On Wed, Feb 11, 2015 at 10:04:42AM +0100, marcin kowalski wrote:
> I forgot to add - usually removing the "-v" bit in ca external helper
> definition produces the aforementioned 'rejected by CA' message, instead of
> verbose output.

Ah.  Yes, the verbose output goes to stdout, where it confuses the main
daemon (it's expecting a very specific format from stdout), rather than
stderr, which probably would have been a better idea.

> > Since I haven't fully figured out how to set up authentication for
> > certmonger yet, I've temporarily reused one from the dogtag's pki instance.
> > Hopefully it's not a fatal mistake on my end.

The agent authentication is set up using a combination of the -d, -n,
and optionally the -P or -p flags.  If you leave off all options,
dogtag-ipa-renew-agent-submit more or less assumes:
 -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt

I tried this on my own box, and Dogtag threw a curve ball by putting a
blank line in before the -----END CERTIFICATE----- line at the end of
the issued certificate.  It's something we can work around, but it's not
something the current version knows that it needs to do.

HTH,

Nalin
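
A sketch of the kind of workaround mentioned above, as an added example that is not part of the original message and not certmonger's own code: a normalizer that accepts a PEM certificate with blank lines inside the armor and re-emits it cleanly. The function name and the sample bytes are constructed for illustration.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample: stand-in bytes, not a real certificate, with the
# blank line before the END marker that the message describes.
SAMPLE_DER = bytes(range(96))
_b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_REPLY = "\n".join([BEGIN, _b64[:64], _b64[64:], "", END, ""])


def normalize_pem_certificate(text):
    """Return (pem, der) for the first certificate block in `text`.

    Blank lines and stray whitespace between the BEGIN and END markers
    are dropped, so a reply with an empty line before the END line is
    still accepted. Raises ValueError if no complete block is found or
    the body is not valid base64.
    """
    body = []
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            inside, body = True, []
        elif line == END and inside:
            break
        elif inside and line:
            body.append(line)
    else:
        # Loop ended without reaching an END marker after a BEGIN marker.
        raise ValueError("no complete certificate block found")
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently skipping them.
        der = base64.b64decode("".join(body), validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    if not der:
        raise ValueError("certificate body is empty")
    b64 = base64.b64encode(der).decode("ascii")
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{wrapped}\n{END}\n", der
```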
