> What is your reasoning for setting up your own CA configuration? Why not just use either ipa-getcert or getcert -c IPA?

I am not yet familiar with the entire setup enough to give a good answer. I assume that requires a full freeIPA setup, which I don't really need. I just wanted a simplistic Dogtag CA instance + certmonger setup for watching certs on various machines and checking if the requests get filled in correctly, and then expanding on it once I get more familiar with other workings of it. And I got stuck on certmonger.

2015-02-11 19:14 GMT+01:00 Rob Crittenden <[email protected]>:
> marcin kowalski wrote:
> > Edit: I accidentally forgot to send a copy to the list, so resubmitting.
> >
> > I tried this command:
> >
> >     getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey -N "cn=mywebserver"
> >
> > I've set up the 'dogtag-ipa' CA in certmonger like so:
> >
> >     id=dogtag-ipa
> >     ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)
> >     ca_is_default=0
> >     ca_type=EXTERNAL
> >     ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -E https://fedora.box.net:8443/ca/ee/ca -A https://fedora.box.net:8443/ca/agent/ca/ -n "CN=BOX.NET admin" -d /var/lib/pki/pki-tomcat/alias/ -i /etc/ipa/ca.crt -v
> >
> > Since I haven't fully figured out how to set up authentication for certmonger yet, I've temporarily reused one from the Dogtag pki instance. Hopefully it's not a fatal mistake on my end.
>
> What is your reasoning for setting up your own CA configuration? Why not just use either ipa-getcert or getcert -c IPA?
>
> rob
>
> > From the certmonger logs I get:
> >
> >     lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: GET https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQK%2B%0A6O7LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true
> >     lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred - {0}</Error><RequestId> 49</RequestId></XMLResponse>
> >
> > And the request #49 is placed in Dogtag's CA Agent services, and can be acknowledged/rejected correctly. It's just that certmonger is stuck and doesn't notice the successful delivery.
> >
> > The machine is in an isolated network, so there is probably no issue wrt using box.net as the test domain.
> >
> > 2015-02-10 18:40 GMT+01:00 Dmitri Pal <[email protected]>:
> > > On 02/10/2015 12:35 PM, marcin kowalski wrote:
> > > > Hi all, I'm getting Dogtag figured out slowly, and I noticed one odd thing.
> > > >
> > > > I've set up certmonger to request an arbitrary certificate through Dogtag, and while the request seems to go into the Dogtag system, certmonger acts as if communication with the CA failed. The certificate is considered in need of user attention because the process got stuck.
> > > >
> > > >     Request ID '20150210125814':
> > > >             status: NEED_GUIDANCE
> > > >             stuck: yes
> > > >             key pair storage: type=FILE,location='/etc/pki/testkey'
> > > >             certificate: type=FILE,location='/etc/pki/testcert'
> > > >             CA: dogtag-ipa
> > > >             issuer:
> > > >             subject:
> > > >             expires: unknown
> > > >             pre-save command:
> > > >             post-save command:
> > > >             track: yes
> > > >             auto-renew: yes
> > > >
> > > >     [root@fedora pki]# systemctl status -l certmonger
> > > >     (...)
> > > >     lut 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate to be stored in file "/etc/pki/testcert" rejected by CA.
> > > >
> > > > The request is present in Dogtag and is valid, can be accepted/rejected, etc. Even though certmonger never notices that. I wonder if there is some obvious mistake in my setup, or perhaps there is a known bug in the interaction of both components on F21 (I'm using only standard repositories).
> > > >
> > > > When I post the query from certmonger's agent defined in the CA definition through curl, I get no errors.
> > > >
> > > > What would be the best way to debug this issue?
> > >
> > > Can you post your certmonger get-cert command?
> > >
> > > --
> > > Thank you,
> > > Dmitri Pal
> > >
> > > Sr. Engineering Manager IdM portfolio
> > > Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
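The log lines quoted in the thread show the one piece of the exchange a CA helper has to get right: Dogtag answered the profileSubmit call with `<Status>2</Status>` and a `<RequestId>`, meaning the request was queued for agent approval, yet certmonger recorded the request as "rejected by CA". The following is an added example, not code from the thread, from certmonger's dogtag-ipa-renew-agent-submit or from Dogtag: a small Python parser for that XMLResponse body that separates "deferred, poll again later" from a genuine rejection. The sample deferred response is the one logged above (reassembled on one line); the rejection sample, the meaning of status codes other than 2, and the certmonger helper exit statuses (0 issued, 1 wait, 2 rejected) are assumptions noted in the comments.

```python
"""Classify a Dogtag profileSubmit XMLResponse the way a certmonger CA helper must.

Added example for the freeipa-users thread above; not certmonger's or Dogtag's code.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the body dogtag-ipa-renew-agent-submit logged in the thread,
# reassembled on one line. Note the leading space inside <RequestId>.
SAMPLE_DEFERRED = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    '<XMLResponse><Status>2</Status><Error>Request Deferred - {0}</Error>'
    '<RequestId> 49</RequestId></XMLResponse>'
)

# Constructed sample of a failed submission: status code and wording are
# hypothetical, not taken from the thread.
SAMPLE_REJECTED = (
    '<XMLResponse><Status>1</Status>'
    '<Error>Profile caServerCert not found</Error></XMLResponse>'
)

# Assumed certmonger CA-helper exit statuses: the helper reports the outcome
# to certmonger through its exit code, and a deferred request must map to
# "wait", not "rejected", or certmonger marks the request as failed.
EXIT_ISSUED = 0
EXIT_WAIT = 1
EXIT_REJECTED = 2

STATUS_DEFERRED = 2   # shown in the thread's log line
STATUS_ISSUED = 0     # assumption for an immediately issued certificate


def parse_xml_response(body):
    """Return {'status': int, 'error': str, 'request_id': str|None} from an XMLResponse."""
    if isinstance(body, str):
        body = body.encode("utf-8")   # let the parser honour the XML declaration
    root = ET.fromstring(body)
    if root.tag != "XMLResponse":
        raise ValueError("unexpected root element %r" % root.tag)
    status_text = (root.findtext("Status") or "").strip()
    if not status_text.isdigit():
        raise ValueError("missing or non-numeric <Status> in CA response")
    request_id = root.findtext("RequestId")
    return {
        "status": int(status_text),
        "error": (root.findtext("Error") or "").strip(),
        # strip: Dogtag emitted ' 49', and an exact string compare against '49'
        # would otherwise fail when the helper later polls for that request
        "request_id": request_id.strip() if request_id and request_id.strip() else None,
    }


def classify(resp):
    """Map a parsed response to (label, helper exit status)."""
    if resp["status"] == STATUS_DEFERRED and resp["request_id"]:
        # Queued for an agent to approve: tell certmonger to poll again later,
        # carrying the request id so the next run can look up request #49.
        return "deferred", EXIT_WAIT
    if resp["status"] == STATUS_ISSUED:
        return "issued", EXIT_ISSUED
    return "rejected", EXIT_REJECTED


def helper_outcome(body):
    """Convenience wrapper: raw XML body -> (label, exit status, request id)."""
    resp = parse_xml_response(body)
    label, code = classify(resp)
    return label, code, resp["request_id"]


if __name__ == "__main__":
    for name, body in (("deferred", SAMPLE_DEFERRED), ("rejected", SAMPLE_REJECTED)):
        label, code, rid = helper_outcome(body)
        print("%s sample -> %s, exit %d, request id %s" % (name, label, code, rid))
```

Run stand-alone it prints the classification of both samples; the point to take from it is that the deferred case has to surface as a "wait" to certmonger (so `getcert list` shows the request pending rather than stuck), and that the request id needs whitespace stripped before it is reused for polling.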
