On Wed, Feb 11, 2015 at 10:04:42AM +0100, marcin kowalski wrote:
> I forgot to add - usually removing the "-v" bit in ca external helper
> definition produces the aforementioned 'rejected by CA' message, instead of
> verbose output.

Ah. Yes, the verbose output goes to stdout, where it confuses the main daemon (it's expecting a very specific format from stdout), rather than stderr, which probably would have been a better idea.

> > Since I haven't fully figured out how to set up authentication for
> > certmonger yet, I've temporarily reused one from the dogtag's pki instance.
> > Hopefully it's not a fatal mistake on my end.

The agent authentication is set up using a combination of the -d, -n, and optionally the -P or -p flags. If you leave off all options, dogtag-ipa-renew-agent-submit more or less assumes:

  -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt

I tried this on my own box, and Dogtag threw a curve ball by putting a blank line in before the -----END CERTIFICATE----- line at the end of the issued certificate. It's something we can work around, but it's not something the current version knows that it needs to do.

HTH,

Nalin
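
Added example, not part of the original message and not certmonger's own code: one way to tolerate the blank line before the -----END CERTIFICATE----- marker described above, by dropping empty lines inside the PEM block, decoding the body strictly, and re-wrapping it. The function names are hypothetical and the sample input is constructed placeholder bytes, not a real certificate.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def wrap64(body):
    """Split a base64 string into 64-column lines."""
    return "\n".join(body[i:i + 64] for i in range(0, len(body), 64))


def normalize_pem_certificate(text):
    """Return (pem, der) for the first CERTIFICATE block found in text.

    Blank lines and surrounding whitespace inside the block are dropped,
    the base64 body is decoded strictly, and the block is re-wrapped.
    """
    lines = [line.strip() for line in text.splitlines()]
    try:
        start = lines.index(BEGIN)
        end = lines.index(END, start + 1)
    except ValueError:
        raise ValueError("no complete CERTIFICATE block found") from None
    body = "".join(line for line in lines[start + 1:end] if line)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    # Cheap structural check: a certificate is a DER SEQUENCE (tag 0x30).
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return "%s\n%s\n%s\n" % (BEGIN, wrap64(body), END), der


def constructed_sample():
    """Constructed input: DER-shaped placeholder bytes, not a real certificate."""
    der = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
    body = wrap64(base64.b64encode(der).decode("ascii"))
    # Reproduce the blank line before the END marker.
    return "%s\n%s\n\n%s\n" % (BEGIN, body, END), der


if __name__ == "__main__":
    raw, expected = constructed_sample()
    pem, der = normalize_pem_certificate(raw)
    assert der == expected and "\n\n" not in pem
    print(pem, end="")
```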