Leusmann, Philipp via FreeIPA-users wrote:
> Rob,
> 
>> What command? The command should be a script or simple command. No pipes
>> or redirects.
> 
> I issue ipa-getcert request -I artifactory2 -f server.crt -k fullchain.key -C 
> 'cat server.crt /etc/ipa/ca.crt > fullchain.crt'
> I also tried calling a bash-script instead of the -C argument. Doesn’t help.

I created /usr/local/catcerts.sh with:

#!/bin/bash
#
# concatenate a server cert and the chain into a single file

cert=$1
chain=$2
target=$3

# quote the paths so names containing spaces or glob characters are handled
cat "$cert" "$chain" > "$target"

Then got a cert:

# getcert request -f /etc/pki/tls/certs/test.pem [other options] -C
"/usr/local/catcerts.sh /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt
/etc/pki/tls/certs/whole.pem"

And /etc/pki/tls/certs/whole.pem contains server cert + IPA chain.

rob

> 
>>
>>> I cannot find a way how to find out the reason.
>>> Are there any prerequisites for the commands? I understand certmonger 
>>> offers debug options. But I have no idea how and where certmonger is 
>>> started. I also do not understand possible argument values for the DEBUG.
>>>
>>> Any help is appreciated.
>>
>> For the daemon itself you can control output in
>> /etc/sysconfig/certmonger by setting OPTS=-d<int>. 2 or 3 should do it.
> 
> Even with -d5 I see a lot of debugging output but no hint whatsoever on 
> trying to invoke the post-save command.
> 
> — snip —
> 
> […]
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] 
> Request4('artifactory2') moved to state 'NEWLY_ADDED_START_READING_CERT'
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will 
> revisit Request4('artifactory2') now.
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] 
> Request4('artifactory2') moved to state 'NEWLY_ADDED_READING_CERT'
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will 
> revisit Request4('artifactory2') on traffic from 11.
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] 
> Dequeuing FD 7 for Read for 0x5569f1232870:0x5569f12373b0.
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] 
> Handling D-Bus traffic (Read) on FD 7 for 0x5569f1232870.
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] 
> message 0x5569f1232870(method_return)->87->55
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] 
> message 0x5569f1232870(method_return)->88->56
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] User 
> ID 0 PID 9887 called 
> /org/fedorahosted/certmonger/requests/Request4:org.fedorahosted.certmonger.request.get_nickname.
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] 
> Queuing FD 7 for Read for 0x5569f1232870:0x5569f1248610.
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9891] Read 
> value "0" from "/proc/sys/crypto/fips_enabled".
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9891] Not 
> attempting to set NSS FIPS mode.
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] 
> Request4('artifactory2') moved to state 'NEWLY_ADDED_DECIDING'
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will 
> revisit Request4('artifactory2') now.
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] 
> Request4('artifactory2') releasing writing lock
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] 
> Request4('artifactory2') has a certificate, monitoring it
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] 
> Request4('artifactory2') moved to state 'MONITORING'
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will 
> revisit Request4('artifactory2') now.
> May  8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will 
> revisit Request4('artifactory2') in 86400 seconds.
> 
> — snip —
> 
>> The helpers have their own debugging but it's tricky. Your best bet is
>> to shut down certmonger and modify the CA that is issuing the cert (in
>> /var/log/certmonger/cas/*). Add -v (or several) to the end of the submit
>> helper to get more output, then restart certmonger.
> 
> Doesn’t add anything to the logging output seen.
> 
> Any further ideas?
> 
> Regards,
> Philipp
> 
> 
> -----------------------------
> CONET Solutions GmbH, Theodor-Heuss-Allee 19, 53773 Hennef.
> Geschäftsführer/Managing Director: Dirk Lieder
> Registergericht/Registration Court: Amtsgericht Siegburg (HRB Nr. 9136)
> -----------------------------
> 
> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> 
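Added example, not part of the original thread and not certmonger's own code: a hardened variant of the post-save helper discussed above. Because -C takes a script or simple command rather than pipes or redirects, the redirect lives inside the script. This version refuses empty or non-PEM inputs, replaces the bundle atomically, and logs each run so the journal shows whether the helper was invoked at all. The syslog tag "catcerts" and the helper names are assumptions made for this example.

```shell
#!/bin/bash
# Added example: hardened cert + chain post-save helper (names are hypothetical).
# Usage: catcerts-safe.sh CERT CHAIN TARGET

is_pem_cert() {
    # True if the file is readable, non-empty and has a PEM certificate header.
    [ -r "$1" ] && [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

log_msg() {
    # Record each run in syslog; stay silent if logger is unavailable.
    if command -v logger >/dev/null 2>&1; then
        logger -t catcerts -- "$1" 2>/dev/null || true
    fi
    return 0
}

concat_chain() {
    if [ "$#" -ne 3 ]; then
        log_msg "usage error: expected CERT CHAIN TARGET"
        return 2
    fi
    local cert=$1 chain=$2 target=$3 tmp
    if ! is_pem_cert "$cert" || ! is_pem_cert "$chain"; then
        log_msg "refusing to write $target: missing or non-PEM input"
        return 1
    fi
    # Build the bundle in a temp file next to the target, then rename it,
    # so a service reading the target never sees a truncated file.
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    if cat -- "$cert" "$chain" > "$tmp" \
        && chmod 0644 "$tmp" \
        && mv -f -- "$tmp" "$target"; then
        log_msg "wrote $target from $cert + $chain"
        return 0
    fi
    rm -f -- "$tmp"
    log_msg "failed to write $target"
    return 1
}

# Run only when called with the three arguments passed on the -C command line.
if [ "$#" -eq 3 ]; then
    concat_chain "$@"
fi
```

If no "catcerts" line appears in the system log after a certificate is saved, the helper was never started, which separates an invocation problem from a failure inside the script.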