Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-12 Thread Dmitri Pal

On 02/12/2015 03:46 AM, marcin kowalski wrote:

> > What is your reasoning for setting up your own CA configuration? Why not
> > just use either ipa-getcert or getcert -c IPA?
>
> I am not yet familiar with the entire setup enough to give a good
> answer. I assume that requires a full FreeIPA setup, which I don't
> really need.
>
> I just wanted a simplistic Dogtag CA instance + certmonger setup for
> watching certs on various machines and checking if the requests get
> filled in correctly, and then expanding on it once I get more familiar
> with other workings of it. And I got stuck on certmonger.


I do not think certmonger is currently supported with pure Dogtag
without IPA. There are some parts of it present, but it might not
work end to end.
In the case of IPA, certmonger uses Kerberos to authenticate to the server and
fetch the certs. Without IPA you have to deal with the pure cert-based
setup, which we have not had the priority to complete.





Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-12 Thread marcin kowalski
> What is your reasoning for setting up your own CA configuration? Why not
> just use either ipa-getcert or getcert -c IPA?

I am not yet familiar with the entire setup enough to give a good answer. I
assume that requires a full FreeIPA setup, which I don't really need.

I just wanted a simplistic Dogtag CA instance + certmonger setup for
watching certs on various machines and checking if the requests get filled
in correctly, and then expanding on it once I get more familiar with other
workings of it. And I got stuck on certmonger.

Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-11 Thread Rob Crittenden
marcin kowalski wrote:
> Edit: I accidentally forgot to send a copy to the list, so resubmitting.
> 
> 
> I tried this command:
> 
> getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey
> -N "cn=mywebserver"
> 
> I've set up the 'dogtag-ipa' CA in certmonger like so:
> 
> id=dogtag-ipa
> ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)
> ca_is_default=0
> ca_type=EXTERNAL
> ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
> -E https://fedora.box.net:8443/ca/ee/ca -A
> https://fedora.box.net:8443/ca/agent/ca/ -n "CN=BOX.NET 
> admin" -d /var/lib/pki/pki-tomcat/alias/  -i /etc/ipa/ca.crt -v
> 
> 
> Since I haven't fully figured out how to set up authentication for
> certmonger yet, I've temporarily reused one from the Dogtag PKI
> instance. Hopefully it's not a fatal mistake on my end.

What is your reasoning for setting up your own CA configuration? Why not
just use either ipa-getcert or getcert -c IPA?

rob


Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-11 Thread Nalin Dahyabhai
On Wed, Feb 11, 2015 at 10:04:42AM +0100, marcin kowalski wrote:
> I forgot to add - usually removing the "-v" bit in ca external helper
> definition produces the aforementioned 'rejected by CA' message, instead of
> verbose output.

Ah.  Yes, the verbose output goes to stdout, where it confuses the main
daemon (it's expecting a very specific format from stdout), rather than
stderr, which probably would have been a better idea.

> > Since i haven't fully figured out how to setup authentication for
> > certmonger yet, i've temporarily reused one from the dogtag's pki instance.
> > Hopefully it's not a fatal mistake on my end.

The agent authentication is set up using a combination of the -d, -n,
and optionally the -P or -p flags.  If you leave off all options,
dogtag-ipa-renew-agent-submit more or less assumes:
 -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt

I tried this on my own box, and Dogtag threw a curve ball by putting a
blank line in before the -----END CERTIFICATE----- line at the end of
the issued certificate.  It's something we can work around, but it's not
something the current version knows that it needs to do.

HTH,

Nalin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
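The blank line Nalin mentions is exactly what a strict PEM reader trips over. The block below is an added example, not certmonger's or Dogtag's own code: a strict reader that rejects a body containing a blank line, a tolerant reader that skips it, a DER outer-SEQUENCE sanity check, and a re-emit to canonical 64-column PEM. The sample response is constructed, and its base64 payload is a hand-made DER SEQUENCE { INTEGER 5 }, not a real certificate.

```python
import base64
import binascii
import re
from typing import Optional

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample of the quirk described on the list: a PEM block with a
# stray blank line before the END marker. Not a captured Dogtag response; the
# base64 payload is a hand-made DER SEQUENCE { INTEGER 5 }, not a certificate.
SAMPLE_RESPONSE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "\n"
    "-----END CERTIFICATE-----\n"
)


def _locate_body(text: str) -> Optional[list]:
    """Return the raw lines between the BEGIN and END markers, or None."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN)
        stop = lines.index(END, start + 1)
    except ValueError:
        return None
    return lines[start + 1:stop]


def _decode_body(b64: str) -> Optional[bytes]:
    """Decode the joined base64 and sanity-check the outer DER SEQUENCE."""
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", b64):
        return None
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None
    return der if der_sequence_ok(der) else None


def parse_pem_strict(text: str) -> Optional[bytes]:
    """Reader that insists on contiguous base64 lines; a blank line breaks it."""
    body = _locate_body(text)
    if not body or any(ln.strip() == "" for ln in body):
        return None
    return _decode_body("".join(ln.strip() for ln in body))


def parse_pem_tolerant(text: str) -> Optional[bytes]:
    """Reader that skips blank or whitespace-only lines inside the body."""
    body = _locate_body(text)
    if body is None:
        return None
    kept = [ln.strip() for ln in body if ln.strip()]
    if not kept:
        return None
    return _decode_body("".join(kept))


def der_sequence_ok(der: bytes) -> bool:
    """True when the data is one DER SEQUENCE whose length covers the rest."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def canonical_pem(der: bytes) -> str:
    """Re-emit as 64-column PEM so a strict consumer accepts it."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *rows, END]) + "\n"
```

Feeding `SAMPLE_RESPONSE` through `parse_pem_tolerant` and then `canonical_pem` yields a block that `parse_pem_strict` accepts, which is the workaround shape a helper would need.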


Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-11 Thread marcin kowalski
I forgot to add - usually removing the "-v" bit in ca external helper
definition produces the aforementioned 'rejected by CA' message, instead of
verbose output.


Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-11 Thread marcin kowalski
Edit: I accidentally forgot to send a copy to the list, so resubmitting.


I tried this command:

getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey -N "cn=mywebserver"

I've set up the 'dogtag-ipa' CA in certmonger like so:

id=dogtag-ipa
ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -E https://fedora.box.net:8443/ca/ee/ca -A https://fedora.box.net:8443/ca/agent/ca/ -n "CN=BOX.NET admin" -d /var/lib/pki/pki-tomcat/alias/ -i /etc/ipa/ca.crt -v


Since I haven't fully figured out how to set up authentication for
certmonger yet, I've temporarily reused one from the Dogtag PKI instance.
Hopefully it's not a fatal mistake on my end.

From the certmonger logs I get:

lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: GET https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=[URL-encoded PKCS#10 request elided]&xml=true
lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: 2Request Deferred - {0}  49


And the request #49 is placed in Dogtag's CA Agent services, and can be
acknowledged/rejected correctly. It's just that certmonger is stuck and
doesn't notice the successful delivery.

The machine is in an isolated network, so there is probably no issue wrt using
box.net as a test domain.


Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-10 Thread Dmitri Pal

On 02/10/2015 12:35 PM, marcin kowalski wrote:
Hi all, I'm getting Dogtag figured out slowly, and I noticed one odd
thing.


I've set up certmonger to request an arbitrary certificate through
Dogtag, and while the request seems to go into the Dogtag system,
certmonger acts as if communication with the CA failed. The
certificate is considered in need of user attention because the
process got stuck.


Request ID '20150210125814':
status: NEED_GUIDANCE
stuck: yes
key pair storage: type=FILE,location='/etc/pki/testkey'
certificate: type=FILE,location='/etc/pki/testcert'
CA: dogtag-ipa
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes


[root@fedora pki]# systemctl status -l certmonger
(…)
lut 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate to be stored in file "/etc/pki/testcert" rejected by CA.



The request is present in Dogtag and is valid, can be
accepted/rejected, etc., even though certmonger never notices that. I
wonder if there is some obvious mistake in my setup, or perhaps there
is a known bug in the interaction of both components on F21 (I'm using only
standard repositories).


When I post the query from certmonger's agent defined in the CA definition
through curl, I get no errors.


What would be the best way to debug this issue?



Can you post your certmonger get-cert command?


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
