Hi Endi -
Unfortunately, customer issues have kept me from pursuing this further. I
or one of my team still intends to do so. I will be sure to let you know
when I have tested.
Jesse Van Hill
Websphere Identity Management Architect & Dev Lead
WebSphere Application Server & Open Liberty
https://openliberty.io/
507-513-6234 jlvanhil(a)us.ibm.com
From: Endi Sukma Dewata <edewata(a)redhat.com>
To: Jesse L Van Hill <jlvanhil(a)us.ibm.com>
Cc: pki-devel(a)redhat.com
Date: 06/01/2020 10:42 PM
Subject: [EXTERNAL] Re: [Pki-devel] ACME Support: Error issuing certificate
----- Original Message -----
> Hi -
>
> My team is adding ACME 2.0 client support to the Open Liberty application
> server and wanted to test against Dogtag PKI's ACME server. My intention is
> to containerize the ACME server and drive it through the same functional
> tests we run against other ACME CA servers (i.e. - Pebble and Boulder for
> instance) to verify compatibility.
>
> The first error I hit was an issue with using JSS 4.7 and I understand that
> will be fixed by PR
> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_dogtagpki...
>
> [snip]
>
> To move past this error, I was advised to move down to JSS 4.6.2. Upon doing
> so, I made it past the initial error but now hit the following error:
>
> [snip]
>
> I can see in the ACME server's trace that it does indeed authorize my
> ownership of the domain and then try to issue the certificate. Examining the
> AcmeIssuer class shows that this class has several methods that are not
> implemented.
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_dogtagpki...
>
> Is this expected or is it possible I have a misconfiguration? I assume I am
> testing too early and need to wait until the implementation is further
> along, but I wanted to test early enough that if there were issues I could
> detect them earlier rather than later.
>
> If it matters, I am testing with the image from @pki/master on a Fedora 30
> docker container.
Hi Jesse,

Thanks for your interest in Dogtag PKI and particularly the ACME responder.

Please note that the ACME responder itself is not a CA; it requires another
CA to issue the certificates. Currently the only supported CA is Dogtag PKI
CA, which is connected through PKIIssuer:
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_dogtagpki...

The ACMEIssuer is just a base class. It's possible to support other CAs
by extending ACMEIssuer. If you would like to add support for another issuer
upstream, feel free to submit a pull request. We have a prototype for OpenSSL
that we might add later.

The issue with JSS is correct, and we're still working to fix it.

The unimplemented ACMEIssuer issue seems to be caused by a missing CA. Please
follow these docs to install 389 DS, then install Dogtag PKI CA:
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wi...
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_dogtagpki...

Then follow these docs to install and verify ACME:
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_dogtagpki...
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_dogtagpki...

Officially we do not support containerization yet, but it's possible to run
ACME, CA, and DS in containers under some scenarios.

If you run Fedora 30 as a local Docker container, you can execute commands in
the container to install ACME, CA, and DS like regular Fedora applications.

However, if you want to run each of them as a single process in separate
Docker containers, it is possible with some code changes and tricks:
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wi...
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wi...
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wi...

Similarly, here are the docs for OpenShift deployment:
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wi...
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wi...
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wi...

Please note that the wiki is used for development, so the content might be
outdated. The official docs are on GitHub.

The ACME responder is easier to containerize. We might be able to officially
support its containerization soon. However, the CA might be more difficult
due to its dependency on systemd and other issues. The DS seems to require at
least some code changes.

If you want to test ACME containerization, you probably can install ACME
in a container with CA and DS running on the host machine. If you just want
to test ACME compatibility without containerization, it might be best to
install ACME, CA, and DS on a regular machine for now.

Hope this helps. Let me know if you have any questions.

--
Endi S. Dewata
Hi Jesse,
I was just wondering if you managed to test against the ACME server.
FYI, we're working on adding an embedded CA into the ACME server so
it can be containerized more easily without dependency on a separate
CA. Hopefully we will have something usable by the end of the month.
--
Endi S. Dewata
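Editor's note: the thread above is about driving an ACME client's functional tests against a new ACME server (Dogtag PKI's responder alongside Pebble and Boulder) and about the URL and host changes that come with containerizing the responder. The check below is an added example written for this page; it is not code from the thread, from Open Liberty or from the Dogtag project. It validates the one document every RFC 8555 client fetches first, the directory, for the resources a client needs and for the URL mistakes that typically appear when a server is moved behind a container port mapping or reverse proxy (plain http://, or a host and port that differ from the directory's own). The host pki.example.com and both sample directory documents are constructed for the example; the resource paths are not taken from any particular server.

```python
"""Offline sanity check for an ACME (RFC 8555) directory document.

Added example for the pki-devel thread above; not code from the thread,
from Open Liberty or from Dogtag PKI. The sample documents and the host
pki.example.com are constructed for this example.
"""
from __future__ import annotations

import json
from urllib.parse import urlparse

# Resources listed in RFC 8555 section 7.1.1. newAuthz is optional
# (pre-authorization); a client needs the other five for a normal issuance.
REQUIRED_RESOURCES = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")
OPTIONAL_RESOURCES = ("newAuthz",)
KNOWN_META = ("termsOfService", "website", "caaIdentities", "externalAccountRequired")


def check_directory(directory_url: str, body: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings; no "error" entries means usable.

    "error" marks something that will break an RFC 8555 client, "info" marks
    something the client merely has to be aware of.
    """
    findings: list[tuple[str, str]] = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [("error", f"directory is not valid JSON: {exc}")]
    if not isinstance(doc, dict):
        return [("error", "directory is not a JSON object")]

    base = urlparse(directory_url)
    for name in REQUIRED_RESOURCES:
        if name not in doc:
            findings.append(("error", f"missing required resource: {name}"))

    for name, value in doc.items():
        if name == "meta":
            continue
        if name not in REQUIRED_RESOURCES + OPTIONAL_RESOURCES:
            # Boulder deliberately adds a random extra key to its directory,
            # so an unknown field is informational, not an error.
            findings.append(("info", f"unknown directory field: {name}"))
            continue
        if not isinstance(value, str):
            findings.append(("error", f"{name}: value is not a URL string"))
            continue
        url = urlparse(value)
        if url.scheme != "https":
            # ACME resources must be served over HTTPS; a plain http:// entry
            # is the usual sign that an internal listener address leaked
            # through a container or reverse-proxy mapping.
            findings.append(("error", f"{name}: not https: {value}"))
        if url.netloc != base.netloc:
            # A different host or port than the directory itself: the client
            # would talk to a server other than the one it was pointed at.
            findings.append(("error", f"{name}: host {url.netloc} differs from directory host {base.netloc}"))

    meta = doc.get("meta", {})
    if not isinstance(meta, dict):
        findings.append(("error", "meta: not a JSON object"))
    else:
        for key in meta:
            if key not in KNOWN_META:
                findings.append(("info", f"meta: unknown field {key}"))
        if meta.get("externalAccountRequired") is True:
            # Without External Account Binding credentials newAccount will fail.
            findings.append(("info", "externalAccountRequired: newAccount needs EAB credentials"))
    return findings


# Constructed sample responses (not captured from a real server).
DIRECTORY_URL = "https://pki.example.com:8443/acme/directory"
SAMPLE_OK = json.dumps({
    "newNonce": "https://pki.example.com:8443/acme/new-nonce",
    "newAccount": "https://pki.example.com:8443/acme/new-account",
    "newOrder": "https://pki.example.com:8443/acme/new-order",
    "revokeCert": "https://pki.example.com:8443/acme/revoke-cert",
    "keyChange": "https://pki.example.com:8443/acme/key-change",
    "meta": {"termsOfService": "https://pki.example.com:8443/acme/tos"},
})
# keyChange missing, newOrder points at an internal http listener, EAB required.
SAMPLE_BROKEN = json.dumps({
    "newNonce": "https://pki.example.com:8443/acme/new-nonce",
    "newAccount": "https://pki.example.com:8443/acme/new-account",
    "newOrder": "http://localhost:8080/acme/new-order",
    "revokeCert": "https://pki.example.com:8443/acme/revoke-cert",
    "meta": {"externalAccountRequired": True},
})


if __name__ == "__main__":
    for label, body in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(label)
        for severity, message in check_directory(DIRECTORY_URL, body) or [("info", "no findings")]:
            print(f"  [{severity}] {message}")
```

To use it against a live server, fetch the directory with any HTTPS client and pass the URL you fetched and the response body to check_directory; the same-origin check is the one that catches the container case from the thread, where the responder builds its URLs from a hostname or port that is not the one the client reaches it on.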