I forgot to add - usually removing the "-v" bit in ca external helper
definition produces the aforementioned 'rejected by CA' message, instead of
verbose output.

2015-02-11 10:00 GMT+01:00 marcin kowalski <yoshi...@gmail.com>:

> Edit: I accidentally forgot to send a copy to the list, so resubmitting.
>
>
> I tried this command :
>
> getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey -N
> "cn=mywebserver"
>
> I've set up the 'dogtag-ipa' ca in certmonger like so:
>
> id=dogtag-ipa
> ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)
> ca_is_default=0
> ca_type=EXTERNAL
> ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
> -E https://fedora.box.net:8443/ca/ee/ca -A
> https://fedora.box.net:8443/ca/agent/ca/ -n "CN=BOX.NET admin" -d
> /var/lib/pki/pki-tomcat/alias/  -i /etc/ipa/ca.crt -v
>
>
> Since I haven't fully figured out how to set up authentication for
> certmonger yet, I've temporarily reused one from the dogtag's pki instance.
> Hopefully it's not a fatal mistake on my end.
>
> From the certmonger logs I get:
>
> lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: GET
> https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQK%2B%0A6O7LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true
> lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: <?xml
> version="1.0" encoding="UTF-8"
> standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred -
> {0}</Error><RequestId>  49</RequestId></XMLResponse>
>
>
> And the request #49 is placed in Dogtag's CA Agent services, and can be
> acknowledged/rejected correctly. It's just that certmonger is stuck and
> doesn't notice the successful delivery.
>
> Machine is in isolated network, so there is probably no issue wrt using
> box.net as test domain.
>
> 2015-02-10 18:40 GMT+01:00 Dmitri Pal <d...@redhat.com>:
>
>>  On 02/10/2015 12:35 PM, marcin kowalski wrote:
>>
>> Hi all, I'm getting dogtag figured out slowly, and I noticed one odd
>> thing.
>>
>> I've set up certmonger to request an arbitrary certificate through dogtag,
>> and while the request seems to go into the dogtag system, certmonger acts
>> as if communication with the CA failed. The certificate is considered in
>> need of user attention because the process got stuck.
>>
>> Request ID '20150210125814':
>> status: NEED_GUIDANCE
>> stuck: yes
>> key pair storage: type=FILE,location='/etc/pki/testkey'
>> certificate: type=FILE,location='/etc/pki/testcert'
>> CA: dogtag-ipa
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>>
>>  [root@fedora pki]# systemctl status -l certmonger
>> (….)
>> lut 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate
>> to be stored in file "/etc/pki/testcert" rejected by CA.
>>
>> The request is present in dogtag and is valid, can be accepted/rejected,
>> etc. Even though certmonger never notices that. I wonder if there is some
>> obvious mistake in my setup, or perhaps there is a known bug in interaction
>> of both components on F21 (I'm using only standard repositories).
>>
>> When I post the query from certmonger's agent defined in ca definition
>> through curl, I get no errors.
>>
>> What would be the best way to debug this issue?
>>
>>
>>  Can you post your certmonger get-cert command?
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
>
>
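When chasing a stuck request like the one above, the useful evidence is the XMLResponse the helper logs with -v. The following triage script is an added example, not part of this thread or of certmonger: it pulls every XMLResponse out of journal lines (even when a mail client has wrapped them), strips the padded RequestId, and says whether the CA deferred the request into the agent queue rather than rejecting it. Only status codes 0 and 2 come from the thread; the other names in STATUS_NAMES are an assumption for illustration.

```python
"""Triage of a certmonger external-helper (-v) journal: find the Dogtag
XMLResponse and report what the CA actually answered."""
import re
import xml.etree.ElementTree as ET

# Status codes as seen in this thread: 0 = issued, 2 = deferred (request
# parked in the agent queue). The other names are an assumption added for
# illustration, not taken from the thread or from Dogtag documentation.
STATUS_NAMES = {0: "issued", 1: "error", 2: "deferred", 3: "rejected"}

XML_RE = re.compile(r"<XMLResponse>.*?</XMLResponse>", re.S)

def parse_response(xml_text):
    """Parse one XMLResponse; padding around values (e.g. '  49') is stripped."""
    root = ET.fromstring(xml_text)
    status = int((root.findtext("Status") or "-1").strip())
    return {
        "status": status,
        "outcome": STATUS_NAMES.get(status, "unknown"),
        "request_id": (root.findtext("RequestId") or "").strip(),
        "error": " ".join((root.findtext("Error") or "").split()),
    }

def triage_journal(lines):
    """Join journal lines (mail clients wrap them) and parse every response."""
    text = "\n".join(line.strip() for line in lines)
    return [parse_response(m.group(0)) for m in XML_RE.finditer(text)]

def advice(result):
    """Next step for the operator, derived from the parsed response."""
    if result["outcome"] == "deferred":
        return ("CA deferred request %s: approve it in the agent interface; "
                "certmonger should keep polling, not treat this as a rejection"
                % result["request_id"])
    if result["outcome"] == "issued":
        return "CA issued the certificate"
    return "CA answered status %d (%s): %s" % (
        result["status"], result["outcome"], result["error"])

# Constructed sample, modelled on the journal lines quoted in the thread.
SAMPLE_JOURNAL = [
    'lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: <?xml',
    'version="1.0" encoding="UTF-8"',
    'standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred -',
    '{0}</Error><RequestId>  49</RequestId></XMLResponse>',
]

if __name__ == "__main__":
    for r in triage_journal(SAMPLE_JOURNAL):
        print(advice(r))
```

Feed it `journalctl -u certmonger` output instead of SAMPLE_JOURNAL to check a live system.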