it depends on the depth of the cert chain if the verification fails or not.

fails: RootCA-> SubCA-> end-entity
works: RootCA-> SubCA-> SubSubCA->end-entity
works: RootCA-> SubCA-> SubCA-> SubSubCA-> SubSubSubCA->end-entity

when looking into the CA file, in cases where it works I see an extra entry  

ca_encryption_cert_pool=-----BEGIN CERTIFICATE-----
 MIIDHjCCAgagAwIBAgIIePjDfE7m7rMwDQYJKoZIhvcNAQEFBQAwGTEXMBUGA1UE
 ....
 EmkPKOf2v44U2E8ghQYKu8p4peuBqpInwOpsMj+x6zrlDw==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIEQDCCAiigAwIBAgIIAWN7R90xPZYwDQYJKoZIhvcNAQELBQAwQjELMAkGA1UE
 BhMCREUxHDAaBgNVBAoME0tCIElULVNlcnZpY2VzIEdtYkgxFTATBgNVBAMMDGlD
 T00gUm9vdCBDQTAeFw0xNjA2MDkxNDI2MTFaFw0yNjA2MDkxNDI2MTFaMBkxFzAV
 BgNVBAMMDmlDT00gS3VuZGUxIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
....
-----END CERTIFICATE-----

This entry is missing when the verification fails !

I got a valid cert in all test cases using jSCEP client and also in all 
certmonger test cases the server did generate and send the right cert.

I suspect a bug in certmonger (scep-submit). Maybe related to handling the 
certificate chain.

Peter


-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Monday, August 22, 2016 4:09 PM
To: Marx, Peter; freeipa-devel@redhat.com
Subject: Re: [Freeipa-devel] certmonger "failed to verify signature on server 
response" after receiving valid certificate

Marx, Peter wrote:
> I'm testing with certmonger 0.78.6 (patched for the GETCACertChain 
> bug) against two EJBCA servers. For verification I a use a second SCEP 
> client called jSCEP.
>
> I started certmonger in debug mode with
>   "/usr/libexec/certmonger/certmonger-session -n -d 15"
>
> The CA file in /root/.config/certmonger/cas  looks like this:
>
> id=Test_Sweden
>
> ca_aka=SCEP (certmonger 0.78.6)
>
> ca_is_default=0
>
> ca_type=EXTERNAL
>
> ca_external_helper=/usr/libexec/certmonger/scep-submit -u 
> http://ejbca-test2.primekey.se:8080/ejbca/publicweb/apply/scep/mxrates
> t/pkiclient.exe
> -i "mx_kd3"
>
> ca_capabilities=POSTPKIOperation,Renewal,SHA-1
>
> scep_ca_identifier=iCOM Kunde1 Schweden
>
> ca_encryption_cert=-----BEGIN CERTIFICATE-----
>
> <bla>
>
> -----END CERTIFICATE-----
>
> ca_encryption_issuer_cert=-----BEGIN CERTIFICATE-----
>
> <bla>
>
> -----END CERTIFICATE-----

It looks to me that certmonger can't verify the signature of the returned 
PKCS#7 data. I'd double check the value of ca_encryption_issuer_cert.

