On Thu, Nov 08, 2018 at 05:16:53PM -0500, Rob Crittenden via FreeIPA-users wrote:
> Natxo Asenjo via FreeIPA-users wrote:
> > Hi,
> > 
> > I am testing smartcard authentication with a YubiKey NEO as described in
> > https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-login.html
> > 
> > I successfully generated a key using the yubico-piv-tool, and with that
> > a csr.
> > 
> > yubico-piv-tool -a verify-pin -a request-certificate -s 9e -S "/CN=user50/"
> > Enter PIN:
> > Successfully verified PIN.
> > 
> > Successfully generated a certificate request.
> > 
> > With this csr I try generating a certificate but it fails:
> > 
> > $ ipa cert-request user50.csr --principal user50 --raw
> > ipa: ERROR: Request failed with status 500: Non-2xx response from CA
> > REST API: 500. Invalid Request
> > 
> > In the pki logs I only see this error.
> > 192.168.5.10 - ipara [08/Nov/2018:22:37:12 +0100] "GET
> > /ca/rest/authorities/edb13864-3c75-4c7d-b5b8-dd4322789437/cert HTTP/1.1"
> > 200 920
> > 192.168.5.10 - ipara [08/Nov/2018:22:37:12 +0100] "GET
> > /ca/rest/account/logout HTTP/1.1" 204 -
> > 192.168.5.10 - - [08/Nov/2018:22:37:13 +0100] "POST
> > /ca/rest/certrequests?issuer-id=edb13864-3c75-4c7d-b5b8-dd4322789437
> > HTTP/1.1" 500 123
> > 
> > Any ideas as to what is going wrong?
> 
> You need to specify a profile for it since it is a user certificate.
> 
> When I played with this over the summer I started with
> https://frasertweedale.github.io/blog-redhat/posts/2016-07-25-freeipa-subcas.html
> 
Nevertheless, the Dogtag CA should not be returning status 500.

Natxo, could you please provide the Dogtag debug log from
/var/log/pki/pki-tomcat/ca/debug and, if there is any traceback in
the journal at the time of this error, please give details of that
too (`journalctl -u pki-tomcatd@pki-tomcat`).

Thanks,
Fraser