Leusmann, Philipp via FreeIPA-users wrote:
> Rob,
>
>> What command? The command should be a script or simple command. No pipes
>> or redirects.
>
> I issue ipa-getcert request -I artifactory2 -f server.crt -k fullchain.key -C
> 'cat server.crt /etc/ipa/ca.crt > fullchain.crt'
> I also tried calling a bash-script instead of the -C argument. Doesn’t help

I created /usr/local/catcerts.sh with:

#!/bin/bash
#
# concatenate a server cert and the chain into a single file

cert=$1
chain=$2
target=$3

cat "$cert" "$chain" > "$target"

Then got a cert:

# getcert request -f /etc/pki/tls/certs/test.pem [other options] -C "/usr/local/catcerts.sh /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt /etc/pki/tls/certs/whole.pem"

And /etc/pki/tls/certs/whole.pem contains server cert + IPA chain.

rob

>
>>
>>> I cannot find a way how to find out the reason.
>>> Are there any prerequisites for the commands? I understand certmonger
>>> offers debug options. But I have no idea how and where certmonger is
>>> started. I also do not understand possible argument values for the DEBUG.
>>>
>>> Any help is appreciated.
>>
>> For the daemon itself you can control output in
>> /etc/sysconfig/certmonger by setting OPTS=-d<int>. 2 or 3 should do it.
>
> Even with -d5 I see a lot of debugging output but no hint whatsoever on
> trying to invoke the post-save command.
>
> — snip —
>
> […]
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'NEWLY_ADDED_START_READING_CERT'
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') now.
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'NEWLY_ADDED_READING_CERT'
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') on traffic from 11.
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Dequeuing FD 7 for Read for 0x5569f1232870:0x5569f12373b0.
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Handling D-Bus traffic (Read) on FD 7 for 0x5569f1232870.
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] message 0x5569f1232870(method_return)->87->55
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] message 0x5569f1232870(method_return)->88->56
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] User ID 0 PID 9887 called /org/fedorahosted/certmonger/requests/Request4:org.fedorahosted.certmonger.request.get_nickname.
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Queuing FD 7 for Read for 0x5569f1232870:0x5569f1248610.
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9891] Read value "0" from "/proc/sys/crypto/fips_enabled".
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9891] Not attempting to set NSS FIPS mode.
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'NEWLY_ADDED_DECIDING'
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') now.
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') releasing writing lock
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') has a certificate, monitoring it
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'MONITORING'
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') now.
> May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') in 86400 seconds.
>
> — snip —
>
>> The helpers have their own debugging but it's tricky. Your best bet is
>> to shut down certmonger and modify the CA that is issuing the cert (in
>> /var/log/certmonger/cas/*). Add -v (or several) to the end of the submit
>> helper to get more output, then restart certmonger.
>
> Doesn’t add anything to the logging output seen.
>
> Any further ideas?
>
> Regards,
> Philipp
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
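
A hardened variant of the wrapper-script approach from the reply above, as an added example that is not part of the original thread: it checks its inputs, replaces the bundle atomically, and logs every run to syslog so it is possible to confirm the post-save command actually fired. The function names, the `catcerts` syslog tag and the 0644 mode are assumptions of this example.

```shell
#!/bin/sh
# Added example: post-save helper for getcert's -C option.
# Install as catcerts.sh; usage: catcerts.sh CERT CHAIN TARGET

# Record each run in syslog (tag "catcerts" is an assumption of this example),
# so hook execution is visible independently of certmonger's own debug output.
log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t catcerts -- "$*" 2>/dev/null || true
    fi
}

concat_chain() {
    [ "$#" -eq 3 ] || { log "expected 3 arguments, got $#"; return 2; }
    cert=$1 chain=$2 target=$3
    for f in "$cert" "$chain"; do
        # Refuse missing, empty or non-PEM input instead of publishing a broken bundle.
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            log "not a PEM certificate: $f"
            return 1
        fi
    done
    # Build the bundle next to the target so the final mv is an atomic rename;
    # a service reading the target never sees a half-written file.
    tmp=$(mktemp "$(dirname "$target")/.catcerts.XXXXXX") || return 1
    # The bundle holds certificates only (no private key), hence world-readable.
    if cat -- "$cert" "$chain" > "$tmp" && chmod 0644 "$tmp" && mv -f -- "$tmp" "$target"; then
        log "wrote $target"
    else
        rm -f -- "$tmp"
        log "failed to write $target"
        return 1
    fi
}

# Run only when executed as the installed script, not when sourced.
case "${0##*/}" in
    catcerts.sh) concat_chain "$@" ;;
esac
```

After a request completes, `journalctl -t catcerts` (or a grep for the tag in the syslog file) shows whether the helper was invoked and what it wrote.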