rob

>
> Issuing the request
>
> "getcert request -c Test_Sweden -v -d /tmp/nssdb -g 2048 -I husky201 
> -p /tmp/pwd.txt -n husky201 -L abcd -N CN='husky201' -s"
>
> gives this log:
>
> 2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for 
> 0x7fbe6b0c02e0.
>
> 2016-08-22 10:31:13 [22931] message
> 0x7fbe6b0c02e0(method_call)->org.fedorahosted.certmonger:/org/fedoraho
> sted/certmonger:org.fedorahosted.certmonger.add_request
>
> 2016-08-22 10:31:13 [22931] Pending GetConnectionUnixUser serial 135
>
> 2016-08-22 10:31:13 [22931] Pending GetConnectionUnixProcessID serial 
> 136
>
> 2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for 
> 0x7fbe6b0c02e0:0x7fbe6b0aa690.
>
> 2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for 
> 0x7fbe6b0c02e0:0x7fbe6b0aa690.
>
> 2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for 
> 0x7fbe6b0c02e0.
>
> 2016-08-22 10:31:13 [22931] message 
> 0x7fbe6b0c02e0(method_return)->135->73
>
> 2016-08-22 10:31:13 [22931] message 
> 0x7fbe6b0c02e0(method_return)->136->74
>
> 2016-08-22 10:31:13 [22931] User ID 0 PID 23133 called 
> /org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request.
>
> 2016-08-22 10:31:13 [23135] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23135] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23135] Skipping NSS internal slot (NSS Generic 
> Crypto Services).
>
> 2016-08-22 10:31:13 [23135] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:31:13 [23135] Located the key 'husky201'.
>
> 2016-08-22 10:31:13 [23135] Converted private key 'husky201' to public key.
>
> 2016-08-22 10:31:13 [23135] Key is an RSA key.
>
> 2016-08-22 10:31:13 [23135] Key size is 2048.
>
> 2016-08-22 10:31:13 [23136] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23136] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23136] Found token 'NSS Generic Crypto Services'.
>
> 2016-08-22 10:31:13 [23136] Cert storage slot still needs user PIN to 
> be set.
>
> 2016-08-22 10:31:13 [23136] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:31:13 [23136] Error locating certificate.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') starts in state 
> 'NEWLY_ADDED'
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') taking writing lock
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 
> 'NEWLY_ADDED_START_READING_KEYINFO'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Started Request7('husky201').
>
> 2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for 
> 0x7fbe6b0c02e0:0x7fbe6b09b4e0.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 
> 'NEWLY_ADDED_READING_KEYINFO'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on 
> traffic from 11.
>
> 2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for 
> 0x7fbe6b0c02e0:0x7fbe6b09b4e0.
>
> 2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for 
> 0x7fbe6b0c02e0.
>
> 2016-08-22 10:31:13 [22931] message
> 0x7fbe6b0c02e0(method_call)->org.fedorahosted.certmonger:/org/fedoraho
> sted/certmonger/requests/Request7:org.fedorahosted.certmonger.request.
> get_nickname
>
> 2016-08-22 10:31:13 [22931] Pending GetConnectionUnixUser serial 140
>
> 2016-08-22 10:31:13 [22931] Pending GetConnectionUnixProcessID serial 
> 141
>
> 2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for 
> 0x7fbe6b0c02e0:0x7fbe6b0ae0a0.
>
> 2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for 
> 0x7fbe6b0c02e0:0x7fbe6b0ae0a0.
>
> 2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for 
> 0x7fbe6b0c02e0.
>
> 2016-08-22 10:31:13 [22931] message 
> 0x7fbe6b0c02e0(method_return)->140->75
>
> 2016-08-22 10:31:13 [22931] message 
> 0x7fbe6b0c02e0(method_return)->141->76
>
> 2016-08-22 10:31:13 [22931] User ID 0 PID 23133 called 
> /org/fedorahosted/certmonger/requests/Request7:org.fedorahosted.certmonger.request.get_nickname.
>
> 2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for 
> 0x7fbe6b0c02e0:0x7fbe6b09b4e0.
>
> 2016-08-22 10:31:13 [23137] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23137] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23137] Skipping NSS internal slot (NSS Generic 
> Crypto Services).
>
> 2016-08-22 10:31:13 [23137] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:31:13 [23137] Located the key 'husky201'.
>
> 2016-08-22 10:31:13 [23137] Converted private key 'husky201' to public key.
>
> 2016-08-22 10:31:13 [23137] Key is an RSA key.
>
> 2016-08-22 10:31:13 [23137] Key size is 2048.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 
> 'NEWLY_ADDED_START_READING_CERT'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 
> 'NEWLY_ADDED_READING_CERT'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on 
> traffic from 11.
>
> 2016-08-22 10:31:13 [23138] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23138] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23138] Found token 'NSS Generic Crypto Services'.
>
> 2016-08-22 10:31:13 [23138] Cert storage slot still needs user PIN to 
> be set.
>
> 2016-08-22 10:31:13 [23138] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:31:13 [23138] Error locating certificate.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 
> 'NEWLY_ADDED_DECIDING'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') releasing writing 
> lock
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') has no certificate, 
> will attempt enrollment using already-present key
