<div dir="ltr">> What is your reasoning for setting up your own CA configuration? Why not just use either ipa-getcert or getcert -c IPA? I am not yet familiar with the entire setup enough to give a good answer. I assume that requires full freeIPA setup, which i don't really need. I just wanted a simplistic dogtag ca instance + certmonger setup for watching certs on various machines and checking if the requests get filled in correctly, and then expanding on it once i get more familiar with other workings of it. And i got stuck on certmonger. </div><div class="gmail_extra"> <div class="gmail_quote">2015-02-11 19:14 GMT+01:00 Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">marcin kowalski wrote: > |Edit: i acceditanlly forgot to send copy to the list, so resubmitting. > > > I tried this command : > > getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey > -N "cn=mywebserver" > > i've setup the 'dogtag-ipa' ca in certmonger like so : > > id=dogtag-ipa > ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8) > ca_is_default=0 > ca_type=EXTERNAL > ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit > -E <a href="https://fedora.box.net:8443/ca/ee/ca" target="_blank">https://fedora.box.net:8443/ca/ee/ca</a> -A > <a href="https://fedora.box.net:8443/ca/agent/ca/" target="_blank">https://fedora.box.net:8443/ca/agent/ca/</a> -n "CN=<a href="http://BOX.NET" target="_blank">BOX.NET</a> <<a href="http://BOX.NET" target="_blank">http://BOX.NET</a>> > admin" -d /var/lib/pki/pki-tomcat/alias/ -i /etc/ipa/ca.crt -v > > > Since i haven't fully figured out how to setup authentication for > certmonger yet, i've temporarily reused one from the dogtag's pki > instance. Hopefully it's not a fatal mistake on my end. What is your reasoning for setting up your own CA configuration? Why not just use either ipa-getcert or getcert -c IPA? rob > > From the certmonger logs i get : > > lut 11 09:52:19 <a href="http://fedora.box.net" target="_blank">fedora.box.net</a> <<a href="http://fedora.box.net" target="_blank">http://fedora.box.net</a>> > dogtag-ipa-renew-agent-submit[2887]: GET > <a href="https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQ" target="_blank">https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQ</a>! K%2B%0A6O7 LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true > lut 11 09:52:19 <a href="http://fedora.box.net" target="_blank">fedora.box.net</a> <<a href="http://fedora.box.net" target="_blank">http://fedora.box.net</a>> > dogtag-ipa-renew-agent-submit[2887]: <?xml version="1.0" > encoding="UTF-8" > standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred > - {0}</Error><RequestId> 49</RequestId></XMLResponse> > > > And the request #49 is placed in Dogtag's CA Agent services, and can be > acknowledged/rejected correctly. It's just that certmonger is stuck and > doesn't notice the successful delivery. > > Machine is in isolated network, so there is probably no issue wrt using > <a href="http://box.net" target="_blank">box.net</a> <<a href="http://box.net" target="_blank">http://box.net</a>> as test domain.| > > 2015-02-10 18:40 GMT+01:00 Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a> > <mailto:<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>>>: > > On 02/10/2015 12:35 PM, marcin kowalski wrote: >> Hi all, i'm getting dogtag figured out slowly, and i noticed one >> odd thing. >> >> I've setup certmonger to request an arbitrary certificate through >> dogtag, and while the request seems to go into the dogtag system, >> certmonger acts as if communication with the CA failed. The >> certificate is considered in need of user attention because the >> process got stuck. >> >> Request ID ‘20150210125814’: >> status: NEED_GUIDANCE >> stuck: yes >> key pair storage: type=FILE,location=’/etc/pki/testkey’ >> certificate: type=FILE,location=’/etc/pki/testcert’ >> CA: dogtag-ipa >> issuer: >> subject: >> expires: unknown >> pre-save command: >> post-save command: >> track: yes >> auto-renew: yes >> >> >> [root@fedora pki]# systemctl status -l certmonger >> (….) >> lut 10 13:57:04 <a href="http://fedora.box.net" target="_blank">fedora.box.net</a> <<a href="http://fedora.box.net" target="_blank">http://fedora.box.net</a>> <div class="HOEnZb"><div class="h5">>> certmonger[7845]: Request for certificate to be stored in file >> “/etc/pki/testcert” rejected by CA. >> >> >> The request is present in dogtag and is valid, can be >> accepted/rejected, etc. Even though certmonger never notices that. >> I wonder if there is some obvious mistake in my setup, or perhaps >> there is known bug in interaction of both components on F21 (i'm >> using only standard repositories). >> >> When i post the query from certmonger's agent defined in ca >> definition through curl, i get no errors. >> >> What would be the best way to debug this issue? >> >> > Can you post your certmonger get-cert command? > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > > -- > Manage your subscription for the Freeipa-users mailing list: > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project > > > > </div></div></blockquote></div> </div>