Re: [Freeipa-users] certmonger + dogtag, bad parsing of returned certificate

2015-05-19 Thread Martin Kosek
On 05/19/2015 12:34 PM, marcin kowalski wrote:
> Hi, all. I am trying to integrate certmonger with a dogtag instance, and so
> far I've stumbled on one odd problem. Hopefully this is the right list.
>
>
> I've generated some random cert with getcert request, it has communicated
> with dogtag, and I approved it there.
>
> However, when certmonger retrieves it, it cannot save it to disk (
> NEED_TO_NOTIFY_ISSUED_SAVE_FAILED )
>
> Upon inspection of certmonger's request file (in
> /var/lib/certmonger/requests ), it turns out that there is an extra empty
> line before the end certificate marker line. There is no such line when
> looking at the cert in the dogtag web interface.
>
> Is there some method/hook I could use to post-process such request files to
> fix them up?
>
> Currently I have to stop certmonger, remove the unnecessary blank line and
> restart it. Then it manages to save the cert to disk and starts tracking it
> correctly.

CCing Nalin here. What is your environment and which versions of the
FreeIPA/Dogtag packages are you using?

Seeing your description, it looks like you are following your own way - certmonger
for FreeIPA clients does not need any confirmation on the Dogtag side, it is approved
automatically. It looks like you are using the Dogtag UI directly and not the
FreeIPA integration.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] certmonger + dogtag, bad parsing of returned certificate

2015-05-19 Thread marcin kowalski
Thanks for the tip, I am using whatever is in current Fedora, which is 0.76
or a similar version. I'll give an updated version a shot.

I had similar results with Ubuntu's 0.75.x

2015-05-19 16:30 GMT+02:00 Nalin Dahyabhai na...@redhat.com:

> On Tue, May 19, 2015 at 12:34:47PM +0200, marcin kowalski wrote:
>> Hi, all. I am trying to integrate certmonger with a dogtag instance, and so
>> far I've stumbled on one odd problem. Hopefully this is the right list.
>>
>> I've generated some random cert with getcert request, it has communicated
>> with dogtag, and I approved it there.
>>
>> However, when certmonger retrieves it, it cannot save it to disk (
>> NEED_TO_NOTIFY_ISSUED_SAVE_FAILED )
>>
>> Upon inspection of certmonger's request file (in
>> /var/lib/certmonger/requests ), it turns out that there is an extra empty
>> line before the end certificate marker line. There is no such line when
>> looking at the cert in the dogtag web interface.
>>
>> Is there some method/hook I could use to post-process such request files to
>> fix them up?
>
> There's no hook for doing that with the data files themselves, because
> they're meant to be internal details of the implementation, but the data
> coming back from the enrollment helper, which is what's malformed to
> begin with, can be corrected at the point when the helper is run.
>
> Essentially, you'd replace the configured call to dogtag-submit with a
> script or other program that checked $CERTMONGER_OPERATION for the
> values SUBMIT and POLL, ran the dogtag-submit helper, filtered its
> output to fix this mistake, and returned the helper's exit status to
> keep things in line with the daemon's expectations.
>
> Though, if you're running something older than 0.77, please give 0.77.4
> (currently in testing for Fedora 20 and 21) or a development snapshot
> (from the ipa-devel repo) a try. The 0.77 release had a lot of its
> parsing reworked as part of adding support for SCEP reply formats, which
> I think fixed this. The development snapshots add more authentication
> options to the generic Dogtag helper which you may also want, depending
> on the enrollment profile you're using.
>
> HTH,
>
> Nalin


Re: [Freeipa-users] certmonger + dogtag, bad parsing of returned certificate

2015-05-19 Thread Nalin Dahyabhai
On Tue, May 19, 2015 at 12:34:47PM +0200, marcin kowalski wrote:
> Hi, all. I am trying to integrate certmonger with a dogtag instance, and so
> far I've stumbled on one odd problem. Hopefully this is the right list.
>
> I've generated some random cert with getcert request, it has communicated
> with dogtag, and I approved it there.
>
> However, when certmonger retrieves it, it cannot save it to disk (
> NEED_TO_NOTIFY_ISSUED_SAVE_FAILED )
>
> Upon inspection of certmonger's request file (in
> /var/lib/certmonger/requests ), it turns out that there is an extra empty
> line before the end certificate marker line. There is no such line when
> looking at the cert in the dogtag web interface.
>
> Is there some method/hook I could use to post-process such request files to
> fix them up?

There's no hook for doing that with the data files themselves, because
they're meant to be internal details of the implementation, but the data
coming back from the enrollment helper, which is what's malformed to
begin with, can be corrected at the point when the helper is run.

Essentially, you'd replace the configured call to dogtag-submit with a
script or other program that checked $CERTMONGER_OPERATION for the
values SUBMIT and POLL, ran the dogtag-submit helper, filtered its
output to fix this mistake, and returned the helper's exit status to
keep things in line with the daemon's expectations.

Though, if you're running something older than 0.77, please give 0.77.4
(currently in testing for Fedora 20 and 21) or a development snapshot
(from the ipa-devel repo) a try. The 0.77 release had a lot of its
parsing reworked as part of adding support for SCEP reply formats, which
I think fixed this. The development snapshots add more authentication
options to the generic Dogtag helper which you may also want, depending
on the enrollment profile you're using.

HTH,

Nalin
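The wrapper Nalin describes above, written out as an added example; it is not code from the thread, from certmonger or from Dogtag. It assumes the real helper is installed at /usr/libexec/certmonger/dogtag-submit (adjust HELPER if not), and it applies exactly the correction the thread identifies: a blank line that sits immediately before the "-----END CERTIFICATE-----" marker is dropped, every other line is passed through, and the helper's own exit status is returned unchanged so certmonger's state machine still sees what the helper decided. The sample certificate body is a constructed placeholder, not a real certificate. Operations other than SUBMIT and POLL are handed straight to the helper.

```shell
#!/bin/sh
# Wrapper around certmonger's dogtag-submit enrollment helper (added example,
# not part of certmonger). certmonger tells the helper what to do through
# $CERTMONGER_OPERATION; only SUBMIT and POLL return certificate data, so
# only those two are filtered.

# ASSUMPTION: location of the real helper on Fedora; change if yours differs.
HELPER="/usr/libexec/certmonger/dogtag-submit"

# Remove a blank line that immediately precedes the END CERTIFICATE marker.
# Other blank lines (and everything else) are left exactly as they were.
fix_pem_blank_lines() {
    awk '
        NR > 1 && !(prev == "" && $0 == "-----END CERTIFICATE-----") { print prev }
        { prev = $0 }
        END { if (NR > 0) print prev }
    '
}

# Run the real helper with the arguments certmonger passed us, filter its
# output for SUBMIT/POLL, and hand back the helper exit status untouched
# (certmonger reads that status to decide issued / still waiting / rejected).
run_wrapper() {
    case "${CERTMONGER_OPERATION:-}" in
        SUBMIT|POLL)
            out=$("$HELPER" "$@")
            status=$?
            if [ -n "$out" ]; then
                printf '%s\n' "$out" | fix_pem_blank_lines
            fi
            return "$status"
            ;;
        *)
            # Anything else is none of our business: pass it straight through.
            exec "$HELPER" "$@"
            ;;
    esac
}

# Constructed sample reproducing the malformed helper output from the thread:
# the body is base64 of "NOT A REAL CERT", and a blank line precedes the marker.
SAMPLE_BAD='-----BEGIN CERTIFICATE-----
Tk9UIEEgUkVBTCBDRVJU

-----END CERTIFICATE-----'

# Convenience for testing the filter on the constructed sample.
demo_fix() {
    printf '%s\n' "$SAMPLE_BAD" | fix_pem_blank_lines
}

if [ -n "${CERTMONGER_OPERATION:-}" ]; then
    # Invoked by certmonger: act as the helper.
    run_wrapper "$@"
    exit $?
else
    # Run by hand: just show the filter at work on the constructed sample.
    echo "Before:"; printf '%s\n' "$SAMPLE_BAD"
    echo "After:";  demo_fix
fi
```

Install the script somewhere certmonger can execute it and register it as the helper command for the CA entry in place of dogtag-submit (getcert add-ca takes the helper command with -e on the certmonger versions I know); capturing the helper output into a variable before filtering is what lets the script keep the helper's exit status, since a plain pipeline would report awk's status instead. As Nalin says, this is a stopgap for versions older than 0.77, where the reworked parsing makes the wrapper unnecessary.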
