[Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

Nalin Dahyabhai nalin at redhat.com
Wed Feb 11 18:15:04 UTC 2015


On Wed, Feb 11, 2015 at 10:04:42AM +0100, marcin kowalski wrote:
> I forgot to add - usually removing the "-v" bit in ca external helper
> definition produces the aforementioned 'rejected by CA' message, instead of
> verbose output.

Ah.  Yes, the verbose output goes to stdout, where it confuses the main
daemon (it's expecting a very specific format from stdout), rather than
stderr, which probably would have been a better idea.

> > Since I haven't fully figured out how to set up authentication for
> > certmonger yet, I've temporarily reused one from the dogtag's pki instance.
> > Hopefully it's not a fatal mistake on my end.

The agent authentication is set up using a combination of the -d, -n,
and optionally the -P or -p flags.  If you leave off all options,
dogtag-ipa-renew-agent-submit more or less assumes:
 -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt

I tried this on my own box, and Dogtag threw a curve ball by putting a
blank line in before the -----END CERTIFICATE----- line at the end of
the issued certificate.  It's something we can work around, but it's not
something the current version knows that it needs to do.

HTH,

Nalin
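As an added illustration (not certmonger's or Dogtag's own code), the following shows how a consumer of a CA helper could tolerate the blank line Nalin describes inside the issued certificate while still refusing stray non-PEM text such as verbose logging on stdout. The helper output layout and the sample values are constructed assumptions for the example.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed stand-in for the base64 body; not a real certificate.
SAMPLE_BODY = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

# Constructed helper stdout with the blank line Dogtag inserted before END.
SAMPLE_WITH_BLANK = f"{BEGIN}\n{SAMPLE_BODY}\n\n{END}\n"
# Constructed helper stdout where verbose logging landed on stdout.
SAMPLE_VERBOSE = f"connecting to CA...\n{SAMPLE_WITH_BLANK}"


def extract_certificate(helper_stdout: str) -> str:
    """Return a normalized PEM certificate from a CA helper's stdout.

    Blank lines inside the BEGIN/END block are dropped; any other text
    outside the block is treated as an error so that stray logging on
    stdout is reported instead of being mistaken for certificate data.
    """
    lines = [l.rstrip("\r") for l in helper_stdout.split("\n")]
    try:
        start = lines.index(BEGIN)
        end = lines.index(END, start + 1)
    except ValueError:
        raise ValueError("no PEM certificate block in helper output") from None
    stray = [l for l in lines[:start] + lines[end + 1:] if l.strip()]
    if stray:
        raise ValueError(f"unexpected non-PEM output: {stray[0]!r}")
    # Keep only base64 lines; this is where the blank line is discarded.
    body = [l.strip() for l in lines[start + 1:end] if l.strip()]
    if not body or not all(B64_LINE.match(l) for l in body):
        raise ValueError("malformed base64 body")
    try:
        base64.b64decode("".join(body), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 decode failed: {exc}") from None
    return "\n".join([BEGIN, *body, END]) + "\n"


def helper_output_ok(helper_stdout: str) -> bool:
    """True if the helper output parses as a single clean certificate."""
    try:
        extract_certificate(helper_stdout)
        return True
    except ValueError:
        return False
```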
