Hi Rob,

Thanks for getting back to me, I have no idea how I missed this message.

I dug through the CA and KRA debug logs and don't see any PKCS7 output anywhere. I've been running certmonger in debug mode connected to the foreground and haven't really gotten anywhere there either. I did determine that the spot where things are failing is at https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065 but I haven't been able to figure out how to print what is being received from the server.

Running the 'scep-submit' command by hand with -C works as expected (of course Dogtag doesn't respond with server capabilities so it downgrades itself into insanity, but that doesn't seem to be the issue).

I also checked to see that the certmonger configuration is correct in the ~/.config/certmonger space and the entire certificate chain appears to be present as expected.

Thanks,

Trevor

On Tue, Jan 30, 2018 at 10:38 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Trevor Vaughan via FreeIPA-users wrote:
> > Hi All,
> >
> > I have a setup where I have a root CA and a sub CA and the sub CA is set up with a KRA and SCEP enabled.
> >
> > I've fired up certmonger and added the SCEP CA.
> >
> > When I attempt to request a certificate, the enrollment completes successfully per the Dogtag side of the equation but the response from the server cannot be decrypted by the client and I get the following error in the certmonger debug log:
> >
> > 2018-01-29 23:56:43  Child output:
> > "Error: failed to verify signature on server
> > response.
> > "
> > 2018-01-29 23:56:43  Error: failed to verify signature on server
> > response.
> >
> > The following commands were used for server addition and certificate registration.
> >
> > getcert add-scep-ca -c Site_CA -u https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R /etc/pki/site-pki.pem
> >
> > getcert request -c Site_CA -k /etc/pki/my_cert.pem -f /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
> >
> > Looking at the certmonger code, it looks like it is completely skipping all of the case statements and simply dropping down to the 'goto:'
> > https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889
> >
> > I've tried recompiling certmonger with some debug statements but I haven't managed to suss out what's going on. If someone could tell me how to print the actual response from the server, it would be appreciated.
> >
> > It certainly feels like the SCEP support has taken a back seat to the CMC features but the CMC features just aren't ready to replace SCEP at this time and, of course, can't support a lot of hardware requirements.
>
> A couple of things to try:
>
> - look in the dogtag debug log (/var/log/pki-tomcat/somewhere). It may have the raw PKCS#7 data to poke at
> - stop the certmonger service and start it in a terminal with certmonger -d 9 -n 2>&1 | tee /path/to/some/log and then redo the request. Again, you may be able to get some data out of it.
>
> I haven't tried SCEP with a subCA. It could be there is some disagreement about who is actually signing the response.
>
> rob

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
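Rob's guess that the sub CA and the chain file may disagree about who signs the response can be checked offline once the raw PKCS#7 response has been captured. The script below is an added example, not code from this thread or from certmonger or Dogtag; it assumes the openssl command-line tool is installed, and the file names are placeholders.

```shell
# Added example, not code from the thread or from certmonger: compare the
# certificates carried in a DER-encoded SCEP PKCS#7 response with the chain
# file given to `getcert add-scep-ca -R`. A signer missing from that chain is
# one reason for "failed to verify signature on server response".
# Assumes the openssl command-line tool; file names are placeholders.

# Print the SHA-256 fingerprint of every PEM certificate in $1, one per line.
pem_fingerprints() {
    cert=''
    while IFS= read -r line; do
        cert="$cert$line
"
        case $line in
            *'END CERTIFICATE'*)
                printf '%s' "$cert" | openssl x509 -noout -fingerprint -sha256 \
                    | sed 's/^.*=//'
                cert=''
                ;;
        esac
    done < "$1"
}

# $1 = DER PKCS#7 response, $2 = PEM chain file.
# Returns 0 when every certificate in the response is also in the chain,
# 1 when one is missing or the response carries no certificate at all.
check_response_signers() {
    tmp=$(mktemp -d) || return 1
    # -print_certs emits the embedded certificates as PEM (the signer's
    # certificate among them, when the server includes it)
    openssl pkcs7 -inform DER -in "$1" -print_certs > "$tmp/resp.pem" \
        || { rm -rf "$tmp"; return 1; }
    pem_fingerprints "$tmp/resp.pem" > "$tmp/resp.fp"
    pem_fingerprints "$2" > "$tmp/chain.fp"
    status=0
    if [ ! -s "$tmp/resp.fp" ]; then
        echo "response carries no certificate; nothing to compare"
        status=1
    fi
    while IFS= read -r fp; do
        if grep -qxF "$fp" "$tmp/chain.fp"; then
            echo "$fp: in chain"
        else
            echo "$fp: NOT in chain"
            status=1
        fi
    done < "$tmp/resp.fp"
    rm -rf "$tmp"
    return "$status"
}
```

Run it as `check_response_signers response.der /etc/pki/site-pki.pem` once the raw response is in hand; a "NOT in chain" line names a certificate the client has no anchor for.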
_______________________________________________ FreeIPA-users mailing list -- firstname.lastname@example.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org