On Tue, May 12, 2015 at 06:39:13PM +0200, Thibaut Pouzet wrote: > After doing what you recommended, the CSR have changed in the debug log : > > Certificate Request: > Data: > Version: 0 (0x0) > Subject: O=ipa_domain, CN=ipa_server > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > Public-Key: (2048 bit) > Modulus: > 00:b8:d6:d3:51:c0:4c:ce:2a:c1:1b:b7:60:a3:6a: > 04:ec:6d:75:94:c4:b9:b5:4a:40:3a:be:d5:12:d8: > 77:af:a2:8e:a4:5a:47:cf:3b:4d:7a:8a:13:2b:1a: > 93:c0:f3:a5:ae:25:44:86:56:72:d9:73:9e:e3:22: > 0e:7c:66:64:87:f7:b1:06:2f:c5:ca:7d:b6:3f:9e: > 67:9e:b3:5b:72:56:bd:12:e6:65:65:8b:b3:5a:5d: > 53:94:a2:d7:be:53:97:59:9d:c4:2e:1a:79:b5:c2: > d1:ac:85:90:04:0b:1b:c6:27:fb:82:46:88:c1:31: > 38:83:1d:a8:83:bc:a3:a9:fa:3e:de:91:e0:84:d6: > 00:cb:e1:80:38:61:55:4c:60:6b:d7:55:7c:5d:88: > f6:c2:bf:42:57:3b:82:30:2b:29:b9:84:93:90:60: > c6:1a:f4:3a:45:fa:04:69:60:c0:86:33:02:4d:69: > 04:07:e0:37:36:b2:2f:ae:6d:28:5a:86:90:65:30: > b3:9b:5f:e4:8d:f2:d1:dd:1b:6a:02:23:fb:07:7e: > 0d:e0:f0:64:1a:34:8c:2d:f5:db:63:22:82:6f:e4: > 53:72:c1:dc:9a:e9:37:4c:f0:3b:39:d4:31:d6:b9: > 62:c4:93:2d:30:47:f4:4a:2f:76:fc:08:f4:82:28: > 1b:fb > Exponent: 65537 (0x10001) > Attributes: > a0:00 > Signature Algorithm: sha256WithRSAEncryption > 10:ef:cf:ff:6c:63:72:61:c3:b5:5e:8e:b0:20:f0:63:13:43: > bb:3b:63:c8:4e:6f:34:63:33:cc:47:af:8a:dc:2d:13:2a:58: > 87:7c:d7:5e:e9:b3:e7:f4:47:b7:7b:eb:77:0b:7c:0e:58:20: > dd:62:a8:a0:8b:31:1e:54:f0:dd:3f:44:4a:e7:a2:a6:64:85: > 9f:10:0e:06:75:33:94:82:f3:8f:89:66:e1:7f:65:21:85:b8: > 69:6d:e7:35:a5:a7:08:1d:51:55:48:13:b8:e3:2d:6f:99:c1: > ce:1e:81:e3:fb:93:3a:f0:86:0d:43:96:31:93:fb:87:fb:53: > 46:02:e1:dd:05:55:85:72:35:fa:72:6d:c6:35:d4:6d:9e:be: > db:ee:e6:8c:7b:b1:5a:cd:4d:cc:8e:3e:10:4e:a7:d3:61:36: > ae:86:59:df:51:a3:0f:38:79:b8:e0:bd:eb:25:44:a4:43:b0: > 93:7f:1e:43:aa:d5:30:d3:e3:a0:bd:ee:08:b7:88:9a:cd:a0: > 8c:ac:2a:8f:71:ec:64:70:72:91:f8:d2:e8:55:5b:22:1f:2e: > 60:6c:a4:be:ee:42:09:a6:71:25:ec:37:43:a1:e6:15:63:8f: > 05:97:61:1d:8e:25:5d:76:df:8b:66:7f:85:27:8b:93:98:a9: > 3e:cc:cb:d8 > > There is no more this weird "friendlyName :unable to print > attribute" thing, but the NoSuchTokenException is still in the debug log > of pki-ca > > Thank you for you answer though, we've still made some progress in > identifying that I messed the CA used for this certificate !
Hmm, so what you've got there looks pretty normal for a renewal request. Just to rule out a problem with the request's signature or the encoding of the subject name in the request (the latter is a bug in versions of certmonger before 0.72), can you check the version of the certmonger package and show us the base64-encoded form of the signing request? I'm just about grasping at straws here, but the NoSuchTokenException exception appears to be coming from the jss library, and is thrown when it can't find the software module that is used for accessing the server's keys. Can you verify that your /etc/pki-ca/CS.cfg file contains these lines? jss.configDir=/var/lib/pki-ca/alias/ jss.enable=true jss.secmodName=secmod.db Is there a ca.requestVerify.token value set in /etc/pki-ca/CS.cfg? I don't have one. The Dogtag logic looks like it would try to use one set there rather than the default, but letting it use the default looks like the intended way of doing things. Which version of the jss and tomcatjss packages are installed? I'm using jss-4.2.6-24.el6 and tomcatjss-2.1.0-3.el6 here. If none of this turns up anything, then I'm going to have to defer to the Dogtag team, too. Nalin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
