On Fri, Nov 09, 2018 at 07:42:36AM +0100, Natxo Asenjo via FreeIPA-users wrote:
> On Thu, Nov 8, 2018 at 11:32 PM Fraser Tweedale <[email protected]> wrote:
>
> >
> > Natxo, could you please provide Dogtag debug log from
> > /var/log/pki/pki-tomcat/ca/debug and, if there is any traceback in
> > the journal at the time of this error, please give detail of that
> > too (`journalctl -u pki-tomcatd@pki-tomcat`).
> >
>
> aha, I see an error now in the debug log:
>
> [08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile:
> createRequests: begins
> [08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: Start parsePKCS10():
> -----BEGIN CERTIFICATE REQUEST-----
> MIICVjCCAT4CAQAwETEPMA0GA1UEAwwGdXNlcjUwMIIBIjANBgkqhkiG9w0BAQEF
> AAOCAQ8AMIIBCgKCAQEAkWjUxl0qInlYB4TiZ7GkJkgBdomTTzk5GfK76ZizbsGV
> 4xyPmUgf+7eEO3GEvkGiBPJxk0NVJuamuEJTIXtn7h7Wgz6ghCE0uCCupjAJqa57
> Hdm3h3GvofwWuE442YIRHvXydaSkrCAGsL/M3g4tVi7Xn+jTaWrzKsAeqJxQVRPD
> h4R9bN4BIzXL+62qGI9jriM8dJEWCrGFzg6viCujRlybkhQhiLxCGvS8lO3HQ7tF
> lDRZN6Ey/nvFxIC1MtGZgrN3nj/Z37nIBWF4s20CcJau8mfalJQEFjqLkjMh7X8K
> hWKrSdNj43nBTlO0So3qezs4roLkZFSN1hQnCG/pCQIDAQABoAAwDQYJKoZIhvcN
> AQELBQADggEBAH22PLW7Tuc6y5VxIpnaqdsborbp+Twr/kPoDnibJPjV8JBYqC4G
> iQCHDJn+uuJSpiBxTUtYX45CscOiwD8kiDoYIH/DCXUqPAhRudsBpJWDn9TKeFC5
> b0PrwuN5cDo+yKYZW590eLL8/xdjtb9p/M3AU5tSJTbG3dCA5Rp4MdgE97pOYkPg
> 3kUHR19YjH/GnZHeuv8Af+WIJVMvDVGKF+MvJEImSjg/ZQUV6hzBI+oAWr9Hj21q
> KABjiO5AhMyo+uC6WXajkltzUP30cbBlNl0Z34Dw452Ym5uILWAF+ZmlT0sp0Mg4
> lwNPSwst5mhUtQL7AmNHYHg7cAAgXx9Xql0=
> -----END CERTIFICATE REQUEST-----
>
> [08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile:
> parsePKCS10: signature verification enabled
> [08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile:
> parsePKCS10 setting thread token
> [08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile:
> Unable to parse PKCS #10 request: java.security.SignatureException: PKCS10:
> PKCS10: Request Subject: CN=user50: Invalid PKCS #10 signature
> java.security.SignatureException: PKCS10: PKCS10: Request Subject:
> CN=user50: Invalid PKCS #10 signature
>
> the journalctl output:
> Nov 08 22:37:13 kdc1.unix.asenjo.nl server[10677]: PKCS10: PKCS10: Request
> Subject: CN=user50: sig.verify() failed
> Nov 08 23:40:01 kdc1.unix.asenjo.nl server[10677]: Creating session
> 23596D3C3AFFCDE19F5B386C288E8290
> Nov 08 23:40:01 kdc1.unix.asenjo.nl server[10677]: Principal:
> GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager
> Agents,)]
> Nov 08 23:40:01 kdc1.unix.asenjo.nl server[10677]: Destroying session
> 5E49B1956B6902F7DFD52236F5A1A783
>

Hi Natxo,

The CSR's signature is indeed invalid. Were you able to solve the
issue in the meantime?

I'll have a look to see how we could produce better feedback in this
scenario, although it is quite rare to encounter a CSR with a bad
signature.

Cheers,
Fraser
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
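
A local pre-check for the failure discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA or Dogtag code: it verifies a PKCS #10 self-signature with the `openssl` CLI before the request is sent to the CA, and shows the check rejecting a CSR whose signature has been damaged. The function names (`csr_sig_ok`, `corrupt_csr_sig`, `demo`), the file names and the freshly generated `CN=user50` request are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: check a PKCS #10 self-signature locally before enrolment.
# Function names, file names and the generated CSR are constructed samples.

# csr_sig_ok FILE [FORM]: succeed only if openssl reports the CSR's
# self-signature as valid. The output text is matched because the exit
# status of `req -verify` on failure differs between OpenSSL releases.
csr_sig_ok() {
    openssl req -in "$1" -inform "${2:-PEM}" -noout -verify 2>&1 |
        grep -q 'verify OK'
}

# corrupt_csr_sig IN_PEM OUT_DER: write the CSR as DER with the lowest bit
# of its final byte flipped. The signature BIT STRING is the last field of
# a CertificationRequest, so only the signature value is damaged.
corrupt_csr_sig() {
    der=$(mktemp) || return 1
    openssl req -in "$1" -outform DER -out "$der" || return 1
    size=$(wc -c < "$der")
    last=$(tail -c 1 "$der" | od -An -tu1 | tr -d ' \n')
    new=$((last ^ 1))
    { head -c $((size - 1)) "$der"
      printf '%b' "\\0$(printf '%03o' "$new")"; } > "$2"
    rm -f "$der"
}

# demo: build a fresh CSR, then compare it with a corrupted copy.
demo() {
    dir=$(mktemp -d) || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -subj '/CN=user50' -out "$dir/good.pem" 2>/dev/null || return 1
    corrupt_csr_sig "$dir/good.pem" "$dir/bad.der" || return 1
    csr_sig_ok "$dir/good.pem" && echo "good.pem: signature valid"
    csr_sig_ok "$dir/bad.der" DER ||
        echo "bad.der: signature invalid, the CA would reject it"
    rm -rf "$dir"
}

demo
```

Running `csr_sig_ok` on the request file before submitting it catches this class of error on the client, where the cause (a CSR altered or re-encoded after signing) is easier to trace than from the server-side log.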
