<div dir="ltr">I forgot to add - usually removing the "-v" bit in the CA external helper definition produces the aforementioned 'rejected by CA' message, instead of verbose output.<br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-02-11 10:00 GMT+01:00 marcin kowalski <span dir="ltr"><<a href="mailto:yoshi314@gmail.com" target="_blank">yoshi314@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><code>Edit: I accidentally forgot to send a copy to the list, so resubmitting.<br><br><br>I tried this command : <br><span class=""><br>getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey -N "cn=mywebserver"<br><br>I've set up the 'dogtag-ipa' CA in certmonger like so : <br><br>id=dogtag-ipa<br>ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)<br>ca_is_default=0<br>ca_type=EXTERNAL<br>ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -E <a href="https://fedora.box.net:8443/ca/ee/ca" target="_blank">https://fedora.box.net:8443/ca/ee/ca</a> -A <a href="https://fedora.box.net:8443/ca/agent/ca/" target="_blank">https://fedora.box.net:8443/ca/agent/ca/</a> -n "CN=<a href="http://BOX.NET" target="_blank">BOX.NET</a> admin" -d /var/lib/pki/pki-tomcat/alias/  -i /etc/ipa/ca.crt -v<br><br><br>Since
 I haven't fully figured out how to set up authentication for certmonger 
yet, I've temporarily reused one from the Dogtag PKI instance. 
Hopefully it's not a fatal mistake on my end. <br><br>From the certmonger logs i get : <br><br>lut 11 09:52:19 <a href="http://fedora.box.net" target="_blank">fedora.box.net</a> dogtag-ipa-renew-agent-submit[2887]: GET <a href="https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQK%2B%0A6O7LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true" 
target="_blank">https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQK%2B%0A6O7LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true</a><br>lut 11 09:52:19 <a href="http://fedora.box.net" target="_blank">fedora.box.net</a> dogtag-ipa-renew-agent-submit[2887]: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred - {0}</Error><RequestId>  49</RequestId></XMLResponse><br><br><br>And
 the request #49 is placed in Dogtag's CA Agent services, and can be 
acknowledged/rejected correctly. It's just that certmonger is stuck and 
doesn't notice the successful delivery.<br><br>The machine is in an isolated network, so there is probably no issue with using <a href="http://box.net" target="_blank">box.net</a> as a test domain.</span></code></div><div class="gmail_extra"><br><div class="gmail_quote"><span class="">2015-02-10 18:40 GMT+01:00 Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF"><div><div>
    <div>On 02/10/2015 12:35 PM, marcin kowalski
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hi all, I'm getting Dogtag figured out slowly, and
        I noticed one odd thing. <br>
        <br>
        I've set up certmonger to request an arbitrary certificate
        through dogtag, and while the request seems to go into the
        dogtag system, certmonger acts as if communication with the CA
        failed. The certificate is considered in need of user attention
        because the process got stuck.<br>
        <br>
        <p>Request ID ‘20150210125814’:<br>
          status: NEED_GUIDANCE<br>
          stuck: yes<br>
          key pair storage: type=FILE,location=’/etc/pki/testkey’<br>
          certificate: type=FILE,location=’/etc/pki/testcert’<br>
          CA: dogtag-ipa<br>
          issuer:<br>
          subject:<br>
          expires: unknown<br>
          pre-save command:<br>
          post-save command:<br>
          track: yes<br>
          auto-renew: yes<br>
        </p>
        <p><br>
        </p>
        <p>[root@fedora pki]# systemctl status -l certmonger<br>
          (….)<br>
          lut 10 13:57:04 <a href="http://fedora.box.net" target="_blank">fedora.box.net</a>
          certmonger[7845]: Request for certificate to be stored in file
          “/etc/pki/testcert” rejected by CA.</p>
        <br>
        The request is present in dogtag and is valid, can be
        accepted/rejected, etc. Even though certmonger never notices
        that. I wonder if there is some obvious mistake in my setup, or
        perhaps there is a known bug in the interaction of both components on
        F21 (I'm using only standard repositories). <br>
        <br>
        When I post the query from certmonger's agent defined in the CA
        definition through curl, I get no errors.<br>
        <br>
        What would be the best way to debug this issue?<br>
      </div>
      <br>
      <fieldset></fieldset>
      <br>
    </blockquote></div></div>
    Can you post your certmonger get-cert command?<span><font color="#888888"><br>
    <br>
    <br>
    <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
  </font></span></div>

<br></div></div><span class="">--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br></span></blockquote></div><br></div>
</blockquote></div><br></div>
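Added example, not code from this thread, from certmonger or from Dogtag: a small Python parser for Dogtag's XMLResponse that maps its Status field onto the exit-code convention certmonger expects from an external submit helper (0 issued, 1 wait, 2 rejected, 3 unreachable, 4 unconfigured, 5 wait with delay). It shows why the deferred reply logged above (Status 2, request 49) has to be reported to certmonger as "wait" together with the request id rather than as a rejection. The Status 2 body is the one from the log; the Status 0 and Status 3 replies, and the meaning of those two values, are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# certmonger external-helper exit codes (CM_SUBMIT_STATUS_*): the helper's
# exit status tells certmonger what to do next with the tracking request.
ISSUED, WAIT, REJECTED, UNREACHABLE, UNCONFIGURED, WAIT_WITH_DELAY = 0, 1, 2, 3, 4, 5

# The Dogtag reply captured in the certmonger log above (Status 2, request 49).
DEFERRED_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<XMLResponse><Status>2</Status><Error>Request Deferred - {0}</Error>'
    '<RequestId>  49</RequestId></XMLResponse>'
)
# Constructed sibling replies; Status 0 = issued and Status 3 = rejected are assumptions.
ISSUED_RESPONSE = ('<XMLResponse><Status>0</Status><RequestId>50</RequestId>'
                   '<b64>MIIB...constructed...</b64></XMLResponse>')
REJECTED_RESPONSE = ('<XMLResponse><Status>3</Status><Error>Request Rejected</Error>'
                     '<RequestId>51</RequestId></XMLResponse>')


def parse_xmlresponse(body):
    """Return the fields of a Dogtag XMLResponse as a dict of stripped strings."""
    root = ET.fromstring(body.encode("utf-8"))  # bytes, so the encoding declaration is honoured
    if root.tag != "XMLResponse":
        raise ValueError("not a Dogtag XMLResponse: <%s>" % root.tag)

    def field(tag):
        node = root.find(tag)
        # RequestId arrives padded ("  49"); strip it so it can serve as the poll cookie.
        return node.text.strip() if node is not None and node.text else ""

    return {"status": field("Status"), "error": field("Error"),
            "request_id": field("RequestId"), "cert": field("b64")}


def helper_exit_code(body):
    """Map a Dogtag reply to (exit code, payload) for a certmonger submit helper.

    A deferred request is still alive in the agent approval queue, so the helper
    must answer WAIT and hand back the request id (certmonger stores it as the
    cookie for the next poll).  A helper that answered REJECTED instead would
    leave certmonger showing 'rejected by CA' for a request the CA still holds.
    """
    r = parse_xmlresponse(body)
    if r["status"] == "0" and r["cert"]:
        return ISSUED, r["cert"]          # certificate issued immediately
    if r["status"] == "2":
        return WAIT, r["request_id"]      # pending agent approval: poll again later
    return REJECTED, r["error"] or "unknown CA error"
```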