[Freeipa-users] certmonger + dogtag, bad parsing of returned certificate

marcin kowalski yoshi314 at gmail.com
Tue May 19 15:19:42 UTC 2015


Thanks for the tip, I am using whatever is in current Fedora, which is 0.76
or similar version. I'll give an updated version a shot.

I had similar results with Ubuntu's 0.75.x

2015-05-19 16:30 GMT+02:00 Nalin Dahyabhai <nalin at redhat.com>:

> On Tue, May 19, 2015 at 12:34:47PM +0200, marcin kowalski wrote:
> > Hi, all. I am trying to integrate certmonger with a dogtag instance, and so
> > far I've stumbled on one odd problem. Hopefully this is the right list.
> >
> > I've generated some random cert with getcert request, it has communicated
> > with dogtag, and I approved it there.
> >
> > However, when certmonger retrieves it, it cannot save it to disk (
> > NEED_TO_NOTIFY_ISSUED_SAVE_FAILED )
> >
> > Upon inspection of certmonger's request file (in
> > /var/lib/certmonger/requests ), it turns out that there is an extra empty
> > line before end certificate marker line.  There is no such line when
> > looking at the cert in dogtag web interface.
> >
> > Is there some method/hook I could use to post process such request files
> > to fix them up?
>
> There's no hook for doing that with the data files themselves, because
> they're meant to be internal details of the implementation, but the data
> coming back from the enrollment helper, which is what's malformed to
> begin with, can be corrected at the point when the helper is run.
>
> Essentially, you'd replace the configured call to dogtag-submit with a
> script or other program that checked $CERTMONGER_OPERATION for the
> values "SUBMIT" and "POLL", ran the dogtag-submit helper, filtered its
> output to fix this mistake, and returned the helper's exit status to
> keep things in line with the daemon's expectations.
>
> Though, if you're running something older than 0.77, please give 0.77.4
> (currently in testing for Fedora 20 and 21) or a development snapshot
> (from the ipa-devel repo) a try.  The 0.77 release had a lot of its
> parsing reworked as part of adding support for SCEP reply formats, which
> I think fixed this.  The development snapshots add more authentication
> options to the generic Dogtag helper which you may also want, depending
> on the enrollment profile you're using.
>
> HTH,
>
> Nalin
>
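
The wrapper described in the quoted reply could look like the following. This is an added example, not code from the thread or from certmonger; the helper path and the HELPER override variable are assumptions, so point it at whatever command is currently configured for the CA.

```shell
#!/bin/sh
# Added example, not certmonger's own code.
# Assumption: HELPER is the command currently configured for the CA.
HELPER="${HELPER:-/usr/libexec/certmonger/dogtag-submit}"

# Drop empty or whitespace-only lines found between the PEM BEGIN and END
# markers; every other line (cookies, error text) passes through unchanged.
strip_pem_blank_lines() {
    awk '
        /^-----BEGIN / { in_pem = 1 }
        /^-----END /   { in_pem = 0 }
        in_pem && /^[ \t\r]*$/ { next }
        { print }
    '
}

# Run the real helper with the environment certmonger provided. Output is
# filtered only for SUBMIT and POLL; the helper's exit status is always
# returned unchanged so the daemon sees what it expects.
run_helper() {
    case "${CERTMONGER_OPERATION:-}" in
    SUBMIT|POLL)
        status=0
        out=$("$HELPER" "$@") || status=$?
        if [ -n "$out" ]; then
            printf '%s\n' "$out" | strip_pem_blank_lines
        fi
        return "$status"
        ;;
    *)
        "$HELPER" "$@"
        ;;
    esac
}

# Act as the helper only when invoked with CERTMONGER_OPERATION set, so the
# functions above can also be sourced and tested on their own.
if [ -n "${CERTMONGER_OPERATION:-}" ]; then
    run_helper "$@"
    exit $?
fi
```

The filter leaves the request files under /var/lib/certmonger/requests alone and only corrects what the helper hands back to the daemon.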