[Freeipa-devel] certmonger "failed to verify signature on server response" after receiving valid certificate

Rob Crittenden rcritten at redhat.com
Mon Aug 22 14:09:08 UTC 2016


Marx, Peter wrote:
> I’m testing with certmonger 0.78.6 (patched for the GETCACertChain bug)
> against two EJBCA servers. For verification I use a second SCEP client
> called jSCEP.
>
> I started certmonger in debug mode with
>   “/usr/libexec/certmonger/certmonger-session -n -d 15”
>
> The CA file in /root/.config/certmonger/cas  looks like this:
>
> id=Test_Sweden
>
> ca_aka=SCEP (certmonger 0.78.6)
>
> ca_is_default=0
>
> ca_type=EXTERNAL
>
> ca_external_helper=/usr/libexec/certmonger/scep-submit -u
> http://ejbca-test2.primekey.se:8080/ejbca/publicweb/apply/scep/mxratest/pkiclient.exe
> -i "mx_kd3"
>
> ca_capabilities=POSTPKIOperation,Renewal,SHA-1
>
> scep_ca_identifier=iCOM Kunde1 Schweden
>
> ca_encryption_cert=-----BEGIN CERTIFICATE-----
>
> <bla>
>
> -----END CERTIFICATE-----
>
> ca_encryption_issuer_cert=-----BEGIN CERTIFICATE-----
>
> <bla>
>
> -----END CERTIFICATE-----

It looks to me that certmonger can't verify the signature of the 
returned PKCS#7 data. I'd double check the value of 
ca_encryption_issuer_cert.

rob
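
One way to reduce a certmonger debug log like the one quoted in this message to the per-request facts worth reviewing: state path, helper exit status and error text, the algorithms the SCEP helper fell back to, and the retry delay. This is an added example, not part of the original post and not certmonger code; the function names and the rule that untagged lines belong to the most recently named request are assumptions, and the sample is a constructed, shortened copy of the failing run.

```python
import re

# Constructed sample: a shortened copy of the failing run quoted in this
# thread, with the mail quoting ("> ") and the wrapped lines left in place.
SAMPLE_LOG = """\
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
> 'NEED_SCEP_DATA'
>
> 2016-08-22 10:31:13 [23141] Server does not support DES3, using DES.
>
> 2016-08-22 10:31:13 [23141] Server does not support better digests,
> using MD5.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'SUBMITTING'
>
> 2016-08-22 10:31:15 [22931] Certificate submission attempt complete.
>
> 2016-08-22 10:31:15 [22931] Child status = 3.
>
> 2016-08-22 10:31:15 [22931] Child output:
>
> "Error: failed to verify signature on server response.
>
> "
>
> 2016-08-22 10:31:15 [22931] Error: failed to verify signature on server
> response.
>
> 2016-08-22 10:31:15 [22931] Request7('husky201') moved to state
> 'CA_UNREACHABLE'
>
> 2016-08-22 10:31:15 [22931] Will revisit Request7('husky201') in 604800
> seconds.
"""

RECORD = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \[\d+\] (.*)$")
STATE = re.compile(r"Request\d+\('([^']+)'\) (?:starts in|moved to) state '([A-Z_]+)'")
RETRY = re.compile(r"Will revisit Request\d+\('([^']+)'\) in (\d+) seconds")
STATUS = re.compile(r"^Child status = (\d+)\.$")
OUTPUT = re.compile(r'^Child output: "(.*)"$')
FALLBACK = re.compile(r"^Server does not support .+, using (\w+)\.$")


def messages(text):
    """Yield one message per log record, undoing mail quoting and wrapping."""
    buf = None
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m:                      # a timestamp starts a new record
            if buf is not None:
                yield buf
            buf = m.group(1)
        elif buf is not None:      # anything else continues the previous one
            buf += " " + line
    if buf is not None:
        yield buf


def _new():
    return {"states": [], "child_statuses": [], "errors": [],
            "fallback_algorithms": [], "retry_seconds": None}


def summarize(text):
    """Return {nickname: summary} for every request named in the log."""
    reqs, active = {}, None
    for msg in messages(text):
        m = STATE.search(msg)
        if m:
            active = m.group(1)
            reqs.setdefault(active, _new())["states"].append(m.group(2))
            continue
        m = RETRY.search(msg)
        if m:
            reqs.setdefault(m.group(1), _new())["retry_seconds"] = int(m.group(2))
            continue
        if active is None:
            continue
        # Assumption: lines that name no request (helper status, helper
        # output, child-process messages) belong to the last request named.
        req = reqs[active]
        m = STATUS.match(msg)
        if m:
            req["child_statuses"].append(int(m.group(1)))
            continue
        m = OUTPUT.match(msg)
        if m:
            # Keep helper output only when the helper reported a failure,
            # so PKCS#7 payloads from successful runs are not collected.
            if req["child_statuses"] and req["child_statuses"][-1] != 0:
                req["errors"].append(m.group(1).strip())
            continue
        m = FALLBACK.match(msg)
        if m:                      # e.g. DES and MD5, both weak choices
            req["fallback_algorithms"].append(m.group(1))
    for req in reqs.values():
        req["final_state"] = req["states"][-1] if req["states"] else None
    return reqs


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_LOG).items():
        print(name, info)
```
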

>
> Issuing the request
>
> “getcert request -c Test_Sweden -v -d /tmp/nssdb -g 2048 -I husky201 -p
> /tmp/pwd.txt -n husky201 -L abcd -N CN='husky201' -s”
>
> gives this log:
>
> 2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for
> 0x7fbe6b0c02e0.
>
> 2016-08-22 10:31:13 [22931] message
> 0x7fbe6b0c02e0(method_call)->org.fedorahosted.certmonger:/org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request
>
> 2016-08-22 10:31:13 [22931] Pending GetConnectionUnixUser serial 135
>
> 2016-08-22 10:31:13 [22931] Pending GetConnectionUnixProcessID serial 136
>
> 2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for
> 0x7fbe6b0c02e0:0x7fbe6b0aa690.
>
> 2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for
> 0x7fbe6b0c02e0:0x7fbe6b0aa690.
>
> 2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for
> 0x7fbe6b0c02e0.
>
> 2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->135->73
>
> 2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->136->74
>
> 2016-08-22 10:31:13 [22931] User ID 0 PID 23133 called
> /org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request.
>
> 2016-08-22 10:31:13 [23135] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23135] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23135] Skipping NSS internal slot (NSS Generic
> Crypto Services).
>
> 2016-08-22 10:31:13 [23135] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:31:13 [23135] Located the key 'husky201'.
>
> 2016-08-22 10:31:13 [23135] Converted private key 'husky201' to public key.
>
> 2016-08-22 10:31:13 [23135] Key is an RSA key.
>
> 2016-08-22 10:31:13 [23135] Key size is 2048.
>
> 2016-08-22 10:31:13 [23136] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23136] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23136] Found token 'NSS Generic Crypto Services'.
>
> 2016-08-22 10:31:13 [23136] Cert storage slot still needs user PIN to be
> set.
>
> 2016-08-22 10:31:13 [23136] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:31:13 [23136] Error locating certificate.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') starts in state
> 'NEWLY_ADDED'
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') taking writing lock
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
> 'NEWLY_ADDED_START_READING_KEYINFO'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Started Request7('husky201').
>
> 2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for
> 0x7fbe6b0c02e0:0x7fbe6b09b4e0.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
> 'NEWLY_ADDED_READING_KEYINFO'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic
> from 11.
>
> 2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for
> 0x7fbe6b0c02e0:0x7fbe6b09b4e0.
>
> 2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for
> 0x7fbe6b0c02e0.
>
> 2016-08-22 10:31:13 [22931] message
> 0x7fbe6b0c02e0(method_call)->org.fedorahosted.certmonger:/org/fedorahosted/certmonger/requests/Request7:org.fedorahosted.certmonger.request.get_nickname
>
> 2016-08-22 10:31:13 [22931] Pending GetConnectionUnixUser serial 140
>
> 2016-08-22 10:31:13 [22931] Pending GetConnectionUnixProcessID serial 141
>
> 2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for
> 0x7fbe6b0c02e0:0x7fbe6b0ae0a0.
>
> 2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for
> 0x7fbe6b0c02e0:0x7fbe6b0ae0a0.
>
> 2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for
> 0x7fbe6b0c02e0.
>
> 2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->140->75
>
> 2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->141->76
>
> 2016-08-22 10:31:13 [22931] User ID 0 PID 23133 called
> /org/fedorahosted/certmonger/requests/Request7:org.fedorahosted.certmonger.request.get_nickname.
>
> 2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for
> 0x7fbe6b0c02e0:0x7fbe6b09b4e0.
>
> 2016-08-22 10:31:13 [23137] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23137] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23137] Skipping NSS internal slot (NSS Generic
> Crypto Services).
>
> 2016-08-22 10:31:13 [23137] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:31:13 [23137] Located the key 'husky201'.
>
> 2016-08-22 10:31:13 [23137] Converted private key 'husky201' to public key.
>
> 2016-08-22 10:31:13 [23137] Key is an RSA key.
>
> 2016-08-22 10:31:13 [23137] Key size is 2048.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
> 'NEWLY_ADDED_START_READING_CERT'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
> 'NEWLY_ADDED_READING_CERT'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic
> from 11.
>
> 2016-08-22 10:31:13 [23138] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23138] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23138] Found token 'NSS Generic Crypto Services'.
>
> 2016-08-22 10:31:13 [23138] Cert storage slot still needs user PIN to be
> set.
>
> 2016-08-22 10:31:13 [23138] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:31:13 [23138] Error locating certificate.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
> 'NEWLY_ADDED_DECIDING'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') releasing writing lock
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') has no certificate,
> will attempt enrollment using already-present key
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'NEED_CSR'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
> 'GENERATING_CSR'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic
> from 11.
>
> 2016-08-22 10:31:13 [23139] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23139] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23139] Skipping NSS internal slot (NSS Generic
> Crypto Services).
>
> 2016-08-22 10:31:13 [23139] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:31:13 [23139] Located the key 'husky201'.
>
> 2016-08-22 10:31:13 [23139] Converted private key 'husky201' to public key.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'HAVE_CSR'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
> 'NEED_TO_SUBMIT'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'SUBMITTING'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic
> from 15.
>
> 2016-08-22 10:31:13 [22931] Certificate submission attempt complete.
>
> 2016-08-22 10:31:13 [22931] Child status = 16.
>
> 2016-08-22 10:31:13 [22931] Child output:
>
> "Error reading request, expected PKCS7 data.
>
> "
>
> 2016-08-22 10:31:13 [22931] Error reading request, expected PKCS7 data.
>
> 2016-08-22 10:31:13 [22931] Certificate not (yet?) issued.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') goes to a CA over SCEP,
> need to generate SCEP data.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
> 'NEED_SCEP_DATA'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
> 'GENERATING_SCEP_DATA'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic
> from 11.
>
> 2016-08-22 10:31:13 [23141] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23141] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23141] Generating dummy key.
>
> 2016-08-22 10:31:13 [23141] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23141] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23141] Skipping NSS internal slot (NSS Generic
> Crypto Services).
>
> 2016-08-22 10:31:13 [23141] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:31:13 [23141] Located the key 'husky201'.
>
> 2016-08-22 10:31:13 [23141] Converted private key 'husky201' to public key.
>
> 2016-08-22 10:31:13 [23141] Server does not support DES3, using DES.
>
> 2016-08-22 10:31:13 [23141] Server does not support better digests,
> using MD5.
>
> 2016-08-22 10:31:13 [23141] Generating PKCSREQ pkiMessage.
>
> 2016-08-22 10:31:13 [23141] Setting transaction ID
> "46763632748922674693649122043315271915873922247404248201497767686509312971065".
>
> 2016-08-22 10:31:13 [23141] Setting message type "19".
>
> 2016-08-22 10:31:13 [23141] Setting sender nonce.
>
> 2016-08-22 10:31:13 [23141] Signed data.
>
> 2016-08-22 10:31:13 [23141] Generating GetCertInitial pkiMessage.
>
> 2016-08-22 10:31:13 [23141] Setting transaction ID
> "46763632748922674693649122043315271915873922247404248201497767686509312971065".
>
> 2016-08-22 10:31:13 [23141] Setting message type "20".
>
> 2016-08-22 10:31:13 [23141] Setting sender nonce.
>
> 2016-08-22 10:31:13 [23141] Signed data.
>
> 2016-08-22 10:31:13 [23141] Signing using old key.
>
> 2016-08-22 10:31:13 [23141] Re-signing PKCSREQ message with old key.
>
> 2016-08-22 10:31:13 [23141] Re-signing GetCertInitial message with old key.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
> 'HAVE_SCEP_DATA'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
> 'NEED_TO_SUBMIT'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'SUBMITTING'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic
> from 15.
>
> 2016-08-22 10:31:15 [22931] Certificate submission attempt complete.
>
> 2016-08-22 10:31:15 [22931] Child status = 3.
>
> 2016-08-22 10:31:15 [22931] Child output:
>
> "Error: failed to verify signature on server response.
>
> "
>
> 2016-08-22 10:31:15 [22931] Error: failed to verify signature on server
> response.
>
> 2016-08-22 10:31:15 [22931] Certificate not (yet?) issued.
>
> 2016-08-22 10:31:15 [22931] Request7('husky201') moved to state
> 'CA_UNREACHABLE'
>
> 2016-08-22 10:31:15 [22931] Will revisit Request7('husky201') in 604800
> seconds.
>
> I recorded the client server communication and can clearly see that the
> server transmitted the certificate.
>
> When using jSCEP client I can successfully download certificates from
> that server with  e.g.
>
> $ openssl req -key test.key -new -days 30 -out test.pemreq -outform PEM
> # end entity set to mx_pre2
>
> $ java -jar target/jscepcli-1.0-SNAPSHOT-exe.jar --ca-identifier mx_kd3
> --challenge abcd --csr-file test.pemreq --dn "CN=mx_pre2" --key-file
> test.key \
>
> --url
> http://ejbca-test2.primekey.se:8080/ejbca/publicweb/apply/scep/mxratest/pkiclient.exe
>
> With certmonger I can successfully get a cert using another CA with an
> internal EJBCA server and this request:
>
> “getcert request -c Test_Sweden -v -d /tmp/nssdb -g 2048 -I husky100 -p
> /tmp/pwd.txt -n husky100 -L abcd -N CN='husky100' -s”
>
> id=KBCA
>
> ca_aka=SCEP (certmonger 0.78.6)
>
> ca_is_default=0
>
> ca_type=EXTERNAL
>
> ca_external_helper=/usr/libexec/certmonger/scep-submit -u
> http://mucs70202.corp.knorr-bremse.com:8080/ejbca/publicweb/apply/scep/pkiclient.exe
> -i "iCOM%20Kunde1%20Dev%20SubCA"
>
> ca_capabilities=POSTPKIOperation,Renewal,SHA-1
>
> scep_ca_identifier=KBCA
>
> ca_encryption_cert=-----BEGIN CERTIFICATE-----
>
> <bla>
>
> -----END CERTIFICATE-----
>
> ca_encryption_issuer_cert=-----BEGIN CERTIFICATE-----
>
> <bla>
>
> -----END CERTIFICATE-----
>
> *ca_encryption_cert_pool*=-----BEGIN CERTIFICATE-----
>
> <bla>
>
> -----END CERTIFICATE-----
>
> 2016-08-22 10:05:24 [21621] User ID 0 PID 22278 called
> /org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request.
>
> 2016-08-22 10:05:24 [22280] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:24 [22280] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:24 [22280] Skipping NSS internal slot (NSS Generic
> Crypto Services).
>
> 2016-08-22 10:05:24 [22280] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:24 [22280] Error locating a key.
>
> 2016-08-22 10:05:24 [22281] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:24 [22281] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:24 [22281] Found token 'NSS Generic Crypto Services'.
>
> 2016-08-22 10:05:24 [22281] Cert storage slot still needs user PIN to be
> set.
>
> 2016-08-22 10:05:24 [22281] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:24 [22281] Error locating certificate.
>
> 2016-08-22 10:05:24 [21621] Request2('husky100') starts in state
> 'NEWLY_ADDED'
>
> 2016-08-22 10:05:24 [21621] Request2('husky100') taking writing lock
>
> 2016-08-22 10:05:24 [21621] Request2('husky100') moved to state
> 'NEWLY_ADDED_START_READING_KEYINFO'
>
> 2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:24 [21621] Started Request2('husky100').
>
> 2016-08-22 10:05:24 [21621] Queuing FD 8 for Read for
> 0x7fdf7bf25630:0x7fdf7bf33720.
>
> 2016-08-22 10:05:24 [21621] Request2('husky100') moved to state
> 'NEWLY_ADDED_READING_KEYINFO'
>
> 2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') on traffic
> from 11.
>
> 2016-08-22 10:05:24 [21621] Dequeuing FD 8 for Read for
> 0x7fdf7bf25630:0x7fdf7bf33720.
>
> 2016-08-22 10:05:24 [21621] Handling D-Bus traffic (Read) on FD 8 for
> 0x7fdf7bf25630.
>
> 2016-08-22 10:05:24 [21621] message
> 0x7fdf7bf25630(method_call)->org.fedorahosted.certmonger:/org/fedorahosted/certmonger/requests/Request2:org.fedorahosted.certmonger.request.get_nickname
>
> 2016-08-22 10:05:24 [21621] Pending GetConnectionUnixUser serial 1227
>
> 2016-08-22 10:05:24 [21621] Pending GetConnectionUnixProcessID serial 1228
>
> 2016-08-22 10:05:24 [21621] Queuing FD 8 for Read for
> 0x7fdf7bf25630:0x7fdf7bf2bc00.
>
> 2016-08-22 10:05:24 [21621] Dequeuing FD 8 for Read for
> 0x7fdf7bf25630:0x7fdf7bf2bc00.
>
> 2016-08-22 10:05:24 [21621] Handling D-Bus traffic (Read) on FD 8 for
> 0x7fdf7bf25630.
>
> 2016-08-22 10:05:24 [21621] message 0x7fdf7bf25630(method_return)->1227->819
>
> 2016-08-22 10:05:24 [21621] message 0x7fdf7bf25630(method_return)->1228->820
>
> 2016-08-22 10:05:24 [21621] User ID 0 PID 22278 called
> /org/fedorahosted/certmonger/requests/Request2:org.fedorahosted.certmonger.request.get_nickname.
>
> 2016-08-22 10:05:24 [21621] Queuing FD 8 for Read for
> 0x7fdf7bf25630:0x7fdf7bf33720.
>
> 2016-08-22 10:05:24 [22282] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:24 [22282] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:24 [22282] Skipping NSS internal slot (NSS Generic
> Crypto Services).
>
> 2016-08-22 10:05:24 [22282] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:24 [22282] Error locating a key.
>
> 2016-08-22 10:05:24 [21621] Request2('husky100') moved to state
> 'NEWLY_ADDED_START_READING_CERT'
>
> 2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:24 [21621] Request2('husky100') moved to state
> 'NEWLY_ADDED_READING_CERT'
>
> 2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') on traffic
> from 11.
>
> 2016-08-22 10:05:25 [22283] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:25 [22283] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:25 [22283] Found token 'NSS Generic Crypto Services'.
>
> 2016-08-22 10:05:25 [22283] Cert storage slot still needs user PIN to be
> set.
>
> 2016-08-22 10:05:25 [22283] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:25 [22283] Error locating certificate.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
> 'NEWLY_ADDED_DECIDING'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') releasing writing lock
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') has no key or
> certificate, will generate keys and attempt enrollment
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
> 'NEED_KEY_PAIR'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') taking writing lock
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
> 'GENERATING_KEY_PAIR'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic
> from 11.
>
> 2016-08-22 10:05:25 [22284] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:25 [22284] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:25 [22284] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:25 [22284] Generating key pair.
>
> 2016-08-22 10:05:25 [22284] Nickname "husky100" appears to be unused.
>
> 2016-08-22 10:05:25 [22284] Set nickname "husky100" on private key.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') releasing writing lock
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
> 'HAVE_KEY_PAIR'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
> 'NEED_KEYINFO'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
> 'READING_KEYINFO'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic
> from 11.
>
> 2016-08-22 10:05:25 [22285] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:25 [22285] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:25 [22285] Skipping NSS internal slot (NSS Generic
> Crypto Services).
>
> 2016-08-22 10:05:25 [22285] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:25 [22285] Located the key 'husky100'.
>
> 2016-08-22 10:05:25 [22285] Converted private key 'husky100' to public key.
>
> 2016-08-22 10:05:25 [22285] Key is an RSA key.
>
> 2016-08-22 10:05:25 [22285] Key size is 2048.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
> 'HAVE_KEYINFO'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'NEED_CSR'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
> 'GENERATING_CSR'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic
> from 11.
>
> 2016-08-22 10:05:25 [22286] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:25 [22286] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:25 [22286] Skipping NSS internal slot (NSS Generic
> Crypto Services).
>
> 2016-08-22 10:05:25 [22286] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:25 [22286] Located the key 'husky100'.
>
> 2016-08-22 10:05:25 [22286] Converted private key 'husky100' to public key.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'HAVE_CSR'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
> 'NEED_TO_SUBMIT'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'SUBMITTING'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic
> from 15.
>
> 2016-08-22 10:05:25 [21621] Certificate submission attempt complete.
>
> 2016-08-22 10:05:25 [21621] Child status = 16.
>
> 2016-08-22 10:05:25 [21621] Child output:
>
> "Error reading request, expected PKCS7 data.
>
> "
>
> 2016-08-22 10:05:25 [21621] Error reading request, expected PKCS7 data.
>
> 2016-08-22 10:05:25 [21621] Certificate not (yet?) issued.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') goes to a CA over SCEP,
> need to generate SCEP data.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
> 'NEED_SCEP_DATA'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
> 'GENERATING_SCEP_DATA'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic
> from 11.
>
> 2016-08-22 10:05:25 [22288] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:25 [22288] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:25 [22288] Generating dummy key.
>
> 2016-08-22 10:05:25 [22288] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:25 [22288] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:25 [22288] Skipping NSS internal slot (NSS Generic
> Crypto Services).
>
> 2016-08-22 10:05:25 [22288] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:25 [22288] Located the key 'husky100'.
>
> 2016-08-22 10:05:25 [22288] Converted private key 'husky100' to public key.
>
> 2016-08-22 10:05:25 [22288] Server does not support DES3, using DES.
>
> 2016-08-22 10:05:25 [22288] Server does not support better digests,
> using MD5.
>
> 2016-08-22 10:05:25 [22288] Generating PKCSREQ pkiMessage.
>
> 2016-08-22 10:05:25 [22288] Setting transaction ID
> "89399340103492129363376569585892061602695437784280139265051808388486717974760".
>
> 2016-08-22 10:05:25 [22288] Setting message type "19".
>
> 2016-08-22 10:05:25 [22288] Setting sender nonce.
>
> 2016-08-22 10:05:25 [22288] Signed data.
>
> 2016-08-22 10:05:25 [22288] Generating GetCertInitial pkiMessage.
>
> 2016-08-22 10:05:25 [22288] Setting transaction ID
> "89399340103492129363376569585892061602695437784280139265051808388486717974760".
>
> 2016-08-22 10:05:25 [22288] Setting message type "20".
>
> 2016-08-22 10:05:25 [22288] Setting sender nonce.
>
> 2016-08-22 10:05:25 [22288] Signed data.
>
> 2016-08-22 10:05:25 [22288] Signing using old key.
>
> 2016-08-22 10:05:25 [22288] Re-signing PKCSREQ message with old key.
>
> 2016-08-22 10:05:25 [22288] Re-signing GetCertInitial message with old key.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
> 'HAVE_SCEP_DATA'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
> 'NEED_TO_SUBMIT'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'SUBMITTING'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic
> from 15.
>
> 2016-08-22 10:05:26 [21621] Certificate submission attempt complete.
>
> 2016-08-22 10:05:26 [21621] Child status = 0.
>
> 2016-08-22 10:05:26 [21621] Child output:
>
> "-----BEGIN PKCS7-----
>
> -----END PKCS7-----
>
> "
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic
> from 11.
>
> 2016-08-22 10:05:26 [22292] Postprocessing output "-----BEGIN PKCS7-----
>
> -----END PKCS7-----
>
> ".
>
> 2016-08-22 10:05:26 [22292] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:26 [22292] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:26 [22292] Skipping NSS internal slot (NSS Generic
> Crypto Services).
>
> 2016-08-22 10:05:26 [22292] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] error:0D0680A8:asn1 encoding
> routines:ASN1_CHECK_TLEN:wrong tag
>
> 2016-08-22 10:05:26 [22292] error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested asn1 error
>
> 2016-08-22 10:05:26 [22292] error:0D0680A8:asn1 encoding
> routines:ASN1_CHECK_TLEN:wrong tag
>
> 2016-08-22 10:05:26 [22292] error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested asn1 error
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Succeeded in decrypting enveloped data.
>
> 2016-08-22 10:05:26 [22292] Succeeded in decrypting enveloped data.
>
> 2016-08-22 10:05:26 [21621] Certificate submission postprocessing complete.
>
> 2016-08-22 10:05:26 [21621] Child status = 0.
>
> 2016-08-22 10:05:26 [21621] Child output:
>
> 2016-08-22 10:05:26 [21621] Issued certificate is "-----BEGIN
> CERTIFICATE-----
>
> -----END CERTIFICATE-----
>
> ".
>
> 2016-08-22 10:05:26 [21621] Certificate issued (0 chain certificates, 0
> roots).
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
> 'NEED_TO_SAVE_CERT'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') taking writing lock
>
> 2016-08-22 10:05:26 [21621] No hooks set for pre-save command.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
> 'START_SAVING_CERT'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
> 'SAVING_CERT'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic
> from 11.
>
> 2016-08-22 10:05:26 [22293] No duplicate nickname entries.
>
> 2016-08-22 10:05:26 [22293] No duplicate subject name entries.
>
> 2016-08-22 10:05:26 [22293] Imported certificate "husky100", got
> nickname "husky100".
>
> 2016-08-22 10:05:26 [22293] Removed name from old key.
>
> 2016-08-22 10:05:26 [22293] Error shutting down NSS.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'SAVED_CERT'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
> 'NEED_TO_SAVE_CA_CERTS'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
> 'START_SAVING_CA_CERTS'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
> 'SAVING_CA_CERTS'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic
> from 11.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
> 'NEED_TO_READ_CERT'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
> 'READING_CERT'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic
> from 11.
>
> 2016-08-22 10:05:26 [22295] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:26 [22295] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:26 [22295] Found token 'NSS Generic Crypto Services'.
>
> 2016-08-22 10:05:26 [22295] Cert storage slot still needs user PIN to be
> set.
>
> 2016-08-22 10:05:26 [22295] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:26 [22295] Located the certificate "husky100".
>
> 2016-08-22 10:05:26 [22295] Read value "0" from
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:26 [22295] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:26 [21621] No hooks set for post-save command.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
> 'NEED_TO_NOTIFY_ISSUED_SAVED'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') releasing writing lock
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
> 'NOTIFYING_ISSUED_SAVED'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic
> from 11.
>
> 2016-08-22 10:05:26 [22296] 0x1d Certificate named "husky100" in token
> "NSS Certificate DB" in database "/tmp/nssdb" issued by CA and saved.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'MONITORING'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') soon.
>
> 2016-08-22 10:05:31 [21621] Will revisit Request2('husky100') in 86400
> seconds.
>
> Besides this "Error reading request, expected PKCS7 data" which always
> shows up and "Error decrypting bulk key: SEC_ERROR_BAD_DATA" errors (?),
> finally the cert is issued and stored into the NSS DB.
>
> Certificate:
>
>      Data:
>
>          Version: 3 (0x2)
>
>          Serial Number: 8344117917752670949 (0x73cc4309839ebae5)
>
>      Signature Algorithm: sha1WithRSAEncryption
>
>          Issuer: CN=mx_kd3
>
>          Validity
>
>              Not Before: Aug 19 16:03:29 2016 GMT
>
>              Not After : Aug  2 15:23:36 2017 GMT
>
>          Subject: CN=mx_pre2
>
>          Subject Public Key Info:
>
>              Public Key Algorithm: rsaEncryption
>
>                  Public-Key: (2048 bit)
>
>                  Modulus:
>
>                  Exponent: 65537 (0x10001)
>
>          X509v3 extensions:
>
>              X509v3 Subject Key Identifier:
>
>                  D7:06:53:64:27:62:69:3B:ED:79:B2:6A:D8:94:DD:EE:B6:9C:51:44
>
>              X509v3 Basic Constraints: critical
>
>                  CA:FALSE
>
>              X509v3 Authority Key Identifier:
>
>                  keyid:8C:DB:52:66:8F:60:01:FA:58:8D:82:06:01:25:9C:2C:7D:D0:A0:14
>
>              X509v3 Key Usage: critical
>
>                  Digital Signature, Key Encipherment
>
>              X509v3 Extended Key Usage:
>
>                  TLS Web Client Authentication
>
>      Signature Algorithm: sha1WithRSAEncryption
>
> subject= /CN=mx_pre2
>
> issuer= /CN=mx_kd3
>
> -----BEGIN PUBLIC KEY-----
>
> -----END PUBLIC KEY-----
>
> SHA1 Fingerprint=C3:B6:32:E9:70:E8:0F:98:A5:77:8E:96:13:5B:F8:40:63:37:29:7E
>
> So the question is why certmonger fails to verify signature on server
> response depending on which server I try.
>
> What is included in the checks? hostname of clients/servers?
>
> How can I debug this? I’m not an experienced C programmer and was just
> able to apply that GetCACertchain fix in scep.c and build certmonger
> with that.
>
> Peter
>



