy cert caused pki-tomcat to think that it was the root signing cert and broke the site's SSL.
Also, I was forced to use the `-D` options, since it did not listen to acme.cfg properly and seemed to ignore the specified URL lines:

```
pkispawn -f acme.cfg -s ACME \
    -D acme_database_url=ldap://dog-tag-pki.userful.ca:389 \
    -D acme_issuer_url=https://dog-tag-pki.userful.ca:8443 \
    -D acme_realm_url=ldap://dog-tag-pki.userful.ca:389
```
I ended up restoring a backup that I had to a state before I installed ACME.
I am stuck. I have tried a few ways to get around the sslserver cert that does not exist. I feel it's hard-coded somewhere, and why is a CSR created for it when the cert itself is never actually created?
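The post above combines a pkispawn config file with `-D` overrides and asks why both are needed. The following is an added example, not code from the issue or from the Dogtag PKI project: it models the two inputs as one effective parameter set (assumption: a `-D key=value` replaces the same key read from the file, with `[DEFAULT]` values inherited by the `[ACME]` section, as in a standard INI parser), reports which overrides merely repeat what the file already says, and flags template placeholders (`Secret.123`, `localhost.localdomain`) that are still present before anything is installed. The template text is the one quoted in the issue, embedded here as constructed input; the hypothetical `-D` values are the ones from the wiki step.

```python
"""Preflight check for a pkispawn ACME config: file + -D overrides.

Added example, not part of the original issue or of Dogtag PKI. Assumption:
a -D key overrides the same key from the config file, and [ACME] inherits
from [DEFAULT] the way configparser does.
"""
import configparser
from urllib.parse import urlparse

# Constructed input: the stock acme.cfg template as quoted in the issue.
TEMPLATE = """\
[DEFAULT]
pki_server_database_password=Secret.123
pki_cert_chain_nickname=ca_signing

[ACME]
pki_sslserver_nickname=sslserver
acme_database_type=ds
acme_database_url=ldap://localhost.localdomain:3389
acme_database_bind_password=Secret.123
acme_issuer_type=pki
acme_issuer_url=https://localhost.localdomain:8443
acme_issuer_password=Secret.123
acme_realm_type=ds
acme_realm_url=ldap://localhost.localdomain:3389
acme_realm_bind_password=Secret.123
"""

# Hypothetical -D arguments, taken from the wiki step quoted in the issue.
WIKI_OVERRIDES = [
    "acme_database_url=ldap://ds.example.com:3389",
    "acme_issuer_url=https://pki.example.com:8443",
    "acme_realm_url=ldap://ds.example.com:3389",
]

PLACEHOLDER_PASSWORDS = {"Secret.123"}
PLACEHOLDER_HOSTS = {"localhost", "localhost.localdomain"}
URL_KEYS = ("acme_database_url", "acme_issuer_url", "acme_realm_url")


def _file_values(text, section="ACME"):
    """Parse the config file; the section view includes [DEFAULT] keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp[section])


def _split_override(item):
    """Split one 'key=value' -D argument into (key, value)."""
    key, _, value = item.partition("=")
    return key.strip(), value.strip()


def effective_config(text, overrides, section="ACME"):
    """Merge file values and -D overrides; overrides win (assumed semantics)."""
    merged = _file_values(text, section)
    for item in overrides:
        key, value = _split_override(item)
        merged[key] = value
    return merged


def redundant_overrides(text, overrides, section="ACME"):
    """-D keys whose value equals the file value: they change nothing."""
    file_values = _file_values(text, section)
    return [k for k, v in map(_split_override, overrides) if file_values.get(k) == v]


def preflight(cfg):
    """Return findings about leftover template placeholders; empty means none."""
    findings = []
    for key, value in cfg.items():
        if key.endswith("password") and value in PLACEHOLDER_PASSWORDS:
            findings.append(f"{key}: default template password still in use")
    for key in URL_KEYS:
        url = cfg.get(key)
        if not url:
            findings.append(f"{key}: missing")
            continue
        parsed = urlparse(url)
        if parsed.hostname in PLACEHOLDER_HOSTS:
            findings.append(f"{key}: placeholder host {parsed.hostname!r}")
        if parsed.port is None:
            findings.append(f"{key}: no explicit port in {url!r}")
    for key in ("pki_sslserver_nickname", "pki_cert_chain_nickname"):
        if not cfg.get(key):
            findings.append(f"{key}: empty nickname")
    return findings


if __name__ == "__main__":
    cfg = effective_config(TEMPLATE, WIKI_OVERRIDES)
    for k in URL_KEYS:
        print(f"{k} = {cfg[k]}")
    print("redundant -D:", redundant_overrides(TEMPLATE, WIKI_OVERRIDES))
    for line in preflight(cfg):
        print("WARN", line)
```

Run against the unmodified template with no `-D` arguments, `preflight` reports four default passwords and three placeholder hosts; with the wiki's three `-D` URLs applied, only the four password findings remain, which is the minimum a file copied from /usr/share/pki/server/examples/installation/ still needs edited. Whether pkispawn itself treats the file and `-D` with exactly this precedence is the assumption named above, not something this script verifies against the tool.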