[Pki-users] getting NEED_TO_NOTIFY_ISSUED_SAVE_FAILED with dogtag-submit

Nalin Dahyabhai nalin at redhat.com
Tue Apr 7 19:57:36 UTC 2015


On Tue, Apr 07, 2015 at 02:37:12PM -0500, Steve Neuharth wrote:
> Yes, very observant. I noticed that as well. The difference was that
> client.pem had some bag information in it:
> 
> Bag Attributes
>     friendlyName: PKI Administrator for test.org
>     localKeyID: 4F E5 46 3D foo 64 1F E4
> subject=/O=test.org Security Domain/emailAddress=caadmin@test.org/CN=PKI Administrator
> issuer=/O=test.org Security Domain/CN=CA Signing Certificate
> while cert.pem does not. otherwise, they contain the same cert data.

Right, you mentioned that you'd pulled the key and certificate out of a
PKCS#12 bundle, so it makes sense that that'd show up there.

> I'm actually planning on using automatically approved certs eventually and
> so it is my desire to use either username/password or cert/key
> authentication to facilitate that. I just noticed that the dogtag-submit
> does not seem to use my cert/key pair when I specify them.
> 
> Does certificate authentication work for you in dogtag-submit?

It does, but I'd been using an NSS database (-d and -n flags) rather
than PEM-formatted keys and certificates.  And -i to point to a
PEM-format certificate, and the -p flag, so it looked like this:
  /usr/libexec/certmonger/dogtag-submit -E http://machete.bos.redhat.com:9180/ca/ee/ca -A https://machete.bos.redhat.com:9443/ca/agent/ca -d /etc/httpd/alias -n ipaCert -i /etc/ipa/ca.crt -p /etc/httpd/alias/pwdfile.txt

When I used "openssl pkcs12 -in /root/ca-agent.p12 -nodes -nokeys -out
/etc/pki/tls/certs/agent.cert" to extract the certificates, I had to
prune out everything but the agent certificate itself, and the agent key
itself, to avoid getting SSL connect errors, though that may only be
necessary with the older version of NSS's PEM module that my test system
has.  The working invocation I ended up with looks like this:
  /usr/libexec/certmonger/dogtag-submit -E http://machete.bos.redhat.com:9180/ca/ee/ca -A https://machete.bos.redhat.com:9443/ca/agent/ca -k /etc/pki/tls/private/agent.key -c /etc/pki/tls/certs/agent.cert -i /etc/ipa/ca.crt

I'm not sure if you're in SELinux enforcing mode, but if you are, the
daemon (and the helpers that it starts) may not be able to read the
files under /tmp/test unless they're labeled to allow it.

HTH,

Nalin
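The pruning step Nalin describes above (keeping only the agent certificate and the agent key, with none of the "Bag Attributes", subject=/issuer= lines or CA certificates that "openssl pkcs12 -nodes" emits) can be done without hand-editing. The script below is an added example, not code from the original thread or from certmonger/Dogtag. It relies on two facts about the openssl CLI: "pkcs12 -clcerts -nokeys" drops the CA certificates from the bundle, and re-reading the result through "openssl x509" (and the key through "openssl pkey") re-emits just the PEM block, so the bag attributes disappear. The function and file names (extract_agent_pem, pem_is_clean, agent.cert, agent.key, the PKCS12_PASS variable) are this example's own choices, not anything certmonger expects.

```shell
#!/bin/sh
# Added example (not from the original post): produce a clean agent.cert
# and agent.key from a PKCS#12 bundle for use with dogtag-submit -c / -k.
# Assumptions (hypothetical, not certmonger conventions):
#   $1 = path to the .p12 bundle, $2 = output directory,
#   PKCS12_PASS = the bundle's import password.

extract_agent_pem() {
    bundle=$1
    outdir=$2
    pass=${PKCS12_PASS:?set PKCS12_PASS to the bundle password}
    mkdir -p "$outdir" || return 1
    (
        umask 077   # the key must never be world-readable, even briefly
        # -clcerts keeps only the end-entity (agent) certificate and drops
        # any CA certificates stored in the bundle; piping through
        # 'openssl x509' strips the Bag Attributes / subject= / issuer= text.
        openssl pkcs12 -in "$bundle" -passin "pass:$pass" -clcerts -nokeys \
            | openssl x509 -out "$outdir/agent.cert" || exit 1
        # -nocerts -nodes gives the unencrypted key; 'openssl pkey' again
        # re-emits only the PEM block (as a PKCS#8 "PRIVATE KEY").
        openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nocerts -nodes \
            | openssl pkey -out "$outdir/agent.key" || exit 1
    )
}

# Return 0 only if $1 holds exactly one PEM block labelled $2 and nothing
# else: no bag attributes, no DN lines, no second certificate. This is the
# shape the NSS PEM module is happiest with.
pem_is_clean() {
    f=$1
    label=$2
    [ "$(grep -c "^-----BEGIN $label-----\$" "$f")" -eq 1 ] || return 1
    [ "$(grep -c "^-----END $label-----\$" "$f")" -eq 1 ] || return 1
    # every remaining line must be base64 body
    ! grep -Ev "^(-----(BEGIN|END) $label-----|[A-Za-z0-9+/=]+)\$" "$f" >/dev/null
}

# Stand-alone usage: ./extract-agent.sh /root/ca-agent.p12 /etc/pki/tls/agent
if [ "$#" -eq 2 ]; then
    extract_agent_pem "$1" "$2" \
        && pem_is_clean "$2/agent.cert" CERTIFICATE \
        && pem_is_clean "$2/agent.key" "PRIVATE KEY" \
        && echo "wrote $2/agent.cert and $2/agent.key"
fi
```

Point dogtag-submit's -c at agent.cert and -k at agent.key from the output directory. If the daemon runs under SELinux enforcing, the output directory still needs a label the certmonger helpers may read, so prefer a location under /etc/pki rather than /tmp.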
More information about the Pki-users mailing list