Re: [Freeipa-users] first time web UI access?

2015-08-17 Thread marcin kowalski
I had issues on fedora with main screen crashing in various ways. Going into
specific subsystem directly works.

There was no such problem when building package on debian and running it
there, though.

2015-08-17 19:04 GMT+02:00 Janelle janellenicol...@gmail.com:

 Hi,

 Apparently no one has ever seen this? :-(

 ~J


 On 8/14/15 6:37 AM, Janelle wrote:

 I am curious if anyone else ever sees a problem with first time IPA WEB
 UI access and the full screen not loading. It requires a reload sometimes
 once or twice to get it to load properly. Has anyone seen this before?

 thank you
 Janelle


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project


[Freeipa-users] certmonger + dogtag, bad parsing of returned certificate

2015-05-19 Thread marcin kowalski
Hi, all. I am trying to integrate certmonger with dogtag instance, and so
far i've stumbled on one odd problem. Hopefully this is the right list.


I've generated some random cert with getcert request, it has communicated
with dogtag, and i approved it there.

However, when certmonger retrieves it, it cannot save it to disk (
NEED_TO_NOTIFY_ISSUED_SAVE_FAILED )

Upon inspection of certmonger's request file (in
/var/lib/certmonger/requests ), it turns out that there is an extra empty
line before end certificate marker line.  There is no such line when
looking at the cert in dogtag web interface.

Is there some method/hook i could use to post process such request files to
fix them up?

Currently i have to stop certmonger, remove the unnecessary blank line and
restart it. Then it manages to save the cert to disk and starts tracking it
correctly.

Re: [Freeipa-users] certmonger + dogtag, bad parsing of returned certificate

2015-05-19 Thread marcin kowalski
Thanks for the tip, I am using whatever is in current fedora, which is 0.76
or similar version. I'll give an updated version a shot.

I had similar results with ubuntu's 0.75.x

2015-05-19 16:30 GMT+02:00 Nalin Dahyabhai na...@redhat.com:

 On Tue, May 19, 2015 at 12:34:47PM +0200, marcin kowalski wrote:
  Hi, all. I am trying to integrate certmonger with dogtag instance, and so
  far i've stumbled on one odd problem. Hopefully this is the right list.
 
  I've generated some random cert with getcert request, it has communicated
  with dogtag, and i approved it there.
 
  However, when certmonger retrieves it, it cannot save it to disk (
  NEED_TO_NOTIFY_ISSUED_SAVE_FAILED )
 
  Upon inspection of certmonger's request file (in
  /var/lib/certmonger/requests ), it turns out that there is an extra empty
  line before end certificate marker line.  There is no such line when
  looking at the cert in dogtag web interface.
 
  Is there some method/hook i could use to post process such request files
  to fix them up?

 There's no hook for doing that with the data files themselves, because
 they're meant to be internal details of the implementation, but the data
 coming back from the enrollment helper, which is what's malformed to
 begin with, can be corrected at the point when the helper is run.

 Essentially, you'd replace the configured call to dogtag-submit with a
 script or other program that checked $CERTMONGER_OPERATION for the
 values SUBMIT and POLL, ran the dogtag-submit helper, filtered its
 output to fix this mistake, and returned the helper's exit status to
 keep things in line with the daemon's expectations.

 Though, if you're running something older than 0.77, please give 0.77.4
 (currently in testing for Fedora 20 and 21) or a development snapshot
 (from the ipa-devel repo) a try.  The 0.77 release had a lot of its
 parsing reworked as part of adding support for SCEP reply formats, which
 I think fixed this.  The development snapshots add more authentication
 options to the generic Dogtag helper which you may also want, depending
 on the enrollment profile you're using.

 HTH,

 Nalin

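The wrapper Nalin describes in the reply above could look like the following. This is an added example, not code from the thread or from the certmonger project; the install path in the comment is hypothetical, and it assumes the real helper and its options are passed as the wrapper's arguments and that the only defect is empty lines inside the PEM block.

```shell
#!/bin/sh
# Added example: filter wrapper around a certmonger enrollment helper.
# Assumed CA definition (wrapper path is hypothetical):
#   ca_external_helper=/usr/local/libexec/pem-fixup <real helper> <its options...>

# Drop empty or whitespace-only lines that fall between the PEM BEGIN and
# END markers. Anything outside the armor (cookies, error text) is passed
# through untouched.
strip_pem_blank_lines() {
    awk '
        /^-----BEGIN /          { in_pem = 1 }
        in_pem && /^[ \t\r]*$/  { next }
        /^-----END /            { in_pem = 0 }
                                { print }
    '
}

# Run the real helper given as "$@". For SUBMIT and POLL its stdout is
# captured and filtered; the helper's exit status is returned unchanged so
# the daemon still sees "issued", "wait", "rejected" and so on. Other
# operations are passed straight through. stderr is never touched.
wrap_helper() {
    case "${CERTMONGER_OPERATION:-}" in
        SUBMIT|POLL)
            status=0
            out=$("$@") || status=$?
            if [ -n "$out" ]; then
                printf '%s\n' "$out" | strip_pem_blank_lines
            fi
            return "$status"
            ;;
        *)
            "$@"
            ;;
    esac
}

# Act as a helper only when called with CERTMONGER_OPERATION set and a
# real helper to run, as in the reply above; otherwise just define the
# functions.
if [ -n "${CERTMONGER_OPERATION:-}" ] && [ "$#" -gt 0 ]; then
    wrap_helper "$@"
    exit $?
fi
```

Because the filter only acts inside the PEM armor, a "wait" reply carrying a cookie reaches the daemon byte for byte, together with the original exit status.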

Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-12 Thread marcin kowalski
 What is your reasoning for setting up your own CA configuration? Why not
just use either ipa-getcert or getcert -c IPA?

I am not yet familiar with the entire setup enough to give a good answer. I
assume that requires full freeIPA setup, which i don't really need.

I just wanted a simplistic dogtag ca instance + certmonger setup for
watching certs on various machines and checking if the requests get filled
in correctly, and then expanding on it once i get more familiar with other
workings of it.  And i got stuck on certmonger.

2015-02-11 19:14 GMT+01:00 Rob Crittenden rcrit...@redhat.com:

 marcin kowalski wrote:
  Edit: I accidentally forgot to send a copy to the list, so resubmitting.
 
 
  I tried this command :
 
  getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey
  -N cn=mywebserver
 
  i've setup the 'dogtag-ipa' ca in certmonger like so :
 
  id=dogtag-ipa
  ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)
  ca_is_default=0
  ca_type=EXTERNAL
  ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
  -E https://fedora.box.net:8443/ca/ee/ca -A
  https://fedora.box.net:8443/ca/agent/ca/ -n CN=BOX.NET
  admin -d /var/lib/pki/pki-tomcat/alias/  -i /etc/ipa/ca.crt -v
 
 
  Since i haven't fully figured out how to setup authentication for
  certmonger yet, i've temporarily reused one from the dogtag's pki
  instance. Hopefully it's not a fatal mistake on my end.

 What is your reasoning for setting up your own CA configuration? Why not
 just use either ipa-getcert or getcert -c IPA?

 rob

 
  From the certmonger logs i get :
 
  lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: GET
 
 https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCertcert_request_type=pkcs10cert_request=-BEGIN+NEW+CERTIFICATE+REQUEST-%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQ
 !
  K%2B%0A6O7

 LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-END+NEW+CERTIFICATE+REQUEST-%0Axml=true
  lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]:
  <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred - {0}</Error><RequestId>  49</RequestId></XMLResponse>
 
 
  And the request #49 is placed in Dogtag's CA Agent services, and can be
  acknowledged/rejected correctly. It's just that certmonger is stuck and
  doesn't notice the successful delivery.
 
  Machine is in isolated network, so there is probably no issue wrt using
  box.net as test domain.
 
  2015-02-10 18:40 GMT+01:00 Dmitri Pal d...@redhat.com:
 
  On 02/10/2015 12:35 PM, marcin kowalski wrote:
  Hi all, i'm getting dogtag figured out slowly, and i noticed one
  odd thing.
 
  I've setup certmonger to request an arbitrary certificate through
  dogtag, and while the request seems to go into the dogtag system,
  certmonger acts as if communication with the CA failed. The
  certificate is considered in need of user attention because the
  process got stuck.
 
  Request ID ‘20150210125814’:
  status: NEED_GUIDANCE
  stuck: yes
  key pair storage: type=FILE,location=’/etc/pki/testkey’
  certificate: type=FILE,location=’/etc/pki/testcert’
  CA: dogtag-ipa
  issuer:
  subject:
  expires: unknown
  pre-save command:
  post-save command:
  track: yes
  auto-renew: yes
 
 
  [root@fedora pki]# systemctl status -l certmonger
  (….)
  lut 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate
  to be stored in file “/etc/pki/testcert” rejected by CA.
 
 
  The request is present in dogtag and is valid, can be
  accepted/rejected, etc. Even though certmonger never notices that.
  I wonder if there is some obvious mistake in my setup, or perhaps
  there is  known bug in interaction of both components on F21 (i'm
  using only standard repositories).
 
  When i

Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-11 Thread marcin kowalski
Edit: I accidentally forgot to send a copy to the list, so resubmitting.


I tried this command :

getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey -N
cn=mywebserver

i've setup the 'dogtag-ipa' ca in certmonger like so :

id=dogtag-ipa
ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -E
https://fedora.box.net:8443/ca/ee/ca -A
https://fedora.box.net:8443/ca/agent/ca/ -n CN=BOX.NET admin -d
/var/lib/pki/pki-tomcat/alias/  -i /etc/ipa/ca.crt -v


Since i haven't fully figured out how to setup authentication for
certmonger yet, i've temporarily reused one from the dogtag's pki instance.
Hopefully it's not a fatal mistake on my end.

From the certmonger logs i get :

lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: GET
https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCertcert_request_type=pkcs10cert_request=-BEGIN+NEW+CERTIFICATE+REQUEST-%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQK%2B%0A6O7LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-END+NEW+CERTIFICATE+REQUEST-%0Axml=true
lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]:
<?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred - {0}</Error><RequestId>  49</RequestId></XMLResponse>


And the request #49 is placed in Dogtag's CA Agent services, and can be
acknowledged/rejected correctly. It's just that certmonger is stuck and
doesn't notice the successful delivery.

Machine is in isolated network, so there is probably no issue wrt using
box.net as test domain.

2015-02-10 18:40 GMT+01:00 Dmitri Pal d...@redhat.com:

  On 02/10/2015 12:35 PM, marcin kowalski wrote:

 Hi all, i'm getting dogtag figured out slowly, and i noticed one odd
 thing.

 I've setup certmonger to request an arbitrary certificate through dogtag,
 and while the request seems to go into the dogtag system, certmonger acts
 as if communication with the CA failed. The certificate is considered in
 need of user attention because the process got stuck.

 Request ID ‘20150210125814’:
 status: NEED_GUIDANCE
 stuck: yes
 key pair storage: type=FILE,location=’/etc/pki/testkey’
 certificate: type=FILE,location=’/etc/pki/testcert’
 CA: dogtag-ipa
 issuer:
 subject:
 expires: unknown
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes


  [root@fedora pki]# systemctl status -l certmonger
 (….)
 lut 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate
 to be stored in file “/etc/pki/testcert” rejected by CA.

 The request is present in dogtag and is valid, can be accepted/rejected,
 etc. Even though certmonger never notices that. I wonder if there is some
 obvious mistake in my setup, or perhaps there is  known bug in interaction
 of both components on F21 (i'm using only standard repositories).

 When i post the query from certmonger's agent defined in ca definition
 through curl, i get no errors.

 What would be the best way to debug this issue?


  Can you post your certmonger get-cert command?


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-11 Thread marcin kowalski
I forgot to add - usually removing the -v bit in ca external helper
definition produces the aforementioned 'rejected by CA' message, instead of
verbose output.

2015-02-11 10:00 GMT+01:00 marcin kowalski yoshi...@gmail.com:

 Edit: I accidentally forgot to send a copy to the list, so resubmitting.


 I tried this command :

 getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey -N
 cn=mywebserver

 i've setup the 'dogtag-ipa' ca in certmonger like so :

 id=dogtag-ipa
 ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)
 ca_is_default=0
 ca_type=EXTERNAL
 ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
 -E https://fedora.box.net:8443/ca/ee/ca -A
 https://fedora.box.net:8443/ca/agent/ca/ -n CN=BOX.NET admin -d
 /var/lib/pki/pki-tomcat/alias/  -i /etc/ipa/ca.crt -v


 Since i haven't fully figured out how to setup authentication for
 certmonger yet, i've temporarily reused one from the dogtag's pki instance.
 Hopefully it's not a fatal mistake on my end.

 From the certmonger logs i get :

 lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: GET
 https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCertcert_request_type=pkcs10cert_request=-BEGIN+NEW+CERTIFICATE+REQUEST-%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQK%2B%0A6O7LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-END+NEW+CERTIFICATE+REQUEST-%0Axml=true
 lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]:
 <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred - {0}</Error><RequestId>  49</RequestId></XMLResponse>


 And the request #49 is placed in Dogtag's CA Agent services, and can be
 acknowledged/rejected correctly. It's just that certmonger is stuck and
 doesn't notice the successful delivery.

 Machine is in isolated network, so there is probably no issue wrt using
 box.net as test domain.

 2015-02-10 18:40 GMT+01:00 Dmitri Pal d...@redhat.com:

  On 02/10/2015 12:35 PM, marcin kowalski wrote:

 Hi all, i'm getting dogtag figured out slowly, and i noticed one odd
 thing.

 I've setup certmonger to request an arbitrary certificate through dogtag,
 and while the request seems to go into the dogtag system, certmonger acts
 as if communication with the CA failed. The certificate is considered in
 need of user attention because the process got stuck.

 Request ID ‘20150210125814’:
 status: NEED_GUIDANCE
 stuck: yes
 key pair storage: type=FILE,location=’/etc/pki/testkey’
 certificate: type=FILE,location=’/etc/pki/testcert’
 CA: dogtag-ipa
 issuer:
 subject:
 expires: unknown
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes


  [root@fedora pki]# systemctl status -l certmonger
 (….)
 lut 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate
 to be stored in file “/etc/pki/testcert” rejected by CA.

 The request is present in dogtag and is valid, can be accepted/rejected,
 etc. Even though certmonger never notices that. I wonder if there is some
 obvious mistake in my setup, or perhaps there is  known bug in interaction
 of both components on F21 (i'm using only standard repositories).

 When i post the query from certmonger's agent defined in ca definition
 through curl, i get no errors.

 What would be the best way to debug this issue?


  Can you post your certmonger get-cert command?


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



[Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-10 Thread marcin kowalski
Hi all, i'm getting dogtag figured out slowly, and i noticed one odd thing.

I've setup certmonger to request an arbitrary certificate through dogtag,
and while the request seems to go into the dogtag system, certmonger acts
as if communication with the CA failed. The certificate is considered in
need of user attention because the process got stuck.

Request ID ‘20150210125814’:
status: NEED_GUIDANCE
stuck: yes
key pair storage: type=FILE,location=’/etc/pki/testkey’
certificate: type=FILE,location=’/etc/pki/testcert’
CA: dogtag-ipa
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes


[root@fedora pki]# systemctl status -l certmonger
(….)
lut 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate to
be stored in file “/etc/pki/testcert” rejected by CA.

The request is present in dogtag and is valid, can be accepted/rejected,
etc. Even though certmonger never notices that. I wonder if there is some
obvious mistake in my setup, or perhaps there is  known bug in interaction
of both components on F21 (i'm using only standard repositories).

When i post the query from certmonger's agent defined in ca definition
through curl, i get no errors.

What would be the best way to debug this issue?