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'NEED_CSR'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 
> 'GENERATING_CSR'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on 
> traffic from 11.
>
> 2016-08-22 10:31:13 [23139] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23139] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23139] Skipping NSS internal slot (NSS Generic 
> Crypto Services).
>
> 2016-08-22 10:31:13 [23139] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:31:13 [23139] Located the key 'husky201'.
>
> 2016-08-22 10:31:13 [23139] Converted private key 'husky201' to public key.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'HAVE_CSR'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 
> 'NEED_TO_SUBMIT'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'SUBMITTING'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on 
> traffic from 15.
>
> 2016-08-22 10:31:13 [22931] Certificate submission attempt complete.
>
> 2016-08-22 10:31:13 [22931] Child status = 16.
>
> 2016-08-22 10:31:13 [22931] Child output:
>
> "Error reading request, expected PKCS7 data.
>
> "
>
> 2016-08-22 10:31:13 [22931] Error reading request, expected PKCS7 data.
>
> 2016-08-22 10:31:13 [22931] Certificate not (yet?) issued.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') goes to a CA over 
> SCEP, need to generate SCEP data.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 
> 'NEED_SCEP_DATA'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 
> 'GENERATING_SCEP_DATA'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on 
> traffic from 11.
>
> 2016-08-22 10:31:13 [23141] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23141] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23141] Generating dummy key.
>
> 2016-08-22 10:31:13 [23141] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23141] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23141] Skipping NSS internal slot (NSS Generic 
> Crypto Services).
>
> 2016-08-22 10:31:13 [23141] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:31:13 [23141] Located the key 'husky201'.
>
> 2016-08-22 10:31:13 [23141] Converted private key 'husky201' to public key.
>
> 2016-08-22 10:31:13 [23141] Server does not support DES3, using DES.
>
> 2016-08-22 10:31:13 [23141] Server does not support better digests, 
> using MD5.
>
> 2016-08-22 10:31:13 [23141] Generating PKCSREQ pkiMessage.
>
> 2016-08-22 10:31:13 [23141] Setting transaction ID 
> "46763632748922674693649122043315271915873922247404248201497767686509312971065".
>
> 2016-08-22 10:31:13 [23141] Setting message type "19".
>
> 2016-08-22 10:31:13 [23141] Setting sender nonce.
>
> 2016-08-22 10:31:13 [23141] Signed data.
>
> 2016-08-22 10:31:13 [23141] Generating GetCertInitial pkiMessage.
>
> 2016-08-22 10:31:13 [23141] Setting transaction ID 
> "46763632748922674693649122043315271915873922247404248201497767686509312971065".
>
> 2016-08-22 10:31:13 [23141] Setting message type "20".
>
> 2016-08-22 10:31:13 [23141] Setting sender nonce.
>
> 2016-08-22 10:31:13 [23141] Signed data.
>
> 2016-08-22 10:31:13 [23141] Signing using old key.
>
> 2016-08-22 10:31:13 [23141] Re-signing PKCSREQ message with old key.
>
> 2016-08-22 10:31:13 [23141] Re-signing GetCertInitial message with old key.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 
> 'HAVE_SCEP_DATA'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 
> 'NEED_TO_SUBMIT'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 'SUBMITTING'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') on 
> traffic from 15.
>
> 2016-08-22 10:31:15 [22931] Certificate submission attempt complete.
>
> 2016-08-22 10:31:15 [22931] Child status = 3.
>
> 2016-08-22 10:31:15 [22931] Child output:
>
> "Error: failed to verify signature on server response.
>
> "
>
> 2016-08-22 10:31:15 [22931] Error: failed to verify signature on 
> server response.
>
> 2016-08-22 10:31:15 [22931] Certificate not (yet?) issued.
>
> 2016-08-22 10:31:15 [22931] Request7('husky201') moved to state 
> 'CA_UNREACHABLE'
>
> 2016-08-22 10:31:15 [22931] Will revisit Request7('husky201') in 
> 604800 seconds.
>
> I recorded the client server communication and can clearly see that 
> the server transmitted the certificate.
>
> When using jSCEP client I can successfully download certificates from 
> that server with  e.g.
>
> $ openssl req -key test.key -new -days 30 -out test.pemreq -outform 
> PEM # end entity set to mx_pre2
>
> $ java -jar target/jscepcli-1.0-SNAPSHOT-exe.jar --ca-identifier 
> mx_kd3 --challenge abcd --csr-file test.pemreq --dn "CN=mx_pre2" 
> --key-file test.key \
>
> --url
> http://ejbca-test2.primekey.se:8080/ejbca/publicweb/apply/scep/mxrates
> t/pkiclient.exe
>
> With certmonger I can successfully get a cert using another CA with an 
> internal EJBCA server and this request:
>
> "getcert request -c Test_Sweden -v -d /tmp/nssdb -g 2048 -I husky100 
> -p /tmp/pwd.txt -n husky100 -L abcd -N CN='husky100' -s"
>
> id=KBCA
>
> ca_aka=SCEP (certmonger 0.78.6)
>
> ca_is_default=0
>
> ca_type=EXTERNAL
>
> ca_external_helper=/usr/libexec/certmonger/scep-submit -u 
> http://mucs70202.corp.knorr-bremse.com:8080/ejbca/publicweb/apply/scep
> /pkiclient.exe
> -i "iCOM%20Kunde1%20Dev%20SubCA"
>
> ca_capabilities=POSTPKIOperation,Renewal,SHA-1
>
> scep_ca_identifier=KBCA
>
