On 5/12/2015 1:11 PM, Nalin Dahyabhai wrote:
On Tue, May 12, 2015 at 06:39:13PM +0200, Thibaut Pouzet wrote:
There is no more this weird "friendlyName :unable to print
attribute" thing, but the NoSuchTokenException is still in the debug log.
Thank you for your answer though, we've still made some progress in
identifying that I messed up the CA used for this certificate!
Hmm, so what you've got there looks pretty normal for a renewal request.
Just to rule out a problem with the request's signature or the encoding
of the subject name in the request (the latter is a bug in versions of
certmonger before 0.72), can you check the version of the certmonger
package and show us the base64-encoded form of the signing request?
I'm just about grasping at straws here, but the NoSuchTokenException
exception appears to be coming from the jss library, and is thrown when
it can't find the software module that is used for accessing the
server's keys. Can you verify that your /etc/pki-ca/CS.cfg file
contains these lines?
Is there a ca.requestVerify.token value set in /etc/pki-ca/CS.cfg? I
don't have one. The Dogtag logic looks like it would try to use one set
there rather than the default, but letting it use the default looks like
the intended way of doing things.
Which version of the jss and tomcatjss packages are installed? I'm
using jss-4.2.6-24.el6 and tomcatjss-2.1.0-3.el6 here.
If none of this turns up anything, then I'm going to have to defer to
the Dogtag team, too.
I think you're on to something. The "Invalid Request" message is
misleading. The actual error is NoSuchTokenException and it happens
before the PKCS10 request is parsed. So yes, we need to check the
Endi S. Dewata