[Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)

Endi Sukma Dewata edewata at redhat.com
Tue May 12 19:51:41 UTC 2015


On 5/12/2015 1:11 PM, Nalin Dahyabhai wrote:
> On Tue, May 12, 2015 at 06:39:13PM +0200, Thibaut Pouzet wrote:
>> There is no longer this weird "friendlyName             :unable to print
>> attribute" thing, but the NoSuchTokenException is still in the debug log
>> of pki-ca
>>
>> Thank you for your answer though, we've still made some progress in
>> identifying that I messed up the CA used for this certificate !
>
> Hmm, so what you've got there looks pretty normal for a renewal request.
> Just to rule out a problem with the request's signature or the encoding
> of the subject name in the request (the latter is a bug in versions of
> certmonger before 0.72), can you check the version of the certmonger
> package and show us the base64-encoded form of the signing request?
>
> I'm just about grasping at straws here, but the NoSuchTokenException
> exception appears to be coming from the jss library, and is thrown when
> it can't find the software module that is used for accessing the
> server's keys.  Can you verify that your /etc/pki-ca/CS.cfg file
> contains these lines?
>
>    jss.configDir=/var/lib/pki-ca/alias/
>    jss.enable=true
>    jss.secmodName=secmod.db
>
> Is there a ca.requestVerify.token value set in /etc/pki-ca/CS.cfg?  I
> don't have one.  The Dogtag logic looks like it would try to use one set
> there rather than the default, but letting it use the default looks like
> the intended way of doing things.
>
> Which version of the jss and tomcatjss packages are installed?  I'm
> using jss-4.2.6-24.el6 and tomcatjss-2.1.0-3.el6 here.
>
> If none of this turns up anything, then I'm going to have to defer to
> the Dogtag team, too.
>
> Nalin

I think you're on to something. The "Invalid Request" message is 
misleading. The actual error is NoSuchTokenException and it happens 
before the PKCS10 request is parsed. So yes, we need to check the 
ca.requestVerify.token parameter.

-- 
Endi S. Dewata
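
The checks Nalin lists above (the three jss.* lines in /etc/pki-ca/CS.cfg, and whether ca.requestVerify.token is set at all) are easy to get wrong by eye, so here is a small shell script that performs them. This is an added example, not code from the thread or from Dogtag/FreeIPA: the expected jss.* values are the ones Nalin quoted, the CS_CFG path is assumed to be the usual /etc/pki-ca/CS.cfg, and the two sample configs written at the bottom are constructed for the demonstration (the token name example-token is made up).

```shell
#!/bin/sh
# Added example: verify the jss.* settings Nalin asked about in a Dogtag
# CS.cfg and report whether ca.requestVerify.token is set. Not part of the
# thread; the path below is an assumption, override it with CS_CFG=...
CS_CFG="${CS_CFG:-/etc/pki-ca/CS.cfg}"

# check_jss_config FILE
# Prints one line per expected key; returns 0 only if all three jss.*
# settings are present with exactly the values quoted in the thread.
check_jss_config() {
    cfg="$1"
    rc=0
    for expected in \
        'jss.configDir=/var/lib/pki-ca/alias/' \
        'jss.enable=true' \
        'jss.secmodName=secmod.db'
    do
        key="${expected%%=*}"
        # CS.cfg is plain key=value, one per line, no spaces around '='.
        actual=$(grep "^${key}=" "$cfg" | head -n 1)
        if [ "$actual" = "$expected" ]; then
            echo "ok      $expected"
        else
            echo "MISSING $expected (found: '${actual:-<none>}')"
            rc=1
        fi
    done
    return $rc
}

# request_verify_token FILE
# Prints the value of ca.requestVerify.token, or nothing if the parameter
# is absent (the default, which the thread says is the intended setup).
request_verify_token() {
    grep '^ca\.requestVerify\.token=' "$1" | head -n 1 | cut -d= -f2-
}

# Constructed sample configs for the demonstration (not real files).
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
jss.configDir=/var/lib/pki-ca/alias/
jss.enable=true
jss.secmodName=secmod.db
EOF

# Missing jss.secmodName and carrying an explicit token override.
BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
jss.configDir=/var/lib/pki-ca/alias/
jss.enable=true
ca.requestVerify.token=example-token
EOF

for f in "$GOOD_CFG" "$BAD_CFG"; do
    echo "== $f"
    check_jss_config "$f" || echo "jss configuration incomplete"
    tok=$(request_verify_token "$f")
    if [ -n "$tok" ]; then
        echo "ca.requestVerify.token is set to '$tok' (non-default)"
    else
        echo "ca.requestVerify.token not set (default token will be used)"
    fi
done
```

Run it with CS_CFG pointing at the real file (the sample-file section at the bottom only exercises the functions); a non-empty token value printed for the real CS.cfg is the thing to look at first, since Endi's note says the NoSuchTokenException is raised before the PKCS#10 request is even parsed.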