<div dir="ltr">Hi Christina,<div><br></div><div>Thank you for your help.</div><div><br></div><div>I think using SCEP there is no enrollment profile that I touch? I thought setting up the flatfile.txt with the relevant values and modifying the config to enable SCEP was all that I needed to do. My intention was for it to be <b>automatically</b> approved because of the IP/password being present in flatfile.txt.</div><div><br></div><div>Does that help? Sorry if I'm misunderstanding your questions.</div><div><br></div><div>Thanks,</div><div>Hayg</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 8, 2016 at 9:58 PM, Christina Fu <span dir="ltr">&lt;<a href="mailto:cfu@redhat.com" target="_blank">cfu@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    Hi Hayg,<br>
    <br>
    I am running Fedora 22 so I'm not sure if there is any difference at
    all.<br>
    <br>
    I would like to understand your issue(s) better.<br>
    When you said that your request failed because it was "getting
    deferred", does that mean you have it in the enrollment profile for
    manual approval?  In other words, it was your intention to have the
    request manually approved by the CA agents?<br>
    You realize that if you require manual agent approval, there is no
    option for sscep to "fetch" the already issued cert right?<br>
    <br>
    Or, did you not intend to have the request deferred and failed?  In
    which case, you want to know why it failed?  If so, do you have
    relevant debug log to give us some clue?<br>
    <br>
    Did I misunderstand your issue?<br>
    <br>
    Christina<div><div class="h5"><br>
    <br>
    <div>On 04/05/2016 02:57 AM,
      <a href="mailto:haygastourian@gmail.com" target="_blank">haygastourian@gmail.com</a> wrote:<br>
    </div>
    </div></div><blockquote type="cite"><div><div class="h5">
      <div dir="ltr"><span style="font-size:12.8px">Hello everyone,</span>
        <div style="font-size:12.8px"><br>
        </div>
        <div style="font-size:12.8px">I've been trying to enroll with
          dogtag via SSCEP for the last few days to no avail and I've
          reached the end of my rope, so I'm reaching out for your help
          (which I very much would appreciate).</div>
        <div style="font-size:12.8px"><br>
        </div>
        <div style="font-size:12.8px">I am running Ubuntu and my dogtag
          versions are:</div>
        <div style="font-size:12.8px">
          <div>hayg@hayg:~$ dpkg -l | grep dogtag</div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">ii  dogtag-pki  10.2.6-1  all  Dogtag Public Key Infrastructure (PKI) Suite<br>
            ii  dogtag-pki-console-theme  10.2.6-1  all  Certificate System - PKI Console User Interface<br>
            ii  dogtag-pki-server-theme  10.2.6-1  all  Certificate System - PKI Server User Interface</blockquote>
          <div> </div>
        </div>
        <div style="font-size:12.8px">My SSCEP:</div>
        <div style="font-size:12.8px">
          <div>[~/sscep]$ cat VERSION</div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">0.6.1</blockquote>
        </div>
        <div style="font-size:12.8px"><br>
        </div>
        <div style="font-size:12.8px">My flatfile.txt:</div>
        <div style="font-size:12.8px">
          <div>hayg@hayg:~$ sudo cat
            /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt</div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">#UID:172.16.24.238<br>
            #PWD:1212<br>
            UID:10.129.25.186<br>
            PWD:secret</blockquote>
        </div>
        <div style="font-size:12.8px">(I restarted my pki-tomcatd
          service just in case, to make sure it took effect)</div>
        <div style="font-size:12.8px"><br>
        </div>
        <div style="font-size:12.8px">On the SSCEP side I'm doing:
          ./sscep enroll -l cert.pem -r local.csr -k local.key -c
          astourian.crt -u '<a href="http://hayg.astourian.info:8080/ca/cgi-bin/pkiclient.exe" target="_blank">http://hayg.astourian.info:8080/ca/cgi-bin/pkiclient.exe</a>'</div>
        <div style="font-size:12.8px">
          <p>This fails because the request is getting deferred and I
            have fail on defer set to true, per the docs.</p>
          <p>The request actually shows up in 'List Certificates' when I
            go to the web UI, but when I try to approve it, I get:</p>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">The
            Certificate System has encountered an unrecoverable error.<br>
            Error Message:<br>
            <i>java.lang.NullPointerException<br>
            </i>Please contact your local administrator for assistance.</blockquote>
          <p>When I try to resume the enrollment by adding the -R flag
            to sscep it fails with the following error in the logs:</p>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">CRSEnrollment:
            No certificate has been found</blockquote>
          <div><br>
          </div>
          <div>My CSR:</div>
          <div>[~/sscep]$ openssl req -in local.csr -noout -text </div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Certificate
            Request:<br>
                Data:<br>
                    Version: 0 (0x0)<br>
                    Subject: CN=10.129.25.186<br>
                    Subject Public Key Info:<br>
                        Public Key Algorithm: rsaEncryption<br>
                            Public-Key: (1024 bit)<br>
                            Modulus:<br>
                               
            00:ab:f4:b7:55:bd:26:51:b7:65:b9:51:4e:08:31:<br>
                               
            83:ef:d6:b7:97:cc:cb:82:4b:a6:3f:be:ac:1c:9a:<br>
                               
            f5:1e:0d:56:7c:6a:be:d3:49:17:b6:ba:42:05:eb:<br>
                               
            6c:e2:ff:2b:0f:64:d5:ae:e8:5b:6c:f8:df:74:ef:<br>
                               
            1f:a1:94:50:4c:35:90:bc:02:2b:2a:e3:80:b6:e1:<br>
                               
            75:a0:34:4d:74:0b:47:2c:f5:2d:87:2a:72:4a:93:<br>
                               
            5b:76:a8:cc:96:56:0b:de:62:69:1e:37:30:eb:49:<br>
                               
            4a:0a:8c:55:c4:0e:a7:9d:95:88:2d:ed:15:19:c6:<br>
                                19:93:02:84:40:09:40:44:b1<br>
                            Exponent: 65537 (0x10001)<br>
                    Attributes:<br>
                        challengePassword        :secret<br>
                    Requested Extensions:<br>
                        X509v3 Subject Alternative Name: critical<br>
                            IP Address:10.129.25.186<br>
                Signature Algorithm: sha1WithRSAEncryption<br>
                   
             7e:85:96:60:54:ed:c7:fd:d4:9d:b9:48:4c:d6:5a:2d:b1:62:<br>
                   
             8f:26:58:04:da:f2:6d:cf:c7:59:dc:b5:b2:a9:69:8d:e0:df:<br>
                   
             4d:26:7b:51:3e:d5:f4:90:21:d9:20:69:6f:6f:e1:58:28:90:<br>
                   
             05:a7:38:1b:04:05:e6:84:03:78:95:90:d6:da:0c:56:c1:e9:<br>
                   
             16:d4:01:15:c5:5e:06:3f:44:48:6e:e5:dd:f6:dc:62:0a:f9:<br>
                   
             af:e7:c5:3d:0a:86:b1:99:40:90:ff:30:02:92:91:fb:dd:50:<br>
                   
             f0:df:bf:73:96:6f:04:3e:73:66:02:86:66:a0:00:fa:a7:58:<br>
                     ea:ae </blockquote>
          <div><br>
          </div>
          <div>As you can see, the password is "secret" and the CN is
            the UID from flatfile.txt.</div>
          <div><br>
          </div>
          <div>I welcome you all to try enrolling with my server. I can
            then try approving and see if it works.</div>
          <div><br>
          </div>
          <div>Again, I very much appreciate all of your help. Please
            excuse my wall of text x_x</div>
          <div><br>
          </div>
          <div>Thanks,</div>
          <div>Hayg</div>
        </div>
      </div>
      <br>
      <br>
      </div></div><pre>_______________________________________________
Pki-devel mailing list
<a href="mailto:Pki-devel@redhat.com" target="_blank">Pki-devel@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/pki-devel" target="_blank">https://www.redhat.com/mailman/listinfo/pki-devel</a></pre>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div>
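<div>Added example, not part of the original thread and not Dogtag or sscep code: a Python pre-flight check that the CSR's CN and challengePassword line up with an active UID/PWD pair in flatfile.txt, which is the match the original post relies on, and that also flags the 1024-bit RSA key and SHA-1 signature visible in the posted CSR. Assumptions: lines starting with <code>#</code> are disabled entries, the sample inputs are constructed from the thread's listings, and all function names are hypothetical.</div>

```python
import re

# Constructed inputs, modelled on the flatfile.txt and `openssl req -text` listings in the thread.
FLATFILE = "#UID:172.16.24.238\n#PWD:1212\nUID:10.129.25.186\nPWD:secret\n"
CSR_TEXT = """        Subject: CN=10.129.25.186
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
        Attributes:
            challengePassword        :secret
    Signature Algorithm: sha1WithRSAEncryption
"""
PATTERNS = {"cn": r"Subject:.*?CN\s*=\s*([^,/\n]+)", "pwd": r"challengePassword\s*:(.*)",
            "bits": r"Public-Key:\s*\((\d+) bit\)", "sigalg": r"Signature Algorithm:\s*(\S+)"}

def parse_flatfile(text):
    """Return {UID: PWD} for active entries. Assumption: '#' lines are disabled."""
    entries, uid = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if key.strip() == "UID":
            uid = value.strip()
        elif key.strip() == "PWD" and uid is not None:
            entries[uid] = value.strip()
            uid = None
    return entries

def csr_fields(text):
    """Extract CN, challengePassword, key size and signature algorithm from the text dump."""
    found = {name: re.search(rx, text) for name, rx in PATTERNS.items()}
    return {name: (m.group(1).strip() if m else None) for name, m in found.items()}

def preflight(flatfile_text, csr_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    entries, csr = parse_flatfile(flatfile_text), csr_fields(csr_text)
    findings = []
    if csr["cn"] not in entries:
        findings.append("no active UID entry for CN %r" % csr["cn"])
    elif entries[csr["cn"]] != csr["pwd"]:
        findings.append("challengePassword does not match PWD for %r" % csr["cn"])
    if "rsaEncryption" in csr_text and csr["bits"] and int(csr["bits"]) < 2048:
        findings.append("RSA key is %s bits, below 2048" % csr["bits"])
    if (csr["sigalg"] or "").lower().startswith("sha1"):
        findings.append("CSR is signed with SHA-1 (%s)" % csr["sigalg"])
    return findings

if __name__ == "__main__":
    print(preflight(FLATFILE, CSR_TEXT) or "nothing flagged")
```

<div>A clean result on the first two checks only shows that the files agree with each other; it says nothing about why the CA deferred the request.</div>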