On Wed, Feb 11, 2015 at 10:04:42AM +0100, marcin kowalski wrote:
> I forgot to add - usually removing the "-v" bit in ca external helper
> definition produces the aforementioned 'rejected by CA' message, instead of
> verbose output.

Ah.  Yes, the verbose output goes to stdout, where it confuses the main
daemon (it's expecting a very specific format from stdout), rather than
stderr, which probably would have been a better idea.

> > Since i haven't fully figured out how to setup authentication for
> > certmonger yet, i've temporarily reused one from the dogtag's pki instance.
> > Hopefully it's not a fatal mistake on my end.

The agent authentication is set up using a combination of the -d, -n,
and optionally the -P or -p flags.  If you leave off all options,
dogtag-ipa-renew-agent-submit more or less assumes:
 -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt

I tried this on my own box, and Dogtag threw a curve ball by putting a
blank line in before the -----END CERTIFICATE----- line at the end of
the issued certificate.  It's something we can work around, but it's not
something the current version knows that it needs to do.



Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to