[Freeipa-devel] certmonger "failed to verify signature on server response" after receiving valid certificate

Marx, Peter Peter.Marx at knorr-bremse.com
Mon Aug 22 10:55:19 UTC 2016


I'm testing with certmonger 0.78.6 (patched for the GETCACertChain bug) against two EJBCA servers. For verification I use a second SCEP client called jSCEP.

I started certmonger in debug mode with  "/usr/libexec/certmonger/certmonger-session -n -d 15"

The CA file in /root/.config/certmonger/cas  looks like this:

id=Test_Sweden
ca_aka=SCEP (certmonger 0.78.6)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/scep-submit -u http://ejbca-test2.primekey.se:8080/ejbca/publicweb/apply/scep/mxratest/pkiclient.exe -i "mx_kd3"
ca_capabilities=POSTPKIOperation,Renewal,SHA-1
scep_ca_identifier=iCOM Kunde1 Schweden
ca_encryption_cert=-----BEGIN CERTIFICATE-----
<bla>
-----END CERTIFICATE-----
ca_encryption_issuer_cert=-----BEGIN CERTIFICATE-----
<bla>
-----END CERTIFICATE-----



Issuing the request

"getcert request -c Test_Sweden -v -d /tmp/nssdb -g 2048 -I husky201 -p /tmp/pwd.txt -n husky201 -L abcd -N CN='husky201' -s"

gives this log:

2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for 0x7fbe6b0c02e0.
2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_call)->org.fedorahosted.certmonger:/org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request
2016-08-22 10:31:13 [22931] Pending GetConnectionUnixUser serial 135
2016-08-22 10:31:13 [22931] Pending GetConnectionUnixProcessID serial 136
2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for 0x7fbe6b0c02e0:0x7fbe6b0aa690.
2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for 0x7fbe6b0c02e0:0x7fbe6b0aa690.
2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for 0x7fbe6b0c02e0.
2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->135->73
2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->136->74
2016-08-22 10:31:13 [22931] User ID 0 PID 23133 called /org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request.
2016-08-22 10:31:13 [23135] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:31:13 [23135] Not attempting to set NSS FIPS mode.
2016-08-22 10:31:13 [23135] Skipping NSS internal slot (NSS Generic Crypto Services).
2016-08-22 10:31:13 [23135] Found token 'NSS Certificate DB'.
2016-08-22 10:31:13 [23135] Located the key 'husky201'.
2016-08-22 10:31:13 [23135] Converted private key 'husky201' to public key.
2016-08-22 10:31:13 [23135] Key is an RSA key.
2016-08-22 10:31:13 [23135] Key size is 2048.
2016-08-22 10:31:13 [23136] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:31:13 [23136] Not attempting to set NSS FIPS mode.
2016-08-22 10:31:13 [23136] Found token 'NSS Generic Crypto Services'.
2016-08-22 10:31:13 [23136] Cert storage slot still needs user PIN to be set.
2016-08-22 10:31:13 [23136] Found token 'NSS Certificate DB'.
2016-08-22 10:31:13 [23136] Error locating certificate.
2016-08-22 10:31:13 [22931] Request7('husky201') starts in state 'NEWLY_ADDED'
2016-08-22 10:31:13 [22931] Request7('husky201') taking writing lock
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'NEWLY_ADDED_START_READING_KEYINFO'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
2016-08-22 10:31:13 [22931] Started Request7('husky201').
2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for 0x7fbe6b0c02e0:0x7fbe6b09b4e0.
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'NEWLY_ADDED_READING_KEYINFO'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic from 11.
2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for 0x7fbe6b0c02e0:0x7fbe6b09b4e0.
2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for 0x7fbe6b0c02e0.
2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_call)->org.fedorahosted.certmonger:/org/fedorahosted/certmonger/requests/Request7:org.fedorahosted.certmonger.request.get_nickname
2016-08-22 10:31:13 [22931] Pending GetConnectionUnixUser serial 140
2016-08-22 10:31:13 [22931] Pending GetConnectionUnixProcessID serial 141
2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for 0x7fbe6b0c02e0:0x7fbe6b0ae0a0.
2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for 0x7fbe6b0c02e0:0x7fbe6b0ae0a0.
2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for 0x7fbe6b0c02e0.
2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->140->75
2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->141->76
2016-08-22 10:31:13 [22931] User ID 0 PID 23133 called /org/fedorahosted/certmonger/requests/Request7:org.fedorahosted.certmonger.request.get_nickname.
2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for 0x7fbe6b0c02e0:0x7fbe6b09b4e0.
2016-08-22 10:31:13 [23137] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:31:13 [23137] Not attempting to set NSS FIPS mode.
2016-08-22 10:31:13 [23137] Skipping NSS internal slot (NSS Generic Crypto Services).
2016-08-22 10:31:13 [23137] Found token 'NSS Certificate DB'.
2016-08-22 10:31:13 [23137] Located the key 'husky201'.
2016-08-22 10:31:13 [23137] Converted private key 'husky201' to public key.
2016-08-22 10:31:13 [23137] Key is an RSA key.
2016-08-22 10:31:13 [23137] Key size is 2048.
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'NEWLY_ADDED_START_READING_CERT'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'NEWLY_ADDED_READING_CERT'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic from 11.
2016-08-22 10:31:13 [23138] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:31:13 [23138] Not attempting to set NSS FIPS mode.
2016-08-22 10:31:13 [23138] Found token 'NSS Generic Crypto Services'.
2016-08-22 10:31:13 [23138] Cert storage slot still needs user PIN to be set.
2016-08-22 10:31:13 [23138] Found token 'NSS Certificate DB'.
2016-08-22 10:31:13 [23138] Error locating certificate.
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'NEWLY_ADDED_DECIDING'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
2016-08-22 10:31:13 [22931] Request7('husky201') releasing writing lock
2016-08-22 10:31:13 [22931] Request7('husky201') has no certificate, will attempt enrollment using already-present key
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'NEED_CSR'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'GENERATING_CSR'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic from 11.
2016-08-22 10:31:13 [23139] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:31:13 [23139] Not attempting to set NSS FIPS mode.
2016-08-22 10:31:13 [23139] Skipping NSS internal slot (NSS Generic Crypto Services).
2016-08-22 10:31:13 [23139] Found token 'NSS Certificate DB'.
2016-08-22 10:31:13 [23139] Located the key 'husky201'.
2016-08-22 10:31:13 [23139] Converted private key 'husky201' to public key.
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'HAVE_CSR'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'NEED_TO_SUBMIT'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'SUBMITTING'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic from 15.
2016-08-22 10:31:13 [22931] Certificate submission attempt complete.
2016-08-22 10:31:13 [22931] Child status = 16.
2016-08-22 10:31:13 [22931] Child output:

"Error reading request, expected PKCS7 data.
"
2016-08-22 10:31:13 [22931] Error reading request, expected PKCS7 data.
2016-08-22 10:31:13 [22931] Certificate not (yet?) issued.
2016-08-22 10:31:13 [22931] Request7('husky201') goes to a CA over SCEP, need to generate SCEP data.
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'NEED_SCEP_DATA'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'GENERATING_SCEP_DATA'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic from 11.
2016-08-22 10:31:13 [23141] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:31:13 [23141] Not attempting to set NSS FIPS mode.
2016-08-22 10:31:13 [23141] Generating dummy key.
2016-08-22 10:31:13 [23141] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:31:13 [23141] Not attempting to set NSS FIPS mode.
2016-08-22 10:31:13 [23141] Skipping NSS internal slot (NSS Generic Crypto Services).
2016-08-22 10:31:13 [23141] Found token 'NSS Certificate DB'.
2016-08-22 10:31:13 [23141] Located the key 'husky201'.
2016-08-22 10:31:13 [23141] Converted private key 'husky201' to public key.
2016-08-22 10:31:13 [23141] Server does not support DES3, using DES.
2016-08-22 10:31:13 [23141] Server does not support better digests, using MD5.
2016-08-22 10:31:13 [23141] Generating PKCSREQ pkiMessage.
2016-08-22 10:31:13 [23141] Setting transaction ID "46763632748922674693649122043315271915873922247404248201497767686509312971065".
2016-08-22 10:31:13 [23141] Setting message type "19".
2016-08-22 10:31:13 [23141] Setting sender nonce.
2016-08-22 10:31:13 [23141] Signed data.
2016-08-22 10:31:13 [23141] Generating GetCertInitial pkiMessage.
2016-08-22 10:31:13 [23141] Setting transaction ID "46763632748922674693649122043315271915873922247404248201497767686509312971065".
2016-08-22 10:31:13 [23141] Setting message type "20".
2016-08-22 10:31:13 [23141] Setting sender nonce.
2016-08-22 10:31:13 [23141] Signed data.
2016-08-22 10:31:13 [23141] Signing using old key.
2016-08-22 10:31:13 [23141] Re-signing PKCSREQ message with old key.
2016-08-22 10:31:13 [23141] Re-signing GetCertInitial message with old key.
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'HAVE_SCEP_DATA'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'NEED_TO_SUBMIT'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'SUBMITTING'
2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic from 15.
2016-08-22 10:31:15 [22931] Certificate submission attempt complete.
2016-08-22 10:31:15 [22931] Child status = 3.
2016-08-22 10:31:15 [22931] Child output:
"Error: failed to verify signature on server response.
"
2016-08-22 10:31:15 [22931] Error: failed to verify signature on server response.
2016-08-22 10:31:15 [22931] Certificate not (yet?) issued.
2016-08-22 10:31:15 [22931] Request7('husky201') moved to state 'CA_UNREACHABLE'
2016-08-22 10:31:15 [22931] Will revisit Request7('husky201') in 604800 seconds.

I recorded the client server communication and can clearly see that the server transmitted the certificate.

When using jSCEP client I can successfully download certificates from that server with  e.g.

$ openssl req -key test.key -new -days 30 -out test.pemreq -outform PEM # end entity set to mx_pre2

$ java -jar target/jscepcli-1.0-SNAPSHOT-exe.jar --ca-identifier mx_kd3 --challenge abcd --csr-file test.pemreq --dn "CN=mx_pre2" --key-file test.key \
--url http://ejbca-test2.primekey.se:8080/ejbca/publicweb/apply/scep/mxratest/pkiclient.exe



With certmonger I can successfully get a cert using another CA with an internal EJBCA server and this request:

"getcert request -c Test_Sweden -v -d /tmp/nssdb -g 2048 -I husky100 -p /tmp/pwd.txt -n husky100 -L abcd -N CN='husky100' -s"


id=KBCA
ca_aka=SCEP (certmonger 0.78.6)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/scep-submit -u http://mucs70202.corp.knorr-bremse.com:8080/ejbca/publicweb/apply/scep/pkiclient.exe -i "iCOM%20Kunde1%20Dev%20SubCA"
ca_capabilities=POSTPKIOperation,Renewal,SHA-1
scep_ca_identifier=KBCA
ca_encryption_cert=-----BEGIN CERTIFICATE-----
<bla>
-----END CERTIFICATE-----
ca_encryption_issuer_cert=-----BEGIN CERTIFICATE-----
<bla>
-----END CERTIFICATE-----
ca_encryption_cert_pool=-----BEGIN CERTIFICATE-----
<bla>
-----END CERTIFICATE-----



2016-08-22 10:05:24 [21621] User ID 0 PID 22278 called /org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request.
2016-08-22 10:05:24 [22280] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:05:24 [22280] Not attempting to set NSS FIPS mode.
2016-08-22 10:05:24 [22280] Skipping NSS internal slot (NSS Generic Crypto Services).
2016-08-22 10:05:24 [22280] Found token 'NSS Certificate DB'.
2016-08-22 10:05:24 [22280] Error locating a key.
2016-08-22 10:05:24 [22281] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:05:24 [22281] Not attempting to set NSS FIPS mode.
2016-08-22 10:05:24 [22281] Found token 'NSS Generic Crypto Services'.
2016-08-22 10:05:24 [22281] Cert storage slot still needs user PIN to be set.
2016-08-22 10:05:24 [22281] Found token 'NSS Certificate DB'.
2016-08-22 10:05:24 [22281] Error locating certificate.
2016-08-22 10:05:24 [21621] Request2('husky100') starts in state 'NEWLY_ADDED'
2016-08-22 10:05:24 [21621] Request2('husky100') taking writing lock
2016-08-22 10:05:24 [21621] Request2('husky100') moved to state 'NEWLY_ADDED_START_READING_KEYINFO'
2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:24 [21621] Started Request2('husky100').
2016-08-22 10:05:24 [21621] Queuing FD 8 for Read for 0x7fdf7bf25630:0x7fdf7bf33720.
2016-08-22 10:05:24 [21621] Request2('husky100') moved to state 'NEWLY_ADDED_READING_KEYINFO'
2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') on traffic from 11.
2016-08-22 10:05:24 [21621] Dequeuing FD 8 for Read for 0x7fdf7bf25630:0x7fdf7bf33720.
2016-08-22 10:05:24 [21621] Handling D-Bus traffic (Read) on FD 8 for 0x7fdf7bf25630.
2016-08-22 10:05:24 [21621] message 0x7fdf7bf25630(method_call)->org.fedorahosted.certmonger:/org/fedorahosted/certmonger/requests/Request2:org.fedorahosted.certmonger.request.get_nickname
2016-08-22 10:05:24 [21621] Pending GetConnectionUnixUser serial 1227
2016-08-22 10:05:24 [21621] Pending GetConnectionUnixProcessID serial 1228
2016-08-22 10:05:24 [21621] Queuing FD 8 for Read for 0x7fdf7bf25630:0x7fdf7bf2bc00.
2016-08-22 10:05:24 [21621] Dequeuing FD 8 for Read for 0x7fdf7bf25630:0x7fdf7bf2bc00.
2016-08-22 10:05:24 [21621] Handling D-Bus traffic (Read) on FD 8 for 0x7fdf7bf25630.
2016-08-22 10:05:24 [21621] message 0x7fdf7bf25630(method_return)->1227->819
2016-08-22 10:05:24 [21621] message 0x7fdf7bf25630(method_return)->1228->820
2016-08-22 10:05:24 [21621] User ID 0 PID 22278 called /org/fedorahosted/certmonger/requests/Request2:org.fedorahosted.certmonger.request.get_nickname.
2016-08-22 10:05:24 [21621] Queuing FD 8 for Read for 0x7fdf7bf25630:0x7fdf7bf33720.
2016-08-22 10:05:24 [22282] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:05:24 [22282] Not attempting to set NSS FIPS mode.
2016-08-22 10:05:24 [22282] Skipping NSS internal slot (NSS Generic Crypto Services).
2016-08-22 10:05:24 [22282] Found token 'NSS Certificate DB'.
2016-08-22 10:05:24 [22282] Error locating a key.
2016-08-22 10:05:24 [21621] Request2('husky100') moved to state 'NEWLY_ADDED_START_READING_CERT'
2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:24 [21621] Request2('husky100') moved to state 'NEWLY_ADDED_READING_CERT'
2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') on traffic from 11.
2016-08-22 10:05:25 [22283] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:05:25 [22283] Not attempting to set NSS FIPS mode.
2016-08-22 10:05:25 [22283] Found token 'NSS Generic Crypto Services'.
2016-08-22 10:05:25 [22283] Cert storage slot still needs user PIN to be set.
2016-08-22 10:05:25 [22283] Found token 'NSS Certificate DB'.
2016-08-22 10:05:25 [22283] Error locating certificate.
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'NEWLY_ADDED_DECIDING'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:25 [21621] Request2('husky100') releasing writing lock
2016-08-22 10:05:25 [21621] Request2('husky100') has no key or certificate, will generate keys and attempt enrollment
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'NEED_KEY_PAIR'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:25 [21621] Request2('husky100') taking writing lock
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'GENERATING_KEY_PAIR'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic from 11.
2016-08-22 10:05:25 [22284] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:05:25 [22284] Not attempting to set NSS FIPS mode.
2016-08-22 10:05:25 [22284] Found token 'NSS Certificate DB'.
2016-08-22 10:05:25 [22284] Generating key pair.
2016-08-22 10:05:25 [22284] Nickname "husky100" appears to be unused.
2016-08-22 10:05:25 [22284] Set nickname "husky100" on private key.
2016-08-22 10:05:25 [21621] Request2('husky100') releasing writing lock
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'HAVE_KEY_PAIR'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'NEED_KEYINFO'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'READING_KEYINFO'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic from 11.
2016-08-22 10:05:25 [22285] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:05:25 [22285] Not attempting to set NSS FIPS mode.
2016-08-22 10:05:25 [22285] Skipping NSS internal slot (NSS Generic Crypto Services).
2016-08-22 10:05:25 [22285] Found token 'NSS Certificate DB'.
2016-08-22 10:05:25 [22285] Located the key 'husky100'.
2016-08-22 10:05:25 [22285] Converted private key 'husky100' to public key.
2016-08-22 10:05:25 [22285] Key is an RSA key.
2016-08-22 10:05:25 [22285] Key size is 2048.
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'HAVE_KEYINFO'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'NEED_CSR'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'GENERATING_CSR'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic from 11.
2016-08-22 10:05:25 [22286] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:05:25 [22286] Not attempting to set NSS FIPS mode.
2016-08-22 10:05:25 [22286] Skipping NSS internal slot (NSS Generic Crypto Services).
2016-08-22 10:05:25 [22286] Found token 'NSS Certificate DB'.
2016-08-22 10:05:25 [22286] Located the key 'husky100'.
2016-08-22 10:05:25 [22286] Converted private key 'husky100' to public key.
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'HAVE_CSR'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'NEED_TO_SUBMIT'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'SUBMITTING'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic from 15.
2016-08-22 10:05:25 [21621] Certificate submission attempt complete.
2016-08-22 10:05:25 [21621] Child status = 16.
2016-08-22 10:05:25 [21621] Child output:
"Error reading request, expected PKCS7 data.
"
2016-08-22 10:05:25 [21621] Error reading request, expected PKCS7 data.
2016-08-22 10:05:25 [21621] Certificate not (yet?) issued.
2016-08-22 10:05:25 [21621] Request2('husky100') goes to a CA over SCEP, need to generate SCEP data.
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'NEED_SCEP_DATA'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'GENERATING_SCEP_DATA'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic from 11.
2016-08-22 10:05:25 [22288] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:05:25 [22288] Not attempting to set NSS FIPS mode.
2016-08-22 10:05:25 [22288] Generating dummy key.
2016-08-22 10:05:25 [22288] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:05:25 [22288] Not attempting to set NSS FIPS mode.
2016-08-22 10:05:25 [22288] Skipping NSS internal slot (NSS Generic Crypto Services).
2016-08-22 10:05:25 [22288] Found token 'NSS Certificate DB'.
2016-08-22 10:05:25 [22288] Located the key 'husky100'.
2016-08-22 10:05:25 [22288] Converted private key 'husky100' to public key.
2016-08-22 10:05:25 [22288] Server does not support DES3, using DES.
2016-08-22 10:05:25 [22288] Server does not support better digests, using MD5.
2016-08-22 10:05:25 [22288] Generating PKCSREQ pkiMessage.
2016-08-22 10:05:25 [22288] Setting transaction ID "89399340103492129363376569585892061602695437784280139265051808388486717974760".
2016-08-22 10:05:25 [22288] Setting message type "19".
2016-08-22 10:05:25 [22288] Setting sender nonce.
2016-08-22 10:05:25 [22288] Signed data.
2016-08-22 10:05:25 [22288] Generating GetCertInitial pkiMessage.
2016-08-22 10:05:25 [22288] Setting transaction ID "89399340103492129363376569585892061602695437784280139265051808388486717974760".
2016-08-22 10:05:25 [22288] Setting message type "20".
2016-08-22 10:05:25 [22288] Setting sender nonce.
2016-08-22 10:05:25 [22288] Signed data.
2016-08-22 10:05:25 [22288] Signing using old key.
2016-08-22 10:05:25 [22288] Re-signing PKCSREQ message with old key.
2016-08-22 10:05:25 [22288] Re-signing GetCertInitial message with old key.
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'HAVE_SCEP_DATA'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'NEED_TO_SUBMIT'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'SUBMITTING'
2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic from 15.
2016-08-22 10:05:26 [21621] Certificate submission attempt complete.
2016-08-22 10:05:26 [21621] Child status = 0.
2016-08-22 10:05:26 [21621] Child output:
"-----BEGIN PKCS7-----
-----END PKCS7-----
"
2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic from 11.
2016-08-22 10:05:26 [22292] Postprocessing output "-----BEGIN PKCS7-----
-----END PKCS7-----
".
2016-08-22 10:05:26 [22292] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:05:26 [22292] Not attempting to set NSS FIPS mode.
2016-08-22 10:05:26 [22292] Skipping NSS internal slot (NSS Generic Crypto Services).
2016-08-22 10:05:26 [22292] Found token 'NSS Certificate DB'.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
2016-08-22 10:05:26 [22292] error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
2016-08-22 10:05:26 [22292] error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
2016-08-22 10:05:26 [22292] error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
2016-08-22 10:05:26 [22292] Succeeded in decrypting enveloped data.
2016-08-22 10:05:26 [22292] Succeeded in decrypting enveloped data.
2016-08-22 10:05:26 [21621] Certificate submission postprocessing complete.
2016-08-22 10:05:26 [21621] Child status = 0.
2016-08-22 10:05:26 [21621] Child output:
"{"certificate":"-----BEGIN CERTIFICATE-----\nMIIDKjCCAhKgAwIBAgIIBVULrGtczBowDQYJKoZIhvcNAQEFBQAwIDEeMBwGA1UE\nAwwVaUNPTSBLdW5kZTEgRGV2IFN1YkNBMB4XDTE2MDgyMjA3NTUyNloXDTI2MDYw\nOTE0MjYxMVowEzERMA8GA1UEAwwIaHVza3kxMDAwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQCwj6TZXwh2TD1UJuEc/LhjgUF91BJ4OOpjt2uOyfTsGaFO\nDykz0tEWyXRk7mkHQeqC/isVD0CYz6bhks2HwwqMAIc37eaz/uEIPQu4rz59gUMl\nVkh93YOtX2JlsQ0y0QPuwIGgb3Z1NX8MbhlE0GpLrb2vY8Y0TpBjwGpbagaMRPgz\nyP2v62jau9xn+72VTjOxNImJH/8V1UTDl1gt0lR2XH5dMeo+weVW8ZUvgDykhQDj\nq4V/trRW+556owhPv2ALBpuubp99d2rfPSdWnLg7JCtpIEIGq9KcEIfV1Bq/d4zb\n3PVrb1xZIb2vCOYyijUr8OCpgMslTM1WiKdIw9GTAgMBAAGjdTBzMAwGA1UdEwEB\n/wQCMAAwHwYDVR0jBBgwFoAUp+pgIuSdJoXPRmZ6unXbKtfB2NowEwYDVR0lBAww\nCgYIKwYBBQUHAwIwHQYDVR0OBBYEFCKFlaNB18Tf7Njwy/8I1aDPge3DMA4GA1Ud\nDwEB/wQEAwIFoDANBgkqhkiG9w0BAQUFAAOCAQEAho5avfYElYPaUxr9diXxG4aA\nVijNIiGXa6FmOwmMmR2h2UUqn11doNbkR+Zv4FFjMqdlWQh4aMLhn6Z0+ahSx3NY\nHG0saJfV88loRb+zC03yOyPIjEmFo4d2Vc+CsXAQ49ElHVKjqqC3JaMrma/EfMQ2\nW6Sc8x55smgPXjPLf8VytHdjH/ZeCDFbBYqs8CS0JbjP2UppEjwWAv4r8QH8VWuz\n97kxRpXFVTXb/gJUCxNqJRCU1aFTfO1L6x9BzfVKJX73nyAuQmZ+090PJIFCTTx/\nexdeoX0EBPeGmV7XjAO5GqGq+P6i3oeJ/Z8Kvug0XzlUSc55SMbc+z2B07GVIA==\n-----END CERTIFICATE-----\n","key_checked":true}
"
2016-08-22 10:05:26 [21621] Issued certificate is "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
".
2016-08-22 10:05:26 [21621] Certificate issued (0 chain certificates, 0 roots).
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'NEED_TO_SAVE_CERT'
2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:26 [21621] Request2('husky100') taking writing lock
2016-08-22 10:05:26 [21621] No hooks set for pre-save command.
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'START_SAVING_CERT'
2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'SAVING_CERT'
2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic from 11.
2016-08-22 10:05:26 [22293] No duplicate nickname entries.
2016-08-22 10:05:26 [22293] No duplicate subject name entries.
2016-08-22 10:05:26 [22293] Imported certificate "husky100", got nickname "husky100".
2016-08-22 10:05:26 [22293] Removed name from old key.
2016-08-22 10:05:26 [22293] Error shutting down NSS.
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'SAVED_CERT'
2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'NEED_TO_SAVE_CA_CERTS'
2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'START_SAVING_CA_CERTS'
2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'SAVING_CA_CERTS'
2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic from 11.
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'NEED_TO_READ_CERT'
2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'READING_CERT'
2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic from 11.
2016-08-22 10:05:26 [22295] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:05:26 [22295] Not attempting to set NSS FIPS mode.
2016-08-22 10:05:26 [22295] Found token 'NSS Generic Crypto Services'.
2016-08-22 10:05:26 [22295] Cert storage slot still needs user PIN to be set.
2016-08-22 10:05:26 [22295] Found token 'NSS Certificate DB'.
2016-08-22 10:05:26 [22295] Located the certificate "husky100".
2016-08-22 10:05:26 [22295] Read value "0" from "/proc/sys/crypto/fips_enabled".
2016-08-22 10:05:26 [22295] Not attempting to set NSS FIPS mode.
2016-08-22 10:05:26 [21621] No hooks set for post-save command.
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'NEED_TO_NOTIFY_ISSUED_SAVED'
2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
2016-08-22 10:05:26 [21621] Request2('husky100') releasing writing lock
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'NOTIFYING_ISSUED_SAVED'
2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic from 11.
2016-08-22 10:05:26 [22296] 0x1d Certificate named "husky100" in token "NSS Certificate DB" in database "/tmp/nssdb" issued by CA and saved.
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'MONITORING'
2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') soon.
2016-08-22 10:05:31 [21621] Will revisit Request2('husky100') in 86400 seconds.

Besides the "Error reading request, expected PKCS7 data" error, which always shows up, and the "Error decrypting bulk key: SEC_ERROR_BAD_DATA" errors (?), the cert is finally issued and stored in the NSS DB.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8344117917752670949 (0x73cc4309839ebae5)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=mx_kd3
        Validity
            Not Before: Aug 19 16:03:29 2016 GMT
            Not After : Aug  2 15:23:36 2017 GMT
        Subject: CN=mx_pre2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D7:06:53:64:27:62:69:3B:ED:79:B2:6A:D8:94:DD:EE:B6:9C:51:44
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:8C:DB:52:66:8F:60:01:FA:58:8D:82:06:01:25:9C:2C:7D:D0:A0:14

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
subject= /CN=mx_pre2
issuer= /CN=mx_kd3
SHA1 Fingerprint=C3:B6:32:E9:70:E8:0F:98:A5:77:8E:96:13:5B:F8:40:63:37:29:7E

So the question is why certmonger fails to verify the signature on the server response depending on which server I try.

What is included in the checks? Hostname of clients/servers?

How can I debug this? I'm not an experienced C programmer and was just able to apply that GetCACertchain fix in scep.c and build certmonger with that.

Peter
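
For the "How can I debug this?" question, one way to compare a working run and a failing run is to reduce each debug log to its per-request state path and the error lines that surround it. This is an added example, not part of the original message and not certmonger code; the log excerpt is constructed, and tying an error to the most recently changed request is a heuristic, since helper processes log under their own PIDs.

```python
import re
from collections import defaultdict

# Line shape used by the debug log in the post: "<date> <time> [<pid>] <message>"
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\d+)\] (.*)$")
STATE = re.compile(r"^\w+\('([^']+)'\) moved to state '([A-Z_]+)'$")
# Error strings quoted in the post; extend the tuple for other messages.
ERRORS = (
    "failed to verify signature on server response",
    "Error reading request, expected PKCS7 data",
    "Error decrypting bulk key",
)

def summarize(log_text):
    """Return (paths, hits): state path per request, and error lines with context."""
    paths, hits, current = defaultdict(list), [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign lines are skipped, not guessed at
        ts, pid, msg = m.groups()
        s = STATE.match(msg)
        if s:
            current = s.group(1)
            paths[current].append(s.group(2))
            continue
        for needle in ERRORS:
            if needle in msg:
                # Heuristic: attribute the error to the last request that changed state.
                state = paths[current][-1] if current else None
                hits.append({"time": ts, "pid": int(pid), "error": needle,
                             "request": current, "state": state})
    return dict(paths), hits

# Constructed sample: timestamps, PIDs and all husky201 lines (including the
# SUBMITTING state) are assumptions; husky100 states and error strings are from the post.
SAMPLE = """\
2016-08-22 10:05:25 [22290] Error reading request, expected PKCS7 data.
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'NEED_TO_READ_CERT'
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'READING_CERT'
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'MONITORING'
2016-08-22 10:31:14 [22931] Request3('husky201') moved to state 'SUBMITTING'
2016-08-22 10:31:15 [23140] Error: failed to verify signature on server response.
"""

if __name__ == "__main__":
    paths, hits = summarize(SAMPLE)
    for req, path in paths.items():
        print(req, "->", " > ".join(path))
    for h in hits:
        print(h["time"], h["pid"], h["request"], h["state"], h["error"])
```

Running it over the full `-d 15` output from each EJBCA server gives two short summaries that can be diffed to see at which state the failing run departs from the working one.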
