From Julius.Adewumi at gdc4s.com Mon Nov 3 21:15:53 2008
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Mon, 3 Nov 2008 14:15:53 -0700
Subject: [Pki-users] CA publishing to external Directory
Message-ID: <150446754087724BA4B8F287083846B2032DDC21@AZ25EXM04.gddsi.com>

Any idea why CA couldn't publish to external Directory? From the enable publishing console, I put the directory server host and port number, and the credentials. When "saved" it successfully said "CRL is published". But not on the external hostname. Network trace showed ldap bindrequest and searchrequest successfully sent across and unbindrequest was the final packet. The CA console logged the error "sdr PWsdrCache addEntry failed" each time. The failure seemed to be from the CA rather than from the directory server.

Any info will help.

Julius
-------------- next part --------------
An HTML attachment was scrubbed...
URL: From cfu at redhat.com Tue Nov 4 00:27:55 2008 From: cfu at redhat.com (Christina Fu) Date: Mon, 03 Nov 2008 16:27:55 -0800 Subject: [Pki-users] CA publishing to external Directory In-Reply-To: <150446754087724BA4B8F287083846B2032DDC21@AZ25EXM04.gddsi.com> References: <150446754087724BA4B8F287083846B2032DDC21@AZ25EXM04.gddsi.com> Message-ID: <490F970B.2040304@redhat.com> Hi, I believe this is fixed in https://bugzilla.redhat.com/show_bug.cgi?id=446685. You can either refresh your tree and rebuild and update the pki-common rpm, or you can wait for the next release. Hope this helps. Christina Adewumi, Julius-p99373 wrote: > > Any idea why CA couldn't publish to external Directory? From the > enable publishing console, I put the directory server host and port > number, > > and the credentials. When "saved" it successfully said "CRL is > published". But not on the external hostname. Network trace showed > ldap bindrequest and searchrequest successfully sent across and > unbindrequest was the final packet. The CA console logged the error > "sdr PWsdrCache addEntry failed" each time. The failure seemed to be > from the CA rather than from the directory server. > > Any info will help. 
>
> Julius
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

From Julius.Adewumi at gdc4s.com Tue Nov 4 17:03:39 2008
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Tue, 4 Nov 2008 10:03:39 -0700
Subject: [Pki-users] CA publishing to external Directory
In-Reply-To: <490F970B.2040304@redhat.com>
References: <150446754087724BA4B8F287083846B2032DDC21@AZ25EXM04.gddsi.com> <490F970B.2040304@redhat.com>
Message-ID: <150446754087724BA4B8F287083846B2033312BD@AZ25EXM04.gddsi.com>

This is Certificate System v 7.3 and I used the cn=Directory Manager and the password is the same Directory Manager password for the publishing. The Ldap bindrequest was successful, therefore the problem is definitely different from 446685 fix.

-----Original Message-----
From: Christina Fu [mailto:cfu at redhat.com]
Sent: Monday, November 03, 2008 5:28 PM
To: Adewumi, Julius-p99373
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] CA publishing to external Directory

Hi,

I believe this is fixed in https://bugzilla.redhat.com/show_bug.cgi?id=446685.
You can either refresh your tree and rebuild and update the pki-common rpm, or you can wait for the next release.

Hope this helps.

Christina

Adewumi, Julius-p99373 wrote:
>
> Any idea why CA couldn't publish to external Directory? From the
> enable publishing console, I put the directory server host and port
> number,
>
> and the credentials. When "saved" it successfully said "CRL is
> published". But not on the external hostname. Network trace showed
> ldap bindrequest and searchrequest successfully sent across and
> unbindrequest was the final packet. The CA console logged the error
> "sdr PWsdrCache addEntry failed" each time. The failure seemed to be
> from the CA rather than from the directory server.
>
> Any info will help.
>
> Julius
>
> ----------------------------------------------------------------------
> --
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

From KLAUS.HEYDEN at ALLIANZ.DE Wed Nov 12 15:29:09 2008
From: KLAUS.HEYDEN at ALLIANZ.DE (Heyden, Klaus (Allianz ASIC SE))
Date: Wed, 12 Nov 2008 16:29:09 +0100
Subject: [Pki-users] failed Administrator logon
Message-ID: <613BB4A6A18A9C44B1D029946BD525BA0DEDF47C@naimuclh.wwg00m.rootdom.net>

Hi,

I have fixed it, it was the certificate issued at the installation. I added a user via pkiconsole and issued a new certificate for User admin, think it is the changed Subject DN which I changed at installation.

regards
Klaus Heyden
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From KLAUS.HEYDEN at ALLIANZ.DE Thu Nov 13 09:17:21 2008
From: KLAUS.HEYDEN at ALLIANZ.DE (Heyden, Klaus (Allianz ASIC SE))
Date: Thu, 13 Nov 2008 10:17:21 +0100
Subject: [Pki-users] Build CMS fom Subversion
Message-ID: <613BB4A6A18A9C44B1D029946BD525BA0DEDF4C5@naimuclh.wwg00m.rootdom.net>

Hello,

I've a problem building the PKI from Subversion source.
When building the PK12util I've got the following error:

[root at ca4sit-2 util]# ./build_linux
Buildfile: config/release.xml
[echo] Importing shared properties ...
[echo] Completed importing shared properties.
main:
[echo] Generating 'pki-util' RPMS and SRPMS ...
[echo] Established the '/usr/src/release/pki/base/util' top-level directory.
[echo] Creating the 'pki-util' source distribution ...
[exec] Buildfile: build.xml
[exec] distribute_source:
[exec] [echo] Creating 'pki-util' source distributions ...
[exec] [mkdir] Created dir: /usr/src/release/pki/base/util/dist/source
[exec] [echo] Creating 'pki-util' source zip files ...
[exec] [zip] Building zip: /usr/src/release/pki/base/util/dist/source/pki-util-1.0.0.zip [exec] [echo] Completed creating 'pki-util' source zip files. [exec] [echo] Creating 'pki-util' source tar files ... [exec] [tar] Building tar: /usr/src/release/pki/base/util/dist/source/pki-util-1.0.0.tar [exec] [echo] Completed creating 'pki-util' source tar files. [exec] [echo] Creating 'pki-util' source gzip files ... [exec] [gzip] Building: /usr/src/release/pki/base/util/dist/source/pki-util-1.0.0.tar.gz [exec] [delete] Deleting: /usr/src/release/pki/base/util/dist/source/pki-util-1.0.0.tar [exec] [echo] Completed creating 'pki-util' source gzip files. [exec] [echo] Completed creating 'pki-util' source distributions. [exec] BUILD SUCCESSFUL [exec] Total time: 1 second [echo] Completed creating the 'pki-util' source distribution. [echo] Creating 'pki-util' RPM directories ... [mkdir] Created dir: /usr/src/release/pki/base/util/dist/rpmpkg [mkdir] Created dir: /usr/src/release/pki/base/util/dist/rpmpkg/SOURCES [mkdir] Created dir: /usr/src/release/pki/base/util/dist/rpmpkg/RPMS [mkdir] Created dir: /usr/src/release/pki/base/util/dist/rpmpkg/SRPMS [mkdir] Created dir: /usr/src/release/pki/base/util/dist/rpmpkg/SPECS [mkdir] Created dir: /usr/src/release/pki/base/util/dist/rpmpkg/BUILD [echo] Completed creating 'pki-util' RPM directories. [echo] Building 'pki-util' RPMS and SRPMS ... [exec] Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.20981 [exec] + umask 022 [exec] + cd /usr/src/release/pki/base/util/./dist/rpmpkg/BUILD [exec] + cd /usr/src/release/pki/base/util/dist/rpmpkg/BUILD [exec] + rm -rf pki-util-1.0.0 [exec] + /bin/gzip -dc /usr/src/release/pki/base/util/dist/source/pki-util-1.0.0.tar.gz [exec] + tar -xf - [exec] + STATUS=0 [exec] + '[' 0 -ne 0 ']' [exec] + cd pki-util-1.0.0 [exec] ++ /usr/bin/id -u [exec] + '[' 0 = 0 ']' [exec] + /bin/chown -Rhf root . [exec] ++ /usr/bin/id -u [exec] + '[' 0 = 0 ']' [exec] + /bin/chgrp -Rhf root . 
[exec] + /bin/chmod -Rf a+rX,u+w,g-w,o-w . [exec] + exit 0 [exec] Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.90748 [exec] + umask 022 [exec] + cd /usr/src/release/pki/base/util/./dist/rpmpkg/BUILD [exec] + cd pki-util-1.0.0 [exec] + ant -Dspecfile=pki-util.spec [exec] Buildfile: build.xml [exec] clean: [exec] [echo] Removing 'pki-util' component directories ... [exec] [echo] Completed removing 'pki-util' component directories. [exec] clean_javadocs: [exec] [echo] Removing 'pki-util' javadocs directory ... [exec] [echo] Completed removing 'pki-util' javadocs directory. [exec] compile_java: [exec] [echo] Compiling 'pki-util' java code from 'src' into 'build/classes' ... [exec] [mkdir] Created dir: /usr/src/release/pki/base/util/dist/rpmpkg/BUILD/pki-util-1.0.0/build/classes [exec] [javac] Compiling 179 source files to /usr/src/release/pki/base/util/dist/rpmpkg/BUILD/pki-util-1.0.0/build/classes [exec] [javac] /usr/src/release/pki/base/util/dist/rpmpkg/BUILD/pki-util-1.0.0/src/netscape/security/extensions/AuthInfoAccessExtension.java:239: cannot access com.netscape.osutil.OSUtil [exec] [javac] bad class file: /usr/lib/java/osutil.jar(com/netscape/osutil/OSUtil.class) [exec] [javac] class file has wrong version 50.0, should be 49.0 [exec] [javac] Please remove or make sure it appears in the correct subdirectory of the classpath. [exec] [javac] System.out.println(com.netscape.osutil.OSUtil.BtoA(os.toByteArray())); [exec] [javac] ^ [exec] [javac] Note: * uses or overrides a deprecated API. [exec] [javac] Note: Recompile with -Xlint:deprecation for details. [exec] [javac] Note: Some input files use unchecked or unsafe operations. [exec] [javac] Note: Recompile with -Xlint:unchecked for details. [exec] [javac] 1 error [exec] BUILD FAILED [exec] /usr/src/release/pki/base/util/dist/rpmpkg/BUILD/pki-util-1.0.0/build.xml:66: Compile failed; see the compiler error output for details. 
[exec] Total time: 1 second
[exec] error: Bad exit status from /var/tmp/rpm-tmp.90748 (%build)
[exec] RPM build errors:
[exec] Bad exit status from /var/tmp/rpm-tmp.90748 (%build)
[exec] Result: 1
[echo] Completed building 'pki-util' RPMS and SRPMS.
[echo] Removing various 'pki-util' RPM directories and files ...
[delete] Deleting directory /usr/src/release/pki/base/util/dist/rpmpkg/BUILD
[echo] Completed removing various 'pki-util' RPM directories and files.
[echo] Completed generating 'pki-util' RPMS and SRPMS.

Regards
Klaus Heyden
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From graham at vpac.org Fri Nov 14 01:18:23 2008
From: graham at vpac.org (Graham Jenkins)
Date: Fri, 14 Nov 2008 12:18:23 +1100
Subject: [Pki-users] DogTag Response to CMC Request from SLCS Server ..
Message-ID: <1226625503.6831.18.camel@sys04.in.vpac.org>

We're using Dogtag pki-ca-1.0.0-1.fc8 as an Online CA to provide certificates in response to requests from a SLCS server.

And the log file we're seeing on the SLCS server is saying:

--
INFO [TP-Processor7] CertificateServlet.doProcess: CertificateSigningRequest=
-----BEGIN CERTIFICATE REQUEST-----
MIICTjCCAbcCAQAwgaExFDASBgoJkiaJk/IsZAEZFgRzbGNzMRQwEgYKCZImiZPy
..
9ChQYHcP8EpaseH8XymdH1bw
-----END CERTIFICATE REQUEST-----

INFO [TP-Processor7] CertificateServlet.doProcess: send certificate request to CA server
ERROR [TP-Processor7] CMCConnection.checkResponseHeaders: Invalid Content-Type in HTTP response header: text/html
--

So what we're thinking is that perhaps we are sending our request to the wrong URL .. viz:
https://slcscadev.vpac.org:9443/ca/ee/ca/

Does anyone have any ideas about this please?
-- Graham Jenkins Australian Research Collaboration Service Victorian Partnership for Advanced Computing (+613) 9925-4862 From msauton at redhat.com Fri Nov 14 01:46:55 2008 From: msauton at redhat.com (Marc Sauton) Date: Thu, 13 Nov 2008 17:46:55 -0800 Subject: [Pki-users] DogTag Response to CMC Request from SLCS Server .. In-Reply-To: <1226625503.6831.18.camel@sys04.in.vpac.org> References: <1226625503.6831.18.camel@sys04.in.vpac.org> Message-ID: <491CD88F.9040805@redhat.com> Graham Jenkins wrote: > We're using Dogtag pki-ca-1.0.0-1.fc8 as an Online CA to provide > certificates in response to requests from a SLCS server. > > And the log file we're seeing on the SLCS server is saying: > > -- > INFO [TP-Processor7] CertificateServlet.doProcess: CertificateSigningRequest= > -----BEGIN CERTIFICATE REQUEST----- > MIICTjCCAbcCAQAwgaExFDASBgoJkiaJk/IsZAEZFgRzbGNzMRQwEgYKCZImiZPy > .. > 9ChQYHcP8EpaseH8XymdH1bw > -----END CERTIFICATE REQUEST----- > > INFO [TP-Processor7] CertificateServlet.doProcess: send certificate request to CA server > ERROR [TP-Processor7] CMCConnection.checkResponseHeaders: Invalid Content-Type in HTTP response header: text/html > -- > > So what we're thinking is that perhaps we are sending our request to the > wrong URL .. viz: > https://slcscadev.vpac.org:9443/ca/ee/ca/ > > Does anyone have any ideas about this please? > > What are the DogTag logs like? I would try /ca/ee/ca/profileSubmitCMCSimple or /ca/profileSubmitCMCSimple There is a profileSubmitCMCFull if using client auth There is also a tool called HttpClient for tests: http://www.redhat.com/docs/manuals/cert-system/7.3/html/Command_Line_Tools_Guide/HTTP_Client.html M. From msauton at redhat.com Fri Nov 14 01:48:15 2008 From: msauton at redhat.com (Marc Sauton) Date: Thu, 13 Nov 2008 17:48:15 -0800 Subject: [Pki-users] DogTag Response to CMC Request from SLCS Server .. 
In-Reply-To: <491CD88F.9040805@redhat.com> References: <1226625503.6831.18.camel@sys04.in.vpac.org> <491CD88F.9040805@redhat.com> Message-ID: <491CD8DF.50701@redhat.com> Marc Sauton wrote: > Graham Jenkins wrote: >> We're using Dogtag pki-ca-1.0.0-1.fc8 as an Online CA to provide >> certificates in response to requests from a SLCS server. >> >> And the log file we're seeing on the SLCS server is saying: >> >> -- >> INFO [TP-Processor7] CertificateServlet.doProcess: >> CertificateSigningRequest= >> -----BEGIN CERTIFICATE REQUEST----- >> MIICTjCCAbcCAQAwgaExFDASBgoJkiaJk/IsZAEZFgRzbGNzMRQwEgYKCZImiZPy >> .. >> 9ChQYHcP8EpaseH8XymdH1bw >> -----END CERTIFICATE REQUEST----- >> >> INFO [TP-Processor7] CertificateServlet.doProcess: send certificate >> request to CA server >> ERROR [TP-Processor7] CMCConnection.checkResponseHeaders: Invalid >> Content-Type in HTTP response header: text/html >> -- >> >> So what we're thinking is that perhaps we are sending our request to the >> wrong URL .. viz: >> https://slcscadev.vpac.org:9443/ca/ee/ca/ >> >> Does anyone have any ideas about this please? >> >> > What are the DogTag logs like? > I would try /ca/ee/ca/profileSubmitCMCSimple or > /ca/profileSubmitCMCSimple Should be /ca/profileSubmitCMCSimple > There is a profileSubmitCMCFull if using client auth > There is also a tool called HttpClient for tests: > http://www.redhat.com/docs/manuals/cert-system/7.3/html/Command_Line_Tools_Guide/HTTP_Client.html > > M. > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users From graham at vpac.org Fri Nov 14 03:57:40 2008 From: graham at vpac.org (Graham Jenkins) Date: Fri, 14 Nov 2008 14:57:40 +1100 Subject: [Pki-users] DogTag Response to CMC Request from SLCS Server .. 
In-Reply-To: <491CD88F.9040805@redhat.com> References: <1226625503.6831.18.camel@sys04.in.vpac.org> <491CD88F.9040805@redhat.com> Message-ID: <1226635060.6831.110.camel@sys04.in.vpac.org> On Thu, 2008-11-13 at 17:46 -0800, Marc Sauton wrote: > Graham Jenkins wrote: > > We're using Dogtag pki-ca-1.0.0-1.fc8 as an Online CA to provide > > certificates in response to requests from a SLCS server. > > .. > What are the DogTag logs like? > I would try /ca/ee/ca/profileSubmitCMCSimple .. > There is a profileSubmitCMCFull if using client auth .. Thanks Marc. Both of these give a similar response, with the DogTag logs showing something like: -- 14/Nov/2008:13:19:07][http-9443-Processor23]: ProfileSubmitServlet: profileId caSimpleCMCUserCert [14/Nov/2008:13:19:07][http-9443-Processor23]: ProfileSubmitServlet: authenticator not found [14/Nov/2008:13:19:07][http-9443-Processor23]: ProfileSubmistServlet: set Inputs into Context [14/Nov/2008:13:19:07][http-9443-Processor23]: ProfileSubmitServlet: set sslClientCertProvider [14/Nov/2008:13:19:07][http-9443-Processor23]: xx Start parsePKCS10 LS12VWxXZHZWNHAxT .. ZFlCODANCi0tdlVsV2R2VjRwMU1vdGlmQTg2OHE5dzZ5eXk2TTRvLS0NCg== [14/Nov/2008:13:19:07][http-9443-Processor23]: EnrollProfile: parsePKCS10: signature verification enabled [14/Nov/2008:13:19:07][http-9443-Processor23]: EnrollProfile: parsePKCS10 setting thread token [14/Nov/2008:13:19:07][http-9443-Processor23]: EnrollProfile: parsePKCS10 java.io.IOException: Sequence tag error 45 Any ideas from this? > There is also a tool called HttpClient for tests: > http://www.redhat.com/docs/manuals/cert-system/7.3/html/Command_Line_Tools_Guide/HTTP_Client.html Trying to make sense of this now, not getting very far. 
:(

--
Graham Jenkins
Australian Research Collaboration Service
Victorian Partnership for Advanced Computing
(+613) 9925-4862

From zach.casper at envieta.com Wed Nov 19 23:20:00 2008
From: zach.casper at envieta.com (Zach Casper)
Date: Wed, 19 Nov 2008 18:20:00 -0500
Subject: [Pki-users] DogTag Setup https problems
Message-ID: <000801c94a9d$5bc4b9f0$134e2dd0$@casper@envieta.com>

I'm having issues w/ the default configurations of the pki-ca and other https required services.

I continue to receive HTTP Status 500 messages

Apache Tomcat/5.5.23

"The server encountered an internal error () that prevented it from fulfilling this request."

Any advice would be greatly appreciated.

--
Zach Casper
Envieta LLC
410/290-1136 x105 (Office)
----------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 486 bytes
Desc: not available
URL:

From msauton at redhat.com Thu Nov 20 00:22:32 2008
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 19 Nov 2008 16:22:32 -0800
Subject: [Pki-users] DogTag Setup https problems
In-Reply-To: <000801c94a9d$5bc4b9f0$134e2dd0$@casper@envieta.com>
References: <000801c94a9d$5bc4b9f0$134e2dd0$@casper@envieta.com>
Message-ID: <4924ADC8.2060102@redhat.com>

What operating system and platform is this about?
Make sure your installation meets all requirements (jre, directory server), like in:
http://pki.fedoraproject.org/wiki/PKI_Prerequisites
http://pki.fedoraproject.org/wiki/PKI_Runtime_Environments
from
http://pki.fedoraproject.org/wiki/PKI_Install_Guide
Did you complete the web wizard configuration after the yum install or pkicreate command? Like in:
http://pki.fedoraproject.org/wiki/PKI_Subsystem_Configuration
You may want to review the ca instance logs in /var/lib/pki-/logs/
More specifically debug, system and catalina.out files.
M.

Zach Casper wrote:
>
> I'm having issues w/ the default configurations of the pki-ca and
> other https required services.
>
> I continue to receive HTTP Status 500 messages
>
> Apache Tomcat/5.5.23
>
> "The server encountered an internal error () that prevented it from
> fulfilling this request."
>
> Any advice would be greatly appreciated.
>
> --
>
> Zach Casper
>
> Envieta LLC
>
> 410/290-1136 x105 (Office)
>
> ----------------------------------------
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

From zach.casper at envieta.com Thu Nov 20 16:35:03 2008
From: zach.casper at envieta.com (Zach Casper)
Date: Thu, 20 Nov 2008 11:35:03 -0500
Subject: [Pki-users] Cannot get fedora-ds to start
Message-ID: <001001c94b2d$f3424d70$d9c6e850$@casper@envieta.com>

My created fedora-ds instance for Dogtag will not start

Following all instructions on Dogtag site on Fedora 8 - I successfully had this working about 2 months ago - moved to something else - came back and have encountered this.

Receive the following error when trying to start dirsrv

"createprlistensockets - PR_Bind() on All Interfaces port 389 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.)"

Any advice?

--
Zach Casper
Envieta LLC
410/290-1136 x105 (Office)
330/618-5618 (Mobile)
zach.casper at envieta.com
----------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 486 bytes
Desc: not available
URL:

From msauton at redhat.com Thu Nov 20 18:28:38 2008
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 20 Nov 2008 10:28:38 -0800
Subject: [Pki-users] Cannot get fedora-ds to start
In-Reply-To: <001001c94b2d$f3424d70$d9c6e850$@casper@envieta.com>
References: <001001c94b2d$f3424d70$d9c6e850$@casper@envieta.com>
Message-ID: <4925AC56.9010809@redhat.com>

Is some other process already listening on tcp port 389?
M.

Zach Casper wrote:
>
> My created fedora-ds instance for Dogtag will not start
>
> Following all instructions on Dogtag site on Fedora 8 - I successfully
> had this working about 2 months ago - moved to something else - came
> back and have encountered this.
>
> Receive the following error when trying to start dirsrv
>
> "createprlistensockets - PR_Bind() on All Interfaces port 389 failed:
> Netscape Portable Runtime error -5982 (Local Network address is in use.)"
>
> Any advice?
>
> --
>
> Zach Casper
>
> Envieta LLC
>
> 410/290-1136 x105 (Office)
>
> 330/618-5618 (Mobile)
>
> zach.casper at envieta.com
>
> ----------------------------------------
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>

From ehansen at spyrus.com Sat Nov 22 01:40:32 2008
From: ehansen at spyrus.com (Ebbe Hansen)
Date: Fri, 21 Nov 2008 17:40:32 -0800
Subject: [Pki-users] error -12271 trying to ESC connect to TPS
Message-ID:

I am not successful connecting the ESC (Smart Card Manager) client to the TPS. I have configured TPS and ESC as documented in ESC Guide.

The error message says: "Could not establish an encrypted connection because your certificate was rejected. Error -12271".

Looks like the ESC needs a user certificate and key to establish SSL connection.
Not sure how the ESC can be configured to access a dedicated user certificate & key? Can ESC detect and possibly use the TPS Admin cert/key if running on same platform?

Ehansen @ SPYRUS Corp.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jmagne at redhat.com Mon Nov 24 17:54:07 2008
From: jmagne at redhat.com (Jack Magne)
Date: Mon, 24 Nov 2008 09:54:07 -0800
Subject: [Pki-users] error -12271 trying to ESC connect to TPS
In-Reply-To:
References:
Message-ID: <492AEA3F.1030801@redhat.com>

Ebbe:

Could you state exactly what operation you are trying to do with ESC with respect to TPS.
Are you performing the "phone home" step or actually attempting an enrollment?
The default case should not require client auth which appears to be the case with your error.

thanks,
jack

Ebbe Hansen wrote:
>
> I am not successful connecting the ESC (Smart Card Manager) client to
> the TPS. I have configured TPS and ESC as documented in ESC Guide.
>
> The error message says: "Could not establish an encrypted connection
> because your certificate was rejected. Error -12271".
>
> Looks like the ESC needs a user certificate and key to establish SSL
> connection.
>
> Not sure how the ESC can be configured to access a dedicated user
> certificate & key? Can ESC detect and possibly use the TPS Admin
> cert/key if running on same platform?
>
> Ehansen @ SPYRUS Corp.
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3237 bytes
Desc: S/MIME Cryptographic Signature
URL:

From ehansen at spyrus.com Tue Nov 25 01:44:29 2008
From: ehansen at spyrus.com (Ebbe Hansen)
Date: Mon, 24 Nov 2008 17:44:29 -0800
Subject: [Pki-users] error -12271 trying to ESC connect to TPS
In-Reply-To: <492AEA3F.1030801@redhat.com>
References: <492AEA3F.1030801@redhat.com>
Message-ID:

Jack,

I am trying to setup the initial "phone home" configuration with the intent to Format a blank token.
The ESC User guide (and the ESC) is indicating the initial Phone Home connection must be secured using https (e.g. "https://smartcardserver.example.com:7888").

When connecting to the Admin services for all other PKI components (CA, DRM, TKS and TPS) a client certificate is required to gain access. The error message I observe when trying to connect with the ESC indicates a client certificate is also expected in this case - but I haven't found anything in the ESC Guide that documents this?

Ebbe

-----Original Message-----
From: Jack Magne [mailto:jmagne at redhat.com]
Sent: Monday, November 24, 2008 9:54 AM
To: Ebbe Hansen
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS

Ebbe:

Could you state exactly what operation you are trying to do with ESC with respect to TPS.
Are you performing the "phone home" step or actually attempting an enrollment?
The default case should not require client auth which appears to be the case with your error.

thanks,
jack

Ebbe Hansen wrote:
>
> I am not successful connecting the ESC (Smart Card Manager) client to
> the TPS. I have configured TPS and ESC as documented in ESC Guide.
>
> The error message says: "Could not establish an encrypted connection
> because your certificate was rejected. Error -12271".
>
> Looks like the ESC needs a user certificate and key to establish SSL
> connection.
>
> Not sure how the ESC can be configured to access a dedicated user
> certificate & key?
Can ESC detect and possibly use the TPS Admin > cert/key if running on same platform? > > Ehansen @ SPYRUS Corp. > > ------------------------------------------------------------------------ > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users > From jmagne at redhat.com Tue Nov 25 02:29:38 2008 From: jmagne at redhat.com (Jack Magne) Date: Mon, 24 Nov 2008 18:29:38 -0800 Subject: [Pki-users] error -12271 trying to ESC connect to TPS In-Reply-To: References: <492AEA3F.1030801@redhat.com> Message-ID: <492B6312.3050903@redhat.com> Ebbe: Try this as your phone home URL. https://smartcardserver.example.com:7888/cgi-bin/home.cgi Also , you can try this with a browser and it should simply print out a simple XML file for you. I will take a look at the doc and see how it can be improved. Ebbe Hansen wrote: > Jack, > > I am trying to setup the initial "phone home" configuration with the > intent to Format a blank token. > The ESC User guide (and the ESC) is indicating the initial Phone Hole > connection must be secured using https (e.g. > "https://smartcardserver.example.com:7888"). > > When connecting to the Admin services for all other PKI components (CA, > DRM, TKS and TPS) a client certificate is required to gain access. The > error message I observe when trying to connect with the ESC indicates a > client certificate is also expected in this case - but I haven't found > anything in the ESC Guide that documents this? > > Ebbe > > > -----Original Message----- > From: Jack Magne [mailto:jmagne at redhat.com] > Sent: Monday, November 24, 2008 9:54 AM > To: Ebbe Hansen > Cc: pki-users at redhat.com > Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS > > Ebbe: > > Could you state exactly what operation you are trying to do with ESC > with respect to TPS. > Are you performing the "phone home" step or actually attempting an > enrollment? 
> The default case should not require client auth which appears to be the
> case with your error.
>
> thanks,
> jack
>
> Ebbe Hansen wrote:
>
>> I am not successful connecting the ESC (Smart Card Manager) client to
>> the TPS. I have configured TPS and ESC as documented in ESC Guide.
>>
>> The error message says: "Could not establish an encrypted connection
>> because your certificate was rejected. Error -12271".
>>
>> Looks like the ESC needs a user certificate and key to establish SSL
>> connection.
>>
>> Not sure how the ESC can be configured to access a dedicated user
>> certificate & key? Can ESC detect and possibly use the TPS Admin
>> cert/key if running on same platform?
>>
>> Ehansen @ SPYRUS Corp.
>>
>>
>>
> ------------------------------------------------------------------------
>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3237 bytes
Desc: S/MIME Cryptographic Signature
URL:

From ehansen at spyrus.com Tue Nov 25 17:46:34 2008
From: ehansen at spyrus.com (Ebbe Hansen)
Date: Tue, 25 Nov 2008 09:46:34 -0800
Subject: [Pki-users] error -12271 trying to ESC connect to TPS
In-Reply-To: <492B6312.3050903@redhat.com>
References: <492B6312.3050903@redhat.com>
Message-ID:

Jack,

In my configuration the URL actually is:
https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi

After clicking the "Test URL" button on the ESC (Smart Card Manager) I observe the error:

"Could not establish an encrypted connection because your certificate was rejected by
Redhat4.spyrus.com. Error Code: -12271"

When accessing the TPS with a browser I receive the following display:

-
Spyrus, Inc.
- https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi https://redhat4.spyrus.com:7889/cgi-bin/home/enroll.cgi http://www.spyrus.com userKey Ebbe -----Original Message----- From: Jack Magne [mailto:jmagne at redhat.com] Sent: Monday, November 24, 2008 6:30 PM To: Ebbe Hansen Cc: pki-users at redhat.com Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS Ebbe: Try this as your phone home URL. https://smartcardserver.example.com:7888/cgi-bin/home.cgi Also , you can try this with a browser and it should simply print out a simple XML file for you. I will take a look at the doc and see how it can be improved. Ebbe Hansen wrote: > Jack, > > I am trying to setup the initial "phone home" configuration with the > intent to Format a blank token. > The ESC User guide (and the ESC) is indicating the initial Phone Hole > connection must be secured using https (e.g. > "https://smartcardserver.example.com:7888"). > > When connecting to the Admin services for all other PKI components (CA, > DRM, TKS and TPS) a client certificate is required to gain access. The > error message I observe when trying to connect with the ESC indicates a > client certificate is also expected in this case - but I haven't found > anything in the ESC Guide that documents this? > > Ebbe > > > -----Original Message----- > From: Jack Magne [mailto:jmagne at redhat.com] > Sent: Monday, November 24, 2008 9:54 AM > To: Ebbe Hansen > Cc: pki-users at redhat.com > Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS > > Ebbe: > > Could you state exactly what operation you are trying to do with ESC > with respect to TPS. > Are you performing the "phone home" step or actually attempting an > enrollment? > The default case should not require client auth which appears to be the > case with your error. > > thanks, > jack > > Ebbe Hansen wrote: > >> I am not successful connecting the ESC (Smart Card Manager) client to >> the TPS. I have configured TPS and ESC as documented in ESC Guide. 
>>
>> The error message says: "Could not establish an encrypted connection
>> because your certificate was rejected. Error -12271".
>>
>> Looks like the ESC needs a user certificate and key to establish SSL
>> connection.
>>
>> Not sure how the ESC can be configured to access a dedicated user
>> certificate & key? Can ESC detect and possibly use the TPS Admin
>> cert/key if running on same platform?
>>
>> Ehansen @ SPYRUS Corp.

From jmagne at redhat.com Tue Nov 25 19:24:47 2008
From: jmagne at redhat.com (Jack Magne)
Date: Tue, 25 Nov 2008 11:24:47 -0800
Subject: [Pki-users] error -12271 trying to ESC connect to TPS
In-Reply-To:
References: <492B6312.3050903@redhat.com>
Message-ID: <492C50FF.50308@redhat.com>

Ebbe:

When you go to the URL with the browser, does it ask you for a cert?
This is unusual, I will have to check around for you.

thanks,
jack

Ebbe Hansen wrote:
> Jack,
>
> In my configuration the URL actually is:
> https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi
>
> After clicking the "Test URL" button on the ESC (Smart Card Manager) I
> observe the error:
>
> "Could not establish an encrypted connection because your certificate was
> rejected by
> Redhat4.spyrus.com. Error Code: -12271"
>
> When accessing the TPS with a browser I receive the following display:
>
> -
> Spyrus, Inc.
> -
>
> https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi tion>
> https://redhat4.spyrus.com:7889/cgi-bin/home/enroll.cgi
>
> http://www.spyrus.com
>
> userKey
>
> Ebbe
>
> -----Original Message-----
> From: Jack Magne [mailto:jmagne at redhat.com]
> Sent: Monday, November 24, 2008 6:30 PM
> To: Ebbe Hansen
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>
> Ebbe:
>
> Try this as your phone home URL.
>
> https://smartcardserver.example.com:7888/cgi-bin/home.cgi
>
> Also, you can try this with a browser and it should simply print out a
> simple XML file for you.
>
> I will take a look at the doc and see how it can be improved.
>
> Ebbe Hansen wrote:
>
>> Jack,
>>
>> I am trying to setup the initial "phone home" configuration with the
>> intent to Format a blank token.
>> The ESC User guide (and the ESC) is indicating the initial Phone Home
>> connection must be secured using https (e.g.
>> "https://smartcardserver.example.com:7888").
>>
>> When connecting to the Admin services for all other PKI components (CA,
>> DRM, TKS and TPS) a client certificate is required to gain access. The
>> error message I observe when trying to connect with the ESC indicates a
>> client certificate is also expected in this case - but I haven't found
>> anything in the ESC Guide that documents this?
>>
>> Ebbe
>>
>> -----Original Message-----
>> From: Jack Magne [mailto:jmagne at redhat.com]
>> Sent: Monday, November 24, 2008 9:54 AM
>> To: Ebbe Hansen
>> Cc: pki-users at redhat.com
>> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>>
>> Ebbe:
>>
>> Could you state exactly what operation you are trying to do with ESC
>> with respect to TPS.
>> Are you performing the "phone home" step or actually attempting an
>> enrollment?
>> The default case should not require client auth which appears to be the
>> case with your error.
>>
>> thanks,
>> jack
>>
>> Ebbe Hansen wrote:
>>
>>> I am not successful connecting the ESC (Smart Card Manager) client to
>>> the TPS. I have configured TPS and ESC as documented in ESC Guide.
>>>
>>> The error message says: "Could not establish an encrypted connection
>>> because your certificate was rejected. Error -12271".
>>>
>>> Looks like the ESC needs a user certificate and key to establish SSL
>>> connection.
>>>
>>> Not sure how the ESC can be configured to access a dedicated user
>>> certificate & key? Can ESC detect and possibly use the TPS Admin
>>> cert/key if running on same platform?
>>>
>>> Ehansen @ SPYRUS Corp.

From ehansen at spyrus.com Tue Nov 25 19:32:29 2008
From: ehansen at spyrus.com (Ebbe Hansen)
Date: Tue, 25 Nov 2008 11:32:29 -0800
Subject: [Pki-users] error -12271 trying to ESC connect to TPS
In-Reply-To: <492C50FF.50308@redhat.com>
References: <492B6312.3050903@redhat.com> <492C50FF.50308@redhat.com>
Message-ID:

If I do not have a certificate in my cert-store issued by the RedHat CA
(ESC running on windows-XP) the browser (IE) indicates "The page cannot
be displayed"

The server is a "straight" RedHat 7.3 PKI installation with latest
FireFox installed. Could FireFox have changed some of the original
RedHat 7.3 SSL libraries?
Ebbe

-----Original Message-----
From: Jack Magne [mailto:jmagne at redhat.com]
Sent: Tuesday, November 25, 2008 11:25 AM
To: Ebbe Hansen
Cc: pki-users at redhat.com
Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS

Ebbe:

When you go to the URL with the browser, does it ask you for a cert?
This is unusual, I will have to check around for you.

thanks,
jack

Ebbe Hansen wrote:
> Jack,
>
> In my configuration the URL actually is:
> https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi
>
> After clicking the "Test URL" button on the ESC (Smart Card Manager) I
> observe the error:
>
> "Could not establish an encrypted connection because your certificate was
> rejected by
> Redhat4.spyrus.com. Error Code: -12271"
>
> When accessing the TPS with a browser I receive the following display:
>
> -
> Spyrus, Inc.
> -
>
> https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi tion>
> https://redhat4.spyrus.com:7889/cgi-bin/home/enroll.cgi
>
> http://www.spyrus.com
>
> userKey
>
> Ebbe
>
> -----Original Message-----
> From: Jack Magne [mailto:jmagne at redhat.com]
> Sent: Monday, November 24, 2008 6:30 PM
> To: Ebbe Hansen
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>
> Ebbe:
>
> Try this as your phone home URL.
>
> https://smartcardserver.example.com:7888/cgi-bin/home.cgi
>
> Also, you can try this with a browser and it should simply print out a
> simple XML file for you.
>
> I will take a look at the doc and see how it can be improved.
>
> Ebbe Hansen wrote:
>
>> Jack,
>>
>> I am trying to setup the initial "phone home" configuration with the
>> intent to Format a blank token.
>> The ESC User guide (and the ESC) is indicating the initial Phone Home
>> connection must be secured using https (e.g.
>> "https://smartcardserver.example.com:7888").
>>
>> When connecting to the Admin services for all other PKI components (CA,
>> DRM, TKS and TPS) a client certificate is required to gain access.
>> The error message I observe when trying to connect with the ESC indicates a
>> client certificate is also expected in this case - but I haven't found
>> anything in the ESC Guide that documents this?
>>
>> Ebbe
>>
>> -----Original Message-----
>> From: Jack Magne [mailto:jmagne at redhat.com]
>> Sent: Monday, November 24, 2008 9:54 AM
>> To: Ebbe Hansen
>> Cc: pki-users at redhat.com
>> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>>
>> Ebbe:
>>
>> Could you state exactly what operation you are trying to do with ESC
>> with respect to TPS.
>> Are you performing the "phone home" step or actually attempting an
>> enrollment?
>> The default case should not require client auth which appears to be the
>> case with your error.
>>
>> thanks,
>> jack
>>
>> Ebbe Hansen wrote:
>>
>>> I am not successful connecting the ESC (Smart Card Manager) client to
>>> the TPS. I have configured TPS and ESC as documented in ESC Guide.
>>>
>>> The error message says: "Could not establish an encrypted connection
>>> because your certificate was rejected. Error -12271".
>>>
>>> Looks like the ESC needs a user certificate and key to establish SSL
>>> connection.
>>>
>>> Not sure how the ESC can be configured to access a dedicated user
>>> certificate & key? Can ESC detect and possibly use the TPS Admin
>>> cert/key if running on same platform?
>>>
>>> Ehansen @ SPYRUS Corp.
>>>

From jmagne at redhat.com Tue Nov 25 22:23:36 2008
From: jmagne at redhat.com (Jack Magne)
Date: Tue, 25 Nov 2008 14:23:36 -0800
Subject: [Pki-users] error -12271 trying to ESC connect to TPS
In-Reply-To:
References: <492B6312.3050903@redhat.com> <492C50FF.50308@redhat.com>
Message-ID: <492C7AE8.8020109@redhat.com>

Ebbe:

I will continue to investigate to see if we have a bug.
When you are asked for the phone home URL, try the non secure version.

Something like:

http://host:7888/cgin-bin/home/index.cgi

This should keep you testing.

thanks,
jack

Ebbe Hansen wrote:
> If I do not have a certificate in my cert-store issued by the RedHat CA
> (ESC running on windows-XP) the browser (IE) indicates "The page cannot
> be displayed"
>
> The server is a "straight" RedHat 7.3 PKI installation with latest
> FireFox installed. Could FireFox have changed some of the original
> RedHat 7.3 SSL libraries?
>
> Ebbe
>
> -----Original Message-----
> From: Jack Magne [mailto:jmagne at redhat.com]
> Sent: Tuesday, November 25, 2008 11:25 AM
> To: Ebbe Hansen
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>
> Ebbe:
>
> When you go to the URL with the browser, does it ask you for a cert?
> This is unusual, I will have to check around for you.
>
> thanks,
> jack
>
> Ebbe Hansen wrote:
>
>> Jack,
>>
>> In my configuration the URL actually is:
>> https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi
>>
>> After clicking the "Test URL" button on the ESC (Smart Card Manager) I
>> observe the error:
>>
>> "Could not establish an encrypted connection because your certificate was
>> rejected by
>> Redhat4.spyrus.com.
>> Error Code: -12271"
>>
>> When accessing the TPS with a browser I receive the following display:
>>
>> -
>> Spyrus, Inc.
>> -
>>
>> https://redhat4.spyrus.com:7889/cgi-bin/home/index.cgi tion>
>> https://redhat4.spyrus.com:7889/cgi-bin/home/enroll.cgi
>>
>> http://www.spyrus.com
>>
>> userKey
>>
>> Ebbe
>>
>> -----Original Message-----
>> From: Jack Magne [mailto:jmagne at redhat.com]
>> Sent: Monday, November 24, 2008 6:30 PM
>> To: Ebbe Hansen
>> Cc: pki-users at redhat.com
>> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>>
>> Ebbe:
>>
>> Try this as your phone home URL.
>>
>> https://smartcardserver.example.com:7888/cgi-bin/home.cgi
>>
>> Also, you can try this with a browser and it should simply print out a
>> simple XML file for you.
>>
>> I will take a look at the doc and see how it can be improved.
>>
>> Ebbe Hansen wrote:
>>
>>> Jack,
>>>
>>> I am trying to setup the initial "phone home" configuration with the
>>> intent to Format a blank token.
>>> The ESC User guide (and the ESC) is indicating the initial Phone Home
>>> connection must be secured using https (e.g.
>>> "https://smartcardserver.example.com:7888").
>>>
>>> When connecting to the Admin services for all other PKI components (CA,
>>> DRM, TKS and TPS) a client certificate is required to gain access. The
>>> error message I observe when trying to connect with the ESC indicates a
>>> client certificate is also expected in this case - but I haven't found
>>> anything in the ESC Guide that documents this?
>>>
>>> Ebbe
>>>
>>> -----Original Message-----
>>> From: Jack Magne [mailto:jmagne at redhat.com]
>>> Sent: Monday, November 24, 2008 9:54 AM
>>> To: Ebbe Hansen
>>> Cc: pki-users at redhat.com
>>> Subject: Re: [Pki-users] error -12271 trying to ESC connect to TPS
>>>
>>> Ebbe:
>>>
>>> Could you state exactly what operation you are trying to do with ESC
>>> with respect to TPS.
>>> Are you performing the "phone home" step or actually attempting an
>>> enrollment?
>>> The default case should not require client auth which appears to be the
>>> case with your error.
>>>
>>> thanks,
>>> jack
>>>
>>> Ebbe Hansen wrote:
>>>
>>>> I am not successful connecting the ESC (Smart Card Manager) client to
>>>> the TPS. I have configured TPS and ESC as documented in ESC Guide.
>>>>
>>>> The error message says: "Could not establish an encrypted connection
>>>> because your certificate was rejected. Error -12271".
>>>>
>>>> Looks like the ESC needs a user certificate and key to establish SSL
>>>> connection.
>>>>
>>>> Not sure how the ESC can be configured to access a dedicated user
>>>> certificate & key? Can ESC detect and possibly use the TPS Admin
>>>> cert/key if running on same platform?
>>>>
>>>> Ehansen @ SPYRUS Corp.

From mharmsen at redhat.com Wed Nov 26 22:31:28 2008
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 26 Nov 2008 14:31:28 -0800
Subject: [Pki-users] Problems running TPS?
Message-ID: <492DCE40.4040508@redhat.com>

It has recently been brought to the attention of the Dogtag developers
that numerous users in the Dogtag community have encountered problems
successfully running the TPS subsystem.

On Fedora 8, we believe that we have isolated this issue as being related
to normal Fedora 8 updates of the following two packages:

    NSS 3.11 --> NSS 3.12
    MOD_NSS 1.0.7-2 --> MOD_NSS 1.0.7-3 or later

Dogtag developers are currently working on a permanent fix for this issue.
However, until such time, users wishing to run a TPS subsystem are urged
to use the original Fedora 8 GOLD bits available via
http://fedoraproject.org/en/get-fedora. After this fresh install it is
important not to apply any updates that affect either the nss or mod_nss
packages.

As we believe a very similar problem exists on Fedora 9, we would urge
users wishing to run a TPS subsystem to install this component on the
aforementioned Fedora 8 platform.
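A check for the two package updates named in the message above, as an added example that is not part of the original post and is not Dogtag project code. The function names `ver_ge` and `tps_pkg_status` are hypothetical, and the sample version strings are constructed rather than taken from a real host.

```shell
#!/bin/sh
# Added example, not Dogtag project code. Thresholds are the two updates named
# in the message: NSS 3.11 -> 3.12 and mod_nss 1.0.7-2 -> 1.0.7-3 or later.

# ver_ge A B: succeed when version A >= B. Compares the numeric fields left
# to right and drops a trailing dist tag such as ".fc8" (assumption: the
# numeric fields alone distinguish the builds of interest).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/\.fc[0-9]+.*$/, "", a); sub(/\.fc[0-9]+.*$/, "", b)
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }' </dev/null
}

# tps_pkg_status: read "name version-release" lines on stdin and print one
# verdict per package. Returns 1 if nss or mod_nss is at or past the update
# named in the message, 0 if both are still at the original level.
tps_pkg_status() {
    rc=0
    while read -r name vr; do
        case "$name" in
            nss)     limit="3.12" ;;
            mod_nss) limit="1.0.7-3" ;;
            *)       continue ;;
        esac
        if ver_ge "$vr" "$limit"; then
            echo "$name $vr: UPDATED (>= $limit, the update tied to the TPS failures)"
            rc=1
        else
            echo "$name $vr: original (< $limit)"
        fi
    done
    return $rc
}

# Constructed sample input: a host that has taken both updates.
SAMPLE_UPDATED='nss 3.12.0.3-1.fc8
mod_nss 1.0.7-5.fc8'
printf '%s\n' "$SAMPLE_UPDATED" | tps_pkg_status \
    || echo "nss/mod_nss are past the levels the message says to stay on"
```

On a live host the input can come from `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' nss mod_nss` piped into `tps_pkg_status`.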