[Pki-users] getting NEED_TO_NOTIFY_ISSUED_SAVE_FAILED with dogtag-submit
Steve Neuharth
steve at sylvation.com
Wed Apr 8 14:35:31 UTC 2015
yes, I have indeed set SELinux to permissive to eliminate any potential
security collisions.
If I configure my 'DogtagAuto' CA in /var/lib/certmonger/cas without the '-T
caAgentServerCert', the certmonger daemon dies as soon as I request a
certificate using that CA. Other than that, it looks like I'm using the
same flags as you.
when I run dogtag-submit this way manually (without the template), I see
that it reutrns: results = "<?xml version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred -
{0}</Error><RequestId> 70</RequestId></XMLResponse>"
0
state=approve&requestId=70
I find it strange that this response would crash certmonger. Also, wouldn't
I need to specify a template if I need to automatically sign the cert and
get the cert immediately?
On Tue, Apr 7, 2015 at 2:57 PM, Nalin Dahyabhai <nalin at redhat.com> wrote:
> On Tue, Apr 07, 2015 at 02:37:12PM -0500, Steve Neuharth wrote:
> > Yes, very observant. I noticed that as well. The difference was that
> > client.pem had some bag information in it:
> >
> > *Bag Attributes friendlyName: PKI Administrator for test.org
> > <http://test.org> localKeyID: 4F E5 46 3D foo 64 1F
> > E4subject=/O=test.org <http://test.org> Security
> > Domain/emailAddress=caadmin at test.org/CN=PKI
> > <http://caadmin@test.org/CN=PKI> Administratorissuer=/O=test.org
> > <http://test.org> Security Domain/CN=CA Signing Certificate*
> > while cert.pem does not. otherwise, they contain the same cert data.
>
> Right, you mentioned that you'd pulled the key and certificate out of a
> PKCS#12 bundle, so it makes sense that that'd show up there.
>
> > I'm actually planning on using automatically approved certs eventually
> and
> > so it is my desire to use either username/password or cert/key
> > authentication to facilitate that. I just noticed that the dogtag-submit
> > does not seem to use my cert/key pair when I specify them.
> >
> > Does certificate authentication work for you in dogtag-submit?
>
> It does, but I'd been using an NSS database (-d and -n flags) rather
> than PEM-formatted keys and certificates. And -i to point to a
> PEM-format certificate, and the -p flag, so it looked like this:
> /usr/libexec/certmonger/dogtag-submit -E
> http://machete.bos.redhat.com:9180/ca/ee/ca -A
> https://machete.bos.redhat.com:9443/ca/agent/ca -d /etc/httpd/alias -n
> ipaCert -i /etc/ipa/ca.crt -p /etc/httpd/alias/pwdfile.txt
>
> When I used "openssl pkcs12 -in /root/ca-agent.p12 -nodes -nokeys -out
> /etc/pki/tls/certs/agent.cert" to extract the certificates, I had to
> prune out everything but the agent certificate itself, and the agent key
> itself, to avoid getting SSL connect errors, though that may only be
> necessary with the older version of NSS's PEM module that my test system
> has. The working invocation I ended up with looks like this:
> /usr/libexec/certmonger/dogtag-submit -E
> http://machete.bos.redhat.com:9180/ca/ee/ca -A
> https://machete.bos.redhat.com:9443/ca/agent/ca -k
> /etc/pki/tls/private/agent.key -c /etc/pki/tls/certs/agent.cert -i
> /etc/ipa/ca.crt
>
> I'm not sure if you're in SELinux enforcing mode, but if you are, the
> daemon (and the helpers that it starts) may not be able to read the
> files under /tmp/test unless they're labeled to allow it.
>
> HTH,
>
> Nalin
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150408/76bf1188/attachment.htm>
More information about the Pki-users
mailing list