[Pki-users] getting NEED_TO_NOTIFY_ISSUED_SAVE_FAILED with dogtag-submit

Steve Neuharth steve at sylvation.com
Tue Apr 7 18:58:24 UTC 2015 

HA! yep, re-requesting the cert using version 0.77.1 solved this... I can
request a cert and after a manual approval, I'm able to download and
monitor the cert. THANK YOU!

I'm also having another problem. When I try to use dogtag-submit like this:

*/usr/libexec/certmonger/dogtag-submit -E
https://dogtag.test.org:8443/ca/ee/ca
<https://dogtag.test.org:8443/ca/ee/ca> -A
https://dogtag.test.org:8443/ca/agent/ca
<https://dogtag.test.org:8443/ca/agent/ca> -T caAgentServerCert -i
/tmp/test/ca.crt -c /tmp/test/cert.pem -k /tmp/test/key.pem*

I get this:















*Request ID '20150404113812':        status: CA_REJECTED        ca-error:
Server at "https://dogtag.test.org:8443/ca/ee/ca/profileSubmit
<https://dogtag.test.org:8443/ca/ee/ca/profileSubmit>" replied: Invalid
Credential.        stuck: yes        key pair storage:
type=FILE,location='/etc/ssl/get2cert.key'        certificate:
type=FILE,location='/etc/ssl/get2cert.crt'        CA: DogtagAuto
issuer:        subject:        expires: unknown        pre-save
command:        post-save command:        track: yes        auto-renew: yes*
however, when I use curl like this:

