<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 02/12/2015 03:46 AM, marcin kowalski
wrote:<br>
</div>
<blockquote
cite="mid:CABKsJ=Q+uh88kccu7Zw3h6K7atBYbqdSwMZxhY+GgRuVM=uj0g@mail.gmail.com"
type="cite">
<div dir="ltr">> What is your reasoning for setting up your own
CA configuration? Why not<br>
just use either ipa-getcert or getcert -c IPA?<br>
<br>
I am not yet familiar enough with the entire setup to give a
good answer. I assume that requires a full FreeIPA setup, which I
don't really need.<br>
<br>
I just wanted a simplistic Dogtag CA instance + certmonger setup
for watching certs on various machines and checking if the
requests get filled in correctly, and then expanding on it once
I get more familiar with other workings of it. And I got stuck
on certmonger.<br>
</div>
</blockquote>
<br>
I do not think certmonger is currently supported with pure Dogtag
without IPA. There are some parts of it present, but it might not
work end to end.<br>
In the case of IPA, certmonger uses Kerberos to authenticate to the
server and fetch the certs. Without IPA you have to deal with the pure
cert-based setup, which we have not had the priority to complete.<br>
<br>
<blockquote
cite="mid:CABKsJ=Q+uh88kccu7Zw3h6K7atBYbqdSwMZxhY+GgRuVM=uj0g@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-02-11 19:14 GMT+01:00 Rob
Crittenden <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">marcin kowalski wrote:<br>
> Edit: I accidentally forgot to send a copy to the
list, so resubmitting.<br>
><br>
><br>
> I tried this command :<br>
><br>
> getcert request -c dogtag-ipa -f /etc/pki/testcert -k
/etc/pki/testkey<br>
> -N "cn=mywebserver"<br>
><br>
> I've set up the 'dogtag-ipa' CA in certmonger like so:<br>
><br>
> id=dogtag-ipa<br>
> ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)<br>
> ca_is_default=0<br>
> ca_type=EXTERNAL<br>
> ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
-E <a moz-do-not-send="true"
href="https://fedora.box.net:8443/ca/ee/ca"
target="_blank">https://fedora.box.net:8443/ca/ee/ca</a>
-A </span><a moz-do-not-send="true"
href="https://fedora.box.net:8443/ca/agent/ca/"
target="_blank">https://fedora.box.net:8443/ca/agent/ca/</a>
-n "CN=BOX.NET <span class="">admin" -d
/var/lib/pki/pki-tomcat/alias/ -i /etc/ipa/ca.crt -v<br>
><br>
><br>
> Since i haven't fully figured out how to setup
authentication for<br>
> certmonger yet, i've temporarily reused one from the
dogtag's pki<br>
> instance. Hopefully it's not a fatal mistake on my
end.<br>
<br>
</span>What is your reasoning for setting up your own CA
configuration? Why not<br>
just use either ipa-getcert or getcert -c IPA?<br>
<br>
rob<br>
<span class=""><br>
><br>
> From the certmonger logs i get :<br>
><br>
</span>> lut 11 09:52:19 <a moz-do-not-send="true"
href="http://fedora.box.net" target="_blank">fedora.box.net</a><br>
> dogtag-ipa-renew-agent-submit[2887]: GET<br>
> <a moz-do-not-send="true"
href="https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQK%2B%0A6O7LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true"
target="_blank">https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQK%2B%0A6O7LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true</a><br>
> lut 11 09:52:19 <a moz-do-not-send="true"
href="http://fedora.box.net" target="_blank">fedora.box.net</a><br>
<span class="">> dogtag-ipa-renew-agent-submit[2887]:
&lt;?xml version="1.0" encoding="UTF-8"
standalone="no"?&gt;&lt;XMLResponse&gt;&lt;Status&gt;2&lt;/Status&gt;&lt;Error&gt;Request
Deferred - {0}&lt;/Error&gt;&lt;RequestId&gt;49&lt;/RequestId&gt;&lt;/XMLResponse&gt;<br>
><br>
><br>
> And the request #49 is placed in Dogtag's CA Agent
services, and can be<br>
> acknowledged/rejected correctly. It's just that
certmonger is stuck and<br>
> doesn't notice the successful delivery.<br>
><br>
> Machine is in an isolated network, so there is probably
no issue wrt using<br>
</span>> box.net as a test domain.<br>
<span class="">><br>
> 2015-02-10 18:40 GMT+01:00 Dmitri Pal <<a
moz-do-not-send="true" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>:<br>
</span>
<span class="">><br>
> On 02/10/2015 12:35 PM, marcin kowalski wrote:<br>
>> Hi all, I'm getting Dogtag figured out
slowly, and I noticed one<br>
>> odd thing.<br>
>><br>
>> I've set up certmonger to request an arbitrary
certificate through<br>
>> Dogtag, and while the request seems to go
into the Dogtag system,<br>
>> certmonger acts as if communication with the
CA failed. The<br>
>> certificate is considered in need of user
attention because the<br>
>> process got stuck.<br>
>><br>
>> Request ID '20150210125814':<br>
>> status: NEED_GUIDANCE<br>
>> stuck: yes<br>
>> key pair storage:
type=FILE,location='/etc/pki/testkey'<br>
>> certificate:
type=FILE,location='/etc/pki/testcert'<br>
>> CA: dogtag-ipa<br>
>> issuer:<br>
>> subject:<br>
>> expires: unknown<br>
>> pre-save command:<br>
>> post-save command:<br>
>> track: yes<br>
>> auto-renew: yes<br>
>><br>
>><br>
>> [root@fedora pki]# systemctl status -l
certmonger<br>
>> (...)<br>
</span>>> lut 10 13:57:04 <a
moz-do-not-send="true" href="http://fedora.box.net"
target="_blank">fedora.box.net</a><br>
<div class="HOEnZb">
<div class="h5">>> certmonger[7845]: Request for
certificate to be stored in file<br>
>> "/etc/pki/testcert" rejected by CA.<br>
>><br>
>><br>
>> The request is present in Dogtag and is
valid, can be<br>
>> accepted/rejected, etc., even though
certmonger never notices that.<br>
>> I wonder if there is some obvious mistake
in my setup, or perhaps<br>
>> there is a known bug in the interaction of both
components on F21 (I'm<br>
>> using only standard repositories).<br>
>><br>
>> When I post the query from certmonger's
agent defined in the CA<br>
>> definition through curl, I get no errors.<br>
>><br>
>> What would be the best way to debug this
issue?<br>
>><br>
>><br>
> Can you post your certmonger getcert command?<br>
><br>
><br>
> --<br>
> Thank you,<br>
> Dmitri Pal<br>
><br>
> Sr. Engineering Manager IdM portfolio<br>
> Red Hat, Inc.<br>
><br>
><br>
> --<br>
> Manage your subscription for the Freeipa-users
mailing list:<br>
> <a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
> Go To <a moz-do-not-send="true"
href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
><br>
><br>
><br>
><br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
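Added example (not certmonger's, Dogtag's or the poster's code): the thread
shows dogtag-ipa-renew-agent-submit getting Status 2 / "Request Deferred" with
RequestId 49 back from Dogtag's profileSubmit, after which certmonger logs the
request as "rejected by CA" and parks it in NEED_GUIDANCE. The script below
does the two things a certmonger external helper for Dogtag has to get right:
build the profileSubmit GET with the same percent-encoding the log shows, and
map the XMLResponse onto certmonger's helper exit codes (0 issued with the
certificate on stdout, 1 wait with a cookie on stdout, 2 rejected, 3 CA
unreachable, 4 unconfigured, 5 wait with delay), handing the RequestId back as
the cookie in the deferred case so certmonger polls later instead of giving up.
The sample CSR and response are constructed from the thread (the CSR body is
shortened); the Requests/Request/b64 location of an issued certificate and the
CERTMONGER_CSR environment variable are assumptions about the helper protocol
and are not shown on this page.<br>

```python
"""certmonger-style external helper logic for Dogtag's profileSubmit
XMLResponse. Added example, not certmonger's or Dogtag's own code."""
import os
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# certmonger external-helper exit codes (helper protocol convention).
ISSUED, WAIT, REJECTED, UNREACHABLE, UNCONFIGURED, WAIT_WITH_DELAY = range(6)

# Constructed from the GET in the thread; the CSR body is shortened.
SAMPLE_CSR = (
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    "MIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3\n"
    "-----END NEW CERTIFICATE REQUEST-----\n"
)

# Dogtag's reply as logged by dogtag-ipa-renew-agent-submit in the thread
# (the literal "{0}" is an unfilled message placeholder from the CA side).
SAMPLE_DEFERRED = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    "<XMLResponse><Status>2</Status><Error>Request Deferred - {0}</Error>"
    "<RequestId>49</RequestId></XMLResponse>"
)


def build_submit_url(ee_url, csr_pem, profile="caServerCert"):
    """Build the profileSubmit GET the helper issues against the EE URL.

    urlencode() uses quote_plus, which gives exactly the encoding seen in
    the log: spaces as '+', newlines as %0A, '/' as %2F and '+' as %2B.
    """
    query = urlencode({
        "profileId": profile,
        "cert_request_type": "pkcs10",
        "cert_request": csr_pem,
        "xml": "true",
    })
    return f"{ee_url.rstrip('/')}/profileSubmit?{query}"


def evaluate_response(xml_text):
    """Map a Dogtag XMLResponse to (certmonger exit code, text for stdout).

    Status 2 plus a RequestId is the 'deferred for agent approval' case from
    the thread: the correct answer is WAIT with the request id as the cookie,
    so certmonger polls later rather than treating it as a rejection.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Garbage from the CA is a transport problem, not a verdict: retry.
        return UNREACHABLE, f"unparseable CA reply: {exc}"
    status = (root.findtext("Status") or "").strip()
    request_id = (root.findtext("RequestId") or "").strip()
    error = (root.findtext("Error") or "").strip()
    if status == "2" and request_id:
        return WAIT, request_id
    if status == "0":
        # Assumption: an issued certificate arrives base64-encoded under
        # Requests/Request/b64 (not shown in the thread); re-wrap it as PEM.
        b64 = root.findtext("Requests/Request/b64")
        if b64:
            body = "".join(b64.split())
            lines = [body[i:i + 64] for i in range(0, len(body), 64)]
            pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                   + "\n-----END CERTIFICATE-----\n")
            return ISSUED, pem
        return UNREACHABLE, "Status 0 but no certificate in reply"
    # Any other status (e.g. 3) is a definite refusal; report the CA's text.
    return REJECTED, error or f"CA returned Status {status!r}"


def main():
    """Behave like a helper: CSR from CERTMONGER_CSR (assumed env var) or
    the sample, then exit with the code certmonger expects."""
    csr = os.environ.get("CERTMONGER_CSR", SAMPLE_CSR)
    print(build_submit_url("https://fedora.box.net:8443/ca/ee/ca", csr),
          file=sys.stderr)
    code, out = evaluate_response(SAMPLE_DEFERRED)
    print(out)          # cookie "49" on stdout for the deferred case
    sys.exit(code)      # exit 1 = WAIT, so certmonger keeps polling


if __name__ == "__main__":
    main()
```

Run stand-alone it prints the request id and exits 1, which is what a helper
should do for a deferred request; a helper that exits 2 at this point is what
produces the "rejected by CA" log line quoted above.<br>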
</body>
</html>