Re: [Pki-devel] Trouble enrolling with SSCEP

Hi Hayg, Good to hear. To answer your previous question, caRouterCert.cfg is the default sscep enrollment profile. You can see the authentication by default using flatfile: auth.instance_id=flatFileAuth Earlier, I misunderstood you for removing that and rendering a manual approval. Christina On 04/11/2016 05:14 AM, haygastourian(a)gmail.com wrote: Hi Christina, I got this to work with sscep. It seems the IP in my flatfile was wrong. I think the main issue is the lack of a clear error message. Thanks for your help, Hayg On Mon, Apr 11, 2016 at 10:54 AM, <haygastourian(a)gmail.com&gt; haygastourian(a)gmail.com <haygastourian(a)gmail.com&gt; wrote: > Hi Christina, > > Thank you for your help. > > I think using SCEP there is no enrollment profile that I touch? I thought > setting up the flatfile.txt with the relevant values and modifying the > config to enable SCEP was all that I needed to do. My intention was for it > to be *automatically* approved because of the IP/password being present > in flatfile.txt > > Does that help? Sorry if I'm misunderstanding your questions. > > Thanks, > Hayg > > On Fri, Apr 8, 2016 at 9:58 PM, Christina Fu < <cfu(a)redhat.com&gt; > cfu(a)redhat.com&gt; wrote: > >> Hi Hayg, >> >> I am running Fedora 22 so I'm not sure if there is any difference at all. >> >> I would like to understand your issue(s) better. >> When you said that your request failed because it was "getting >> deferred", does that mean you have it in the enrollment profile for manual >> approval? In other words, it was your intention to have the request >> manually approved by the CA agents? >> You realize that if you require manual agent approval, there is no >> option for sscep to "fetch" the already issued cert right? >> >> Or, did you not intend to have the request deferred and failed? In >> which case, you want to know why it failed? If so, do you have relevant >> debug log to give us some clue? >> >> Did I misunderstand your issue? >> >> Christina >> >> >> On 04/05/2016 02:57 AM, <haygastourian@gmail.com&gt;haygastourian(a)gmail.com >> wrote: >> >> Hello everyone, >> >> I've been trying to enroll with dogtag via SSCEP for the last few days >> to no avail and I've reached the end of my rope, so I'm reaching out for >> your help (which I very much would appreciate). >> >> I am running Ubuntu and my dogtag versions are: >> hayg@hayg:~$ dpkg -l | grep dogtag >> >>> ii dogtag-pki 10.2.6-1 >>> all Dogtag Public Key Infrastructure (PKI) Suite >>> ii dogtag-pki-console-theme 10.2.6-1 >>> all Certificate System - PKI Console User Interface >>> ii dogtag-pki-server-theme 10.2.6-1 >>> all Certificate System - PKI Server User Interface >> >> >> My SSCEP: >> [~/sscep]$ cat VERSION >> >> >>> 0.6.1 >> >> >> My flatfile.txt: >> hayg@hayg:~$ sudo cat /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt >> >>> #UID:172.16.24.238 >>> #PWD:1212 >>> UID:10.129.25.186 >>> PWD:secret >> >> (I restarted my pki-tomcatd service just in case, to make sure it took >> effect) >> >> On the SSCEP side I'm doing: ./sscep enroll -l cert.pem -r local.csr -k >> local.key -c astourian.crt -u ' >> <http://hayg.astourian.info:8080/ca/cgi-bin/pkiclient.exe%27> >> http://hayg.astourian.info:8080/ca/cgi-bin/pkiclient.exe' >> >> This fails because the request is getting deferred and I have fail on >> defer set to true, per the docs. >> >> The request actually shows up in 'List Certificates' when I go to the >> web UI, but when I try to approve it, I get: >> >>> The Certificate System has encountered an unrecoverable error. >>> Error Message: >>> >>> *java.lang.NullPointerException *Please contact your local >>> administrator for assistance. >> >> When I try to resume the enrollment by adding the -R flag to sscep it >> fails with the following error in the logs: >> >>> CRSEnrollment: No certificate has been found >> >> >> My CSR: >> [~/sscep]$ openssl req -in local.csr -noout -text >> >>> Certificate Request: >>> Data: >>> Version: 0 (0x0) >>> Subject: CN=10.129.25.186 >>> Subject Public Key Info: >>> Public Key Algorithm: rsaEncryption >>> Public-Key: (1024 bit) >>> Modulus: >>> 00:ab:f4:b7:55:bd:26:51:b7:65:b9:51:4e:08:31: >>> 83:ef:d6:b7:97:cc:cb:82:4b:a6:3f:be:ac:1c:9a: >>> f5:1e:0d:56:7c:6a:be:d3:49:17:b6:ba:42:05:eb: >>> 6c:e2:ff:2b:0f:64:d5:ae:e8:5b:6c:f8:df:74:ef: >>> 1f:a1:94:50:4c:35:90:bc:02:2b:2a:e3:80:b6:e1: >>> 75:a0:34:4d:74:0b:47:2c:f5:2d:87:2a:72:4a:93: >>> 5b:76:a8:cc:96:56:0b:de:62:69:1e:37:30:eb:49: >>> 4a:0a:8c:55:c4:0e:a7:9d:95:88:2d:ed:15:19:c6: >>> 19:93:02:84:40:09:40:44:b1 >>> Exponent: 65537 (0x10001) >>> Attributes: >>> challengePassword :secret >>> Requested Extensions: >>> X509v3 Subject Alternative Name: critical >>> IP Address:10.129.25.186 >>> Signature Algorithm: sha1WithRSAEncryption >>> 7e:85:96:60:54:ed:c7:fd:d4:9d:b9:48:4c:d6:5a:2d:b1:62: >>> 8f:26:58:04:da:f2:6d:cf:c7:59:dc:b5:b2:a9:69:8d:e0:df: >>> 4d:26:7b:51:3e:d5:f4:90:21:d9:20:69:6f:6f:e1:58:28:90: >>> 05:a7:38:1b:04:05:e6:84:03:78:95:90:d6:da:0c:56:c1:e9: >>> 16:d4:01:15:c5:5e:06:3f:44:48:6e:e5:dd:f6:dc:62:0a:f9: >>> af:e7:c5:3d:0a:86:b1:99:40:90:ff:30:02:92:91:fb:dd:50: >>> f0:df:bf:73:96:6f:04:3e:73:66:02:86:66:a0:00:fa:a7:58: >>> ea:ae >> >> >> As you can see, the password is "secret" and the CN is the UID from >> flatfile.txt. >> >> I welcome you all to try enrolling with my server. I can then try >> approving and see if it works. >> >> Again, I very much appreciate all of your help. Please excuse my wall of >> text x_x >> >> Thanks, >> Hayg >> >> >> _______________________________________________ >> Pki-devel mailing listPki-devel@redhat.comhttps://www.redhat.com/mailman/listinfo/pki-devel >> >> >> >