Marx, Peter wrote:
I’m testing with certmonger 0.78.6 (patched for the GETCACertChain bug)
against two EJBCA servers. For verification I use a second SCEP client
called jSCEP.

I started certmonger in debug mode with
  “/usr/libexec/certmonger/certmonger-session -n -d 15”

The CA file in /root/.config/certmonger/cas looks like this:

id=Test_Sweden
ca_aka=SCEP (certmonger 0.78.6)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/scep-submit -u http://ejbca-test2.primekey.se:8080/ejbca/publicweb/apply/scep/mxratest/pkiclient.exe -i "mx_kd3"
ca_capabilities=POSTPKIOperation,Renewal,SHA-1
scep_ca_identifier=iCOM Kunde1 Schweden
ca_encryption_cert=-----BEGIN CERTIFICATE-----
<bla>
-----END CERTIFICATE-----
ca_encryption_issuer_cert=-----BEGIN CERTIFICATE-----
<bla>
-----END CERTIFICATE-----

It looks to me that certmonger can't verify the signature of the returned PKCS#7 data. I'd double check the value of ca_encryption_issuer_cert.

rob


Issuing the request

“getcert request -c Test_Sweden -v -d /tmp/nssdb -g 2048 -I husky201 -p /tmp/pwd.txt -n husky201 -L abcd -N CN='husky201' -s”

gives this log:

2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for
0x7fbe6b0c02e0.

2016-08-22 10:31:13 [22931] message
0x7fbe6b0c02e0(method_call)->org.fedorahosted.certmonger:/org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request

2016-08-22 10:31:13 [22931] Pending GetConnectionUnixUser serial 135

2016-08-22 10:31:13 [22931] Pending GetConnectionUnixProcessID serial 136

2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for
0x7fbe6b0c02e0:0x7fbe6b0aa690.

2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for
0x7fbe6b0c02e0:0x7fbe6b0aa690.

2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for
0x7fbe6b0c02e0.

2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->135->73

2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->136->74

2016-08-22 10:31:13 [22931] User ID 0 PID 23133 called
/org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request.

2016-08-22 10:31:13 [23135] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:31:13 [23135] Not attempting to set NSS FIPS mode.

2016-08-22 10:31:13 [23135] Skipping NSS internal slot (NSS Generic
Crypto Services).

2016-08-22 10:31:13 [23135] Found token 'NSS Certificate DB'.

2016-08-22 10:31:13 [23135] Located the key 'husky201'.

2016-08-22 10:31:13 [23135] Converted private key 'husky201' to public key.

2016-08-22 10:31:13 [23135] Key is an RSA key.

2016-08-22 10:31:13 [23135] Key size is 2048.

2016-08-22 10:31:13 [23136] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:31:13 [23136] Not attempting to set NSS FIPS mode.

2016-08-22 10:31:13 [23136] Found token 'NSS Generic Crypto Services'.

2016-08-22 10:31:13 [23136] Cert storage slot still needs user PIN to be
set.

2016-08-22 10:31:13 [23136] Found token 'NSS Certificate DB'.

2016-08-22 10:31:13 [23136] Error locating certificate.

2016-08-22 10:31:13 [22931] Request7('husky201') starts in state
'NEWLY_ADDED'

2016-08-22 10:31:13 [22931] Request7('husky201') taking writing lock

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
'NEWLY_ADDED_START_READING_KEYINFO'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.

2016-08-22 10:31:13 [22931] Started Request7('husky201').

2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for
0x7fbe6b0c02e0:0x7fbe6b09b4e0.

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
'NEWLY_ADDED_READING_KEYINFO'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic
from 11.

2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for
0x7fbe6b0c02e0:0x7fbe6b09b4e0.

2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for
0x7fbe6b0c02e0.

2016-08-22 10:31:13 [22931] message
0x7fbe6b0c02e0(method_call)->org.fedorahosted.certmonger:/org/fedorahosted/certmonger/requests/Request7:org.fedorahosted.certmonger.request.get_nickname

2016-08-22 10:31:13 [22931] Pending GetConnectionUnixUser serial 140

2016-08-22 10:31:13 [22931] Pending GetConnectionUnixProcessID serial 141

2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for
0x7fbe6b0c02e0:0x7fbe6b0ae0a0.

2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for
0x7fbe6b0c02e0:0x7fbe6b0ae0a0.

2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for
0x7fbe6b0c02e0.

2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->140->75

2016-08-22 10:31:13 [22931] message 0x7fbe6b0c02e0(method_return)->141->76

2016-08-22 10:31:13 [22931] User ID 0 PID 23133 called
/org/fedorahosted/certmonger/requests/Request7:org.fedorahosted.certmonger.request.get_nickname.

2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for
0x7fbe6b0c02e0:0x7fbe6b09b4e0.

2016-08-22 10:31:13 [23137] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:31:13 [23137] Not attempting to set NSS FIPS mode.

2016-08-22 10:31:13 [23137] Skipping NSS internal slot (NSS Generic
Crypto Services).

2016-08-22 10:31:13 [23137] Found token 'NSS Certificate DB'.

2016-08-22 10:31:13 [23137] Located the key 'husky201'.

2016-08-22 10:31:13 [23137] Converted private key 'husky201' to public key.

2016-08-22 10:31:13 [23137] Key is an RSA key.

2016-08-22 10:31:13 [23137] Key size is 2048.

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
'NEWLY_ADDED_START_READING_CERT'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
'NEWLY_ADDED_READING_CERT'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic
from 11.

2016-08-22 10:31:13 [23138] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:31:13 [23138] Not attempting to set NSS FIPS mode.

2016-08-22 10:31:13 [23138] Found token 'NSS Generic Crypto Services'.

2016-08-22 10:31:13 [23138] Cert storage slot still needs user PIN to be
set.

2016-08-22 10:31:13 [23138] Found token 'NSS Certificate DB'.

2016-08-22 10:31:13 [23138] Error locating certificate.

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
'NEWLY_ADDED_DECIDING'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.

2016-08-22 10:31:13 [22931] Request7('husky201') releasing writing lock

2016-08-22 10:31:13 [22931] Request7('husky201') has no certificate,
will attempt enrollment using already-present key

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'NEED_CSR'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
'GENERATING_CSR'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic
from 11.

2016-08-22 10:31:13 [23139] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:31:13 [23139] Not attempting to set NSS FIPS mode.

2016-08-22 10:31:13 [23139] Skipping NSS internal slot (NSS Generic
Crypto Services).

2016-08-22 10:31:13 [23139] Found token 'NSS Certificate DB'.

2016-08-22 10:31:13 [23139] Located the key 'husky201'.

2016-08-22 10:31:13 [23139] Converted private key 'husky201' to public key.

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'HAVE_CSR'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
'NEED_TO_SUBMIT'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'SUBMITTING'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic
from 15.

2016-08-22 10:31:13 [22931] Certificate submission attempt complete.

2016-08-22 10:31:13 [22931] Child status = 16.

2016-08-22 10:31:13 [22931] Child output:

"Error reading request, expected PKCS7 data.

"

2016-08-22 10:31:13 [22931] Error reading request, expected PKCS7 data.

2016-08-22 10:31:13 [22931] Certificate not (yet?) issued.

2016-08-22 10:31:13 [22931] Request7('husky201') goes to a CA over SCEP,
need to generate SCEP data.

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
'NEED_SCEP_DATA'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
'GENERATING_SCEP_DATA'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic
from 11.

2016-08-22 10:31:13 [23141] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:31:13 [23141] Not attempting to set NSS FIPS mode.

2016-08-22 10:31:13 [23141] Generating dummy key.

2016-08-22 10:31:13 [23141] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:31:13 [23141] Not attempting to set NSS FIPS mode.

2016-08-22 10:31:13 [23141] Skipping NSS internal slot (NSS Generic
Crypto Services).

2016-08-22 10:31:13 [23141] Found token 'NSS Certificate DB'.

2016-08-22 10:31:13 [23141] Located the key 'husky201'.

2016-08-22 10:31:13 [23141] Converted private key 'husky201' to public key.

2016-08-22 10:31:13 [23141] Server does not support DES3, using DES.

2016-08-22 10:31:13 [23141] Server does not support better digests,
using MD5.

2016-08-22 10:31:13 [23141] Generating PKCSREQ pkiMessage.

2016-08-22 10:31:13 [23141] Setting transaction ID
"46763632748922674693649122043315271915873922247404248201497767686509312971065".

2016-08-22 10:31:13 [23141] Setting message type "19".

2016-08-22 10:31:13 [23141] Setting sender nonce.

2016-08-22 10:31:13 [23141] Signed data.

2016-08-22 10:31:13 [23141] Generating GetCertInitial pkiMessage.

2016-08-22 10:31:13 [23141] Setting transaction ID
"46763632748922674693649122043315271915873922247404248201497767686509312971065".

2016-08-22 10:31:13 [23141] Setting message type "20".

2016-08-22 10:31:13 [23141] Setting sender nonce.

2016-08-22 10:31:13 [23141] Signed data.

2016-08-22 10:31:13 [23141] Signing using old key.

2016-08-22 10:31:13 [23141] Re-signing PKCSREQ message with old key.

2016-08-22 10:31:13 [23141] Re-signing GetCertInitial message with old key.

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
'HAVE_SCEP_DATA'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state
'NEED_TO_SUBMIT'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.

2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'SUBMITTING'

2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on traffic
from 15.

2016-08-22 10:31:15 [22931] Certificate submission attempt complete.

2016-08-22 10:31:15 [22931] Child status = 3.

2016-08-22 10:31:15 [22931] Child output:

"Error: failed to verify signature on server response.

"

2016-08-22 10:31:15 [22931] Error: failed to verify signature on server
response.

2016-08-22 10:31:15 [22931] Certificate not (yet?) issued.

2016-08-22 10:31:15 [22931] Request7('husky201') moved to state
'CA_UNREACHABLE'

2016-08-22 10:31:15 [22931] Will revisit Request7('husky201') in 604800
seconds.

I recorded the client server communication and can clearly see that the
server transmitted the certificate.

When using jSCEP client I can successfully download certificates from
that server with e.g.

$ openssl req -key test.key -new -days 30 -out test.pemreq -outform PEM   # end entity set to mx_pre2

$ java -jar target/jscepcli-1.0-SNAPSHOT-exe.jar --ca-identifier mx_kd3 \
    --challenge abcd --csr-file test.pemreq --dn "CN=mx_pre2" --key-file test.key \
    --url http://ejbca-test2.primekey.se:8080/ejbca/publicweb/apply/scep/mxratest/pkiclient.exe

With certmonger I can successfully get a cert using another CA with an
internal EJBCA server and this request:

“getcert request -c Test_Sweden -v -d /tmp/nssdb -g 2048 -I husky100 -p /tmp/pwd.txt -n husky100 -L abcd -N CN='husky100' -s”

id=KBCA
ca_aka=SCEP (certmonger 0.78.6)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/scep-submit -u http://mucs70202.corp.knorr-bremse.com:8080/ejbca/publicweb/apply/scep/pkiclient.exe -i "iCOM%20Kunde1%20Dev%20SubCA"
ca_capabilities=POSTPKIOperation,Renewal,SHA-1
scep_ca_identifier=KBCA
ca_encryption_cert=-----BEGIN CERTIFICATE-----
<bla>
-----END CERTIFICATE-----
ca_encryption_issuer_cert=-----BEGIN CERTIFICATE-----
<bla>
-----END CERTIFICATE-----
*ca_encryption_cert_pool*=-----BEGIN CERTIFICATE-----
<bla>
-----END CERTIFICATE-----

2016-08-22 10:05:24 [21621] User ID 0 PID 22278 called
/org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request.

2016-08-22 10:05:24 [22280] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:05:24 [22280] Not attempting to set NSS FIPS mode.

2016-08-22 10:05:24 [22280] Skipping NSS internal slot (NSS Generic
Crypto Services).

2016-08-22 10:05:24 [22280] Found token 'NSS Certificate DB'.

2016-08-22 10:05:24 [22280] Error locating a key.

2016-08-22 10:05:24 [22281] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:05:24 [22281] Not attempting to set NSS FIPS mode.

2016-08-22 10:05:24 [22281] Found token 'NSS Generic Crypto Services'.

2016-08-22 10:05:24 [22281] Cert storage slot still needs user PIN to be
set.

2016-08-22 10:05:24 [22281] Found token 'NSS Certificate DB'.

2016-08-22 10:05:24 [22281] Error locating certificate.

2016-08-22 10:05:24 [21621] Request2('husky100') starts in state
'NEWLY_ADDED'

2016-08-22 10:05:24 [21621] Request2('husky100') taking writing lock

2016-08-22 10:05:24 [21621] Request2('husky100') moved to state
'NEWLY_ADDED_START_READING_KEYINFO'

2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:24 [21621] Started Request2('husky100').

2016-08-22 10:05:24 [21621] Queuing FD 8 for Read for
0x7fdf7bf25630:0x7fdf7bf33720.

2016-08-22 10:05:24 [21621] Request2('husky100') moved to state
'NEWLY_ADDED_READING_KEYINFO'

2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') on traffic
from 11.

2016-08-22 10:05:24 [21621] Dequeuing FD 8 for Read for
0x7fdf7bf25630:0x7fdf7bf33720.

2016-08-22 10:05:24 [21621] Handling D-Bus traffic (Read) on FD 8 for
0x7fdf7bf25630.

2016-08-22 10:05:24 [21621] message
0x7fdf7bf25630(method_call)->org.fedorahosted.certmonger:/org/fedorahosted/certmonger/requests/Request2:org.fedorahosted.certmonger.request.get_nickname

2016-08-22 10:05:24 [21621] Pending GetConnectionUnixUser serial 1227

2016-08-22 10:05:24 [21621] Pending GetConnectionUnixProcessID serial 1228

2016-08-22 10:05:24 [21621] Queuing FD 8 for Read for
0x7fdf7bf25630:0x7fdf7bf2bc00.

2016-08-22 10:05:24 [21621] Dequeuing FD 8 for Read for
0x7fdf7bf25630:0x7fdf7bf2bc00.

2016-08-22 10:05:24 [21621] Handling D-Bus traffic (Read) on FD 8 for
0x7fdf7bf25630.

2016-08-22 10:05:24 [21621] message 0x7fdf7bf25630(method_return)->1227->819

2016-08-22 10:05:24 [21621] message 0x7fdf7bf25630(method_return)->1228->820

2016-08-22 10:05:24 [21621] User ID 0 PID 22278 called
/org/fedorahosted/certmonger/requests/Request2:org.fedorahosted.certmonger.request.get_nickname.

2016-08-22 10:05:24 [21621] Queuing FD 8 for Read for
0x7fdf7bf25630:0x7fdf7bf33720.

2016-08-22 10:05:24 [22282] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:05:24 [22282] Not attempting to set NSS FIPS mode.

2016-08-22 10:05:24 [22282] Skipping NSS internal slot (NSS Generic
Crypto Services).

2016-08-22 10:05:24 [22282] Found token 'NSS Certificate DB'.

2016-08-22 10:05:24 [22282] Error locating a key.

2016-08-22 10:05:24 [21621] Request2('husky100') moved to state
'NEWLY_ADDED_START_READING_CERT'

2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:24 [21621] Request2('husky100') moved to state
'NEWLY_ADDED_READING_CERT'

2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') on traffic
from 11.

2016-08-22 10:05:25 [22283] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:05:25 [22283] Not attempting to set NSS FIPS mode.

2016-08-22 10:05:25 [22283] Found token 'NSS Generic Crypto Services'.

2016-08-22 10:05:25 [22283] Cert storage slot still needs user PIN to be
set.

2016-08-22 10:05:25 [22283] Found token 'NSS Certificate DB'.

2016-08-22 10:05:25 [22283] Error locating certificate.

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
'NEWLY_ADDED_DECIDING'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:25 [21621] Request2('husky100') releasing writing lock

2016-08-22 10:05:25 [21621] Request2('husky100') has no key or
certificate, will generate keys and attempt enrollment

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
'NEED_KEY_PAIR'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:25 [21621] Request2('husky100') taking writing lock

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
'GENERATING_KEY_PAIR'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic
from 11.

2016-08-22 10:05:25 [22284] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:05:25 [22284] Not attempting to set NSS FIPS mode.

2016-08-22 10:05:25 [22284] Found token 'NSS Certificate DB'.

2016-08-22 10:05:25 [22284] Generating key pair.

2016-08-22 10:05:25 [22284] Nickname "husky100" appears to be unused.

2016-08-22 10:05:25 [22284] Set nickname "husky100" on private key.

2016-08-22 10:05:25 [21621] Request2('husky100') releasing writing lock

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
'HAVE_KEY_PAIR'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
'NEED_KEYINFO'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
'READING_KEYINFO'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic
from 11.

2016-08-22 10:05:25 [22285] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:05:25 [22285] Not attempting to set NSS FIPS mode.

2016-08-22 10:05:25 [22285] Skipping NSS internal slot (NSS Generic
Crypto Services).

2016-08-22 10:05:25 [22285] Found token 'NSS Certificate DB'.

2016-08-22 10:05:25 [22285] Located the key 'husky100'.

2016-08-22 10:05:25 [22285] Converted private key 'husky100' to public key.

2016-08-22 10:05:25 [22285] Key is an RSA key.

2016-08-22 10:05:25 [22285] Key size is 2048.

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
'HAVE_KEYINFO'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'NEED_CSR'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
'GENERATING_CSR'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic
from 11.

2016-08-22 10:05:25 [22286] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:05:25 [22286] Not attempting to set NSS FIPS mode.

2016-08-22 10:05:25 [22286] Skipping NSS internal slot (NSS Generic
Crypto Services).

2016-08-22 10:05:25 [22286] Found token 'NSS Certificate DB'.

2016-08-22 10:05:25 [22286] Located the key 'husky100'.

2016-08-22 10:05:25 [22286] Converted private key 'husky100' to public key.

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'HAVE_CSR'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
'NEED_TO_SUBMIT'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'SUBMITTING'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic
from 15.

2016-08-22 10:05:25 [21621] Certificate submission attempt complete.

2016-08-22 10:05:25 [21621] Child status = 16.

2016-08-22 10:05:25 [21621] Child output:

"Error reading request, expected PKCS7 data.

"

2016-08-22 10:05:25 [21621] Error reading request, expected PKCS7 data.

2016-08-22 10:05:25 [21621] Certificate not (yet?) issued.

2016-08-22 10:05:25 [21621] Request2('husky100') goes to a CA over SCEP,
need to generate SCEP data.

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
'NEED_SCEP_DATA'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
'GENERATING_SCEP_DATA'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic
from 11.

2016-08-22 10:05:25 [22288] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:05:25 [22288] Not attempting to set NSS FIPS mode.

2016-08-22 10:05:25 [22288] Generating dummy key.

2016-08-22 10:05:25 [22288] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:05:25 [22288] Not attempting to set NSS FIPS mode.

2016-08-22 10:05:25 [22288] Skipping NSS internal slot (NSS Generic
Crypto Services).

2016-08-22 10:05:25 [22288] Found token 'NSS Certificate DB'.

2016-08-22 10:05:25 [22288] Located the key 'husky100'.

2016-08-22 10:05:25 [22288] Converted private key 'husky100' to public key.

2016-08-22 10:05:25 [22288] Server does not support DES3, using DES.

2016-08-22 10:05:25 [22288] Server does not support better digests,
using MD5.

2016-08-22 10:05:25 [22288] Generating PKCSREQ pkiMessage.

2016-08-22 10:05:25 [22288] Setting transaction ID
"89399340103492129363376569585892061602695437784280139265051808388486717974760".

2016-08-22 10:05:25 [22288] Setting message type "19".

2016-08-22 10:05:25 [22288] Setting sender nonce.

2016-08-22 10:05:25 [22288] Signed data.

2016-08-22 10:05:25 [22288] Generating GetCertInitial pkiMessage.

2016-08-22 10:05:25 [22288] Setting transaction ID
"89399340103492129363376569585892061602695437784280139265051808388486717974760".

2016-08-22 10:05:25 [22288] Setting message type "20".

2016-08-22 10:05:25 [22288] Setting sender nonce.

2016-08-22 10:05:25 [22288] Signed data.

2016-08-22 10:05:25 [22288] Signing using old key.

2016-08-22 10:05:25 [22288] Re-signing PKCSREQ message with old key.

2016-08-22 10:05:25 [22288] Re-signing GetCertInitial message with old key.

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
'HAVE_SCEP_DATA'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state
'NEED_TO_SUBMIT'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'SUBMITTING'

2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on traffic
from 15.

2016-08-22 10:05:26 [21621] Certificate submission attempt complete.

2016-08-22 10:05:26 [21621] Child status = 0.

2016-08-22 10:05:26 [21621] Child output:

"-----BEGIN PKCS7-----

-----END PKCS7-----

"

2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic
from 11.

2016-08-22 10:05:26 [22292] Postprocessing output "-----BEGIN PKCS7-----

-----END PKCS7-----

".

2016-08-22 10:05:26 [22292] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:05:26 [22292] Not attempting to set NSS FIPS mode.

2016-08-22 10:05:26 [22292] Skipping NSS internal slot (NSS Generic
Crypto Services).

2016-08-22 10:05:26 [22292] Found token 'NSS Certificate DB'.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag

2016-08-22 10:05:26 [22292] error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error

2016-08-22 10:05:26 [22292] error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag

2016-08-22 10:05:26 [22292] error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.

2016-08-22 10:05:26 [22292] Succeeded in decrypting enveloped data.

2016-08-22 10:05:26 [22292] Succeeded in decrypting enveloped data.

2016-08-22 10:05:26 [21621] Certificate submission postprocessing complete.

2016-08-22 10:05:26 [21621] Child status = 0.

2016-08-22 10:05:26 [21621] Child output:

"{"certificate":"-----BEGIN
CERTIFICATE-----\nMIIDKjCCAhKgAwIBAgIIBVULrGtczBowDQYJKoZIhvcNAQEFBQAwIDEeMBwGA1UE\nAwwVaUNPTSBLdW5kZTEgRGV2IFN1YkNBMB4XDTE2MDgyMjA3NTUyNloXDTI2MDYw\nOTE0MjYxMVowEzERMA8GA1UEAwwIaHVza3kxMDAwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQCwj6TZXwh2TD1UJuEc/LhjgUF91BJ4OOpjt2uOyfTsGaFO\nDykz0tEWyXRk7mkHQeqC/isVD0CYz6bhks2HwwqMAIc37eaz/uEIPQu4rz59gUMl\nVkh93YOtX2JlsQ0y0QPuwIGgb3Z1NX8MbhlE0GpLrb2vY8Y0TpBjwGpbagaMRPgz\nyP2v62jau9xn+72VTjOxNImJH/8V1UTDl1gt0lR2XH5dMeo+weVW8ZUvgDykhQDj\nq4V/trRW+556owhPv2ALBpuubp99d2rfPSdWnLg7JCtpIEIGq9KcEIfV1Bq/d4zb\n3PVrb1xZIb2vCOYyijUr8OCpgMslTM1WiKdIw9GTAgMBAAGjdTBzMAwGA1UdEwEB\n/wQCMAAwHwYDVR0jBBgwFoAUp+pgIuSdJoXPRmZ6unXbKtfB2NowEwYDVR0lBAww\nCgYIKwYBBQUHAwIwHQYDVR0OBBYEFCKFlaNB18Tf7Njwy/8I1aDPge3DMA4GA1Ud\nDwEB/wQEAwIFoDANBgkqhkiG9w0BAQUFAAOCAQEAho5avfYElYPaUxr9diXxG4aA\nVijNIiGXa6FmOwmMmR2h2UUqn11doNbkR+Zv4FFjMqdlWQh4aMLhn6Z0+ahSx3NY\nHG0saJfV88loRb+zC03yOyPIjEmFo4d2Vc+CsXAQ49ElHVKjqqC3JaMrma/EfMQ2\nW6Sc8x55smgPXjPLf8VytHdjH/ZeCDFbBYqs8CS0JbjP2!
UppEjwWAv4
r8QH8VWuz\n97kxRpXFVTXb/gJUCxNqJRCU1aFTfO1L6x9BzfVKJX73nyAuQmZ+090PJIFCTTx/\nexdeoX0EBPeGmV7XjAO5GqGq+P6i3oeJ/Z8Kvug0XzlUSc55SMbc+z2B07GVIA==\n-----END
CERTIFICATE-----\n","key_checked":true}

"

2016-08-22 10:05:26 [21621] Issued certificate is "-----BEGIN
CERTIFICATE-----

-----END CERTIFICATE-----

".

2016-08-22 10:05:26 [21621] Certificate issued (0 chain certificates, 0
roots).

2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
'NEED_TO_SAVE_CERT'

2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:26 [21621] Request2('husky100') taking writing lock

2016-08-22 10:05:26 [21621] No hooks set for pre-save command.

2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
'START_SAVING_CERT'

2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
'SAVING_CERT'

2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic
from 11.

2016-08-22 10:05:26 [22293] No duplicate nickname entries.

2016-08-22 10:05:26 [22293] No duplicate subject name entries.

2016-08-22 10:05:26 [22293] Imported certificate "husky100", got
nickname "husky100".

2016-08-22 10:05:26 [22293] Removed name from old key.

2016-08-22 10:05:26 [22293] Error shutting down NSS.

2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'SAVED_CERT'

2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
'NEED_TO_SAVE_CA_CERTS'

2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
'START_SAVING_CA_CERTS'

2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
'SAVING_CA_CERTS'

2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic
from 11.

2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
'NEED_TO_READ_CERT'

2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
'READING_CERT'

2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic
from 11.

2016-08-22 10:05:26 [22295] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:05:26 [22295] Not attempting to set NSS FIPS mode.

2016-08-22 10:05:26 [22295] Found token 'NSS Generic Crypto Services'.

2016-08-22 10:05:26 [22295] Cert storage slot still needs user PIN to be
set.

2016-08-22 10:05:26 [22295] Found token 'NSS Certificate DB'.

2016-08-22 10:05:26 [22295] Located the certificate "husky100".

2016-08-22 10:05:26 [22295] Read value "0" from
"/proc/sys/crypto/fips_enabled".

2016-08-22 10:05:26 [22295] Not attempting to set NSS FIPS mode.

2016-08-22 10:05:26 [21621] No hooks set for post-save command.

2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
'NEED_TO_NOTIFY_ISSUED_SAVED'

2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.

2016-08-22 10:05:26 [21621] Request2('husky100') releasing writing lock

2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
'NOTIFYING_ISSUED_SAVED'

2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on traffic
from 11.

2016-08-22 10:05:26 [22296] 0x1d Certificate named "husky100" in token
"NSS Certificate DB" in database "/tmp/nssdb" issued by CA and saved.

2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'MONITORING'

2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') soon.

2016-08-22 10:05:31 [21621] Will revisit Request2('husky100') in 86400
seconds.

Besides the "Error reading request, expected PKCS7 data" error, which always
shows up, and the "Error decrypting bulk key: SEC_ERROR_BAD_DATA" errors (?),
the cert is finally issued and stored in the NSS DB.

Certificate:

     Data:

         Version: 3 (0x2)

         Serial Number: 8344117917752670949 (0x73cc4309839ebae5)

     Signature Algorithm: sha1WithRSAEncryption

         Issuer: CN=mx_kd3

         Validity

             Not Before: Aug 19 16:03:29 2016 GMT

             Not After : Aug  2 15:23:36 2017 GMT

         Subject: CN=mx_pre2

         Subject Public Key Info:

             Public Key Algorithm: rsaEncryption

                 Public-Key: (2048 bit)

                 Modulus:


                 Exponent: 65537 (0x10001)

         X509v3 extensions:

             X509v3 Subject Key Identifier:

                 D7:06:53:64:27:62:69:3B:ED:79:B2:6A:D8:94:DD:EE:B6:9C:51:44

             X509v3 Basic Constraints: critical

                 CA:FALSE

             X509v3 Authority Key Identifier:

                 
                 keyid:8C:DB:52:66:8F:60:01:FA:58:8D:82:06:01:25:9C:2C:7D:D0:A0:14

             X509v3 Key Usage: critical

                 Digital Signature, Key Encipherment

             X509v3 Extended Key Usage:

                 TLS Web Client Authentication

     Signature Algorithm: sha1WithRSAEncryption


subject= /CN=mx_pre2

issuer= /CN=mx_kd3


SHA1 Fingerprint=C3:B6:32:E9:70:E8:0F:98:A5:77:8E:96:13:5B:F8:40:63:37:29:7E

So the question is why certmonger fails to verify the signature on the server
response depending on which server I try.

What is included in the checks? The hostname of clients/servers?

How can I debug this? I'm not an experienced C programmer and was just
able to apply that GetCACertChain fix in scep.c and build certmonger
with that.

Peter



--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
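
Added example (not part of the original message and not certmonger code): a small Python parser for certmonger debug output in the format shown in the log above. It rejoins lines wrapped by the mail client, reconstructs each request's state sequence, and collects the entries that begin with "Error ". The sample input is taken from the log excerpt above; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the debug output quoted above,
# keeping the line wrapping introduced by the mail client.
SAMPLE = """\
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
'NEED_TO_SAVE_CERT'
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state
'START_SAVING_CERT'
2016-08-22 10:05:26 [22293] Imported certificate "husky100", got
nickname "husky100".
2016-08-22 10:05:26 [22293] Error shutting down NSS.
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'SAVED_CERT'
2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'MONITORING'
"""

ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[(\d+)\] (.*)$")
STATE = re.compile(r"^(\w+)\('([^']*)'\) moved to state '(\w+)'")


def parse_entries(text):
    """Return (timestamp, pid, message) tuples, rejoining wrapped lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue  # mail archives insert blank lines between entries
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), int(m.group(2)), m.group(3)])
        elif entries:  # no timestamp prefix: continuation of previous entry
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]


def summarize(text):
    """Map each request nickname to its state sequence; list error entries."""
    states, errors = defaultdict(list), []
    for ts, pid, msg in parse_entries(text):
        m = STATE.match(msg)
        if m:
            states[m.group(2)].append(m.group(3))
        elif msg.startswith("Error "):
            errors.append((ts, pid, msg))
    return dict(states), errors


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Comparing the state sequences and error entries from a run against each server shows at which step the failing enrollment diverges from the working one.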
