From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Tue, 7 Oct 2008 13:14:47 -0700
Subject: [Pki-users] Certificate Authority fixes
Message-ID:

FYI only: About RedHat Certificate Systems 7.3

I was having problems configuring DRM, TKS etc. after CA was configured. Problems like Error Code SEC_ERROR_REUSED_ISSUER_AND_SERIAL, and in the logfile of CA: CASigningUnit: Object not found. Error org.mozilla.jss.crypto ObjectNotFoundException.

I decided to go to redhat.com and download all pertinent patches and updates in their "errata", both for the firefox browser being used and for CA. After the installs and upgrades, I was able to smoothly create new instances and configure the Subsystems DRM, TKS, TPS.

So, the lesson I learned: don't bet on the CD you are delivered; new updates and fixes could be online within weeks after the CD was shipped in this business. Thanks RedHat.
Julius Adewumi

-------------- next part --------------
An HTML attachment was scrubbed...

From: ehansen at spyrus.com (Ebbe Hansen)
Date: Wed, 8 Oct 2008 08:10:21 -0700
Subject: [Pki-users] Failure to start pki-tps under Fedora9-Live
Message-ID:

Installed Fedora9-Live (downloaded 8-14-08) on harddisk. Loaded and installed DogTag packages pki-ca, pki-kra, pki-ocsp, pki-tks successfully. However, pki-tps fails to start. The attached error_log indicates "Unknown cipher ecdhe_ecdsa_aes_256_sha". Are there additional "cipher" modules to be installed?

Ebbe Hansen @ SPYRUS

-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error_log_tps_start_failure
Type: application/octet-stream
Size: 1936 bytes
Desc: error_log_tps_start_failure

From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Wed, 8 Oct 2008 17:09:19 -0700
Subject: [Pki-users] TPS --- index.cgi not interpreted by Firefox
Message-ID:

Firefox couldn't interpret the cgi-bin/home/index.cgi script when attempting to configure the Phone Home feature of TPS. It displayed the text with the comment:

"This XML file does not appear to have any style information associated with it. The document tree is shown below:
- <>
Red Hat, Inc.
- <>
http://example.com:7888/nk_service
http://example.com:7888/cgi-bin/home/enroll.cgi
http://www.redhat.com
userKey"

Can someone point me in the right direction please.

Julius

-------------- next part --------------
An HTML attachment was scrubbed...
From: jmagne at redhat.com (Jack Magne)
Date: Wed, 08 Oct 2008 17:58:18 -0700
Subject: [Pki-users] TPS --- index.cgi not interpreted by Firefox
In-Reply-To:
References:
Message-ID: <48ED572A.9070307@redhat.com>

This is a simple xml file used internally by ESC, the Smart Card Manager. There is really no need to view it with a browser other than for informational purposes.

Adewumi, Julius-p99373 wrote:
>
> Firefox couldn't interpret cgi-bin/home/index.cgi script when
> attempting to
> Configure Phone Home feature of TPS. It displayed the text with comment:
> "This XML file does not appear to have any style information
> associated with it.
> The document tree is shown below:
>
> _-_
> Red Hat, Inc.
> _-_
> http://example.com:7888/nk_service
> http://example.com:7888/cgi-bin/home/enroll.cgi
> http://www.redhat.com
>
> userKey
>
> Can someone point me in the right direction please.
>
> Julius
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3237 bytes
Desc: S/MIME Cryptographic Signature

From: kheyden at web.de (Klaus Heyden)
Date: Mon, 20 Oct 2008 19:29:42 +0200
Subject: [Pki-users] Failure to clone a CA
Message-ID: <000301c932d9$70205930$50610b90$@de>

Hello,

I've got a problem at the cloning of a CA.
At the Web GUI when I import the CA certificate file (savepkcs12) the WebGui showed me an error like "PKI not active". In the debug-file there are the following entries:

[20/Oct/2008:18:32:11][http-9443-Processor21]: WizardServlet: process
[20/Oct/2008:18:32:11][http-9443-Processor21]: WizardServlet:serice() uri = /ca/admin/console/config/wizard
[20/Oct/2008:18:32:11][http-9443-Processor21]: CMSServlet::service() param name='password' value='xxxxxxxx'
[20/Oct/2008:18:32:11][http-9443-Processor21]: CMSServlet::service() param name='path' value='/tmp/savepkcs12'
[20/Oct/2008:18:32:11][http-9443-Processor21]: CMSServlet::service() param name='p' value='5'
[20/Oct/2008:18:32:11][http-9443-Processor21]: CMSServlet::service() param name='op' value='next'
[20/Oct/2008:18:32:11][http-9443-Processor21]: WizardServlet: op=next
[20/Oct/2008:18:32:11][http-9443-Processor21]: WizardServlet: size=19
[20/Oct/2008:18:32:11][http-9443-Processor21]: WizardServlet: in next 5
[20/Oct/2008:18:32:11][http-9443-Processor21]: RestoreKeyCertPanel: this is the clone subsystem
[20/Oct/2008:18:32:11][http-9443-Processor21]: RestoreKeyCertPanel update: clone does not have all the certificates.
[20/Oct/2008:18:32:11][http-9443-Processor21]: panel no=5
[20/Oct/2008:18:32:11][http-9443-Processor21]: panel name=restorekeys
[20/Oct/2008:18:32:11][http-9443-Processor21]: total number of panels=19

I have bypassed it by importing the certificates with pk12util at the same time. What can be the problem because of not reading the file? The file contains all necessary certificates (CA, Subsystem and OCSP). This was the export file of the generation of the first instance.

The next problem, which I can't avoid, is that the clone can't finish the LDAP configuration.
The debug-file shows the following:

[20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel createChangeLog: Changelog entry has already used
[20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel enableReplication: replicadn: cn=replica,cn="dc=linux1.tampam.de-ca-master",cn=mapping tree,cn=config
[20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel enableReplication: Successfully create cn=replica,cn="dc=linux1.tampam.de-ca-master",cn=mapping tree,cn=config entry.
[20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel enableReplication: replicadn: cn=replica,cn="dc=linux1.tampam.de-ca-master",cn=mapping tree,cn=config
[20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel enableReplication: Successfully create cn=replica,cn="dc=linux1.tampam.de-ca-master",cn=mapping tree,cn=config entry.
[20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel setupReplication: Finished enabling replication
[20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel createReplicationAgreement: dn: cn=masterAgreement1-linux2.tampam.de-ca-clone2,cn=replica,cn="dc=linux1.tampam.de-ca-master",cn=mapping tree,cn=config
[20/Oct/2008:19:23:51][http-9443-Processor19]: About to set description attr to masterAgreement1-linux2.tampam.de-ca-clone2
[20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel createReplicationAgreement: Successfully create replication agreement masterAgreement1-linux2.tampam.de-ca-clone2
[20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel createReplicationAgreement: dn: cn=cloneAgreement1-linux2.tampam.de-ca-clone2,cn=replica,cn="dc=linux1.tampam.de-ca-master",cn=mapping tree,cn=config
[20/Oct/2008:19:23:51][http-9443-Processor19]: About to set description attr to cloneAgreement1-linux2.tampam.de-ca-clone2
[20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel createReplicationAgreement: Successfully create replication agreement cloneAgreement1-linux2.tampam.de-ca-clone2
[20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel initializeConsumer: initializeConsumer dn: cn=masterAgreement1-linux2.tampam.de-ca-clone2,cn=replica,cn="dc=linux1.tampam.de-ca-master",cn=mapping tree,cn=config
[20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel initializeConsumer: initializeConsumer host: linux1.tampam.de port: 389
[20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel initializeConsumer: start modifying
[20/Oct/2008:19:23:52][http-9443-Processor19]: DatabasePanel initializeConsumer: Finish modification.
[20/Oct/2008:19:23:52][http-9443-Processor19]: DatabasePanel initializeConsumer: thread sleeping for 5 seconds.
[20/Oct/2008:19:23:57][http-9443-Processor19]: DatabasePanel initializeConsumer: finish sleeping.
[20/Oct/2008:19:23:57][http-9443-Processor19]: DatabasePanel initializeConsumer: Successfully initialize consumer
[20/Oct/2008:19:23:57][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries checking ou=people,dc=linux1.tampam.de-ca-master
[20/Oct/2008:19:23:57][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries ou=people,dc=linux1.tampam.de-ca-master not found, let's wait!
[20/Oct/2008:19:24:02][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries checking ou=people,dc=linux1.tampam.de-ca-master
[20/Oct/2008:19:24:02][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries ou=people,dc=linux1.tampam.de-ca-master not found, let's wait!
[20/Oct/2008:19:24:07][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries checking ou=people,dc=linux1.tampam.de-ca-master
[20/Oct/2008:19:24:07][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries ou=people,dc=linux1.tampam.de-ca-master not found, let's wait!
[20/Oct/2008:19:24:13][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries checking ou=people,dc=linux1.tampam.de-ca-master
[20/Oct/2008:19:24:13][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries ou=people,dc=linux1.tampam.de-ca-master not found, let's wait!
[20/Oct/2008:19:24:18][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries checking ou=people,dc=linux1.tampam.de-ca-master
[20/Oct/2008:19:24:18][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries ou=people,dc=linux1.tampam.de-ca-master not found, let's wait!
etc.

At the last entries it repeats every 5 seconds and the WebGUI "Internal Database" stops there waiting...

Perhaps someone can help me.

Regards,
Klaus Heyden

-------------- next part --------------
An HTML attachment was scrubbed...

From: kheyden at web.de (Klaus Heyden)
Date: Mon, 20 Oct 2008 20:20:25 +0200
Subject: [Pki-users] Failure to clone a CA
Message-ID: <001901c932e0$85d45cc0$917d1640$@de>

Hello,

I've found that the replication in the directory server was incorrect. The master server says that there is a duplicate Replica ID. But there is no other replication configured?

-------------- next part --------------
An HTML attachment was scrubbed...

From: msauton at redhat.com (Marc Sauton)
Date: Mon, 20 Oct 2008 11:45:28 -0700
Subject: [Pki-users] Failure to clone a CA
In-Reply-To: <000301c932d9$70205930$50610b90$@de>
References: <000301c932d9$70205930$50610b90$@de>
Message-ID: <48FCD1C8.4050400@redhat.com>

Klaus Heyden wrote:
>
> Hello,
>
> I've got a problem at the cloning of a CA.
>
> At the Web GUI when I import the CA certificate file (savepkcs12) the
> WebGui showed me an error like "PKI not active"
>
> In the debug-file there are the following entries:
>
> [20/Oct/2008:18:32:11][http-9443-Processor21]: WizardServlet: process
> [20/Oct/2008:18:32:11][http-9443-Processor21]: WizardServlet:serice() uri = /ca/admin/console/config/wizard
> [20/Oct/2008:18:32:11][http-9443-Processor21]: CMSServlet::service() param name='password' value='xxxxxxxx'
> [20/Oct/2008:18:32:11][http-9443-Processor21]: CMSServlet::service() param name='path' value='/tmp/savepkcs12'
> [20/Oct/2008:18:32:11][http-9443-Processor21]: CMSServlet::service() param name='p' value='5'
> [20/Oct/2008:18:32:11][http-9443-Processor21]: CMSServlet::service() param name='op' value='next'
> [20/Oct/2008:18:32:11][http-9443-Processor21]: WizardServlet: op=next
> [20/Oct/2008:18:32:11][http-9443-Processor21]: WizardServlet: size=19
> [20/Oct/2008:18:32:11][http-9443-Processor21]: WizardServlet: in next 5
> [20/Oct/2008:18:32:11][http-9443-Processor21]: RestoreKeyCertPanel: this is the clone subsystem
> [20/Oct/2008:18:32:11][http-9443-Processor21]: RestoreKeyCertPanel update: clone does not have all the certificates.
> [20/Oct/2008:18:32:11][http-9443-Processor21]: panel no=5
> [20/Oct/2008:18:32:11][http-9443-Processor21]: panel name=restorekeys
> [20/Oct/2008:18:32:11][http-9443-Processor21]: total number of panels=19
>
> I have bypassed it by importing the certificates with pk12util at
> the same time. What can be the problem because of not reading the
> file? The file contains all necessary certificates (CA, Subsystem and OCSP).
> This was the export file of the generation of the first instance.
>
Is it possible the file /tmp/savepkcs12 copied on the cloned ca system could not be read by the uid running the clone instance?

> The next problem, which I can't avoid, is that the clone can't finish
> the LDAP configuration.
> The debug-file shows the following:
>
> [20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel createChangeLog: Changelog entry has already used
> [20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel enableReplication: replicadn: cn=replica,cn="dc=linux1.tampam.de-ca-master",cn=mapping tree,cn=config
> [20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel enableReplication: Successfully create cn=replica,cn="dc=linux1.tampam.de-ca-master",cn=mapping tree,cn=config entry.
> [20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel enableReplication: replicadn: cn=replica,cn="dc=linux1.tampam.de-ca-master",cn=mapping tree,cn=config
> [20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel enableReplication: Successfully create cn=replica,cn="dc=linux1.tampam.de-ca-master",cn=mapping tree,cn=config entry.
> [20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel setupReplication: Finished enabling replication
> [20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel createReplicationAgreement: dn: cn=masterAgreement1-linux2.tampam.de-ca-clone2,cn=replica,cn="dc=linux1.tampam.de-ca-master",cn=mapping tree,cn=config
> [20/Oct/2008:19:23:51][http-9443-Processor19]: About to set description attr to masterAgreement1-linux2.tampam.de-ca-clone2
> [20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel createReplicationAgreement: Successfully create replication agreement masterAgreement1-linux2.tampam.de-ca-clone2
> [20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel createReplicationAgreement: dn: cn=cloneAgreement1-linux2.tampam.de-ca-clone2,cn=replica,cn="dc=linux1.tampam.de-ca-master",cn=mapping tree,cn=config
> [20/Oct/2008:19:23:51][http-9443-Processor19]: About to set description attr to cloneAgreement1-linux2.tampam.de-ca-clone2
> [20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel createReplicationAgreement: Successfully create replication
> agreement cloneAgreement1-linux2.tampam.de-ca-clone2
> [20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel initializeConsumer: initializeConsumer dn: cn=masterAgreement1-linux2.tampam.de-ca-clone2,cn=replica,cn="dc=linux1.tampam.de-ca-master",cn=mapping tree,cn=config
> [20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel initializeConsumer: initializeConsumer host: linux1.tampam.de port: 389
> [20/Oct/2008:19:23:51][http-9443-Processor19]: DatabasePanel initializeConsumer: start modifying
> [20/Oct/2008:19:23:52][http-9443-Processor19]: DatabasePanel initializeConsumer: Finish modification.
> [20/Oct/2008:19:23:52][http-9443-Processor19]: DatabasePanel initializeConsumer: thread sleeping for 5 seconds.
> [20/Oct/2008:19:23:57][http-9443-Processor19]: DatabasePanel initializeConsumer: finish sleeping.
> [20/Oct/2008:19:23:57][http-9443-Processor19]: DatabasePanel initializeConsumer: Successfully initialize consumer
> [20/Oct/2008:19:23:57][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries checking ou=people,dc=linux1.tampam.de-ca-master
> [20/Oct/2008:19:23:57][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries ou=people,dc=linux1.tampam.de-ca-master not found, let's wait!
> [20/Oct/2008:19:24:02][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries checking ou=people,dc=linux1.tampam.de-ca-master
> [20/Oct/2008:19:24:02][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries ou=people,dc=linux1.tampam.de-ca-master not found, let's wait!
> [20/Oct/2008:19:24:07][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries checking ou=people,dc=linux1.tampam.de-ca-master
> [20/Oct/2008:19:24:07][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries ou=people,dc=linux1.tampam.de-ca-master not found, let's wait!
> [20/Oct/2008:19:24:13][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries checking ou=people,dc=linux1.tampam.de-ca-master
> [20/Oct/2008:19:24:13][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries ou=people,dc=linux1.tampam.de-ca-master not found, let's wait!
> [20/Oct/2008:19:24:18][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries checking ou=people,dc=linux1.tampam.de-ca-master
> [20/Oct/2008:19:24:18][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries ou=people,dc=linux1.tampam.de-ca-master not found, let's wait!
>
> etc. at the last entries it repeats every 5 seconds and the WebGUI
> "Internal Database" stops there waiting...
>
That seems quite unusual, could you provide more details on the exact platform used, as well as rpm and directory server used? And maybe file a bugzilla with the exact steps that were used.

> Perhaps someone can help me
>
> Regards, Klaus Heyden

From: msauton at redhat.com (Marc Sauton)
Date: Mon, 20 Oct 2008 11:47:31 -0700
Subject: [Pki-users] Failure to clone a CA
In-Reply-To: <001901c932e0$85d45cc0$917d1640$@de>
References: <001901c932e0$85d45cc0$917d1640$@de>
Message-ID: <48FCD243.9030804@redhat.com>

Klaus Heyden wrote:
>
> Hello,
>
> I've found that the replication in the directory server was incorrect.
> The master server says that there is a duplicate Replica ID. But
> there is no other replication configured?
>
We may want more details on the exact platform used, as well as rpm and directory server used, and to collect the matching slapd logs with the ca debug log provided earlier (also, the ca system log file). And maybe file a bugzilla with the exact steps that were used.
Thanks,
M.
From: alee at redhat.com (Ade Lee)
Date: Mon, 20 Oct 2008 14:51:34 -0400
Subject: [Pki-users] Failure to clone a CA
In-Reply-To: <48FCD243.9030804@redhat.com>
References: <001901c932e0$85d45cc0$917d1640$@de> <48FCD243.9030804@redhat.com>
Message-ID: <1224528694.10661.1.camel@localhost.localdomain>

Klaus,

There is a problem with CA cloning currently. I have a fix which I hope to check in within the next couple of days. This will allow you to import the certs using a pk12util file through the install wizard.

Ade
From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Mon, 20 Oct 2008 17:27:05 -0700
Subject: [Pki-users] Cannot write to MasterCRL at CA startup
Message-ID:

Is anyone familiar with this problem: I configured Ldap-Publishing on Friday and after the weekend, whenever the CA attempts to publish into the MasterCRL it couldn't, and also the Directory Server dies. This is Redhat Dirsrv. Anyone aware of a fix for this?

Julius

-------------- next part --------------
An HTML attachment was scrubbed...

From: msauton at redhat.com (Marc Sauton)
Date: Mon, 20 Oct 2008 19:01:42 -0700
Subject: [Pki-users] Cannot write to MasterCRL at CA startup
In-Reply-To:
References:
Message-ID: <48FD3806.1040304@redhat.com>

Adewumi, Julius-p99373 wrote:
>
> Is anyone familiar with this problem: I configured Ldap-Publishing on
> Friday and after the weekend,
> Whenever the CA attempts to publish into the MasterCRL it couldn't and
> also The Directory Server dies.
>
I will assume the "The Directory Server" is an external publishing directory server for your ca instance. If for any reason the publishing directory is not running, you should see some error messages in the ca debug or system logs. Could you provide the exact platform info, rpm versions for jre, rhpki-ca and redhat-ds, and some sanitized ca system and debug logs along with matching publishing rhds error logs just before the publishing directory shuts down, or contact off list?
Thx,
M.
> This is Redhat Dirsrv. Anyone aware of a fix for this?
>
> Julius

From: msauton at redhat.com (Marc Sauton)
Date: Mon, 20 Oct 2008 19:03:45 -0700
Subject: [Pki-users] Cannot write to MasterCRL at CA startup
In-Reply-To: <48FD3806.1040304@redhat.com>
References: <48FD3806.1040304@redhat.com>
Message-ID: <48FD3881.3010107@redhat.com>

You can also have a statement to not publish your master crl at start time in your CS.cfg:

ca.crl.MasterCRL.publishOnStart=false

M.
From: kheyden at web.de (Klaus Heyden)
Date: Tue, 21 Oct 2008 19:01:36 +0200
Subject: AW: [Pki-users] Failure to clone a CA
In-Reply-To: <48FCD1C8.4050400@redhat.com>
References: <000301c932d9$70205930$50610b90$@de> <48FCD1C8.4050400@redhat.com>
Message-ID: <001501c9339e$ade5aed0$09b10c70$@de>

Hello,

-----Original Message-----
>> I've got a problem at the cloning of a CA.
>>
>> At the Web GUI when I import the CA certificate file (savepkcs12) the
>> WebGui showed me an error like "PKI not active"
[some log deleted]
>> [20/Oct/2008:18:32:11][http-9443-Processor21]: RestoreKeyCertPanel: this is the clone subsystem
>> [20/Oct/2008:18:32:11][http-9443-Processor21]: RestoreKeyCertPanel update: clone does not have all the certificates.
>> [20/Oct/2008:18:32:11][http-9443-Processor21]: panel no=5
>> [20/Oct/2008:18:32:11][http-9443-Processor21]: panel name=restorekeys
>> [20/Oct/2008:18:32:11][http-9443-Processor21]: total number of panels=19
>> I have bypassed it by importing the certificates with pk12util at
>> the same time. What can be the problem because of not reading the
>> file? The file contains all necessary certificates (CA, Subsystem and OCSP).
>> This was the export file of the generation of the first instance.
> Is it possible the file /tmp/savepkcs12 copied on the cloned ca system
> could not be read by the uid running the clone instance?
The file has chmod 666 so it must be readable by nobody; I've checked it.

>> The next problem, which I can't avoid, is that the clone can't finish
>> the LDAP configuration. The debug-file shows the following:
>>
>> [20/Oct/2008:19:24:18][http-9443-Processor19]: DatabasePanel comparetAndWaitEntries ou=people,dc=linux1.tampam.de-ca-master not found, let's wait!
>> etc. at the last entries it repeats every 5 seconds and the WebGUI
>> "Internal Database" stops there waiting...
>>
> That seems quite unusual, could you provide more details on the exact
> platform used, as well as rpm and directory server used?
> And maybe file a bugzilla with the exact steps that were used.

I am using this in a Fedora Core 9 installation and I've also got this problem in RHEL 5.2 (target platform), with actual updates. The directory server is Fedora 1.1.3-2 (Fedora base package), the certificate server is 1.0.0-6 (pki-ca package), the pki-common package is 1.0.0-8.

These are the packages:

Certificate Server:
pki-java-tools-1.0.0-1.fc9.noarch
pki-setup-1.0.0-2.fc9.noarch
pki-util-1.0.0-2.fc9.noarch
pki-native-tools-1.0.0-1.fc9.i386
pki-common-ui-1.0.0-2.fc9.noarch
pki-ca-ui-1.0.0-1.fc9.noarch
pki-ca-1.0.0-6.fc9.noarch
pki-common-1.0.0-8.fc9.noarch

Directory Server:
fedora-ds-dsgw-1.1.1-1.fc9.i386
fedora-ds-admin-1.1.6-1.fc9.i386
fedora-ds-admin-console-1.1.2-1.fc9.noarch
fedora-ds-console-1.1.2-2.fc9.noarch
fedora-ds-base-1.1.3-2.fc9.i386
fedora-ds-1.1.2-1.fc9.i386

regards Klaus

From: Julius.Adewumi at gdc4s.com (Adewumi, Julius-p99373)
Date: Tue, 21 Oct 2008 10:25:38 -0700
Subject: [Pki-users] Cannot write to MasterCRL at CA startup
In-Reply-To: <48FD3881.3010107@redhat.com>
References: <48FD3806.1040304@redhat.com> <48FD3881.3010107@redhat.com>
Message-ID:

Marc,

I saw the publishOnStart flag and to my surprise yesterday it was already "false". Below are the logs in CA: logs/system, logs/debug.
This morning I restarted RH-DS and the rhpki-ca. DS stayed up after I started CA; however, the CA console will not start, just like it was doing throughout yesterday. Here are the logs. This is a test pki system so I am going to re-install the pki system, but I need to know what I am doing/not-doing wrong. The Dirsrv is on a separate node from the CA.

For RH-DS versions:
Redhat-idm-console-1.0.0-21.el4idm
Redhat-admin-console-8.0.0.9.el4dsrv
Java-1.4.2-ibm-javacomm-1.4.2.10-1jpp.2.el4
Java-1.6.0-ibm-plugin-1.6.0.1-1jpp.2.el4

From rhpki-ca (this is version 7.3 with the downloaded fixes):
rhpki-native-tools-7.3.0-5.el4
rhpki-kra-7.3.0-8.el4
rhpki-ocsp-7.3.0-8.el4
rhpki-manage-7.3.0-12.el4
rhpki-util-7.3.0-11.el4
rhpki-java-tools-7.3.0-9.el4
rhpki-console-7.3.0-10.el4
rhpki-migrate-7.3.0-9.el4
rhpki-common-7.3.0-16.el4
rhpki-ca-7.3.0-9.el4
rhpki-tks-7.3.0-9.el4
rhpki-tps-7.3.0-15.el4

Here are the logs:

# tail system
7020.CRLIssuingPoint-MasterCRL - [20/Oct/2008:16:48:35 MST] [3] [3] CRLIssuingPoint MasterCRL - Failed to sign or store CRL LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, dc=tf1-tve-spki001.-rhpki-ca netscape.ldap.LDAPException: failed to connect to server ldap://tf1-tve-qpki001:389 (91)
7020.main - [20/Oct/2008:16:48:35 MST] [8] [3] In Ldap (bound) connection pool to host tf1-tve-qpki001 port 389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://tf1-tve-qpki001:389 (91)
7020.CRLIssuingPoint-MasterCRL - [20/Oct/2008:16:48:35 MST] [3] [3] CRLIssuingPoint MasterCRL - Cannot update CRL. Error: Failed constructing CRL : LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, dc=tf1-tve-spki001.-rhpki-ca netscape.ldap.LDAPException: failed to connect to server ldap://tf1-tve-qpki001:389 (91)
7020.main - [20/Oct/2008:16:48:35 MST] [3] [3] CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the internaldb.
Error LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, dc=tf1-tve-spki001.-rhpki-ca netscape.ldap.LDAPException: failed to connect to server ldap://tf1-tve-qpki001:389 (91)
7980.main - [20/Oct/2008:16:52:35 MST] [8] [3] In Ldap (bound) connection pool to host tf1-tve-qpki001. port 389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://tf1-tve-qpki001:389 (91)
7980.CertStatusUpdateThread - [20/Oct/2008:16:52:35 MST] [5] [3] Operation Error - netscape.ldap.LDAPException: failed to connect to server ldap://tf1-tve-qpki001:389 (91)
7980.CertStatusUpdateThread - [20/Oct/2008:16:52:35 MST] [5] [3] Null response control
7980.CRLIssuingPoint-MasterCRL - [20/Oct/2008:16:52:35 MST] [3] [3] CRLIssuingPoint MasterCRL - Failed to sign or store CRL LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, dc=tf1-tve-spki001-rhpki-ca netscape.ldap.LDAPException: failed to connect to server ldap://tf1-tve-qpki001:389 (91)
7980.CRLIssuingPoint-MasterCRL - [20/Oct/2008:16:52:35 MST] [3] [3] CRLIssuingPoint MasterCRL - Cannot update CRL. Error: Failed constructing CRL : LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, dc=tf1-tve-spki001.-rhpki-ca netscape.ldap.LDAPException: failed to connect to server ldap://tf1-tve-qpki001:389 (91)
7980.main - [20/Oct/2008:16:52:35 MST] [3] [3] CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the internaldb. Error LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, dc=tf1-tve-spki001-rhpki-ca netscape.ldap.LDAPException: failed to connect to server ldap://tf1-tve-qpki001:389 (91)
#

# tail localhost.2008-10-20.log
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:526)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
java:107) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:1 48) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:85 6) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processC onnection(Http11Protocol.java:744) at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint .java:527) at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollow erWorkerThread.java:80) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool .java:684) at java.lang.Thread.run(Thread.java:810) ########################################## # Re-do today "service rhpki-ca restart" # after "service dirsrv restart" ########################################## # tail system 7980.CertStatusUpdateThread - [21/Oct/2008:09:02:43 MST] [5] [3] Operation Error - netscape.ldap.LDAPException: not connected (80) 7980.CertStatusUpdateThread - [21/Oct/2008:09:02:43 MST] [5] [3] Null response control 7980.CertStatusUpdateThread - [21/Oct/2008:09:02:43 MST] [5] [3] Operation Error - netscape.ldap.LDAPException: not connected (80) 7980.CertStatusUpdateThread - [21/Oct/2008:09:02:43 MST] [5] [3] Null response control 7980.CertStatusUpdateThread - [21/Oct/2008:09:12:43 MST] [5] [3] Operation Error - netscape.ldap.LDAPException: not connected (80) 7980.CertStatusUpdateThread - [21/Oct/2008:09:12:43 MST] [5] [3] Null response control 7980.CertStatusUpdateThread - [21/Oct/2008:09:12:43 MST] [5] [3] Operation Error - netscape.ldap.LDAPException: not connected (80) 7980.CertStatusUpdateThread - [21/Oct/2008:09:12:43 MST] [5] [3] Null response control 7980.CertStatusUpdateThread - [21/Oct/2008:09:12:43 MST] [5] [3] Operation Error - netscape.ldap.LDAPException: not connected (80) 7980.CertStatusUpdateThread - [21/Oct/2008:09:12:43 MST] [5] [3] Null response control # tail debug at org.apache.catalina.core.StandardService.start(StandardService.java:450) at 
org.apache.catalina.core.StandardServer.start(StandardServer.java:683) at org.apache.catalina.startup.Catalina.start(Catalina.java:537) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav a:79) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor Impl.java:43) at java.lang.reflect.Method.invoke(Method.java:618) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409) [21/Oct/2008:09:24:57][main]: CMSEngine.shutdown() # Why is CA console not coming up? -----Original Message----- From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Marc Sauton Sent: Monday, October 20, 2008 7:04 PM To: Adewumi, Julius-p99373 Cc: pki-users at redhat.com Subject: Re: [Pki-users] Cannot write to MasterCRL at CA startup You can also have a statement to not publish your master crl at start time in your CS.cfg: ca.crl.MasterCRL.publishOnStart=false M. Marc Sauton wrote: > Adewumi, Julius-p99373 wrote: >> >> Is anyone familiar with this problem: I configured Ldap-Publishing >> on Friday and after the weekend, Whenever the CA attempts to publish >> into tne MasterCRL it couldn't and also The Directory Server dies. >> > I will assume the "The Directory Server" is an external publishing > directory server for your ca instance. > If for any reasons the publishing directory is not running, you should > see some error messages in the ca debug or system logs. > Could you provide with exact platform info, rpm versions for jre, > rhpki-ca and redhat-ds, and some sanitized ca system and debug logs > along with matching publishing rhds error logs just before the > publishing directory shuts down, or contact off list? > Thx, > M. >> >> This is Redhat Dirsrv. Anyone aware of a fix for this? 
>> >> Julius >> >> --------------------------------------------------------------------- >> --- >> >> _______________________________________________ >> Pki-users mailing list >> Pki-users at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-users >> > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users _______________________________________________ Pki-users mailing list Pki-users at redhat.com https://www.redhat.com/mailman/listinfo/pki-users From kheyden at web.de Tue Oct 21 17:30:13 2008 From: kheyden at web.de (Klaus Heyden) Date: Tue, 21 Oct 2008 19:30:13 +0200 Subject: AW: [Pki-users] Failure to clone a CA In-Reply-To: <1224528694.10661.1.camel@localhost.localdomain> References: <001901c932e0$85d45cc0$917d1640$@de> <48FCD243.9030804@redhat.com> <1224528694.10661.1.camel@localhost.localdomain> Message-ID: <001601c933a2$ad151b90$073f52b0$@de> Hi, thanks, this will be fix my bypass via import with pk12util at the same time. More serious is the problem with the directory server. At the generation of the clone instance it will stop with the replication problem. I think the replication is configured by the pkicreate command. There might be the reason. Regards -----Urspr?ngliche Nachricht----- Von: alee at redhat.com [mailto:alee at redhat.com] Gesendet: Montag, 20. Oktober 2008 20:52 An: Marc Sauton Cc: Klaus Heyden; pki-users at redhat.com Betreff: Re: [Pki-users] Failure to clone a CA Klaus, There is a problem with CA cloning currently. I have a fix which I hope to check in within the next couple of days. This will allow you to import the certs using a pk12util file through the install wizard. Ade On Mon, 2008-10-20 at 11:47 -0700, Marc Sauton wrote: > Klaus Heyden wrote: > > > > Hello, > > > > i?ve found that the replication in the directory server was incorrect. > > The Master Server say?s that there is a duplicate Replica ID. 
> > But there is no other replication configured?
> >
> We may want more details on the exact platform used, as well as rpm and directory server used, and to collect the matching slapd logs with the ca debug log provided earlier (also, the ca system log file).
> And maybe file a bugzilla with the exact steps that were used.
> Thanks,
> M.

From msauton at redhat.com Tue Oct 21 18:20:46 2008
From: msauton at redhat.com (Marc Sauton)
Date: Tue, 21 Oct 2008 11:20:46 -0700
Subject: [Pki-users] Cannot write to MasterCRL at CA startup
In-Reply-To:
References: <48FD3806.1040304@redhat.com> <48FD3881.3010107@redhat.com>
Message-ID: <48FE1D7E.1050203@redhat.com>

Adewumi, Julius-p99373 wrote:
> Marc,
> I saw the publishOnStart flag and to my surprise yesterday it was already "false".
So the ca is likely trying to publish the crl after the instance started.
> Below are the logs in CA:logs/system, logs/debug.
> This morning I restarted RH-DS and the rhpki-ca. DS stayed up after I started CA, however the CA console will not start just like it was doing throughout yesterday.
The internal db must run before the ca instance starts.
> Here are the logs. This is a test pki system so I am going to re-install the pki system
> But I need to know what I am doing/not-doing wrong.
> The Dirsrv is on separate node from the CA.
You should also have redhat-ds installed on the CA for the internal db. The publishing directory can be a remote system, assuming tcp connections are available as well as a reliable network connection.
> For RH-DS versions:
>
> Redhat-idm-console-1.0.0-21.el4idm
> Redhat-admin-console-8.0.0.9.el4dsrv
> Java-1.4.2-ibm-javacomm-1.4.2.10-1jpp.2.el4
> Java-1.6.0-ibm-plugin-1.6.0.1-1jpp.2.el4
You may want to verify with a:
/usr/sbin/alternatives --config java
For DogTag the 1.6 JRE is ok as per http://pki.fedoraproject.org/wiki/PKI_Runtime_Environments
But it seems like you are using RHCS, so I would expect to see a 1.5 JRE:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Installation_and_Configuration-Prerequisites.html#Administration_Guide-Prerequisites-Required_Programs_and_Dependencies
"Java™ 1.5.0 Java Runtime Environment (JRE). Certificate System does not support earlier versions of the JRE. This JRE is required for running Tomcat, among other applications for the Certificate System."
> From rhpki-ca : (This is version 7.3 with the downloaded fixes)
>
> rhpki-native-tools-7.3.0-5.el4
> rhpki-kra-7.3.0-8.el4
> rhpki-ocsp-7.3.0-8.el4
> rhpki-manage-7.3.0-12.el4
> rhpki-util-7.3.0-11.el4
> rhpki-java-tools-7.3.0-9.el4
> rhpki-console-7.3.0-10.el4
> rhpki-migrate-7.3.0-9.el4
> rhpki-common-7.3.0-16.el4
> rhpki-ca-7.3.0-9.el4
> rhpki-tks-7.3.0-9.el4
> rhpki-tps-7.3.0-15.el4
>
This is RHCS, not DogTag. Note you are behind several errata from RHN, there are newer rpms.
> Here are the logs:
>
> # tail system
> 7020.CRLIssuingPoint-MasterCRL - [20/Oct/2008:16:48:35 MST] [3] [3] CRLIssuingPoint MasterCRL - Failed to sign or store CRL LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, dc=tf1-tve-spki001.-rhpki-ca netscape.ldap.LDAPException: failed to connect to server ldap://tf1-tve-qpki001:389 (91)
> 7020.main - [20/Oct/2008:16:48:35 MST] [8] [3] In Ldap (bound) connection pool to host tf1-tve-qpki001 port 389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://tf1-tve-qpki001:389 (91)
> [...]
> 7980.main - [20/Oct/2008:16:52:35 MST] [3] [3] CRLIssuingPoint MasterCRL - Cannot store the CRL cache in the internaldb. Error LDAP operation failure - cn=MasterCRL,ou=crlIssuingPoints, ou=ca, dc=tf1-tve-spki001-rhpki-ca netscape.ldap.LDAPException: failed to connect to server ldap://tf1-tve-qpki001:389 (91)
>
error 91 is: 91 CONNECT_ERROR
Can the system running the ca instance reach the publishing directory on its tcp port?
> #
>
> #tail localhost.2008-10-20.log
> [...]
>
> ##########################################
> # Re-do today "service rhpki-ca restart"
> # after "service dirsrv restart"
> ##########################################
>
> # tail system
> 7980.CertStatusUpdateThread - [21/Oct/2008:09:02:43 MST] [5] [3] Operation Error - netscape.ldap.LDAPException: not connected (80)
> 7980.CertStatusUpdateThread - [21/Oct/2008:09:02:43 MST] [5] [3] Null response control
> [...]
>
> # tail debug
> [...]
> [21/Oct/2008:09:24:57][main]: CMSEngine.shutdown()
>
> #
>
> Why is CA console not coming up?
>
Probably the internal db was not running at that moment.
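Marc's diagnosis above comes down to two checks: which LDAP result code the CA is reporting, and whether the CA host can reach the directory on its tcp port. The Python script below is an added example, not code from this thread or from Red Hat Certificate System: it parses system-log lines of the shape shown above, maps code 91 to CONNECT_ERROR as Marc states (other codes fall back to the exception text), counts failures per target host:port, and probes that port with a plain TCP connect. The sample lines are constructed from the logs posted above.

```python
"""Triage RHCS CA system-log LDAP failures and probe the directory port.

Added example for this thread; not code from Red Hat Certificate System.
Log-line shape is taken from the logs posted above:
  <pid>.<thread> - [dd/Mon/yyyy:HH:MM:SS TZ] [level] [category] <message>
where a failed directory operation ends in
  netscape.ldap.LDAPException: <text> (<code>)
"""
import re
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Only the code named in the thread is mapped here (91 = CONNECT_ERROR, per
# Marc's reply); any other code is reported by its exception text instead.
LDAP_CODE_NAMES = {91: "CONNECT_ERROR"}

LINE_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<thread>\S+) - \[(?P<ts>[^\]]+)\] "
    r"\[(?P<level>\d+)\] \[(?P<cat>\d+)\] (?P<msg>.*)$"
)
LDAP_EXC_RE = re.compile(
    r"netscape\.ldap\.LDAPException: (?P<text>.+?) \((?P<code>\d+)\)"
)
LDAP_URL_RE = re.compile(r"ldap://(?P<host>[^:/\s]+):(?P<port>\d+)")


@dataclass
class LdapFailure:
    pid: int
    thread: str
    timestamp: str
    code: int
    text: str                           # exception text, e.g. "not connected"
    target: Optional[Tuple[str, int]]   # (host, port) when the line names one

    @property
    def code_name(self) -> str:
        return LDAP_CODE_NAMES.get(self.code, self.text)


def parse_line(line: str) -> Optional[LdapFailure]:
    """Return an LdapFailure for a line carrying an LDAPException, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    exc = LDAP_EXC_RE.search(m["msg"])
    if not exc:
        return None
    url = LDAP_URL_RE.search(m["msg"])
    target = (url["host"], int(url["port"])) if url else None
    return LdapFailure(int(m["pid"]), m["thread"], m["ts"],
                       int(exc["code"]), exc["text"], target)


def summarize(lines: List[str]) -> Dict[str, Counter]:
    """Count LDAP failures per code name and per target host:port."""
    by_code: Counter = Counter()
    by_target: Counter = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        by_code[f.code_name] += 1
        if f.target:
            by_target["%s:%d" % f.target] += 1
    return {"by_code": by_code, "by_target": by_target}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Marc's question, answered mechanically: does a TCP connect to the
    directory port succeed from the host running the ca instance?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:   # refused, unreachable, timed out, or name lookup failed
        return False


# Constructed sample: two lines from the 20 Oct log, one from the 21 Oct restart.
SAMPLE_LINES = [
    "7020.main - [20/Oct/2008:16:48:35 MST] [8] [3] In Ldap (bound) connection pool "
    "to host tf1-tve-qpki001 port 389, Cannot connect to LDAP server. Error: "
    "netscape.ldap.LDAPException: failed to connect to server "
    "ldap://tf1-tve-qpki001:389 (91)",
    "7980.CertStatusUpdateThread - [20/Oct/2008:16:52:35 MST] [5] [3] Null response control",
    "7980.CertStatusUpdateThread - [21/Oct/2008:09:02:43 MST] [5] [3] Operation Error - "
    "netscape.ldap.LDAPException: not connected (80)",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for name, counter in report.items():
        print(name, dict(counter))
    for target in report["by_target"]:
        host, port = target.rsplit(":", 1)
        state = "reachable" if tcp_reachable(host, int(port)) else "NOT reachable"
        print(target, state)
```

Run it on the real logs/system file and, from the CA host, against each host:port it reports; a CONNECT_ERROR count with an unreachable port points at the network or the directory process, not at the CA configuration.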
> [...]

From alee at redhat.com Mon Oct 27 16:34:13 2008
From: alee at redhat.com (Ade Lee)
Date: Mon, 27 Oct 2008 12:34:13 -0400
Subject: AW: [Pki-users] Failure to clone a CA
In-Reply-To: <001601c933a2$ad151b90$073f52b0$@de>
References: <001901c932e0$85d45cc0$917d1640$@de> <48FCD243.9030804@redhat.com> <1224528694.10661.1.camel@localhost.localdomain> <001601c933a2$ad151b90$073f52b0$@de>
Message-ID: <1225125253.31197.3.camel@localhost.localdomain>

Klaus,

I just checked in changes which should allow you to create a clone. You will need to download and build the latest source to obtain the changes.

For reference, the BZ that describes these changes is at https://bugzilla.redhat.com/show_bug.cgi?id=223309

Ade

On Tue, 2008-10-21 at 19:30 +0200, Klaus Heyden wrote:
> Hi,
>
> thanks, this will fix my bypass via import with pk12util at the same time.
>
> More serious is the problem with the directory server. At the generation of the clone instance it will stop with the replication problem. I think the replication is configured by the pkicreate command. That might be the reason.
>
> Regards
> [...]

From KLAUS.HEYDEN at ALLIANZ.DE Wed Oct 29 18:35:55 2008
From: KLAUS.HEYDEN at ALLIANZ.DE (Heyden, Klaus (Allianz ASIC))
Date: Wed, 29 Oct 2008 19:35:55 +0100
Subject: [Pki-users] failed Administrator logon
Message-ID: <34246FDCA62FF54096CF226B2BDFBEAE5F30B0@naimucvl.allianzde.rootdom.net>

Hello,

I have the problem that the CA doesn't accept the Administrator login, either on the HTTPS interface or via pkiconsole. It's a new installation and the Admin certificate exists in the browser with its secret key. The problem is that the CA at first did its job normally. When I now try to login I get a catalina error like this. I didn't reconfigure the CA, only restarted it. I also configured an HSM (Luna) but don't use keys inside the HSM.
-------------------catalina.out----------------------------------
Oct 29, 2008 5:43:55 PM org.apache.catalina.core.ApplicationContext log
INFO: caListRequests: You did not provide a valid certificate for this operation
----------------------------------------------------------------------

the debug-file shows:
---------------------debug----------------------------------------
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service() uri = /ca/agent/header
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet::service() param name='selected' value='ca'
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: caheader start to service.
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet.java: renderTemplate
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: curDate=Wed Oct 29 18:15:07 CET 2008 id=caheader time=0
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service() uri = /ca/agent/ca/listRequests.html
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: caListRequests start to service.
[29/Oct/2008:18:15:07][http-9443-Processor21]: DisplayHtmlServlet about to service
[29/Oct/2008:18:15:07][http-9443-Processor21]: IP: 10.94.112.222
[29/Oct/2008:18:15:07][http-9443-Processor21]: AuthMgrName: certUserDBAuthMgr
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: retrieving SSL certificate
[29/Oct/2008:18:15:07][http-9443-Processor21]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$] authentication failure
[29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: getConn: mNumConns now 2
[29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: ObjectStreamMapper:mapObjectToLDAPAttributeSet revokedCerts size=84
[29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: ObjectStreamMapper:mapObjectToLDAPAttributeSet unrevokedCerts size=84
[29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: ObjectStreamMapper:mapObjectToLDAPAttributeSet expiredCerts size=84
[29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: returnConn: mNumConns now 3
----------------------------------------------------------------------

certutil -L -d . shows me:
----------------------------------------------------------------------
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI
ocspSigningCert cert-ca4-1                   u,u,u
subsystemCert cert-ca4-1                     u,u,u
caSigningCert cert-ca4-1                     CTu,Cu,Cu
Server-Cert cert-ca4-1                       u,u,u
Allianz Group Root CA II - Allianz Group     CT,C,C
----------------------------------------------------------------------

regards
Klaus Heyden
From msauton at redhat.com Wed Oct 29 19:37:39 2008
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 29 Oct 2008 12:37:39 -0700
Subject: [Pki-users] failed Administrator logon
In-Reply-To: <34246FDCA62FF54096CF226B2BDFBEAE5F30B0@naimucvl.allianzde.rootdom.net>
References: <34246FDCA62FF54096CF226B2BDFBEAE5F30B0@naimucvl.allianzde.rootdom.net>
Message-ID: <4908BB83.5080507@redhat.com>

Heyden, Klaus (Allianz ASIC) wrote:
> Hello,
>
> I have the problem that the CA doesn't accept the Administrator login, either on the HTTPS interface or via pkiconsole. It's a new installation and the Admin certificate exists in the browser with its secret key. The problem is that the CA at first did its job normally. When I now try to login I get a catalina error like this. I didn't reconfigure the CA, only restarted it. I also configured an HSM (Luna) but don't use keys inside the HSM.
You may want to collect the ca debug log when you try to do client auth in your browser against the https agent pages.
Or review the debug log during the ca instance configuration, near the key generation for the ca instance or when you selected either a software token or hsm, for any errors.
I suppose the ca instance was restarted after the web based wizard configuration was successfully completed.
It is always possible to use another client certificate for an agent or admin user of the certificate system.
You may want to verify the browser has and trusts the issuer of the agent cert you try to use.
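The debug log posted above records the failed logon as a signed-audit AUTH_FAIL event whose SubjectID, AuthMgr and AttemptedCred are all $Unidentified$, preceded on the same Tomcat worker thread by the client IP and the auth manager name; that is the trace Marc suggests collecting while doing client auth from the browser. The Python script below is an added example, not code from this thread or from Red Hat Certificate System: it extracts those events from debug-log lines, ties each to its thread's IP and AuthMgrName context, and flags the fully unattributed AUTH_FAIL pattern. The sample lines are constructed from the log above.

```python
"""Pull signed-audit AUTH_FAIL events out of an RHCS CA debug log.

Added example for this thread; not code from Red Hat Certificate System.
Line shapes follow the debug log posted above:
  [dd/Mon/yyyy:HH:MM:SS][<thread>]: IP: <client ip>
  [dd/Mon/yyyy:HH:MM:SS][<thread>]: AuthMgrName: <auth manager>
  [dd/Mon/yyyy:HH:MM:SS][<thread>]: SignedAuditEventFactory: create() message=[K=V][K=V]... <text>
The three lines share the worker-thread name, which is what ties them together.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

PREFIX_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<body>.*)$")
AUDIT_RE = re.compile(
    r"SignedAuditEventFactory: create\(\) message="
    r"(?P<fields>(?:\[[^\]]*\])+)\s*(?P<text>.*)$"
)
FIELD_RE = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")
UNIDENTIFIED = "$Unidentified$"


@dataclass
class AuditEvent:
    timestamp: str
    thread: str
    fields: Dict[str, str]
    text: str
    client_ip: Optional[str] = None      # from the preceding "IP:" line, same thread
    auth_mgr_name: Optional[str] = None  # from the preceding "AuthMgrName:" line

    @property
    def unattributed_auth_fail(self) -> bool:
        """AUTH_FAIL the CA could not tie to any subject or auth manager: the
        pattern logged above right after 'retrieving SSL certificate', i.e. no
        valid client certificate reached the agent/admin interface."""
        return (self.fields.get("AuditEvent") == "AUTH_FAIL"
                and self.fields.get("SubjectID") == UNIDENTIFIED
                and self.fields.get("AuthMgr") == UNIDENTIFIED)


def parse_audit_events(lines: List[str]) -> List[AuditEvent]:
    """Walk the debug log once, remembering per-thread IP / AuthMgrName context."""
    ip_by_thread: Dict[str, str] = {}
    mgr_by_thread: Dict[str, str] = {}
    events: List[AuditEvent] = []
    for raw in lines:
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue
        thread, body = m["thread"], m["body"]
        if body.startswith("IP: "):
            ip_by_thread[thread] = body[len("IP: "):].strip()
        elif body.startswith("AuthMgrName: "):
            mgr_by_thread[thread] = body[len("AuthMgrName: "):].strip()
        else:
            a = AUDIT_RE.match(body)
            if a:
                fields = dict(FIELD_RE.findall(a["fields"]))
                events.append(AuditEvent(m["ts"], thread, fields, a["text"].strip(),
                                         ip_by_thread.get(thread),
                                         mgr_by_thread.get(thread)))
    return events


def failures_by_ip(events: List[AuditEvent]) -> Counter:
    """Count Outcome=Failure events per client IP (key None if no IP line preceded it)."""
    return Counter(e.client_ip for e in events if e.fields.get("Outcome") == "Failure")


# Constructed sample: the relevant lines from the 29 Oct debug log, plus one
# unrelated CRL line to show it is ignored.
SAMPLE_LOG = [
    "[29/Oct/2008:18:15:07][http-9443-Processor21]: IP: 10.94.112.222",
    "[29/Oct/2008:18:15:07][http-9443-Processor21]: AuthMgrName: certUserDBAuthMgr",
    "[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: retrieving SSL certificate",
    "[29/Oct/2008:18:15:07][http-9443-Processor21]: SignedAuditEventFactory: create() "
    "message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure]"
    "[AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$] authentication failure",
    "[29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: getConn: mNumConns now 2",
]

if __name__ == "__main__":
    found = parse_audit_events(SAMPLE_LOG)
    for ev in found:
        print(ev.timestamp, ev.client_ip, ev.auth_mgr_name, ev.fields.get("AuditEvent"),
              "no usable client cert" if ev.unattributed_auth_fail else "")
    print(dict(failures_by_ip(found)))
```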
> [...]

From kheyden at web.de Wed Oct 29 21:01:27 2008
From: kheyden at web.de (Klaus Heyden)
Date: Wed, 29 Oct 2008 22:01:27 +0100
Subject: [Pki-users] failed Administrator logon
Message-ID: <382035744@web.de>

Hello,

I've checked it, the CA is trusted (Firefox browser). I also have the problem that the logon with pkiconsole now crashes. The login window comes up, and after username/password the pkiconsole exits. Tomorrow I will look in the debug log for what happens and also use IE for testing.

regards Klaus Heyden

> -----Original Message-----
> From: "Marc Sauton"
> Sent: 29.10.08 20:38:09
> To: Klaus (Allianz ASIC)"
> CC: pki-users at redhat.com
> Subject: Re: [Pki-users] failed Administrator logon
> Heyden, Klaus (Allianz ASIC) wrote:
> > [...]
> You may want to collect the ca debug log when you try to do client auth in your browser against the https agent pages.
> Or review the debug log during the ca instance configuration, near the key generation for the ca instance or when you selected either a software token or hsm, for any errors.
> I suppose the ca instance was restarted after the web based wizard configuration was successfully completed.
> It is always possible to use another client certificate for an agent or admin user of the certificate system.
> You may want to verify the browser has and trusts the issuer of the agent cert you try to use.
> [...]

From msauton at redhat.com Wed Oct 29 22:05:32 2008
From: msauton at redhat.com (Marc Sauton)
Date: Wed, 29 Oct 2008 15:05:32 -0700
Subject: [Pki-users] failed Administrator logon
In-Reply-To: <382035744@web.de>
References: <382035744@web.de>
Message-ID: <4908DE2C.1040603@redhat.com>

Also make sure you have the correct expected java runtime for your platform:
http://pki.fedoraproject.org/wiki/PKI_Runtime_Environments
M.

Klaus Heyden wrote:
> Hello,
>
> I've checked it, the CA is trusted (Firefox browser). I also have the problem that the logon with pkiconsole now crashes. The login window comes up, and after username/password the pkiconsole exits. Tomorrow I will look in the debug log for what happens and also use IE for testing.
>
> regards Klaus Heyden
>
>
>> -----Original Message-----
>> From: "Marc Sauton"
>> Sent: 29.10.08 20:38:09
>> To: Klaus (Allianz ASIC)"
>> CC: pki-users at redhat.com
>> Subject: Re: [Pki-users] failed Administrator logon
>>
>
>> Heyden, Klaus (Allianz ASIC) wrote:
>>
>>> Hello,
>>>
>>> I have the problem that the CA doesn't accept the Administrator login, either on the HTTPS interface or via pkiconsole. It's a new installation, and the admin certificate exists in the browser with its secret key. The problem is that the CA at first did its job normally. When I now try to log in I get a catalina error like this. I didn't reconfigure the CA, only restarted it. I also configured an HSM (Luna) but don't use keys inside the HSM.
>>>
>> You may want to collect the ca debug log when you try to do client auth in your browser against the https agent pages.
>> Or review the debug log during the ca instance configuration, near the key generation for the ca instance or when you selected either a software token or hsm, for any errors.
>> I suppose the ca instance was restarted after the web based wizard configuration was successfully completed.
>> It is always possible to use another client certificate for an agent or admin user of the certificate system.
>> You may want to verify the browser has and trusts the issuer of the agent cert you try to use.
>>
>>> -------------------catalina.out----------------------------------
>>> Oct 29, 2008 5:43:55 PM org.apache.catalina.core.ApplicationContext log"
>>> INFO: caListRequests: You did not provide a valid certificate for this operation
>>> ----------------------------------------------------------------------
>>>
>>> the debug file shows:
>>> ---------------------debug----------------------------------------
>>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service() uri = /ca/agent/header
>>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet::service() param name='selected' value='ca'
>>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: caheader start to service.
>>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet.java: renderTemplate
>>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: curDate=Wed Oct 29 18:15:07 CET 2008 id=caheader time=0
>>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service() uri = /ca/agent/ca/listRequests.html
>>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: caListRequests start to service.
>>> [29/Oct/2008:18:15:07][http-9443-Processor21]: DisplayHtmlServlet about to service
>>> [29/Oct/2008:18:15:07][http-9443-Processor21]: IP: 10.94.112.222
>>> [29/Oct/2008:18:15:07][http-9443-Processor21]: AuthMgrName: certUserDBAuthMgr
>>> [29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: retrieving SSL certificate
>>> [29/Oct/2008:18:15:07][http-9443-Processor21]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$] authentication failure
>>> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: getConn: mNumConns now 2
>>> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: ObjectStreamMapper:mapObjectToLDAPAttributeSet revokedCerts size=84
>>> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: ObjectStreamMapper:mapObjectToLDAPAttributeSet unrevokedCerts size=84
>>> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: ObjectStreamMapper:mapObjectToLDAPAttributeSet expiredCerts size=84
>>> [29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: returnConn: mNumConns now 3
>>> ----------------------------------------------------------------------
>>>
>>> certutil -L -d . shows me:
>>> ----------------------------------------------------------------------
>>> Certificate Nickname                              Trust Attributes
>>>                                                   SSL,S/MIME,JAR/XPI
>>>
>>> ocspSigningCert cert-ca4-1                        u,u,u
>>> subsystemCert cert-ca4-1                          u,u,u
>>> caSigningCert cert-ca4-1                          CTu,Cu,Cu
>>> Server-Cert cert-ca4-1                            u,u,u
>>> Allianz Group Root CA II - Allianz Group          CT,C,C
>>> ----------------------------------------------------------------------
>>>
>>> regards
>>> Klaus Heyden
>>>
>>> ------------------------------------------------------------------------
>>>
>>
>

From Jan.Meijer at uninett.no Thu Oct 30 18:16:22 2008
From: Jan.Meijer at uninett.no (Jan Meijer)
Date: Thu, 30 Oct 2008 19:16:22 +0100 (CET)
Subject: [Pki-users] CMCEnroll: java.io.IOException: Internal Error - java.io.IOException: Sequence tag error 9
Message-ID:

Hi!

I'm trying to get CMC signed enrollment to work.

What I want to do is create certificate requests via a web based tool on one server, and ship them to the CA for auto-vetting. It looks like in my situation using signed CMC is the most simple solution.
I *think* I have set everything up correctly but, when I try to test my assumption by using either CMCEnroll or CMCRequest to create a CMC request, I get the following error:

[root at ebbe test]# CMCEnroll -d "/root/test/cmc-agent/" -n "cmc" -r "/root/test/test3.csr" -p "bla"
cert/key prefix =
path = /root/test/cmc-agent/
java.io.IOException: Internal Error - java.io.IOException: Sequence tag error 9
        at com.netscape.cmstools.CMCEnroll.getCMCBlob(CMCEnroll.java:133)
        at com.netscape.cmstools.CMCEnroll.main(CMCEnroll.java:412)

and the same error comes when using CMCRequest.

Now, this is NOT an error with the CA setup, as the CA doesn't come into play yet, no? Unfortunately I haven't debugged enough Java problems yet to understand what the error means. Maybe there's some library/class missing somewhere?

If anyone could help out that would be great :)

I'm running Fedora 9 and DogTag 1.00, package list is below:

[root at ebbe test]# yum list | grep pki
pki-ca.noarch                      1.0.0-6.fc9       installed
pki-ca-ui.noarch                   1.0.0-1.fc9       installed
pki-common.noarch                  1.0.0-8.fc9       installed
pki-common-ui.noarch               1.0.0-2.fc9       installed
pki-console.noarch                 1.0.0-4.fc9       installed
pki-console-ui.noarch              1.0.0-1.fc9       installed
pki-java-tools.noarch              1.0.0-1.fc9       installed
pki-native-tools.i386              1.0.0-1.fc9       installed
pki-ra.noarch                      1.0.0-2.fc9       installed
pki-ra-ui.noarch                   1.0.0-1.fc9       installed
pki-setup.noarch                   1.0.0-2.fc9       installed
pki-util.noarch                    1.0.0-2.fc9       installed
krb5-pkinit-openssl.i386           1.6.3-10.fc9      fedora
pki-common-javadoc.noarch          1.0.0-8.fc9       pki
pki-java-tools-javadoc.noarch      1.0.0-1.fc9       pki
pki-kra.noarch                     1.0.0-2.fc9       pki
pki-kra-ui.noarch                  1.0.0-2.fc9       pki
pki-manage.noarch                  1.0.0-1.fc9       pki
pki-migrate.noarch                 1.0.0-1.fc9       pki
pki-ocsp.noarch                    1.0.0-2.fc9       pki
pki-ocsp-ui.noarch                 1.0.0-1.fc9       pki
pki-silent.noarch                  1.0.0-1.fc9       pki
pki-tks.noarch                     1.0.0-2.fc9       pki
pki-tks-ui.noarch                  1.0.0-1.fc9       pki
pki-tps.i386                       1.0.0-2.fc9       pki
pki-tps-ui.noarch                  1.0.0-2.fc9       pki
pki-util-javadoc.noarch            1.0.0-2.fc9       pki

The contents of test3.csr:

[root at ebbe test]# cat test3.csr

Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: test4
Email: (not specified)
Organization: (not specified)
State: (not specified)
Country: (not specified)

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBTzCBuQIBADAQMQ4wDAYDVQQDEwV0ZXN0NDCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEA5wv8VPSNH7HH0Nsdr2/3xu3fqglDbQUz8CxhFvFHXm26a1DlyC+l
pqZXCgozJzpb1N5EXDR/Wg1VVbcJNnKyvJOa4XqOqqAPFKLfH5GhAijOIIQRuLL/
WHlUeY2LUHcLCZ257b9QEOTrR6iVZPp74r2l7CBkXQ3zvx4PRfX2eY8CAwEAAaAA
MA0GCSqGSIb3DQEBBQUAA4GBAB6R3Gf4koSXucYifCIFri3vTSt2ThK7GpKrYe86
JLYOTk4aNdaL/wZDNBLnnw8if8Gv2y/LcpR7Qvto52uckCA2+rRWEYmHhDs8NF6U
q0HuaYaUgN1kdOqrzjGFaZxG5eSJkLnmFpKlp+9OsnNfz43v9zzeomzqSdRHpPEZ
pmFM
-----END NEW CERTIFICATE REQUEST-----

The contents of the certificate database that's used for the CMC agent:

[root at ebbe test]# certutil -L -d /root/test/cmc-agent

Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

CMC Agent - NetherNordic SLCS                     u,u,u
cmc                                               u,u,u
ca                                                c,c,c

--
Jan

From msauton at redhat.com Thu Oct 30 19:20:23 2008
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 30 Oct 2008 12:20:23 -0700
Subject: [Pki-users] CMCEnroll: java.io.IOException: Internal Error - java.io.IOException: Sequence tag error 9
In-Reply-To:
References:
Message-ID: <490A08F7.3020006@redhat.com>

Jan Meijer wrote:
> Hi!
>
> I'm trying to get CMC signed enrollment to work.
>
> What I want to do is create certificate requests via a web based tool on one server, and ship them to the CA for auto-vetting. It looks like in my situation using signed CMC is the most simple solution.
>
> I *think* I have set everything up correctly but, when I try to test my assumption by using either CMCEnroll or CMCRequest to create a CMC request, I get the following error:
>
> [root at ebbe test]# CMCEnroll -d "/root/test/cmc-agent/" -n "cmc" -r "/root/test/test3.csr" -p "bla"
> cert/key prefix =
> path = /root/test/cmc-agent/
> java.io.IOException: Internal Error - java.io.IOException: Sequence tag error 9
>         at com.netscape.cmstools.CMCEnroll.getCMCBlob(CMCEnroll.java:133)
>         at com.netscape.cmstools.CMCEnroll.main(CMCEnroll.java:412)
>
There is something going on with your certificate request in /root/test/test3.csr

> and the same error comes when using CMCRequest.
>
> Now, this is NOT an error with the CA setup, as the CA doesn't come into play yet, no? Unfortunately I haven't debugged enough Java problems yet to understand what the error means. Maybe there's some library/class missing somewhere?
>
> If anyone could help out that would be great :)
>
> I'm running Fedora 9 and DogTag 1.00, package list is below:
>
> [root at ebbe test]# yum list | grep pki
> pki-ca.noarch                      1.0.0-6.fc9       installed
> pki-ca-ui.noarch                   1.0.0-1.fc9       installed
> pki-common.noarch                  1.0.0-8.fc9       installed
> pki-common-ui.noarch               1.0.0-2.fc9       installed
> pki-console.noarch                 1.0.0-4.fc9       installed
> pki-console-ui.noarch              1.0.0-1.fc9       installed
> pki-java-tools.noarch              1.0.0-1.fc9       installed
> pki-native-tools.i386              1.0.0-1.fc9       installed
> pki-ra.noarch                      1.0.0-2.fc9       installed
> pki-ra-ui.noarch                   1.0.0-1.fc9       installed
> pki-setup.noarch                   1.0.0-2.fc9       installed
> pki-util.noarch                    1.0.0-2.fc9       installed
> krb5-pkinit-openssl.i386           1.6.3-10.fc9      fedora
> pki-common-javadoc.noarch          1.0.0-8.fc9       pki
> pki-java-tools-javadoc.noarch      1.0.0-1.fc9       pki
> pki-kra.noarch                     1.0.0-2.fc9       pki
> pki-kra-ui.noarch                  1.0.0-2.fc9       pki
> pki-manage.noarch                  1.0.0-1.fc9       pki
> pki-migrate.noarch                 1.0.0-1.fc9       pki
> pki-ocsp.noarch                    1.0.0-2.fc9       pki
> pki-ocsp-ui.noarch                 1.0.0-1.fc9       pki
> pki-silent.noarch                  1.0.0-1.fc9       pki
> pki-tks.noarch                     1.0.0-2.fc9       pki
> pki-tks-ui.noarch                  1.0.0-1.fc9       pki
> pki-tps.i386                       1.0.0-2.fc9       pki
> pki-tps-ui.noarch                  1.0.0-2.fc9       pki
> pki-util-javadoc.noarch            1.0.0-2.fc9       pki
>
> The contents of test3.csr:
>
> [root at ebbe test]# cat test3.csr
>
> Certificate request generated by Netscape certutil
> Phone: (not specified)
>
> Common Name: test4
> Email: (not specified)
> Organization: (not specified)
> State: (not specified)
> Country: (not specified)
>
> -----BEGIN NEW CERTIFICATE REQUEST-----
> MIIBTzCBuQIBADAQMQ4wDAYDVQQDEwV0ZXN0NDCBnzANBgkqhkiG9w0BAQEFAAOB
> jQAwgYkCgYEA5wv8VPSNH7HH0Nsdr2/3xu3fqglDbQUz8CxhFvFHXm26a1DlyC+l
> pqZXCgozJzpb1N5EXDR/Wg1VVbcJNnKyvJOa4XqOqqAPFKLfH5GhAijOIIQRuLL/
> WHlUeY2LUHcLCZ257b9QEOTrR6iVZPp74r2l7CBkXQ3zvx4PRfX2eY8CAwEAAaAA
> MA0GCSqGSIb3DQEBBQUAA4GBAB6R3Gf4koSXucYifCIFri3vTSt2ThK7GpKrYe86
> JLYOTk4aNdaL/wZDNBLnnw8if8Gv2y/LcpR7Qvto52uckCA2+rRWEYmHhDs8NF6U
> q0HuaYaUgN1kdOqrzjGFaZxG5eSJkLnmFpKlp+9OsnNfz43v9zzeomzqSdRHpPEZ
> pmFM
> -----END NEW CERTIFICATE REQUEST-----
>
The csr seems to be somehow malformed:

  0 335: SEQUENCE {
  4 185:   SEQUENCE {
  7   1:     INTEGER 0
 10  16:     SEQUENCE {
 12  14:       SET {
 14  12:         SEQUENCE {
 16   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
       :             (X.520 id-at (2 5 4))
 21   5:           PrintableString 'test4'
       :           }
       :         }
       :       }
 28 159:     SEQUENCE {
 31  13:       SEQUENCE {
 33   9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
       :           (PKCS #1)
 44   0:         NULL
       :         }
 46 141:       BIT STRING, encapsulates {
 50 137:         SEQUENCE {
 53 129:           INTEGER
       :             00 E7 0B FC 54 F4 8D 1F B1 C7 D0 DB 1D AF 6F F7
       :             C6 ED DF AA 09 43 6D 05 33 F0 2C 61 16 F1 47 5E
       :             6D BA 6B 50 E5 C8 2F A5 A6 A6 57 0A 0A 33 27 3A
       :             5B D4 DE 44 5C 34 7F 5A 0D 55 55 B7 09 36 72 B2
       :             BC 93 9A E1 7A 8E AA A0 0F 14 A2 DF 1F 91 A1 02
       :             28 CE 20 84 11 B8 B2 FF 58 79 54 79 8D 8B 50 77
       :             0B 09 9D B9 ED BF 50 10 E4 EB 47 A8 95 64 FA 7B
       :             E2 BD A5 EC 20 64 5D 0D F3 BF 1E 0F 45 F5 F6 79
       :             8F
185   3:           INTEGER 65537
       :           }
       :         }
       :       }
190   0:     [0]
       :       Error: Object has zero length.
...snip...
> The contents of the certificate database that's used for the CMC agent:
>
> [root at ebbe test]# certutil -L -d /root/test/cmc-agent
>
> Certificate Nickname                              Trust Attributes
>                                                   SSL,S/MIME,JAR/XPI
>
> CMC Agent - NetherNordic SLCS                     u,u,u
> cmc                                               u,u,u
> ca                                                c,c,c
>

From jan.meijer at uninett.no Thu Oct 30 21:45:08 2008
From: jan.meijer at uninett.no (Jan Meijer)
Date: Thu, 30 Oct 2008 22:45:08 +0100 (W. Europe Standard Time)
Subject: [Pki-users] CMCEnroll: java.io.IOException: Internal Error - java.io.IOException: Sequence tag error 9
In-Reply-To: <490A08F7.3020006@redhat.com>
References: <490A08F7.3020006@redhat.com>
Message-ID:

Hi Marc,

On Thu, 30 Oct 2008, Marc Sauton wrote:

> The csr seems to be somehow malformed:
> snip
> 185   3:           INTEGER 65537
>        :           }
>        :         }
>        :       }
> 190   0:     [0]
>        :       Error: Object has zero length.

Tnx :) This would certainly explain something. Which tool did you use to parse the request?

--
Jan

From msauton at redhat.com Thu Oct 30 22:05:59 2008
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 30 Oct 2008 15:05:59 -0700
Subject: [Pki-users] CMCEnroll: java.io.IOException: Internal Error - java.io.IOException: Sequence tag error 9
In-Reply-To:
References: <490A08F7.3020006@redhat.com>
Message-ID: <490A2FC7.50301@redhat.com>

Jan Meijer wrote:
> Hi Marc,
>
> On Thu, 30 Oct 2008, Marc Sauton wrote:
>
>> The csr seems to be somehow malformed:
>>
> snip
>
>> 185   3:           INTEGER 65537
>>        :           }
>>        :         }
>>        :       }
>> 190   0:     [0]
>>        :       Error: Object has zero length.
>
> Tnx :) This would certainly explain something. Which tool did you use to parse the request?
>
With a free third party tool called dumpasn1:

dumpasn1 - ASN.1 object dump utility
http://www.cs.auckland.ac.nz/~pgut001/

It was in older versions of the Red Hat Certificate System; there is still a small reference in:
http://www.redhat.com/docs/manuals/cert-system/7.3/html/Administration_Guide/Administration_Guide-Publishing-Viewing_Certificates_and_CRLs_Published_to_File.html
but it is not fully up to date.
You can find it via yum on Fedora.
M.

From mpeck1 at gmail.com Fri Oct 31 17:17:57 2008
From: mpeck1 at gmail.com (Michael Peck)
Date: Fri, 31 Oct 2008 13:17:57 -0400
Subject: [Pki-users] CMCEnroll: java.io.IOException: Internal Error - java.io.IOException: Sequence tag error 9
In-Reply-To:
References:
Message-ID: <248307980810311017k408bffdfhac6d3580395817a3@mail.gmail.com>

Hi,

Try removing all of the text from your request file before the -----BEGIN NEW CERTIFICATE REQUEST----- line. (The "Certificate request generated by Netscape certutil...Phone...", etc. text.)
I tried that and then CMCEnroll worked on your request on my system.

I'm not sure if your request is really malformed; it just doesn't have any Attributes in it, so the SET OF Attributes (PKCS#10) is zero length and dumpasn1 complains.
Mike

On Thu, Oct 30, 2008 at 2:16 PM, Jan Meijer wrote:
> Certificate request generated by Netscape certutil
> Phone: (not specified)
>
> Common Name: test4
> Email: (not specified)
> Organization: (not specified)
> State: (not specified)
> Country: (not specified)
> -----BEGIN NEW CERTIFICATE REQUEST-----
> MIIBTzCBuQIBADAQMQ4wDAYDVQQDEwV0ZXN0NDCBnzANBgkqhkiG9w0BAQEFAAOB
> jQAwgYkCgYEA5wv8VPSNH7HH0Nsdr2/3xu3fqglDbQUz8CxhFvFHXm26a1DlyC+l
> pqZXCgozJzpb1N5EXDR/Wg1VVbcJNnKyvJOa4XqOqqAPFKLfH5GhAijOIIQRuLL/
> WHlUeY2LUHcLCZ257b9QEOTrR6iVZPp74r2l7CBkXQ3zvx4PRfX2eY8CAwEAAaAA
> MA0GCSqGSIb3DQEBBQUAA4GBAB6R3Gf4koSXucYifCIFri3vTSt2ThK7GpKrYe86
> JLYOTk4aNdaL/wZDNBLnnw8if8Gv2y/LcpR7Qvto52uckCA2+rRWEYmHhDs8NF6U
> q0HuaYaUgN1kdOqrzjGFaZxG5eSJkLnmFpKlp+9OsnNfz43v9zzeomzqSdRHpPEZ
> pmFM
> -----END NEW CERTIFICATE REQUEST-----
>

From Jan.Meijer at uninett.no Fri Oct 31 17:40:24 2008
From: Jan.Meijer at uninett.no (Jan Meijer)
Date: Fri, 31 Oct 2008 18:40:24 +0100 (CET)
Subject: [Pki-users] CMCEnroll: java.io.IOException: Internal Error - java.io.IOException: Sequence tag error 9
In-Reply-To: <248307980810311017k408bffdfhac6d3580395817a3@mail.gmail.com>
References: <248307980810311017k408bffdfhac6d3580395817a3@mail.gmail.com>
Message-ID:

Hi Mike,

On Fri, 31 Oct 2008, Michael Peck wrote:

> Try removing all of the text from your request file before the -----BEGIN NEW CERTIFICATE REQUEST----- line. (The "Certificate request generated by Netscape certutil...Phone...", etc. text.)
> I tried that and then CMCEnroll worked on your request on my system.
>
> I'm not sure if your request is really malformed; it just doesn't have any Attributes in it, so the SET OF Attributes (PKCS#10) is zero length and dumpasn1 complains.

And indeed it does over here as well, working that is. My request is not malformed out of the ordinary. The zero length that dumpasn1 complains about is explained by Steve Henson:

http://www.mail-archive.com/openssl-dev at openssl.org/msg10922.html

I tested further today and got more frustrated and then got it working, and now I think I know what's going on. Thanks for delivering the final piece to my little puzzle :)

I tested with requests generated by certutil and openssl. And given my familiarity with openssl I started with that. CMCEnroll bombed on the openssl PEM input, so I figured, well, convert it to DER. And then the bombing was different and I got the error I sent to the list.

Because this approach didn't work, I switched to certutil *testing with the binary output*. I did test it with ASCII output but apparently didn't test with the stuff in front of the actual request removed, otherwise I'd have found the right way yesterday already.

I got it working today with a request generated by the pkiconsole. An ascii request. And then I tried your suggestion and yes, it worked as well.

Then I tried again with my openssl ascii output, and no, it didn't work. But then I converted the openssl DER output to binary using the AtoB utility and *then* it worked.

I don't know enough intricate details about the formats the requests can be in, but am tempted to say that the openssl binary format is incompatible with what is expected by CMCEnroll.

And little technologist, what did you learn today? That when confronted with multiple options I should document what I've tested in a proper test matrix.

And, oh lucky me, I learned to use certutil. I think that tool is a bit clunky ;)

Mike, Marc, thanks for your help :=) I'm now unstuck and on the road to bliss.
--
Jan

From awnuk at redhat.com Fri Oct 31 18:12:52 2008
From: awnuk at redhat.com (Andrew Wnuk)
Date: Fri, 31 Oct 2008 11:12:52 -0700
Subject: [Pki-users] CMCEnroll: java.io.IOException: Internal Error - java.io.IOException: Sequence tag error 9
In-Reply-To:
References: <248307980810311017k408bffdfhac6d3580395817a3@mail.gmail.com>
Message-ID: <490B4AA4.7070003@redhat.com>

Jan Meijer wrote:
> Hi Mike,
>
> On Fri, 31 Oct 2008, Michael Peck wrote:
>
>> Try removing all of the text from your request file before the -----BEGIN NEW CERTIFICATE REQUEST----- line. (The "Certificate request generated by Netscape certutil...Phone...", etc. text.)
>> I tried that and then CMCEnroll worked on your request on my system.
>>
>> I'm not sure if your request is really malformed; it just doesn't have any Attributes in it, so the SET OF Attributes (PKCS#10) is zero length and dumpasn1 complains.
>>
>
> And indeed it does over here as well, working that is. My request is not malformed out of the ordinary. The zero length that dumpasn1 complains about is explained by Steve Henson:
>
> http://www.mail-archive.com/openssl-dev at openssl.org/msg10922.html
>
> I tested further today and got more frustrated and then got it working, and now I think I know what's going on. Thanks for delivering the final piece to my little puzzle :)
>
> I tested with requests generated by certutil and openssl. And given my familiarity with openssl I started with that. CMCEnroll bombed on the openssl PEM input,
The difference between NSS and OpenSSL formats is usually in the headers.
See:
http://pki.fedoraproject.org/wiki/PKI_TechNote_X509_Certificates
http://pki.fedoraproject.org/wiki/PKI_TechNote_CRLS
> so I figured, well, convert it to DER. And then the bombing was different and I got the error I sent to the list.
>
> Because this approach didn't work, I switched to certutil *testing with the binary output*. I did test it with ASCII output but apparently didn't test with the stuff in front of the actual request removed, otherwise I'd have found the right way yesterday already.
>
> I got it working today with a request generated by the pkiconsole. An ascii request. And then I tried your suggestion and yes, it worked as well.
>
> Then I tried again with my openssl ascii output, and no, it didn't work. But then I converted the openssl DER output to binary using the AtoB utility and *then* it worked.
>
> I don't know enough intricate details about the formats the requests can be in, but am tempted to say that the openssl binary format is incompatible with what is expected by CMCEnroll.
>
> And little technologist, what did you learn today? That when confronted with multiple options I should document what I've tested in a proper test matrix.
>
> And, oh lucky me, I learned to use certutil. I think that tool is a bit clunky ;)
>
> Mike, Marc, thanks for your help :=) I'm now unstuck and on the road to bliss.
>

From Jan.Meijer at uninett.no Fri Oct 31 18:44:26 2008
From: Jan.Meijer at uninett.no (Jan Meijer)
Date: Fri, 31 Oct 2008 19:44:26 +0100 (CET)
Subject: [Pki-users] CMCEnroll: java.io.IOException: Internal Error - java.io.IOException: Sequence tag error 9
In-Reply-To:
References: <248307980810311017k408bffdfhac6d3580395817a3@mail.gmail.com>
Message-ID:

And to end the story, I've now got the total setup working, signed CMC enrollment :)

Thanks for the help!

--
Jan
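For the "failed Administrator logon" thread above, where the CA debug log records an AUTH_FAIL with every field set to $Unidentified$ right after "CMSServlet: retrieving SSL certificate", here is an added triage script. It is my own example, not Dogtag code and not written by anyone in the thread: it pulls the [Name=value] fields out of each SignedAuditEventFactory line and joins the failure to the IP: and AuthMgrName: lines that the same Tomcat worker thread logged just before it, which is the context Marc asked Klaus to collect. The sample log is the thread's own lines, unwrapped, plus a second request from 192.0.2.10 that I constructed for contrast; the two classification labels are my reading of the placeholders, not terms Dogtag itself uses.

```python
"""Triage client-certificate authentication failures in a Dogtag / Red Hat
Certificate System CA debug log.  Added example; not Dogtag code."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the lines Klaus posted (unwrapped), plus a second request
# on another worker thread that I made up for contrast (hypothetical values).
SAMPLE_DEBUG_LOG = """\
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet:service() uri = /ca/agent/ca/listRequests.html
[29/Oct/2008:18:15:07][http-9443-Processor21]: IP: 10.94.112.222
[29/Oct/2008:18:15:07][http-9443-Processor21]: AuthMgrName: certUserDBAuthMgr
[29/Oct/2008:18:15:07][http-9443-Processor21]: CMSServlet: retrieving SSL certificate
[29/Oct/2008:18:15:07][http-9443-Processor21]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=$Unidentified$][AttemptedCred=$Unidentified$] authentication failure
[29/Oct/2008:18:15:08][CRLIssuingPoint-MasterCRL]: getConn: mNumConns now 2
[29/Oct/2008:18:16:30][http-9443-Processor22]: IP: 192.0.2.10
[29/Oct/2008:18:16:30][http-9443-Processor22]: AuthMgrName: certUserDBAuthMgr
[29/Oct/2008:18:16:30][http-9443-Processor22]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=old agent cert] authentication failure
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")   # the [Name=value] pairs of an audit message


@dataclass
class AuthFailure:
    timestamp: str
    thread: str
    fields: dict                    # AuditEvent, SubjectID, Outcome, AuthMgr, AttemptedCred
    client_ip: Optional[str]        # last "IP:" line seen on the same worker thread
    auth_mgr_name: Optional[str]    # last "AuthMgrName:" line seen on the same thread


def parse_auth_failures(log_text):
    """Collect AUTH_FAIL audit events, each joined to the request context that the
    same Tomcat worker thread logged just before it."""
    last_ip, last_mgr, failures = {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, thread, msg = m.group("ts"), m.group("thread"), m.group("msg")
        if msg.startswith("IP: "):
            last_ip[thread] = msg[len("IP: "):].strip()
        elif msg.startswith("AuthMgrName: "):
            last_mgr[thread] = msg[len("AuthMgrName: "):].strip()
        elif msg.startswith("SignedAuditEventFactory"):
            fields = dict(FIELD_RE.findall(msg))
            if fields.get("AuditEvent") == "AUTH_FAIL":
                failures.append(AuthFailure(ts, thread, fields,
                                            last_ip.get(thread), last_mgr.get(thread)))
    return failures


def classify(failure):
    """Heuristic reading of the $Unidentified$ placeholders (my labels, not Dogtag's):
    when even AuthMgr and AttemptedCred are unidentified, no usable client
    certificate reached the servlet; when a credential was named but SubjectID
    stayed unidentified, a certificate arrived but mapped to no user."""
    f = failure.fields
    if f.get("AuthMgr") == "$Unidentified$" and f.get("AttemptedCred") == "$Unidentified$":
        return "no-credential"
    if f.get("SubjectID") == "$Unidentified$":
        return "credential-rejected"
    return "other"


if __name__ == "__main__":
    for fail in parse_auth_failures(SAMPLE_DEBUG_LOG):
        print(f"{fail.timestamp} {fail.thread} ip={fail.client_ip} "
              f"mgr={fail.auth_mgr_name} -> {classify(fail)}")
```

Run against Klaus's excerpt, the one real event comes out as "no-credential" from 10.94.112.222 on a servlet configured with certUserDBAuthMgr, which matches the catalina message "You did not provide a valid certificate for this operation" and points at the browser side (certificate and private key present, issuer trusted) before anything on the CA.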
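For the CMCEnroll thread, here is an added example (mine; not NSS, OpenSSL or Dogtag code, and not something anyone in the thread posted) that applies Mike's fix in code, keeping only the PEM-armoured block from certutil's output, and then walks the DER of Jan's posted request with a minimal tag-length-value reader. It reproduces what Marc's dumpasn1 run showed: version 0, a subject of CN=test4, a 1024-bit RSA key with exponent 65537, sha1WithRSAEncryption as the signature algorithm, and an attributes element ([0], tag 0xA0) of length zero, which is empty rather than malformed, as Mike pointed out. The request bytes are exactly the ones in the thread; the parser handles only what a PKCS#10 request needs and raises on a length that runs past the buffer.

```python
"""Inspect the PKCS#10 request from this thread with only the standard library.
Added example; not NSS, OpenSSL or Dogtag code."""
import base64
import re

# Jan's certutil output, as posted, including the preamble CMCEnroll tripped on.
CERTUTIL_REQUEST = """\
Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: test4
Email: (not specified)
Organization: (not specified)
State: (not specified)
Country: (not specified)

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBTzCBuQIBADAQMQ4wDAYDVQQDEwV0ZXN0NDCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEA5wv8VPSNH7HH0Nsdr2/3xu3fqglDbQUz8CxhFvFHXm26a1DlyC+l
pqZXCgozJzpb1N5EXDR/Wg1VVbcJNnKyvJOa4XqOqqAPFKLfH5GhAijOIIQRuLL/
WHlUeY2LUHcLCZ257b9QEOTrR6iVZPp74r2l7CBkXQ3zvx4PRfX2eY8CAwEAAaAA
MA0GCSqGSIb3DQEBBQUAA4GBAB6R3Gf4koSXucYifCIFri3vTSt2ThK7GpKrYe86
JLYOTk4aNdaL/wZDNBLnnw8if8Gv2y/LcpR7Qvto52uckCA2+rRWEYmHhDs8NF6U
q0HuaYaUgN1kdOqrzjGFaZxG5eSJkLnmFpKlp+9OsnNfz43v9zzeomzqSdRHpPEZ
pmFM
-----END NEW CERTIFICATE REQUEST-----
"""

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_block_to_der(text):
    """Mike's fix, in code: keep only the base64 between the BEGIN/END lines and
    drop the human-readable preamble certutil prints above them."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()))


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """All TLVs directly inside a constructed value (SEQUENCE, SET, [0] ...)."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out


def decode_oid(raw):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER body."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def summarize_pkcs10(der):
    """Walk CertificationRequest ::= SEQUENCE { certificationRequestInfo,
    signatureAlgorithm, signature } and report what dumpasn1 showed."""
    tag, top, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single top-level DER SEQUENCE")
    cri, sig_alg, _signature = children(top)
    version, name, spki, attrs = children(cri[1])
    subject = {}
    for _set_tag, rdn_set in children(name[1]):
        for _seq_tag, atv in children(rdn_set):
            oid, value = children(atv)
            subject[decode_oid(oid[1])] = value[1].decode("ascii")
    key_alg, key_bits = children(spki[1])
    rsa_key = children(key_bits[1][1:])[0]             # skip the unused-bits byte
    modulus, exponent = children(rsa_key[1])
    return {
        "version": int.from_bytes(version[1], "big"),
        "subject": subject,
        "key_algorithm": decode_oid(children(key_alg[1])[0][1]),
        "modulus_bits": int.from_bytes(modulus[1], "big").bit_length(),
        "public_exponent": int.from_bytes(exponent[1], "big"),
        "attributes_tag": attrs[0],                    # 0xA0: the [0] dumpasn1 flagged
        "attribute_count": len(children(attrs[1])),    # 0: empty, not malformed
        "signature_algorithm": decode_oid(children(sig_alg[1])[0][1]),
        "der_length": len(der),
    }


if __name__ == "__main__":
    for key, val in summarize_pkcs10(pem_block_to_der(CERTUTIL_REQUEST)).items():
        print(f"{key}: {val}")
```

The outer SEQUENCE decodes to 335 bytes of content in a 339-byte blob, the same offsets dumpasn1 printed, so the request is structurally sound; what CMCEnroll choked on was the plain-text preamble in front of the armour, which is why stripping it (or feeding the binary DER) made the tool happy.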