*curl
"https://dogtag.test.org:8443/ca/ee/ca/profileSubmit?profileId=caAgentServerCert&cert_request_type=pkcs10&cert_request=-----BEGINTE+REQUEST-----%0AMIIFBjCCAu4CAQAwgYUxGzAZBgNVBAoTElRhcmdldCBDb3Jwb3JhdGlvbjEdMBsG%0AA1UECxMUcjUwOSBJbnRlcm1lZGlhdGUgQ0ExFDASBgNVBAcTC01pbm5lYXBvbGlz%0AMRIwEAYDVQQIEwlNaW5uZXNvdGExCzAJBgNVBAYTAlVTMRAwDgYDVQQDEwdyNTA5%0AIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAodOjRhEbG3mKbZPN%0As7dtJgBHBvGksFBvnVXyK2DuY5%2FE7RayxvroQRG42gs5oiEkT4QaCBJlXfsv6NCp%0AiB7btiO9EGlSGcfofAE1ek0plHlh0wtdVJQLMGqbgeaIF8KjV%2FKVBvOtWFjHLLb3%0A92910oUvUxwNffRSDMaOqyAZHdio8r5xUy8zk6dHmpTAdUPSFcmpLaquohCn2cF7%0AAIS0DQ%2Bi0LDSyN1zhbiOTmgT3RiHL%2F5ajZ83VJf3A08FFxGrNCjWdgokBtG4q0FC%0ADCZscy4TJf7BdhVoYBfAwv2G%2FhYiwu7HLwTScGcuIpkMenObO11rtCHrfasb2uLc%0AC2LAxyQ6ML%2FRE8MGzoNXmRLNYx3RdwTPhF73CnmsLt%2BJCgHC7PbRLSk8b6rS9Q7t%0AX8K2Zyx9caU9YDik0ot7bNH1NKFPJUQlAKJ1UAN%2FOjjgDLSsftlc1aPti0d%2Fi70o%0AlGDTj77Zw4T7vdX1h6F8cZTb3u2SmdO00QHZjxn8wsX9QEB7uCuJIg6a9Ui2XlSZ%0A%2BIEtHUEOGq4AEM24bkToaE1qSTXPjGHI41%2BbuOaPDEisganiupnHAhxptqakbpau%0AXY4%2FXEbPFYCAWZd5%2BBcA7KjbOD2l3v6J2ihmB6fOWSp5o08eOmPVy3dB7pfJwx%2F6%0AnHkLKDyeCwV54R5LabuiPjsimVcCAwEAAaA7MDkGCSqGSIb3DQEJDjEsMCowCQYD%0AVR0TBAIwADAdBgNVHQ4EFgQUYW7uTfOlF%2FmwpgUnTr1mapcS2CQwDQYJKoZIhvcN%0AAQELBQADggIBAJVTFpOE1UMuYxAMdaishs7SSnwFuGi55DI6sHe1nIEenlHe4AgE%0AsoQcfCcHv8RvFmE4BHtYEHyDgNc7mraCNmf1j3lPb3nqe33PiEIA6PdB6hjYNB45%0AvklV3N%2FIsHauVg%2FlAm6pCc7oaCJPqLgBc4eSPJd8xef64DuFVUxLSB1LQ3oTpw2T%0AC4Ydg0GCY7t7gZYWaaf5FIY41dtuXAkud5sxpUWwTgRH%2FO%2BrQNP5x8Uy2SKl2QXv%0AQJMzeRLfHdZyFY2utW9BChdmPD%2B%2FLJNwhr924RgzGty%2FrGK7SIAtj%2FRS6gadB2bV%0Ax6Ii9migA7PWDVi9XYzcGiGt1U5jbRsbGh%2Bie8N5MxIW672XqdPz9ocAFu7gfAws%0AnG7%2BcPOiTiEfivOHQ7HpDcSnD9DW2QHc92UzB3tl6vQQ7oQgI1YMtF30D7lOyL8C%0AQ8TcA5fQsVasMhaW78FSaIzJtEWjeQpyg8XCjNtB4Cz4txNaig6YdNer6kFoYiPh%0A5UNVH%2BmeFjJn1fhKq8Imyy6MwHHaZTDsU8I3uUGo6xyIPgKMkLrFsDSo8BumLUGJ%0A56hxNQGixzsO%2B1lIahjBr79Aevzb48l6woMeQBYfLNLKTm290BKXsVgrif19XQ3E%0AZgehMupo%2FZyXjY%2BX4YadNEb8kN5d2cvKCsnjO9urHfAiBPnZtZlYZl1Y%0A-----END+CERTIFICATE+REQUEST-----%0A&xml=true
<https://dogtag.test.org:8443/ca/ee/ca/profileSubmit?profileId=caAgentServerCert&cert_request_type=pkcs10&cert_request=-----BEGINTE+REQUEST-----%0AMIIFBjCCAu4CAQAwgYUxGzAZBgNVBAoTElRhcmdldCBDb3Jwb3JhdGlvbjEdMBsG%0AA1UECxMUcjUwOSBJbnRlcm1lZGlhdGUgQ0ExFDASBgNVBAcTC01pbm5lYXBvbGlz%0AMRIwEAYDVQQIEwlNaW5uZXNvdGExCzAJBgNVBAYTAlVTMRAwDgYDVQQDEwdyNTA5%0AIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAodOjRhEbG3mKbZPN%0As7dtJgBHBvGksFBvnVXyK2DuY5%2FE7RayxvroQRG42gs5oiEkT4QaCBJlXfsv6NCp%0AiB7btiO9EGlSGcfofAE1ek0plHlh0wtdVJQLMGqbgeaIF8KjV%2FKVBvOtWFjHLLb3%0A92910oUvUxwNffRSDMaOqyAZHdio8r5xUy8zk6dHmpTAdUPSFcmpLaquohCn2cF7%0AAIS0DQ%2Bi0LDSyN1zhbiOTmgT3RiHL%2F5ajZ83VJf3A08FFxGrNCjWdgokBtG4q0FC%0ADCZscy4TJf7BdhVoYBfAwv2G%2FhYiwu7HLwTScGcuIpkMenObO11rtCHrfasb2uLc%0AC2LAxyQ6ML%2FRE8MGzoNXmRLNYx3RdwTPhF73CnmsLt%2BJCgHC7PbRLSk8b6rS9Q7t%0AX8K2Zyx9caU9YDik0ot7bNH1NKFPJUQlAKJ1UAN%2FOjjgDLSsftlc1aPti0d%2Fi70o%0AlGDTj77Zw4T7vdX1h6F8cZTb3u2SmdO00QHZjxn8wsX9QEB7uCuJIg6a9Ui2XlSZ%0A%2BIEtHUEOGq4AEM24bkToaE1qSTXPjGHI41%2BbuOaPDEisganiupnHAhxptqakbpau%0AXY4%2FXEbPFYCAWZd5%2BBcA7KjbOD2l3v6J2ihmB6fOWSp5o08eOmPVy3dB7pfJwx%2F6%0AnHkLKDyeCwV54R5LabuiPjsimVcCAwEAAaA7MDkGCSqGSIb3DQEJDjEsMCowCQYD%0AVR0TBAIwADAdBgNVHQ4EFgQUYW7uTfOlF%2FmwpgUnTr1mapcS2CQwDQYJKoZIhvcN%0AAQELBQADggIBAJVTFpOE1UMuYxAMdaishs7SSnwFuGi55DI6sHe1nIEenlHe4AgE%0AsoQcfCcHv8RvFmE4BHtYEHyDgNc7mraCNmf1j3lPb3nqe33PiEIA6PdB6hjYNB45%0AvklV3N%2FIsHauVg%2FlAm6pCc7oaCJPqLgBc4eSPJd8xef64DuFVUxLSB1LQ3oTpw2T%0AC4Ydg0GCY7t7gZYWaaf5FIY41dtuXAkud5sxpUWwTgRH%2FO%2BrQNP5x8Uy2SKl2QXv%0AQJMzeRLfHdZyFY2utW9BChdmPD%2B%2FLJNwhr924RgzGty%2FrGK7SIAtj%2FRS6gadB2bV%0Ax6Ii9migA7PWDVi9XYzcGiGt1U5jbRsbGh%2Bie8N5MxIW672XqdPz9ocAFu7gfAws%0AnG7%2BcPOiTiEfivOHQ7HpDcSnD9DW2QHc92UzB3tl6vQQ7oQgI1YMtF30D7lOyL8C%0AQ8TcA5fQsVasMhaW78FSaIzJtEWjeQpyg8XCjNtB4Cz4txNaig6YdNer6kFoYiPh%0A5UNVH%2BmeFjJn1fhKq8Imyy6MwHHaZTDsU8I3uUGo6xyIPgKMkLrFsDSo8BumLUGJ%0A56hxNQGixzsO%2B1lIahjBr79Aevzb48l6woMeQBYfLNLKTm290BKXsVgrif19XQ3E%0AZgehMupo%2FZyXjY%2BX4YadNEb8kN5d2cvKCsnjO9urHfAiBPnZtZlYZl1Y%0A-----END+CERTIFICATE+REQUEST-----%0A&xml=true>"
--pass password --cacert /tmp/test/ca.crt --key /tmp/test/key.pem --cert
/tmp/test/client.pem*