> ca_encryption_cert=-----BEGIN CERTIFICATE-----
>
> <bla>
>
> -----END CERTIFICATE-----
>
> ca_encryption_issuer_cert=-----BEGIN CERTIFICATE-----
>
> <bla>
>
> -----END CERTIFICATE-----
>
> *ca_encryption_cert_pool*=-----BEGIN CERTIFICATE-----
>
> <bla>
>
> -----END CERTIFICATE-----
>
> 2016-08-22 10:05:24 [21621] User ID 0 PID 22278 called 
> /org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request.
>
> 2016-08-22 10:05:24 [22280] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:24 [22280] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:24 [22280] Skipping NSS internal slot (NSS Generic 
> Crypto Services).
>
> 2016-08-22 10:05:24 [22280] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:24 [22280] Error locating a key.
>
> 2016-08-22 10:05:24 [22281] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:24 [22281] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:24 [22281] Found token 'NSS Generic Crypto Services'.
>
> 2016-08-22 10:05:24 [22281] Cert storage slot still needs user PIN to 
> be set.
>
> 2016-08-22 10:05:24 [22281] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:24 [22281] Error locating certificate.
>
> 2016-08-22 10:05:24 [21621] Request2('husky100') starts in state 
> 'NEWLY_ADDED'
>
> 2016-08-22 10:05:24 [21621] Request2('husky100') taking writing lock
>
> 2016-08-22 10:05:24 [21621] Request2('husky100') moved to state 
> 'NEWLY_ADDED_START_READING_KEYINFO'
>
> 2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:24 [21621] Started Request2('husky100').
>
> 2016-08-22 10:05:24 [21621] Queuing FD 8 for Read for 
> 0x7fdf7bf25630:0x7fdf7bf33720.
>
> 2016-08-22 10:05:24 [21621] Request2('husky100') moved to state 
> 'NEWLY_ADDED_READING_KEYINFO'
>
> 2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') on 
> traffic from 11.
>
> 2016-08-22 10:05:24 [21621] Dequeuing FD 8 for Read for 
> 0x7fdf7bf25630:0x7fdf7bf33720.
>
> 2016-08-22 10:05:24 [21621] Handling D-Bus traffic (Read) on FD 8 for 
> 0x7fdf7bf25630.
>
> 2016-08-22 10:05:24 [21621] message
> 0x7fdf7bf25630(method_call)->org.fedorahosted.certmonger:/org/fedoraho
> sted/certmonger/requests/Request2:org.fedorahosted.certmonger.request.
> get_nickname
>
> 2016-08-22 10:05:24 [21621] Pending GetConnectionUnixUser serial 1227
>
> 2016-08-22 10:05:24 [21621] Pending GetConnectionUnixProcessID serial 
> 1228
>
> 2016-08-22 10:05:24 [21621] Queuing FD 8 for Read for 
> 0x7fdf7bf25630:0x7fdf7bf2bc00.
>
> 2016-08-22 10:05:24 [21621] Dequeuing FD 8 for Read for 
> 0x7fdf7bf25630:0x7fdf7bf2bc00.
>
> 2016-08-22 10:05:24 [21621] Handling D-Bus traffic (Read) on FD 8 for 
> 0x7fdf7bf25630.
>
> 2016-08-22 10:05:24 [21621] message 
> 0x7fdf7bf25630(method_return)->1227->819
>
> 2016-08-22 10:05:24 [21621] message 
> 0x7fdf7bf25630(method_return)->1228->820
>
> 2016-08-22 10:05:24 [21621] User ID 0 PID 22278 called 
> /org/fedorahosted/certmonger/requests/Request2:org.fedorahosted.certmonger.request.get_nickname.
>
> 2016-08-22 10:05:24 [21621] Queuing FD 8 for Read for 
> 0x7fdf7bf25630:0x7fdf7bf33720.
>
> 2016-08-22 10:05:24 [22282] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:24 [22282] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:24 [22282] Skipping NSS internal slot (NSS Generic 
> Crypto Services).
>
> 2016-08-22 10:05:24 [22282] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:24 [22282] Error locating a key.
>
> 2016-08-22 10:05:24 [21621] Request2('husky100') moved to state 
> 'NEWLY_ADDED_START_READING_CERT'
>
> 2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:24 [21621] Request2('husky100') moved to state 
> 'NEWLY_ADDED_READING_CERT'
>
> 2016-08-22 10:05:24 [21621] Will revisit Request2('husky100') on 
> traffic from 11.
>
> 2016-08-22 10:05:25 [22283] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:25 [22283] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:25 [22283] Found token 'NSS Generic Crypto Services'.
>
> 2016-08-22 10:05:25 [22283] Cert storage slot still needs user PIN to 
> be set.
>
> 2016-08-22 10:05:25 [22283] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:25 [22283] Error locating certificate.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 
> 'NEWLY_ADDED_DECIDING'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') releasing writing 
> lock
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') has no key or 
> certificate, will generate keys and attempt enrollment
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 
> 'NEED_KEY_PAIR'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') taking writing lock
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 
> 'GENERATING_KEY_PAIR'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on 
> traffic from 11.
>
> 2016-08-22 10:05:25 [22284] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:25 [22284] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:25 [22284] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:25 [22284] Generating key pair.
>
> 2016-08-22 10:05:25 [22284] Nickname "husky100" appears to be unused.
>
> 2016-08-22 10:05:25 [22284] Set nickname "husky100" on private key.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') releasing writing 
> lock
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 
> 'HAVE_KEY_PAIR'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 
> 'NEED_KEYINFO'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 
