[Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

marcin kowalski yoshi314 at gmail.com
Wed Feb 11 09:00:47 UTC 2015 

Edit: i acceditanlly forgot to send copy to the list, so resubmitting.


I tried this command :

getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey -N
"cn=mywebserver"

i've setup the 'dogtag-ipa' ca in certmonger like so :

id=dogtag-ipa
ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -E
https://fedora.box.net:8443/ca/ee/ca -A
https://fedora.box.net:8443/ca/agent/ca/ -n "CN=BOX.NET admin" -d
/var/lib/pki/pki-tomcat/alias/  -i /etc/ipa/ca.crt -v


Since i haven't fully figured out how to setup authentication for
certmonger yet, i've temporarily reused one from the dogtag's pki instance.
Hopefully it's not a fatal mistake on my end.

>From the certmonger logs i get :

lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: GET
https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQK%2B%0A6O7LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true
lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: <?xml
version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred -
{0}</Error><RequestId>  49</RequestId></XMLResponse>


And the request #49 is placed in Dogtag's CA Agent services, and can be
acknowledged/rejected correctly. It's just that certmonger is stuck and
doesn't notice the successful delivery.

Machine is in isolated network, so there is probably no issue wrt using
box.net as test domain.

2015-02-10 18:40 GMT+01:00 Dmitri Pal <dpal at redhat.com>:

>  On 02/10/2015 12:35 PM, marcin kowalski wrote:
>
> Hi all, i'm getting dogtag figured out slowly, and i noticed one odd
> thing.
>
> I've setup certmonger to request an arbitrary certificate through dogtag,
> and while the request seems to go into the dogtag system, certmonger acts
> as if communication with the CA failed. The certificate is considered in
> need of user attention because the process got stuck.
>
> Request ID ‘20150210125814’:
> status: NEED_GUIDANCE
> stuck: yes
> key pair storage: type=FILE,location=’/etc/pki/testkey’
> certificate: type=FILE,location=’/etc/pki/testcert’
> CA: dogtag-ipa
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
>
>  [root at fedora pki]# systemctl status -l certmonger
> (….)
> lut 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate
> to be stored in file “/etc/pki/testcert” rejected by CA.
>
> The request is present in dogtag and is valid, can be accepted/rejected,
> etc. Even though certmonger never notices that. I wonder if there is some
> obvious mistake in my setup, or perhaps there is  known bug in interaction
> of both components on F21 (i'm using only standard repositories).
>
> When i post the query from certmonger's agent defined in ca definition
> through curl, i get no errors.
>
> What would be the best way to debug this issue?
>
>
>  Can you post your certmonger get-cert command?
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150211/5ba5f676/attachment.htm>

More information about the Freeipa-users mailing list