
TypeError during spawning of the clone CA using podman image dogtagpki/pki-ca from quay.io #4793

Open
Meloknight89 opened this issue Jun 28, 2024 · 0 comments
Hello,

I'm facing an issue while trying to spawn a clone Certificate Authority (CA) using the dogtagpki/pki-ca podman image from quay.io. While the main CA spawns without any issues, spawning the clone CA results in a TypeError. The error message indicates that a NoneType object is being used where a string, bytes, or os.PathLike object is expected.

Steps to Reproduce:

  1. Pull the dogtagpki/pki-ca image from quay.io.
  2. Successfully spawn the main CA.
  3. Attempt to spawn a clone CA using the same image.

Expected Result:
The clone CA should be spawned without any errors, similar to the main CA.

Actual Result:
The following error message is encountered during the cloning process:

ERROR: TypeError: expected str, bytes or os.PathLike object, not NoneType
  File "/usr/lib/python3.12/site-packages/pki/server/pkispawn.py", line 596, in main
    deployer.spawn()
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 5209, in spawn
    scriptlet.spawn(self)
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/scriptlets/security_databases.py", line 40, in spawn
    deployer.import_clone_pkcs12()
  File "/usr/lib/python3.12/site-packages/pki/server/deployment/__init__.py", line 701, in import_clone_pkcs12
    pkcs12.show_certs()
  File "/usr/lib/python3.12/site-packages/pki/pkcs12.py", line 78, in show_certs
    subprocess.check_call(cmd)
  File "/usr/lib64/python3.12/subprocess.py", line 408, in check_call
    retcode = call(*popenargs, **kwargs)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/subprocess.py", line 389, in call
    with Popen(*popenargs, **kwargs) as p:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/subprocess.py", line 1026, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/lib64/python3.12/subprocess.py", line 1885, in _execute_child
    self.pid = _fork_exec(
               ^^^^^^^^^^^
Loading deployment configuration from /etc/pki/pki-tomcat/ca.cfg.
Installation log: /var/log/pkispawn.log
Installing CA into /var/lib/pki/pki-tomcat.
PKCS12 Path: /etc/pki/pki-tomcat/cloned-ca-certs.p12
Password File: /tmp/tmpd4bmml55/password.txt
Command to be executed: ['pki', '-d', '/var/lib/pki/pki-tomcat/conf/alias', '-C', None, 'pkcs12-cert-find', '--pkcs12', '/etc/pki/pki-tomcat/cloned-ca-certs.p12', '--password-file', '/tmp/tmpd4bmml55/password.txt']
Installation failed: expected str, bytes or os.PathLike object, not NoneType

Additional Debug Information:

I added debug statements to the show_certs method in /usr/lib/python3.12/site-packages/pki/pkcs12.py to identify where the NoneType is coming from as follows:

Adjusted "show_certs" method

import os
import shutil
import subprocess
import tempfile


class PKCS12(object):

    def __init__(self, path, password=None, password_file=None, nssdb=None):

        # The pki CLI needs an NSS database to run PKCS #12 operations
        # as required by JSS. If the nssdb parameter is provided, the CLI
        # will use the specified NSS database object. Otherwise, it will use
        # the default NSS database in ~/.dogtag/nssdb.

        self.path = path
        self.nssdb = nssdb

        self.tmpdir = tempfile.mkdtemp()

        if password:
            self.password_file = os.path.join(self.tmpdir, 'password.txt')
            with open(self.password_file, 'w', encoding='utf-8') as f:
                f.write(password)

        elif password_file:
            self.password_file = password_file

        else:
            raise Exception('Missing PKCS #12 password')

    def close(self):
        shutil.rmtree(self.tmpdir)

    def show_certs(self):
        # Debug statements to print variable values
        print(f"PKCS12 Path: {self.path}")
        print(f"Password File: {self.password_file}")

        cmd = ['pki']

        if self.nssdb:
            # nssdb.password_file is what ends up as the None after '-C'
            cmd.extend([
                '-d', self.nssdb.directory,
                '-C', self.nssdb.password_file
            ])

        cmd.extend([
            'pkcs12-cert-find',
            '--pkcs12', self.path,
            '--password-file', self.password_file
        ])

        # Debug statement to print the command
        print(f"Command to be executed: {cmd}")

        subprocess.check_call(cmd)

Environment:

Podman image: dogtagpki/pki-ca
OS: Red Hat Enterprise Linux 8.8
Python version: 3.12
Dogtag PKI version: latest

Cfg content:

[DEFAULT]
#pki_instance_name={{ pki_instance_name }}
pki_server_database_password={{ pki_server_database_password }}
pki_cert_chain_path={{pki_config_path_in_container}}/root-ca_signing.crt


[Tomcat]

pki_clone=True

#https://{{ca_to_clone}}:8443
pki_clone_uri=https://{{root_ca_hostname}}:8443
# To clone with PKCS #12 file, specify the following parameters:
pki_clone_pkcs12_path={{pki_config_path_in_container}}/cloned-ca-certs.p12
pki_clone_pkcs12_password={{ pki_clone_pkcs12_password }}
pki_ds_remove_data=False
pki_clone_setup_replication=False
# replication
#If set to False, the installer does not set up replication agreements from the master to the clone
#as part of the subsystem configuration.
#In this case, it is expected that the top level suffix already exists, and that the data has already been replicated.
#This option is useful if you want to use other tools to create and manage your replication topology,
#or if the baseDN is already replicated as part of a top-level suffix.
#Defaults to True.
#pki_clone_replicate_schema=False



# Defaults to False.
# This parameter is only relevant when **pki_clone_setup_replication** is set to False.
#pki_clone_reindex_data=True



[CA]

pki_ds_url={{ pki_ds_url }}
pki_ds_secure_connection_ca_nickname=ds_signing
pki_ds_secure_connection_ca_pem_file={{podman_cert_folder}}/ds_signing.crt

[email protected]
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password={{ pki_admin_password }}
pki_admin_uid=caadmin

pki_client_pkcs12_password={{ pki_client_pkcs12_password }}

pki_ds_base_dn=dc=ca,dc=pki,{{ ds_base_dn }}
pki_ds_database=userRoot
pki_ds_password={{ pki_ds_password }}
pki_ds_create_new_db=False

pki_security_domain_hostname={{ root_ca_hostname }}
pki_security_domain_user=caadmin
pki_security_domain_password={{ pki_admin_password }}
pki_security_domain_https_port=8443



pki_ca_signing_subject_dn={{pki_ca_signing_subject_dn}}
# pki_ca_signing_nickname is by default: ca_signing
pki_ca_signing_nickname={{ pki_ca_signing_nickname }}
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
pki_sslserver_nickname=sslserver
pki_subsystem_nickname=ca

# cloned ds
# default is %(pki_hostname)s
#pki_ds_hostname={{directory_server_url}}

Request:

Could someone please investigate this issue or provide guidance on how to resolve it? Additionally, could you confirm whether there might be a missing parameter in the ca.cfg file for the clone CA that I am not aware of and that is causing the NoneType? I have reviewed the documentation but could not find any hint regarding this.

If additional information is needed, please let me know. Any hint would be much appreciated.

Best Regards,
Joel
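As an added example (not part of this issue and not the pki project's own code), the block below mirrors the command construction from the pasted show_certs() so the failure can be reproduced offline, and adds a pre-flight check that names the offending flag instead of letting subprocess raise the bare TypeError from the report. FakeNSSDatabase is a constructed stand-in exposing only the two attributes the pasted code reads (directory, password_file); the paths are the ones from the log above, and the password-file path for the working case is an assumption.

```python
"""Constructed reproduction of the '-C None' command from the report, plus a
pre-flight argument check that reports which flag carries the None."""
import os
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass
class FakeNSSDatabase:
    """Hypothetical stand-in for the NSS database object passed as nssdb.
    Only the attributes read by the pasted show_certs() are modelled."""
    directory: str
    password_file: Optional[str] = None


def build_pkcs12_cert_find_cmd(pkcs12_path, password_file, nssdb=None):
    """Same argument list the pasted show_certs() builds before check_call."""
    cmd = ['pki']
    if nssdb:
        # If nssdb.password_file is None, the None lands right after '-C'.
        cmd.extend(['-d', nssdb.directory, '-C', nssdb.password_file])
    cmd.extend(['pkcs12-cert-find',
                '--pkcs12', pkcs12_path,
                '--password-file', password_file])
    return cmd


def find_invalid_args(cmd):
    """Return (index, preceding_flag, value) for every argument subprocess
    would reject (it only accepts str, bytes or os.PathLike). subprocess
    raises the same TypeError as in the report but does not say which one."""
    bad = []
    for i, arg in enumerate(cmd):
        if isinstance(arg, (str, bytes, os.PathLike)):
            continue
        prev = cmd[i - 1] if i > 0 else None
        flag = prev if isinstance(prev, str) and prev.startswith('-') else None
        bad.append((i, flag, arg))
    return bad


def explain_cmd(cmd):
    """None when the command is safe to execute, else a message naming the
    offending argument(s) and the flag each follows."""
    bad = find_invalid_args(cmd)
    if not bad:
        return None
    return '; '.join(f'argument {i} after {flag!r} is {val!r}'
                     for i, flag, val in bad)


def checked_call(cmd, run=subprocess.check_call):
    """Validate first, then run. The runner is injectable so the check can be
    exercised without a pki binary on the machine."""
    problem = explain_cmd(cmd)
    if problem:
        raise ValueError(f'refusing to run {cmd[0]}: {problem}')
    return run(cmd)


if __name__ == '__main__':
    # Situation from the report: an NSS database object with no password file.
    broken_db = FakeNSSDatabase('/var/lib/pki/pki-tomcat/conf/alias')
    cmd = build_pkcs12_cert_find_cmd('/etc/pki/pki-tomcat/cloned-ca-certs.p12',
                                     '/tmp/tmpd4bmml55/password.txt', broken_db)
    print(cmd)
    print(explain_cmd(cmd))   # argument 4 after '-C' is None
```

With a password file present on the NSS database object, explain_cmd() returns None and checked_call() proceeds; with it missing, the ValueError points straight at '-C', which is the diagnostic the debug prints in the issue had to be added by hand to obtain.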