> 'READING_KEYINFO'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on 
> traffic from 11.
>
> 2016-08-22 10:05:25 [22285] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:25 [22285] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:25 [22285] Skipping NSS internal slot (NSS Generic 
> Crypto Services).
>
> 2016-08-22 10:05:25 [22285] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:25 [22285] Located the key 'husky100'.
>
> 2016-08-22 10:05:25 [22285] Converted private key 'husky100' to public key.
>
> 2016-08-22 10:05:25 [22285] Key is an RSA key.
>
> 2016-08-22 10:05:25 [22285] Key size is 2048.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 
> 'HAVE_KEYINFO'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'NEED_CSR'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 
> 'GENERATING_CSR'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on 
> traffic from 11.
>
> 2016-08-22 10:05:25 [22286] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:25 [22286] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:25 [22286] Skipping NSS internal slot (NSS Generic 
> Crypto Services).
>
> 2016-08-22 10:05:25 [22286] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:25 [22286] Located the key 'husky100'.
>
> 2016-08-22 10:05:25 [22286] Converted private key 'husky100' to public key.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'HAVE_CSR'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 
> 'NEED_TO_SUBMIT'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'SUBMITTING'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on 
> traffic from 15.
>
> 2016-08-22 10:05:25 [21621] Certificate submission attempt complete.
>
> 2016-08-22 10:05:25 [21621] Child status = 16.
>
> 2016-08-22 10:05:25 [21621] Child output:
>
> "Error reading request, expected PKCS7 data.
>
> "
>
> 2016-08-22 10:05:25 [21621] Error reading request, expected PKCS7 data.
>
> 2016-08-22 10:05:25 [21621] Certificate not (yet?) issued.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') goes to a CA over 
> SCEP, need to generate SCEP data.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 
> 'NEED_SCEP_DATA'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 
> 'GENERATING_SCEP_DATA'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on 
> traffic from 11.
>
> 2016-08-22 10:05:25 [22288] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:25 [22288] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:25 [22288] Generating dummy key.
>
> 2016-08-22 10:05:25 [22288] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:25 [22288] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:25 [22288] Skipping NSS internal slot (NSS Generic 
> Crypto Services).
>
> 2016-08-22 10:05:25 [22288] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:25 [22288] Located the key 'husky100'.
>
> 2016-08-22 10:05:25 [22288] Converted private key 'husky100' to public key.
>
> 2016-08-22 10:05:25 [22288] Server does not support DES3, using DES.
>
> 2016-08-22 10:05:25 [22288] Server does not support better digests, 
> using MD5.
>
> 2016-08-22 10:05:25 [22288] Generating PKCSREQ pkiMessage.
>
> 2016-08-22 10:05:25 [22288] Setting transaction ID 
> "89399340103492129363376569585892061602695437784280139265051808388486717974760".
>
> 2016-08-22 10:05:25 [22288] Setting message type "19".
>
> 2016-08-22 10:05:25 [22288] Setting sender nonce.
>
> 2016-08-22 10:05:25 [22288] Signed data.
>
> 2016-08-22 10:05:25 [22288] Generating GetCertInitial pkiMessage.
>
> 2016-08-22 10:05:25 [22288] Setting transaction ID 
> "89399340103492129363376569585892061602695437784280139265051808388486717974760".
>
> 2016-08-22 10:05:25 [22288] Setting message type "20".
>
> 2016-08-22 10:05:25 [22288] Setting sender nonce.
>
> 2016-08-22 10:05:25 [22288] Signed data.
>
> 2016-08-22 10:05:25 [22288] Signing using old key.
>
> 2016-08-22 10:05:25 [22288] Re-signing PKCSREQ message with old key.
>
> 2016-08-22 10:05:25 [22288] Re-signing GetCertInitial message with old key.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 
> 'HAVE_SCEP_DATA'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 
> 'NEED_TO_SUBMIT'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:25 [21621] Request2('husky100') moved to state 'SUBMITTING'
>
> 2016-08-22 10:05:25 [21621] Will revisit Request2('husky100') on 
> traffic from 15.
>
> 2016-08-22 10:05:26 [21621] Certificate submission attempt complete.
>
> 2016-08-22 10:05:26 [21621] Child status = 0.
>
> 2016-08-22 10:05:26 [21621] Child output:
>
> "-----BEGIN PKCS7-----
>
> MIAGCSqGSIb3DQEHA6CAMIACAQAxggFUMIIBUAIBADA4MBMxETAPBgNVBAMTCGh1
>
> c2t5MTAwAiEAxaY7vcruKj5BOCTGw5wQBTpMC0GpLQ5rQJvfM6bjKOgwDQYJKoZI
>
> hvcNAQEBBQAEggEAF8VwCqiExnQyPQvdPV8vYFIvV0OGJ5AuyurIQQ0y3zeb6Jjc
>
> h4j6LilwV0BnUjdH9G2t4gGWUbbUVxciaXy0lgcZnO7C39ptc8tPfcfnD5gwRXdj
>
> jLjWTRa6IBhBvgZS6/tQ1uiWXygSnTVl9renZSBixKrnUSaRO5vHl4IsMWp4J8/p
>
> 39DY2zncvP/oq4bMKe5priZEjgbZkgFI9IuleQM80pzTHayWlChx2M5Cg5pDrBLc
>
> k0lZeVLQ6Vg5V3yRGSsXNrxkexYZkRFGQkZ/6gsLmj1nPPVGjhjbtoEGtQZGpXaW
>
> xD+nWyv2TUDge1OzIYj326scX3z3+YXcw2J23zCABgkqhkiG9w0BBwEwEQYFKw4D
>
> AgcECJgYnlIa2DxtoIAEggNgaTC2AhLM52T8guE2jr4YTK1UlcwDpN8yRJNRyuK7
>
> vtDjx5aPx3+qTRJAOdeulV3pYK+3dpmddJoePGFpW/MaKBgAOpZVi/gk6LxnfKG4
>
> l+gwPR7y3EyXXCyank553tceF08lPoPMfkRCe01le5EW2PKKH9y7JeqvVkxIjhI8
>