I get a valid response.



*<?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><Status>0</Status><Requests><Request><Id>57</Id><SubjectDN>CN=r509
CA,C=US,ST=Minnesota,L=Minneapolis,OU=r509 Intermediate CA,O=Test
Corporation</SubjectDN><serialno>2e</serialno><b64>MIIE0DCCA7igAwIBAgIBLjANBgkqhkiG9w0BAQsFADBEMSEwHwYDVQQKDBh0ZXN0Lm9yZyBTZWN1cml0eSBEb21haW*

*cert data........*

*LP15bCE6K5hABEUfrmZiLJvjBQjFx67Bs0vBaDDb1lqJ8pyjzFHhXtDx5g+/YOzzKqoRdN</b64></Request></Requests></XMLResponse>*

I'm using a cert and key extracted from the caadmin pkcs12 credentials. Can
you confirm this behavior in your test environment?

Thanks SO MUCH for your help,
--steve


On Tue, Apr 7, 2015 at 12:56 PM, Nalin Dahyabhai <nalin at redhat.com> wrote:

> On Tue, Apr 07, 2015 at 12:18:24PM -0500, Steve Neuharth wrote:
> > yes, the certificate in the request file has a newline after the
> > certificate data:
> >
> > cert=-----BEGIN CERTIFICATE-----
> >  MIIDajCCAlKgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBEMSEwHwYDVQQKDBh0ZXN0
> > ...cert data...
> >  lRCw27w7Yw/JUMqJYoE=
> >                                                     <---- extra newline
> >  -----END CERTIFICATE-----
> >
> >
> > Looks like that's the problem. When I make a similar request using cURL,
> I
> > don't get the '\n' in the xml so it must be an error in parsing the xml
> > response inside dogtag-submit. I've also tried the v77.1-1 rpm from
> rawhide
> > and I get the same behavior.
>
> Hmm, I'm testing with 0.77.1 and pki-ca-9.0.3-38.el6_6 (you're on Fedora
> IIRC, so it's not exactly the same, but I don't have an F21 box handy
> ATM), and the data's getting cleaned before it's saved there.
>
> Did you start with an older version and update after dogtag-submit had
> finished its work?  The newer daemon wouldn't have been in a position to
> clean up the data it got from the helper in that case.
>
> Nalin
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150407/8651eff5/attachment.htm>

More information about the Pki-users mailing list