[Bug 1905473] Re: NSS DB can't be created with barbican stein
Jan Wasilewski
1905473 at bugs.launchpad.net
Fri Nov 27 14:50:35 UTC 2020
After some troubleshooting, we found a nice solution for this bug, which
is transforming the password to a string with utf-8, as below:

    def setup_database(
            db_dir, password=None, over_write=False, password_file=None):
        """ Create an NSS database """
        if os.path.exists(db_dir):
            if not over_write:
                raise IOError("Directory already exists.")
            if os.path.isdir(db_dir):
                shutil.rmtree(db_dir)
            else:
                os.remove(db_dir)
        os.makedirs(db_dir)
        try:
            if password:
                (f, password_file) = tempfile.mkstemp()
                os.write(f, str(password).encode('utf-8'))
                os.close(f)
            command = ['certutil', '-N', '-d', db_dir, '-f', password_file]
            subprocess.check_call(command)
        except Exception as e:
            LOG.info(str(e))
        finally:
            if password and password_file:
                os.remove(password_file)

However, that was not the last problem with this library. I faced another error inside the import_cert function:

    # certutil -A -d db_dir -n cert_nick -t trust -i cert_file
    with tempfile.NamedTemporaryFile() as cert_file:
        cert_file.write(content)
        cert_file.flush()
        command = ['certutil', '-A', '-d', self.certdb_dir,
                   '-n', cert_nick, '-t', trust,
                   '-i', cert_file.name]
        subprocess.check_call(command)

Which finished with this error:

    Command '['/usr/bin/certutil', '-A', '-d', '/etc/barbican/alias', '-n', 'KRA transport cert', '-t', 'u,u,u', '-i', '/tmp/tmp7djgq3r6']' returned non-zero exit status 255.

I believe there can be more issues with testing it against Ubuntu.
--
https://bugs.launchpad.net/bugs/1905473
Title:
NSS DB can't be created with barbican stein
Status in barbican package in Ubuntu:
Confirmed
Bug description:
While integrating barbican with dogtag, I faced an issue: the NSS DB
cannot be created during the first request. It seems that the file
which has to be temporarily created for storing the NSS DB password has
some trouble during creation. A part of the failing code is:
https://raw.githubusercontent.com/dogtagpki/pki/master/base/common/python/pki/crypto.py
Specific part of code responsible for fault is:
http://paste.openstack.org/show/800374/
It leads to this error in barbican api logs:
When I made a "dirty hack" which is:
- creating a /etc/barbican/temp file with chmod 777
- adding this part of code to crypto.py: http://paste.openstack.org/show/800375/
the problem is solved. To me it looks like some kind of issue
with Python versions, but that's just my guess.
OS and packages details:
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
Barbican packages:
ii barbican-api 1:8.0.1-0ubuntu1~cloud0 all OpenStack Key Management Service - API Server
ii barbican-common 1:8.0.1-0ubuntu1~cloud0 all OpenStack Key Management Service - common files
ii barbican-keystone-listener 1:8.0.1-0ubuntu1~cloud0 all OpenStack Key Management Service - Keystone Listener
ii barbican-worker 1:8.0.1-0ubuntu1~cloud0 all OpenStack Key Management Service - Worker Node
ii python3-barbican 1:8.0.1-0ubuntu1~cloud0 all OpenStack Key Management Service - Python 3 files
PKI packages:
ii pki-base 10.6.0-1ubuntu2 all Certificate System - PKI Framework
ii pki-base-java 10.6.0-1ubuntu2 all Certificate System - PKI Framework -- java client support
ii pki-tools 10.6.0-1ubuntu2 amd64 Certificate System - PKI Tools
ii python3-pki-base 10.6.0-1ubuntu2 all Certificate System - PKI Framework -- python3 client support
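
The password-file handling discussed in the comment above, as an added example that is not part of the original message or of the dogtag/barbican code. It keeps the password in a mkstemp() file (mode 0600) rather than a world-writable one, accepts str or bytes, and reports certutil's stderr on failure; the function names and the injectable `runner` parameter are assumptions made for illustration.

```python
import os
import subprocess
import tempfile


def to_password_bytes(password):
    """Return the password as UTF-8 bytes, whether given as str or bytes."""
    if isinstance(password, bytes):
        # str(b"x").encode() would write the literal text b'x' to the file.
        return password
    return str(password).encode("utf-8")


def run_with_password_file(command, password, runner=subprocess.run):
    """Run command with '-f <tempfile>' appended; always remove the file.

    runner is a hypothetical hook so the logic can be exercised on a
    machine without certutil installed.
    """
    fd, path = tempfile.mkstemp(prefix="nsspw-")  # owner-only, mode 0600
    try:
        try:
            os.write(fd, to_password_bytes(password))  # os.write needs bytes
        finally:
            os.close(fd)
        result = runner(command + ["-f", path],
                        stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                        universal_newlines=True)
        if result.returncode != 0:
            # Surface the tool's own message, not only the exit status.
            raise RuntimeError("%s exited %d: %s" % (
                command[0], result.returncode, result.stderr.strip()))
        return result
    finally:
        os.remove(path)


def create_nss_db(db_dir, password, runner=subprocess.run):
    """certutil -N -d db_dir -f password_file, with a private db_dir."""
    os.makedirs(db_dir, mode=0o700, exist_ok=True)
    return run_with_password_file(["certutil", "-N", "-d", db_dir],
                                  password, runner)
```

Unlike subprocess.check_call(), which reports only "returned non-zero exit status 255", the RuntimeError here carries whatever certutil wrote to stderr.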