> vaYKmARCLAtC4fXexjnjMxFKISctLTIJqqDfCn6T7h2j61jIAB4wABmTKjh1fwp5
>
> +bR+enbCG33KY9taeDHvgAYl0XOi8IQ370dI57I72383RCcQdAa9qdMSnhquMyZL
>
> GS1zBnWrW9wMbMWkIRjR+1nGguS+6qBP4IekOuifoi/LHkSz/uOUuEi0cintRRy6
>
> TsQEimydfIRfGrpcpaPCksHYUp/QZOSsQz9xAb/u6xMJMYRxKEw8q80xSniZP+dr
>
> HwfRThoJuxZcr3bpnRuEt2fYd1MgASeNTuZyLV4UJgdAZKAid74S0oi20OTSJyJE
>
> +GScqV/loZ4kJByE7fk3ZzCEWjOBhbzFzkoJ0vCxnRsq2eiyiTmTQvl4CM24q84f
>
> SNvUT3UE2NryGV8DSVuyUb0HX97x8Ii0l+pcciylWWy0W5qBhVlo5ns8aDfP4xqg
>
> blXv13hVIZPRs2KYFinK1ptOf2dBdYI8AFRx4eq85HGTd4J9yy5qIPjMfTVCNJz1
>
> GLHFCIAQrClFehHvVrny0tO88B9/Xky9I6ReRPdz8kZ6GBCkTBS3I+4Km7uyo2Bd
>
> XE5XlBJhaVboApZIwLNaf24eqH/L9pG6O+BhzKQEFqDYmpIzWslIsBqtMPFWD5E/
>
> x/v8O2Pj0b+Tmkky+VYv8gdEkOy6LPX2J4YH86PljJDEoSqhmSeeVFuGCbaRa60L
>
> NevoUzoQ3qCl/Brob7nDrOWeE1uJBWcDBs/CeFUvB0mfniIp0iDUOiTpWVm7drwv
>
> EMObPE+5SijzwFnj5HIgSpmHZUjFR9JcRfuG6E3u7BrDl1wS6U5lfb7Oqro2T6PF
>
> DB1+bL7NzCqF1nOYEDELOSrMxvk8/JQMxkBdrNx592FunoMEz8oAPbK5Lvt8oqE8
>
> YcULZMb56Zp4S/L4P/8jV5KB9peXhxWhvU4qqXGeBBQSjggBxAURUZni5HaRrzv4
>
> nUIyUuaf0fv3QY3tIi9hKaH8AAAAAAAAAAAAAA==
>
> -----END PKCS7-----
>
> "
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on 
> traffic from 11.
>
> 2016-08-22 10:05:26 [22292] Postprocessing output "-----BEGIN 
> PKCS7-----
>
> MIAGCSqGSIb3DQEHA6CAMIACAQAxggFUMIIBUAIBADA4MBMxETAPBgNVBAMTCGh1
>
> c2t5MTAwAiEAxaY7vcruKj5BOCTGw5wQBTpMC0GpLQ5rQJvfM6bjKOgwDQYJKoZI
>
> hvcNAQEBBQAEggEAF8VwCqiExnQyPQvdPV8vYFIvV0OGJ5AuyurIQQ0y3zeb6Jjc
>
> h4j6LilwV0BnUjdH9G2t4gGWUbbUVxciaXy0lgcZnO7C39ptc8tPfcfnD5gwRXdj
>
> jLjWTRa6IBhBvgZS6/tQ1uiWXygSnTVl9renZSBixKrnUSaRO5vHl4IsMWp4J8/p
>
> 39DY2zncvP/oq4bMKe5priZEjgbZkgFI9IuleQM80pzTHayWlChx2M5Cg5pDrBLc
>
> k0lZeVLQ6Vg5V3yRGSsXNrxkexYZkRFGQkZ/6gsLmj1nPPVGjhjbtoEGtQZGpXaW
>
> xD+nWyv2TUDge1OzIYj326scX3z3+YXcw2J23zCABgkqhkiG9w0BBwEwEQYFKw4D
>
> AgcECJgYnlIa2DxtoIAEggNgaTC2AhLM52T8guE2jr4YTK1UlcwDpN8yRJNRyuK7
>
> vtDjx5aPx3+qTRJAOdeulV3pYK+3dpmddJoePGFpW/MaKBgAOpZVi/gk6LxnfKG4
>
> l+gwPR7y3EyXXCyank553tceF08lPoPMfkRCe01le5EW2PKKH9y7JeqvVkxIjhI8
>
> vaYKmARCLAtC4fXexjnjMxFKISctLTIJqqDfCn6T7h2j61jIAB4wABmTKjh1fwp5
>
> +bR+enbCG33KY9taeDHvgAYl0XOi8IQ370dI57I72383RCcQdAa9qdMSnhquMyZL
>
> GS1zBnWrW9wMbMWkIRjR+1nGguS+6qBP4IekOuifoi/LHkSz/uOUuEi0cintRRy6
>
> TsQEimydfIRfGrpcpaPCksHYUp/QZOSsQz9xAb/u6xMJMYRxKEw8q80xSniZP+dr
>
> HwfRThoJuxZcr3bpnRuEt2fYd1MgASeNTuZyLV4UJgdAZKAid74S0oi20OTSJyJE
>
> +GScqV/loZ4kJByE7fk3ZzCEWjOBhbzFzkoJ0vCxnRsq2eiyiTmTQvl4CM24q84f
>
> SNvUT3UE2NryGV8DSVuyUb0HX97x8Ii0l+pcciylWWy0W5qBhVlo5ns8aDfP4xqg
>
> blXv13hVIZPRs2KYFinK1ptOf2dBdYI8AFRx4eq85HGTd4J9yy5qIPjMfTVCNJz1
>
> GLHFCIAQrClFehHvVrny0tO88B9/Xky9I6ReRPdz8kZ6GBCkTBS3I+4Km7uyo2Bd
>
> XE5XlBJhaVboApZIwLNaf24eqH/L9pG6O+BhzKQEFqDYmpIzWslIsBqtMPFWD5E/
>
> x/v8O2Pj0b+Tmkky+VYv8gdEkOy6LPX2J4YH86PljJDEoSqhmSeeVFuGCbaRa60L
>
> NevoUzoQ3qCl/Brob7nDrOWeE1uJBWcDBs/CeFUvB0mfniIp0iDUOiTpWVm7drwv
>
> EMObPE+5SijzwFnj5HIgSpmHZUjFR9JcRfuG6E3u7BrDl1wS6U5lfb7Oqro2T6PF
>
> DB1+bL7NzCqF1nOYEDELOSrMxvk8/JQMxkBdrNx592FunoMEz8oAPbK5Lvt8oqE8
>
> YcULZMb56Zp4S/L4P/8jV5KB9peXhxWhvU4qqXGeBBQSjggBxAURUZni5HaRrzv4
>
> nUIyUuaf0fv3QY3tIi9hKaH8AAAAAAAAAAAAAA==
>
> -----END PKCS7-----
>
> ".
>
> 2016-08-22 10:05:26 [22292] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:26 [22292] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:26 [22292] Skipping NSS internal slot (NSS Generic 
> Crypto Services).
>
> 2016-08-22 10:05:26 [22292] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] error:0D0680A8:asn1 encoding 
> routines:ASN1_CHECK_TLEN:wrong tag
>
> 2016-08-22 10:05:26 [22292] error:0D07803A:asn1 encoding 
> routines:ASN1_ITEM_EX_D2I:nested asn1 error
>
> 2016-08-22 10:05:26 [22292] error:0D0680A8:asn1 encoding 
> routines:ASN1_CHECK_TLEN:wrong tag
>
> 2016-08-22 10:05:26 [22292] error:0D07803A:asn1 encoding 
> routines:ASN1_ITEM_EX_D2I:nested asn1 error
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Error decrypting bulk key: SEC_ERROR_BAD_DATA.
>
> 2016-08-22 10:05:26 [22292] Succeeded in decrypting enveloped data.
>
> 2016-08-22 10:05:26 [22292] Succeeded in decrypting enveloped data.
>
> 2016-08-22 10:05:26 [21621] Certificate submission postprocessing complete.
>
> 2016-08-22 10:05:26 [21621] Child status = 0.
>
> 2016-08-22 10:05:26 [21621] Child output:
>
> "{"certificate":"-----BEGIN
> CERTIFICATE-----\nMIIDKjCCAhKgAwIBAgIIBVULrGtczBowDQYJKoZIhvcNAQEFBQAwIDEeMBwGA1UE\nAwwVaUNPTSBLdW5kZTEgRGV2IFN1YkNBMB4XDTE2MDgyMjA3NTUyNloXDTI2MDYw\nOTE0MjYxMVowEzERMA8GA1UEAwwIaHVza3kxMDAwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQCwj6TZXwh2TD1UJuEc/LhjgUF91BJ4OOpjt2uOyfTsGaFO\nDykz0tEWyXRk7mkHQeqC/isVD0CYz6bhks2HwwqMAIc37eaz/uEIPQu4rz59gUMl\nVkh93YOtX2JlsQ0y0QPuwIGgb3Z1NX8MbhlE0GpLrb2vY8Y0TpBjwGpbagaMRPgz\nyP2v62jau9xn+72VTjOxNImJH/8V1UTDl1gt0lR2XH5dMeo+weVW8ZUvgDykhQDj\nq4V/trRW+556owhPv2ALBpuubp99d2rfPSdWnLg7JCtpIEIGq9KcEIfV1Bq/d4zb\n3PVrb1xZIb2vCOYyijUr8OCpgMslTM1WiKdIw9GTAgMBAAGjdTBzMAwGA1UdEwEB\n/wQCMAAwHwYDVR0jBBgwFoAUp+pgIuSdJoXPRmZ6unXbKtfB2NowEwYDVR0lBAww\nCgYIKwYBBQUHAwIwHQYDVR0OBBYEFCKFlaNB18Tf7Njwy/8I1aDPge3DMA4GA1Ud\nDwEB/wQEAwIFoDANBgkqhkiG9w0BAQUFAAOCAQEAho5avfYElYPaUxr9diXxG4aA\nVijNIiGXa6FmOwmMmR2h2UUqn11doNbkR+Zv4FFjMqdlWQh4aMLhn6Z0+ahSx3NY\nHG0saJfV88loRb+zC03yOyPIjEmFo4d2Vc+CsXAQ49ElHVKjqqC3JaMrma/EfMQ2\nW6Sc8x55smgPXjPLf8VytHdjH/ZeCDFbBYqs8CS0JbjP2!
 UppEjwWAv4
r8QH8VWuz\n97kxRpXFVTXb/gJUCxNqJRCU1aFTfO1L6x9BzfVKJX73nyAuQmZ+090PJIFCTTx/\nexdeoX0EBPeGmV7XjAO5GqGq+P6i3oeJ/Z8Kvug0XzlUSc55SMbc+z2B07GVIA==\n-----END
