Hi Endi -

Unfortunately, customer issues have kept me from pursuing this further. I or one of my team still intend to do so. I will be sure to let you know when I have tested.

Jesse Van Hill
WebSphere Identity Management Architect & Dev Lead
WebSphere Application Server & Open Liberty
https://openliberty.io/

507-513-6234 jlvanhil@us.ibm.com


From: Endi Sukma Dewata <edewata@redhat.com>
To: Jesse L Van hill <jlvanhil@us.ibm.com>
Cc: pki-devel@redhat.com
Date: 06/01/2020 10:42 PM
Subject: [EXTERNAL] Re: [Pki-devel] ACME Support: Error issuing certificate

----- Original Message -----
> > Hi -
> >
> > My team is adding ACME 2.0 client support to the Open Liberty application
> > server and wanted to test against Dogtag PKI's ACME server. My intention is
> > to containerize the ACME server and drive it through the same functional
> > tests we run against other ACME CA servers (i.e. - Pebble and Boulder for
> > instance) to verify compatibility.
> >
> > The first error I hit was an issue with using JSS 4.7 and I understand that
> > will be fixed by PR https://github.com/dogtagpki/jss/pull/532.
> >
> > [snip]
> >
> > To move past this error, I was advised to move down to JSS 4.6.2. Upon doing
> > so, I made it past the initial error but now hit the following error:
> >
> > [snip]
> >
> > I can see in the ACME server's trace that it does indeed authorize my
> > ownership of the domain and then try to issue the certificate. Examining the
> > ACMEIssuer class shows that this class has several methods that are not
> > implemented:
> >
> > https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuer.java#L61
> >
> > Is this expected, or is it possible I have a misconfiguration? I assume I am
> > testing too early and need to wait until the implementation is further
> > along, but I wanted to test early enough that if there were issues I could
> > detect them earlier rather than later.
> >
> > If it matters, I am testing with the image from @pki/master on a Fedora
> > 30 docker container.
>
> Hi Jesse,
>
> Thanks for your interest in Dogtag PKI and particularly the ACME responder.
> Please note that the ACME responder itself is not a CA; it requires another
> CA to issue the certificates. Currently the only supported CA is Dogtag PKI
> CA, which is connected through PKIIssuer:
>
> https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java
>
> The ACMEIssuer is just a base class. It's possible to support other CAs
> by extending ACMEIssuer. If you would like to add support for another issuer
> upstream feel free to submit a pull request. We have a prototype for OpenSSL
> that we might add later.
>
> The issue with JSS is correct, and we're still working to fix it.
>
> The unimplemented ACMEIssuer issue seems to be caused by a missing CA. Please
> follow these docs to install 389 DS, then install Dogtag PKI CA:
>
> https://www.dogtagpki.org/wiki/Installing_DS
>
> https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_CA.md
>
> Then follow these docs to install and verify ACME:
>
> https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_ACME_Responder.md
>
> https://github.com/dogtagpki/pki/blob/master/docs/user/Using_ACME_Responder.md
>
> Officially we do not support containerization yet, but it's possible to run
> ACME, CA, and DS in containers under some scenarios.
>
> If you run Fedora 30 as a local Docker container, you can execute commands in
> the container to install ACME, CA, and DS like regular Fedora applications.
>
> However, if you want to run each of them as a single process in separate
> Docker containers, it is possible with some code changes and tricks:
>
> https://www.dogtagpki.org/wiki/PKI_ACME_Container
>
> https://www.dogtagpki.org/wiki/PKI_CA_Container
>
> https://www.dogtagpki.org/wiki/DS_Container
>
> Similarly, here are the docs for OpenShift deployment:
>
> https://www.dogtagpki.org/wiki/PKI_ACME_OpenShift
>
> https://www.dogtagpki.org/wiki/PKI_CA_OpenShift
>
> https://www.dogtagpki.org/wiki/DS_OpenShift
>
> Please note that the wiki is used for development, so the content might be
> outdated. The official docs are on GitHub.
>
> The ACME responder is easier to containerize. We might be able to officially
> support its containerization soon. However, the CA might be more difficult
> due to its dependency on systemd and other issues. The DS seems to require at
> least some code changes.
>
> If you want to test ACME containerization, you probably can install ACME
> in a container with CA and DS running on the host machine. If you just want
> to test ACME compatibility without containerization, it might be best to
> install ACME, CA, and DS on a regular machine for now.
>
> Hope this helps. Let me know if you have any questions.
>
> --
> Endi S. Dewata

Hi Jesse,

I was just wondering if you managed to test against the ACME server.
FYI, we're working on adding an embedded CA into the ACME server so
it can be containerized more easily without dependency on a separate
CA. Hopefully we will have something usable by the end of the month.

--
Endi S. Dewata
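Jesse's plan above is to run the same functional tests against the Dogtag ACME responder that already run against Pebble and Boulder. The first thing such a suite does is fetch the server's directory document and check that it offers what the tests will need. The script below is an added example written for this page, not code from Dogtag, Open Liberty, or the thread; it checks a directory document against the endpoint names in RFC 8555 section 7.1.1 and reports what a client can and cannot exercise. The three directory documents embedded in it are constructed for illustration (the hostnames, paths and ports are made up and do not claim to match any real server); in practice the document would come from an HTTP GET of the responder's directory URL.

```python
"""Check an ACME directory document (RFC 8555 section 7.1.1) before running
a compatibility test suite against the server that produced it.

Added example; not Dogtag, Open Liberty, Pebble or Boulder code. The three
sample documents are constructed, not captured from any real server.
"""
import json
from urllib.parse import urlparse

# Endpoint names defined by RFC 8555. Only the first three are mandatory.
REQUIRED = ("newNonce", "newAccount", "newOrder")
OPTIONAL = ("newAuthz", "revokeCert", "keyChange")
META_FIELDS = ("termsOfService", "website", "caaIdentities",
               "externalAccountRequired")

# Constructed sample: a lab deployment reachable over plain http.
SAMPLE_LAB = json.dumps({
    "newNonce": "http://pki.example.com:8080/acme/new-nonce",
    "newAccount": "http://pki.example.com:8080/acme/new-account",
    "newOrder": "http://pki.example.com:8080/acme/new-order",
    "revokeCert": "http://pki.example.com:8080/acme/revoke-cert",
    "meta": {"termsOfService": "http://pki.example.com:8080/acme/tos"},
})

# Constructed sample: a fully featured server over https.
SAMPLE_PUBLIC = json.dumps({
    "newNonce": "https://acme.example.net/nonce",
    "newAccount": "https://acme.example.net/account",
    "newOrder": "https://acme.example.net/order",
    "newAuthz": "https://acme.example.net/authz",
    "revokeCert": "https://acme.example.net/revoke",
    "keyChange": "https://acme.example.net/key-change",
    "meta": {"termsOfService": "https://acme.example.net/tos",
             "externalAccountRequired": False},
})

# Constructed sample: a broken directory (no newOrder, bad keyChange value).
SAMPLE_BROKEN = json.dumps({
    "newNonce": "https://acme.example.net/nonce",
    "newAccount": "https://acme.example.net/account",
    "keyChange": 42,
})


def check_directory(doc):
    """Return findings as 'error: ...', 'warn: ...' or 'info: ...' strings.

    An empty list means every RFC 8555 endpoint is present and served over
    https. 'warn' marks things a test suite should know about but that do
    not stop basic issuance; 'error' marks a directory a client cannot use.
    """
    findings = []
    try:
        directory = json.loads(doc)
    except ValueError as exc:
        return ["error: directory is not valid JSON: %s" % exc]
    if not isinstance(directory, dict):
        return ["error: directory is not a JSON object"]

    for name in REQUIRED:
        if name not in directory:
            findings.append("error: required endpoint %s missing" % name)
    if "revokeCert" not in directory:
        findings.append("warn: revokeCert missing; revocation tests cannot run")
    for name in ("newAuthz", "keyChange"):
        if name not in directory:
            findings.append("info: optional endpoint %s not offered" % name)

    # Every endpoint value must be an absolute URL; RFC 8555 requires https.
    for name in REQUIRED + OPTIONAL:
        url = directory.get(name)
        if url is None:
            continue
        if not isinstance(url, str):
            findings.append("error: %s is not a URL string" % name)
            continue
        parsed = urlparse(url)
        if not parsed.netloc:
            findings.append("error: %s is not an absolute URL: %s" % (name, url))
        elif parsed.scheme != "https":
            findings.append("warn: %s is not served over https: %s" % (name, url))

    # 'meta' is optional; unknown fields must be ignored, so only note them.
    meta = directory.get("meta", {})
    if not isinstance(meta, dict):
        findings.append("error: meta is not a JSON object")
    else:
        if meta.get("externalAccountRequired") is True:
            findings.append("info: server requires external account binding")
        for key in meta:
            if key not in META_FIELDS:
                findings.append("info: unrecognised meta field %s" % key)
    for key in directory:
        if key not in REQUIRED + OPTIONAL + ("meta",):
            findings.append("info: unrecognised directory field %s" % key)
    return findings


def is_usable(doc):
    """True when the directory has no 'error' findings."""
    return not any(f.startswith("error:") for f in check_directory(doc))


if __name__ == "__main__":
    for label, doc in (("lab", SAMPLE_LAB), ("public", SAMPLE_PUBLIC),
                       ("broken", SAMPLE_BROKEN)):
        print("%s: usable=%s" % (label, is_usable(doc)))
        for finding in check_directory(doc):
            print("  " + finding)
```

Running it against the lab-style document reports no errors but warns that every endpoint is plain http, which is the kind of difference that makes a suite written for public CAs fail against a development deployment even when the server itself behaves correctly; the broken document fails on the missing newOrder endpoint before any order would be placed.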