<div dir="ltr">Hi Christina,<div><br></div><div>I see, good to know. Thanks for the help.</div><div><br></div><div>Best,</div><div>Hayg</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 11, 2016 at 7:05 PM, Christina Fu <span dir="ltr">&lt;<a href="mailto:cfu@redhat.com" target="_blank">cfu@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hi Hayg,<br>
Good to hear. To answer your previous question, caRouterCert.cfg is
the default sscep enrollment profile. You can see the
authentication by default using flatfile:<br>
auth.instance_id=flatFileAuth<br>
Earlier, I misunderstood you for removing that and rendering a
manual approval.<span class="HOEnZb"><font color="#888888"><br>
<br>
Christina</font></span><div><div class="h5"><br>
<br>
<div>On 04/11/2016 05:14 AM,
<a href="mailto:haygastourian@gmail.com" target="_blank">haygastourian@gmail.com</a> wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Christina,
<div><br>
</div>
<div>I got this to work with sscep. It seems the IP in my
flatfile was wrong. I think the main issue is the lack of a
clear error message.</div>
<div><br>
</div>
<div>Thanks for your help,</div>
<div>Hayg</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Apr 11, 2016 at 10:54 AM, <a href="mailto:haygastourian@gmail.com" target="_blank">haygastourian@gmail.com</a>
<span dir="ltr">&lt;<a href="mailto:haygastourian@gmail.com" target="_blank">haygastourian@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi Christina,
<div><br>
</div>
<div>Thank you for your help.</div>
<div><br>
</div>
<div>I think using SCEP there is no enrollment profile
that I touch? I thought setting up the flatfile.txt with
the relevant values and modifying the config to enable
SCEP was all that I needed to do. My intention was for
it to be <b>automatically</b> approved because of the
IP/password being present in flatfile.txt</div>
<div><br>
</div>
<div>Does that help? Sorry if I'm misunderstanding your
questions.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Hayg</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Apr 8, 2016 at 9:58
PM, Christina Fu <span dir="ltr">&lt;<a href="mailto:cfu@redhat.com" target="_blank">cfu@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hi Hayg,<br>
<br>
I am running Fedora 22 so I'm not sure if there
is any difference at all.<br>
<br>
I would like to understand your issue(s) better.<br>
When you said that your request failed because
it was "getting deferred", does that mean you
have it in the enrollment profile for manual
approval? In other words, it was your intention
to have the request manually approved by the CA
agents?<br>
You realize that if you require manual agent
approval, there is no option for sscep to
"fetch" the already issued cert, right?<br>
<br>
Or, did you not intend to have the request
deferred and failed? In which case, you want to
know why it failed? If so, do you have a relevant
debug log to give us some clue?<br>
<br>
Did I misunderstand your issue?<br>
<br>
Christina
<div>
<div><br>
<br>
<div>On 04/05/2016 02:57 AM, <a href="mailto:haygastourian@gmail.com" target="_blank">haygastourian@gmail.com</a>
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr"><span style="font-size:12.8px">Hello
everyone,</span>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">I've been
trying to enroll with dogtag via SSCEP
for the last few days to no avail and
I've reached the end of my rope, so
I'm reaching out for your help (which
I very much would appreciate).</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">I am
running Ubuntu and my dogtag versions
are:</div>
<div style="font-size:12.8px">
<div>hayg@hayg:~$ dpkg -l | grep
dogtag</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">ii
dogtag-pki
10.2.6-1
all Dogtag Public Key
Infrastructure (PKI) Suite<br>
ii dogtag-pki-console-theme
10.2.6-1
all Certificate System -
PKI Console User Interface<br>
ii dogtag-pki-server-theme
10.2.6-1
all Certificate System
- PKI Server User Interface</blockquote>
<div> </div>
</div>
<div style="font-size:12.8px">My SSCEP:</div>
<div style="font-size:12.8px">
<div>[~/sscep]$ cat VERSION
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">0.6.1</blockquote>
</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">My
flatfile.txt:</div>
<div style="font-size:12.8px">
<div>hayg@hayg:~$ sudo cat
/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">#UID:172.16.24.238<br>
#PWD:1212<br>
UID:10.129.25.186<br>
PWD:secret</blockquote>
</div>
<div style="font-size:12.8px">(I
restarted my pki-tomcatd service just
in case, to make sure it took effect)</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">On the
SSCEP side I'm doing: ./sscep enroll
-l cert.pem -r local.csr -k local.key
-c astourian.crt -u '<a href="http://hayg.astourian.info:8080/ca/cgi-bin/pkiclient.exe" target="_blank">http://hayg.astourian.info:8080/ca/cgi-bin/pkiclient.exe</a>'</div>
<div style="font-size:12.8px">
<p>This fails because the request is
getting deferred and I have fail on
defer set to true, per the docs.</p>
<p>The request actually shows up in
'List Certificates' when I go to the
web UI, but when I try to approve
it, I get:</p>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">The
Certificate System has encountered
an unrecoverable error.<br>
Error Message:<br>
<i>java.lang.NullPointerException<br>
</i>Please contact your local
administrator for assistance.</blockquote>
<p>When I try to resume the enrollment
by adding the -R flag to sscep it
fails with the following error in
the logs:</p>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">CRSEnrollment:
No certificate has been found</blockquote>
<div><br>
</div>
<div>My CSR:</div>
<div>[~/sscep]$ openssl req -in
local.csr -noout -text </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Certificate
Request:<br>
Data:<br>
Version: 0 (0x0)<br>
Subject: CN=10.129.25.186<br>
Subject Public Key Info:<br>
Public Key Algorithm:
rsaEncryption<br>
Public-Key: (1024
bit)<br>
Modulus:<br>
00:ab:f4:b7:55:bd:26:51:b7:65:b9:51:4e:08:31:<br>
83:ef:d6:b7:97:cc:cb:82:4b:a6:3f:be:ac:1c:9a:<br>
f5:1e:0d:56:7c:6a:be:d3:49:17:b6:ba:42:05:eb:<br>
6c:e2:ff:2b:0f:64:d5:ae:e8:5b:6c:f8:df:74:ef:<br>
1f:a1:94:50:4c:35:90:bc:02:2b:2a:e3:80:b6:e1:<br>
75:a0:34:4d:74:0b:47:2c:f5:2d:87:2a:72:4a:93:<br>
5b:76:a8:cc:96:56:0b:de:62:69:1e:37:30:eb:49:<br>
4a:0a:8c:55:c4:0e:a7:9d:95:88:2d:ed:15:19:c6:<br>
19:93:02:84:40:09:40:44:b1<br>
Exponent: 65537
(0x10001)<br>
Attributes:<br>
challengePassword
:secret<br>
Requested Extensions:<br>
X509v3 Subject
Alternative Name: critical<br>
IP
Address:10.129.25.186<br>
Signature Algorithm:
sha1WithRSAEncryption<br>
7e:85:96:60:54:ed:c7:fd:d4:9d:b9:48:4c:d6:5a:2d:b1:62:<br>
8f:26:58:04:da:f2:6d:cf:c7:59:dc:b5:b2:a9:69:8d:e0:df:<br>
4d:26:7b:51:3e:d5:f4:90:21:d9:20:69:6f:6f:e1:58:28:90:<br>
05:a7:38:1b:04:05:e6:84:03:78:95:90:d6:da:0c:56:c1:e9:<br>
16:d4:01:15:c5:5e:06:3f:44:48:6e:e5:dd:f6:dc:62:0a:f9:<br>
af:e7:c5:3d:0a:86:b1:99:40:90:ff:30:02:92:91:fb:dd:50:<br>
f0:df:bf:73:96:6f:04:3e:73:66:02:86:66:a0:00:fa:a7:58:<br>
ea:ae </blockquote>
<div><br>
</div>
<div>As you can see, the password is
"secret" and the CN is the UID from
flatfile.txt.</div>
<div><br>
</div>
<div>I welcome you all to try
enrolling with my server. I can then
try approving and see if it works.</div>
<div><br>
</div>
<div>Again, I very much appreciate all
of your help. Please excuse my wall
of text x_x</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Hayg</div>
</div>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
Pki-devel mailing list
<a href="mailto:Pki-devel@redhat.com" target="_blank">Pki-devel@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/pki-devel" target="_blank">https://www.redhat.com/mailman/listinfo/pki-devel</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
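<div>Added example, not part of the thread and not Dogtag code: the failure reported above (a wrong IP in flatfile.txt, with no clear error message) can be pre-checked with a small parser modeled only on the UID:/PWD: layout quoted in the thread. The function names and result strings are hypothetical, and which client identity the CA compares against UID is an assumption, so the caller passes it in.</div>

```python
import hmac

# Constructed sample, modeled on the flatfile.txt quoted in the thread.
SAMPLE_FLATFILE = """\
#UID:172.16.24.238
#PWD:1212
UID:10.129.25.186
PWD:secret
"""

def parse_flatfile(text):
    """Return (active, disabled): active maps UID -> PWD; disabled holds UIDs
    that appear only on '#'-commented lines. Layout assumed from the thread."""
    active, disabled, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        commented = line.startswith("#")
        key, sep, value = line.lstrip("#").partition(":")
        key, value = key.strip().upper(), value.strip()
        if not sep:
            current = None              # blank or free-form line ends an entry
        elif key == "UID":
            current = None if commented else value
            if commented:
                disabled.add(value)
        elif key == "PWD" and current is not None and not commented:
            active[current] = value     # PWD pairs with the preceding live UID
            current = None
    return active, disabled - set(active)

def _same(a, b):
    # Constant-time comparison of the shared secret.
    return hmac.compare_digest(a.encode(), b.encode())

def diagnose(text, uid, challenge):
    """Say why (uid, challenge) does or does not match an active entry.
    Hypothetical helper for local admin use; do not expose the result remotely."""
    active, disabled = parse_flatfile(text)
    if uid in active:
        return "match" if _same(active[uid], challenge) else "pwd-mismatch"
    if uid in disabled:
        return "uid-commented-out"
    # Right password under a different UID: the wrong-IP case from the thread.
    if any(_same(pwd, challenge) for pwd in active.values()):
        return "pwd-known-under-other-uid"
    return "uid-not-listed"
```

<div>Feed it the contents of the real flatfile.txt, the address the client will present, and the challengePassword from the CSR before running sscep.</div>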