> CERTIFICATE-----\n","key_checked":true}
>
> "
>
> 2016-08-22 10:05:26 [21621] Issued certificate is "-----BEGIN
> CERTIFICATE-----
>
> MIIDKjCCAhKgAwIBAgIIBVULrGtczBowDQYJKoZIhvcNAQEFBQAwIDEeMBwGA1UE
>
> AwwVaUNPTSBLdW5kZTEgRGV2IFN1YkNBMB4XDTE2MDgyMjA3NTUyNloXDTI2MDYw
>
> OTE0MjYxMVowEzERMA8GA1UEAwwIaHVza3kxMDAwggEiMA0GCSqGSIb3DQEBAQUA
>
> A4IBDwAwggEKAoIBAQCwj6TZXwh2TD1UJuEc/LhjgUF91BJ4OOpjt2uOyfTsGaFO
>
> Dykz0tEWyXRk7mkHQeqC/isVD0CYz6bhks2HwwqMAIc37eaz/uEIPQu4rz59gUMl
>
> Vkh93YOtX2JlsQ0y0QPuwIGgb3Z1NX8MbhlE0GpLrb2vY8Y0TpBjwGpbagaMRPgz
>
> yP2v62jau9xn+72VTjOxNImJH/8V1UTDl1gt0lR2XH5dMeo+weVW8ZUvgDykhQDj
>
> q4V/trRW+556owhPv2ALBpuubp99d2rfPSdWnLg7JCtpIEIGq9KcEIfV1Bq/d4zb
>
> 3PVrb1xZIb2vCOYyijUr8OCpgMslTM1WiKdIw9GTAgMBAAGjdTBzMAwGA1UdEwEB
>
> /wQCMAAwHwYDVR0jBBgwFoAUp+pgIuSdJoXPRmZ6unXbKtfB2NowEwYDVR0lBAww
>
> CgYIKwYBBQUHAwIwHQYDVR0OBBYEFCKFlaNB18Tf7Njwy/8I1aDPge3DMA4GA1Ud
>
> DwEB/wQEAwIFoDANBgkqhkiG9w0BAQUFAAOCAQEAho5avfYElYPaUxr9diXxG4aA
>
> VijNIiGXa6FmOwmMmR2h2UUqn11doNbkR+Zv4FFjMqdlWQh4aMLhn6Z0+ahSx3NY
>
> HG0saJfV88loRb+zC03yOyPIjEmFo4d2Vc+CsXAQ49ElHVKjqqC3JaMrma/EfMQ2
>
> W6Sc8x55smgPXjPLf8VytHdjH/ZeCDFbBYqs8CS0JbjP2UppEjwWAv4r8QH8VWuz
>
> 97kxRpXFVTXb/gJUCxNqJRCU1aFTfO1L6x9BzfVKJX73nyAuQmZ+090PJIFCTTx/
>
> exdeoX0EBPeGmV7XjAO5GqGq+P6i3oeJ/Z8Kvug0XzlUSc55SMbc+z2B07GVIA==
>
> -----END CERTIFICATE-----
>
> ".
>
> 2016-08-22 10:05:26 [21621] Certificate issued (0 chain certificates, 
> 0 roots).
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 
> 'NEED_TO_SAVE_CERT'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') taking writing lock
>
> 2016-08-22 10:05:26 [21621] No hooks set for pre-save command.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 
> 'START_SAVING_CERT'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 
> 'SAVING_CERT'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on 
> traffic from 11.
>
> 2016-08-22 10:05:26 [22293] No duplicate nickname entries.
>
> 2016-08-22 10:05:26 [22293] No duplicate subject name entries.
>
> 2016-08-22 10:05:26 [22293] Imported certificate "husky100", got 
> nickname "husky100".
>
> 2016-08-22 10:05:26 [22293] Removed name from old key.
>
> 2016-08-22 10:05:26 [22293] Error shutting down NSS.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'SAVED_CERT'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 
> 'NEED_TO_SAVE_CA_CERTS'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 
> 'START_SAVING_CA_CERTS'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 
> 'SAVING_CA_CERTS'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on 
> traffic from 11.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 
> 'NEED_TO_READ_CERT'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 
> 'READING_CERT'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on 
> traffic from 11.
>
> 2016-08-22 10:05:26 [22295] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:26 [22295] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:26 [22295] Found token 'NSS Generic Crypto Services'.
>
> 2016-08-22 10:05:26 [22295] Cert storage slot still needs user PIN to 
> be set.
>
> 2016-08-22 10:05:26 [22295] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:05:26 [22295] Located the certificate "husky100".
>
> 2016-08-22 10:05:26 [22295] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:05:26 [22295] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:05:26 [21621] No hooks set for post-save command.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 
> 'NEED_TO_NOTIFY_ISSUED_SAVED'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') now.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') releasing writing 
> lock
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 
> 'NOTIFYING_ISSUED_SAVED'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') on 
> traffic from 11.
>
> 2016-08-22 10:05:26 [22296] 0x1d Certificate named "husky100" in token 
> "NSS Certificate DB" in database "/tmp/nssdb" issued by CA and saved.
>
> 2016-08-22 10:05:26 [21621] Request2('husky100') moved to state 'MONITORING'
>
> 2016-08-22 10:05:26 [21621] Will revisit Request2('husky100') soon.
>
> 2016-08-22 10:05:31 [21621] Will revisit Request2('husky100') in 86400 
> seconds.
>
> Besides this "Error reading request, expected PKCS7 data" which always 
> shows up and "Error decrypting bulk key: SEC_ERROR_BAD_DATA" errors (?)
>   finally the cert is issued and stored into the nSS DB.
>
> Certificate:
>
>      Data:
>
>          Version: 3 (0x2)
>
>          Serial Number: 8344117917752670949 (0x73cc4309839ebae5)
>
>      Signature Algorithm: sha1WithRSAEncryption
>
>          Issuer: CN=mx_kd3
>
>          Validity
>
>              Not Before: Aug 19 16:03:29 2016 GMT
>
>              Not After : Aug  2 15:23:36 2017 GMT
>
>          Subject: CN=mx_pre2
>
>          Subject Public Key Info:
>
>              Public Key Algorithm: rsaEncryption
>
>                  Public-Key: (2048 bit)
>
>                  Modulus:
>
>                      00:89:01:fc:d4:a0:5c:df:8d:b6:f6:e3:49:8c:93:
>
> 77:7a:1e:26:34:4e:37:90:c3:6c:b0:e0:5d:a7:47:
>
>                     8e:81:8f:d8:04:d5:c0:03:26:1a:a5:49:c8:82:98:
>
>                      40:25:34:2e:43:c5:7d:cc:10:0e:b0:13:26:25:c0:
>
> 3d:87:15:fc:7f:90:6d:3d:2f:d6:ce:31:1f:af:38:
>
