[Pki-users] getting NEED_TO_NOTIFY_ISSUED_SAVE_FAILED with dogtag-submit

Steve Neuharth steve at sylvation.com
Fri Apr 10 12:44:16 UTC 2015


sure... let me get you a trace. Are there any specific flags I should set
in strace?

Also... when I request a cert using caServerCert and approve it in DogTag,
the certmonger request sits in CA_WORKING status for a while. How long can
I expect it to stay that way?

I've always been impatient and done a *getcert refresh* on the request to
force a download but is there a configurable poll interval or anything? I
didn't see anything obvious in the docs.

--steve

On Wed, Apr 8, 2015 at 4:35 PM, Nalin Dahyabhai <nalin at redhat.com> wrote:

> On Wed, Apr 08, 2015 at 09:35:31AM -0500, Steve Neuharth wrote:
> > yes, I have indeed set SELinux to permissive to eliminate any potential
> > security collisions.
> >
> > If I configure my 'DogtagAuto' CA in /var/lib/certmonger/cas without the
> > '-T caAgentServerCert', the certmonger daemon dies as soon as I request a
> > certificate using that CA. Other than that, it looks like I'm using the
> > same flags as you.
>
> Well, it shouldn't be dying at least.  If you can get a coredump or a
> backtrace out of it, that'll help track it down.  I'm not really sure
> how the use (or not) of the -T flag with the helper could be affecting
> that, though, as when I tried obtaining a certificate using it and the
> caServerCert profile, it succeeded.
>
> I got an authentication error attempting to specify the
> caAgentServerCert profile, which makes some sense since the helper
> submits the request using the end-entity services interface and
> only uses the agent creds when it goes back to approve it using the
> agent services interface.
>
> > when I run dogtag-submit this way manually (without the template), I see
> > that it returns: results = "<?xml version="1.0" encoding="UTF-8"
> > standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred -
> > {0}</Error><RequestId>  70</RequestId></XMLResponse>"
> > 0
> > state=approve&requestId=70
> >
> > I find it strange that this response would crash certmonger. Also,
> > wouldn't I need to specify a template if I need to automatically sign
> > the cert and get the cert immediately?
>
> The helper hard-codes a default of "caServerCert" if the flag isn't
> used, and that looks like a pretty normal delay-and-state-cookie output
> value to me, so a backtrace would be really helpful in diagnosing what's
> happening when you try it.
>
> HTH,
>
> Nalin
>