[Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

Dmitri Pal dpal at redhat.com
Thu Feb 12 09:47:37 UTC 2015


On 02/12/2015 03:46 AM, marcin kowalski wrote:
> > What is your reasoning for setting up your own CA configuration? Why not
> > just use either ipa-getcert or getcert -c IPA?
>
> I am not yet familiar with the entire setup enough to give a good
> answer. I assume that requires a full FreeIPA setup, which I don't
> really need.
>
> I just wanted a simplistic Dogtag CA instance + certmonger setup for
> watching certs on various machines and checking if the requests get
> filled in correctly, and then expanding on it once I get more familiar
> with other workings of it. And I got stuck on certmonger.

I do not think certmonger is currently supported with pure Dogtag
without IPA. There are some parts of it present but it might not
work end to end.
In the case of IPA, certmonger uses Kerberos to authenticate to the server and
fetch the certs. Without IPA you have to deal with the pure cert-based
setup, which we have not had the priority to complete.

>
> 2015-02-11 19:14 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>
>     marcin kowalski wrote:
>     > Edit: I accidentally forgot to send a copy to the list, so
>     > resubmitting.
>     >
>     > I tried this command:
>     >
>     > getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey
>     > -N "cn=mywebserver"
>     >
>     > I've set up the 'dogtag-ipa' CA in certmonger like so:
>     >
>     > id=dogtag-ipa
>     > ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)
>     > ca_is_default=0
>     > ca_type=EXTERNAL
>     > ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
>     > -E https://fedora.box.net:8443/ca/ee/ca -A
>     > https://fedora.box.net:8443/ca/agent/ca/ -n "CN=BOX.NET admin"
>     > -d /var/lib/pki/pki-tomcat/alias/ -i /etc/ipa/ca.crt -v
>     >
>     > Since I haven't fully figured out how to set up authentication for
>     > certmonger yet, I've temporarily reused one from Dogtag's pki
>     > instance. Hopefully it's not a fatal mistake on my end.
>
>     What is your reasoning for setting up your own CA configuration?
>     Why not just use either ipa-getcert or getcert -c IPA?
>
>     rob
>
>     >
>     > From the certmonger logs I get:
>     >
>     > lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: GET
>     > https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=[URL-encoded PEM certificate request elided]&xml=true
>     > lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: <?xml version="1.0"
>     > encoding="UTF-8" standalone="no"?><XMLResponse><Status>2</Status><Error>Request
>     > Deferred - {0}</Error><RequestId> 49</RequestId></XMLResponse>
>     >
>     >
>     > And the request #49 is placed in Dogtag's CA Agent services, and can be
>     > acknowledged/rejected correctly. It's just that certmonger is stuck and
>     > doesn't notice the successful delivery.
>     >
>     > Machine is in isolated network, so there is probably no issue wrt using
>     > box.net as test domain.
>     >
>     > 2015-02-10 18:40 GMT+01:00 Dmitri Pal <dpal at redhat.com>:
>     >
>     >     On 02/10/2015 12:35 PM, marcin kowalski wrote:
>     >>     Hi all, I'm getting dogtag figured out slowly, and I noticed one
>     >>     odd thing.
>     >>
>     >>     I've set up certmonger to request an arbitrary certificate through
>     >>     dogtag, and while the request seems to go into the dogtag system,
>     >>     certmonger acts as if communication with the CA failed. The
>     >>     certificate is considered in need of user attention because the
>     >>     process got stuck.
>     >>
>     >>     Request ID '20150210125814':
>     >>     status: NEED_GUIDANCE
>     >>     stuck: yes
>     >>     key pair storage: type=FILE,location='/etc/pki/testkey'
>     >>     certificate: type=FILE,location='/etc/pki/testcert'
>     >>     CA: dogtag-ipa
>     >>     issuer:
>     >>     subject:
>     >>     expires: unknown
>     >>     pre-save command:
>     >>     post-save command:
>     >>     track: yes
>     >>     auto-renew: yes
>     >>
>     >>
>     >>     [root at fedora pki]# systemctl status -l certmonger
>     >>     (...)
>     >>     lut 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate to be stored in file
>     >>     "/etc/pki/testcert" rejected by CA.
>     >>
>     >>
>     >>     The request is present in dogtag and is valid, can be
>     >>     accepted/rejected, etc. Even though certmonger never notices that.
>     >>     I wonder if there is some obvious mistake in my setup, or perhaps
>     >>     there is a known bug in the interaction of both components on F21 (I'm
>     >>     using only standard repositories).
>     >>
>     >>     When I post the query from certmonger's agent defined in the CA
>     >>     definition through curl, I get no errors.
>     >>
>     >>     What would be the best way to debug this issue?
>     >>
>     >>
>     >     Can you post your certmonger get-cert command?
>     >
>     >
>     >     --
>     >     Thank you,
>     >     Dmitri Pal
>     >
>     >     Sr. Engineering Manager IdM portfolio
>     >     Red Hat, Inc.
>     >


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
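The deferred XMLResponse quoted in the thread is what the external helper has to interpret before certmonger can decide whether to keep polling. The following Python is an added example, not code from the thread, from certmonger or from Dogtag: it parses that response and maps it onto the exit-code contract certmonger documents for external CA helpers (0 issued, 1 wait with a cookie on stdout, 2 rejected, 3 unreachable, 4 unconfigured, 5 wait with delay). Status 2 meaning "deferred" is taken from the quoted log; treating Status 0 as success, and any other value as a rejection, is an assumption made here.

```python
"""Added example: classify a Dogtag profileSubmit XMLResponse the way a
certmonger external CA helper must, so a deferred (agent-approval) request
is reported as WAIT rather than as a rejection."""
import sys
import xml.etree.ElementTree as ET

# certmonger's documented exit codes for external CA helpers.
ISSUED, WAIT, REJECTED, UNREACHABLE, UNCONFIGURED, WAIT_WITH_DELAY = 0, 1, 2, 3, 4, 5

# Dogtag Status values: 2 (deferred) is what the thread's log shows;
# treating 0 as success is an assumption for this example.
DOGTAG_SUCCESS = 0
DOGTAG_DEFERRED = 2

# Constructed copy of the response quoted in the thread (request id 49).
SAMPLE_DEFERRED = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<XMLResponse><Status>2</Status><Error>Request Deferred - {0}</Error>'
    '<RequestId> 49</RequestId></XMLResponse>'
)


def parse_xml_response(body):
    """Return (status, error_text, request_id) from a Dogtag XMLResponse."""
    root = ET.fromstring(body)
    if root.tag != "XMLResponse":
        raise ValueError("unexpected root element %r" % root.tag)
    status = int((root.findtext("Status") or "").strip())
    error = (root.findtext("Error") or "").strip()
    request_id = (root.findtext("RequestId") or "").strip()  # sample has a leading space
    return status, error, request_id


def helper_result(body):
    """Map the CA's answer to (exit_code, stdout_text) per certmonger's contract.

    A deferred request becomes WAIT with the request id as the cookie, so
    certmonger re-runs the helper later instead of parking the request as
    rejected / NEED_GUIDANCE (the symptom described in the thread)."""
    status, error, request_id = parse_xml_response(body)
    if status == DOGTAG_SUCCESS:
        return ISSUED, request_id  # a real helper prints the issued PEM cert here
    if status == DOGTAG_DEFERRED:
        return WAIT, request_id    # stdout = cookie handed back on the next poll
    return REJECTED, error or "request rejected by CA"


if __name__ == "__main__":
    code, out = helper_result(SAMPLE_DEFERRED)
    print(out)
    sys.exit(code)
```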