> 3f:8c:e9:fc:01:4c:a6:c5:3f:82:cb:c0:f8:8c:e7:
>
> 30:75:ba:68:b8:69:a6:6b:6c:04:a3:58:fb:b0:10:
>
>                      94:4b:a2:f6:bd:24:f7:75:97:c0:f2:4e:ee:d9:df:
>
> 7b:61:8b:46:a9:d4:46:96:05:31:e5:60:87:3e:8d:
>
>                      9b:8e:b2:f6:0f:03:1f:b7:49:1d:83:ec:9f:66:b1:
>
>                      f9:76:dd:dd:c5:b6:fa:52:5f:56:ce:2e:00:87:11:
>
> 90:6d:ba:c3:d7:fd:19:e0:64:c1:5d:0b:62:59:ad:
>
> 61:80:a7:76:d4:08:39:6b:2e:6f:05:68:c9:10:b4:
>
>                      9f:3e:b9:d0:63:9f:7d:e1:a7:74:4f:f8:f4:17:34:
>
>                      f5:bf:ab:c6:bf:b9:48:80:59:ec:00:41:de:8b:46:
>
>                      30:9d:8c:2b:d4:f3:2e:bd:39:e6:da:cd:d9:32:04:
>
> 55:04:29:26:66:0f:ac:ac:d2:bf:b1:19:56:62:0a:
>
>                      56:69
>
>                  Exponent: 65537 (0x10001)
>
>          X509v3 extensions:
>
>              X509v3 Subject Key Identifier:
>
>                  
> D7:06:53:64:27:62:69:3B:ED:79:B2:6A:D8:94:DD:EE:B6:9C:51:44
>
>              X509v3 Basic Constraints: critical
>
>                  CA:FALSE
>
>              X509v3 Authority Key Identifier:
>
>                  
> keyid:8C:DB:52:66:8F:60:01:FA:58:8D:82:06:01:25:9C:2C:7D:D0:A0:14
>
>              X509v3 Key Usage: critical
>
>                  Digital Signature, Key Encipherment
>
>              X509v3 Extended Key Usage:
>
>                  TLS Web Client Authentication
>
>      Signature Algorithm: sha1WithRSAEncryption
>
>           45:a1:0c:9b:7b:20:31:0a:90:53:21:b8:d5:e2:05:0f:29:10:
>
>           77:d6:3a:44:38:9d:4a:d0:19:30:99:b9:41:0e:b1:4b:0e:c2:
>
>           35:36:ce:98:5f:0a:54:88:3b:91:d1:fb:df:e5:6f:57:f9:04:
>
> 0d:51:bf:c5:50:c3:c6:4d:88:a0:73:31:99:63:85:69:81:66:
>
>           93:5c:c3:bf:3f:ef:50:cc:db:de:fe:95:43:64:f0:2c:66:c1:
>
>           f0:64:6f:8d:75:53:54:48:28:92:05:e1:21:a2:d6:fe:e3:1e:
>
> 5a:af:87:ba:45:06:39:47:5a:b8:df:1c:d8:cc:cf:6a:4a:ac:
>
> 08:92:7c:5b:08:9b:d5:0b:6d:49:33:c3:8f:a3:2c:50:4e:50:
>
>           ae:d3:61:27:09:8c:de:c3:04:91:e0:f9:0e:aa:63:49:84:5e:
>
>           cc:03:78:14:6e:cc:c3:5e:46:3b:56:6c:ae:20:7b:ce:51:8a:
>
> 78:eb:6b:4b:80:45:45:f3:3f:14:b6:d0:6a:99:d4:46:ad:d2:
>
> 0f:4d:99:4d:31:34:1f:4f:a3:19:92:45:8f:89:29:7e:4e:e7:
>
>           43:b2:15:4d:df:8a:66:70:c4:5d:b0:e3:d8:13:77:c2:51:98:
>
>           67:7d:b4:3c:95:71:54:05:06:1f:69:ae:fc:b1:00:b4:88:84:
>
>           da:e0:85:ae
>
> subject= /CN=mx_pre2
>
> issuer= /CN=mx_kd3
>
> -----BEGIN PUBLIC KEY-----
>
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiQH81KBc34229uNJjJN3
>
> eh4mNE43kMNssOBdp0eOgY/YBNXAAyYapUnIgphAJTQuQ8V9zBAOsBMmJcA9hxX8
>
> f5BtPS/WzjEfrzg/jOn8AUymxT+Cy8D4jOcwdbpouGmma2wEo1j7sBCUS6L2vST3
>
> dZfA8k7u2d97YYtGqdRGlgUx5WCHPo2bjrL2DwMft0kdg+yfZrH5dt3dxbb6Ul9W
>
> zi4AhxGQbbrD1/0Z4GTBXQtiWa1hgKd21Ag5ay5vBWjJELSfPrnQY5994ad0T/j0
>
> FzT1v6vGv7lIgFnsAEHei0YwnYwr1PMuvTnm2s3ZMgRVBCkmZg+srNK/sRlWYgpW
>
> aQIDAQAB
>
> -----END PUBLIC KEY-----
>
> SHA1 
> Fingerprint=C3:B6:32:E9:70:E8:0F:98:A5:77:8E:96:13:5B:F8:40:63:37:29:7
> E
>
> So the question is why certmonger fails to verify signature on server 
> response depending on which server I try.
>
> What is included in the checks ?  hostname of clients/servers?
>
> How can I debug this ?  I'm not an experienced C programmer and was 
> just able to apply that GetCACertchain fix in scep.c and build 
> certmonger with that.
>
> Peter
>
>
> automechanika         InnoTrans       IAA
> automechanika
> 13.09.-17.09.2016
> Messe Frankfurt
> Hall 3.0
> Stand G98 + E91       InnoTrans
> 20.09.-23.09.2016
> Messe Berlin
> Hall 1.2b
> Stand 104 + 210       IAA
> 22.09.-29.09.2016
> Messe Hannover
> Hall 17
> Stand A30 + D131
>
>
> Knorr-Bremse IT-Services GmbH
> Sitz: München
> Geschäftsführer: Helmut Draxler (Vorsitzender), Harald Jessen, Harald 
> Schneider Registergericht München, HR B 167 268
>
> This transmission is intended solely for the addressee and contains 
> confidential information.
> If you are not the intended recipient, please immediately inform the 
> sender and delete the message and any attachments from your system.
> Furthermore, please do not copy the message or disclose the contents 
> to anyone unless agreed otherwise. To the extent permitted by law we 
> shall in no way be liable for any damages, whatever their nature, 
> arising out of transmission failures, viruses, external influence, delays and 
> the like.
>
>


automechanika - 13.09.-17.09.2016 - Messe Frankfurt - Hall 3.0 - Stand G98 + E91
InnoTrans - 20.09.-23.09.2016 - Messe Berlin - Hall 1.2b - Stand 104 + 210
IAA - 22.09.-29.09.2016 - Messe Hannover - Hall 17 - Stand A30 + D131

Knorr-Bremse IT-Services GmbH
Sitz: Muenchen
Geschaeftsfuehrer: Helmut Draxler (Vorsitzender), Harald Jessen, Harald 
Schneider
Registergericht Muenchen, HR B 167 268

This transmission is intended solely for the addressee and contains 
confidential information.
If you are not the intended recipient, please immediately inform the sender and 
delete the message and any attachments from your system. 
Furthermore, please do not copy the message or disclose the contents to anyone 
unless agreed otherwise. To the extent permitted by law we shall in no way be 
liable for any damages, whatever their nature, arising out of transmission 
failures, viruses, external influence, delays and the like.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to