NSS DB can't be created with barbican stein

Bug #1905473 reported by Jan Wasilewski
This bug affects 2 people
Affects: barbican (Ubuntu)   Status: Confirmed   Importance: Undecided   Assigned to: Unassigned

Bug Description

During the integration of barbican with dogtag, I faced an issue where the NSS DB cannot be created during the first request. It seems that the file which has to be temporarily created for storing the NSS DB password has some trouble during creation. The failing code is part of: https://raw.githubusercontent.com/dogtagpki/pki/master/base/common/python/pki/crypto.py

The specific part of the code responsible for the fault is: http://paste.openstack.org/show/800374/

It leads to this error in the barbican API logs:

When I made a "dirty hack", which is:
- creation of the /etc/barbican/temp file with chmod 777
- adding this part of code to crypto.py: http://paste.openstack.org/show/800375/

the problem is solved. To me it looks like some kind of issue with python versions, but it's just my guess.

OS and packages details:

Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic

Barbican packages:
ii barbican-api 1:8.0.1-0ubuntu1~cloud0 all OpenStack Key Management Service - API Server
ii barbican-common 1:8.0.1-0ubuntu1~cloud0 all OpenStack Key Management Service - common files
ii barbican-keystone-listener 1:8.0.1-0ubuntu1~cloud0 all OpenStack Key Management Service - Keystone Listener
ii barbican-worker 1:8.0.1-0ubuntu1~cloud0 all OpenStack Key Management Service - Worker Node
ii python3-barbican 1:8.0.1-0ubuntu1~cloud0 all OpenStack Key Management Service - Python 3 files

PKI packages:
ii pki-base 10.6.0-1ubuntu2 all Certificate System - PKI Framework
ii pki-base-java 10.6.0-1ubuntu2 all Certificate System - PKI Framework -- java client support
ii pki-tools 10.6.0-1ubuntu2 amd64 Certificate System - PKI Tools
ii python3-pki-base 10.6.0-1ubuntu2 all Certificate System - PKI Framework -- python3 client support

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in barbican (Ubuntu):
status: New → Confirmed
Revision history for this message
Jan Wasilewski (janwasilewski) wrote :

After some troubleshooting, we found a nice solution for this bug, which is transforming the password to a string encoded as UTF-8, as below:

    import logging
    import os
    import shutil
    import subprocess
    import tempfile

    LOG = logging.getLogger(__name__)


    def setup_database(
            db_dir, password=None, over_write=False, password_file=None):
        """ Create an NSS database """
        if os.path.exists(db_dir):
            if not over_write:
                raise IOError("Directory already exists.")
            if os.path.isdir(db_dir):
                shutil.rmtree(db_dir)
            else:
                os.remove(db_dir)
        os.makedirs(db_dir)

        try:
            if password:
                # mkstemp() creates the file with mode 0600, so the password
                # is not readable by other local users while certutil runs.
                (f, password_file) = tempfile.mkstemp()
                # os.write() only accepts bytes on Python 3; a str password
                # raises TypeError without the explicit encode.
                os.write(f, str(password).encode('utf-8'))
                os.close(f)

            # certutil -N -d db_dir -f password_file
            command = ['certutil', '-N', '-d', db_dir, '-f', password_file]
            subprocess.check_call(command)
        except Exception as e:
            LOG.info(str(e))

        finally:
            # Remove the temporary password file whether or not certutil succeeded.
            if password and password_file:
                os.remove(password_file)

However, that was not the last problem with this library. I faced another error inside the import_cert function:
    import subprocess
    import tempfile


    def import_cert(self, cert_nick, content, trust):
        # Wrapper signature assumed for the snippet below; in pki/crypto.py this
        # is a method of the NSS crypto provider and self.certdb_dir is the
        # NSS database directory.
        # certutil -A -d db_dir -n cert_nick -t trust -i cert_file
        with tempfile.NamedTemporaryFile() as cert_file:
            # NamedTemporaryFile() opens in binary mode, so content must be bytes.
            cert_file.write(content)
            cert_file.flush()
            command = ['certutil', '-A', '-d', self.certdb_dir,
                       '-n', cert_nick, '-t', trust,
                       '-i', cert_file.name]
            subprocess.check_call(command)

Which finished with this error:
Command '['/usr/bin/certutil', '-A', '-d', '/etc/barbican/alias', '-n', 'KRA transport cert', '-t', 'u,u,u', '-i', '/tmp/tmp7djgq3r6']' returned non-zero exit status 255.

I believe there can be more issues with testing it against Ubuntu.
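The comment above fixes the first failure by encoding the password before os.write(). The following is an added example, not code from the bug report or from the dogtag pki project, showing the same certutil -N flow with the str/bytes handling done explicitly and the temporary password file created with mkstemp() (mode 0600) rather than a fixed world-writable path. It also shows why str(password).encode('utf-8') is not a safe generalisation: str() of a bytes value produces the text "b'...'", which would silently write the wrong password. The `run` parameter of setup_database() and the demo_setup() helper with its fake certutil are assumptions introduced here so the flow can be exercised without certutil installed; the real function calls subprocess.check_call.

```python
import os
import shutil
import stat
import subprocess
import tempfile


def encode_password(password):
    """Return the NSS DB password as bytes, as os.write() requires on Python 3.

    str(password).encode('utf-8') is not a safe generalisation of the fix:
    str(b'secret') is the text "b'secret'", so a caller that already passes
    bytes would silently get a different password written to the file.
    """
    if isinstance(password, bytes):
        return password
    if isinstance(password, str):
        return password.encode('utf-8')
    raise TypeError('password must be str or bytes, not %s'
                    % type(password).__name__)


def write_password_file(password):
    """Write the password to a fresh temp file and return its path.

    tempfile.mkstemp() opens the file O_EXCL with mode 0600, so the password
    is unreadable by other local users and the path cannot be pre-created by
    someone else (unlike a fixed /etc/barbican/temp created with chmod 777).
    """
    fd, path = tempfile.mkstemp(prefix='nssdb-pw-')
    try:
        os.write(fd, encode_password(password))
    finally:
        os.close(fd)
    return path


def setup_database(db_dir, password=None, over_write=False,
                   password_file=None, run=subprocess.check_call):
    """Create an NSS database with `certutil -N` and return the command used.

    `run` is an assumed, injectable parameter (not in pki/crypto.py) so the
    flow can be exercised without certutil installed.
    """
    if os.path.exists(db_dir):
        if not over_write:
            raise IOError('Directory already exists.')
        if os.path.isdir(db_dir):
            shutil.rmtree(db_dir)
        else:
            os.remove(db_dir)
    os.makedirs(db_dir)

    created_here = False
    try:
        if password:
            password_file = write_password_file(password)
            created_here = True
        if not password_file:
            raise ValueError('either password or password_file is required')
        command = ['certutil', '-N', '-d', db_dir, '-f', password_file]
        run(command)
    finally:
        # Only delete the file this function created, never a caller's file.
        if created_here:
            os.remove(password_file)
    return command


def demo_setup(password):
    """Drive setup_database() against a constructed fake certutil.

    Returns (command, password bytes the fake tool read from the -f file,
    the file's permission bits, whether the file still exists afterwards).
    """
    seen = {}

    def fake_certutil(command):
        pw_path = command[command.index('-f') + 1]
        with open(pw_path, 'rb') as fh:
            seen['password'] = fh.read()
        seen['mode'] = stat.S_IMODE(os.stat(pw_path).st_mode)
        seen['path'] = pw_path

    root = tempfile.mkdtemp(prefix='nssdb-demo-')
    try:
        command = setup_database(os.path.join(root, 'alias'), password,
                                 run=fake_certutil)
    finally:
        shutil.rmtree(root)
    return (command, seen['password'], seen['mode'],
            os.path.exists(seen['path']))


if __name__ == '__main__':
    print(demo_setup('s3cret'))
```

The fake runner reads the password file while it exists, which is the only window in which certutil sees it; afterwards the file is gone and its mode was 0600 the whole time, so a shared /tmp or a chmod 777 directory is not needed for the dogtag integration to work.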
