3:02 p.m.
Hi -
My team is adding ACME 2.0 client support to the Open Liberty application
server and wanted to test against Dogtag PKI's ACME server. My intention is
to containerize the ACME server and drive it through the same functional
tests we run against other ACME CA servers (i.e. - Pebble and Boulder for
instance) to verify compatibility.
The first error I hit was an issue with using JSS 4.7 and I understand that
will be fixed by PR https://github.com/dogtagpki/jss/pull/532 .
2020-05-04 22:15:53 [http-nio-8080-exec-5] SEVERE: Unable to validate
HTTP-01 challenge: Unable to get SunJSSE provider for TLS:
SSLContextImpl is not initialized
java.lang.RuntimeException: Unable to get SunJSSE provider for TLS:
SSLContextImpl is not initialized
at
org.mozilla.jss.provider.javax.net.JSSContextSpi.engineGetSocketFactory
(JSSContextSpi.java:118)
at javax.net.ssl.SSLContext.getSocketFactory
(SSLContext.java:294)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.<init>
(SSLConnectionSocketFactory.java:292)
at org.apache.http.impl.client.HttpClientBuilder.build
(HttpClientBuilder.java:978)
at org.apache.http.impl.client.HttpClients.createDefault
(HttpClients.java:56)
at org.dogtagpki.acme.validator.HTTP01Validator.getResponse
(HTTP01Validator.java:112)
at
org.dogtagpki.acme.validator.HTTP01Validator.validateChallenge
(HTTP01Validator.java:63)
at org.dogtagpki.acme.server.ACMEChallengeService.handlePOST
(ACMEChallengeService.java:99)
...
To move past this error, I was advised to move down to JSS 4.6.2. Upon
doing so, I made it past the initial error but now hit the following error:
2020-05-05 18:36:08 [http-nio-8080-exec-7] SEVERE: Servlet.service()
for servlet [Resteasy] in context with path [/acme] threw exception
org.jboss.resteasy.spi.UnhandledException:
org.apache.commons.lang.NotImplementedException: Code is not
implemented
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException
(ExceptionHandler.java:78)
at org.jboss.resteasy.core.ExceptionHandler.handleException
(ExceptionHandler.java:222)
...
Caused by: org.apache.commons.lang.NotImplementedException: Code is
not implemented
at org.dogtagpki.acme.issuer.ACMEIssuer.generateCertificate
(ACMEIssuer.java:61)
at org.dogtagpki.acme.issuer.ACMEIssuer.issueCertificate
(ACMEIssuer.java:73)
at
org.dogtagpki.acme.server.ACMEFinalizeOrderService.handlePOST
(ACMEFinalizeOrderService.java:79)
...
I can see in the ACME server's trace that it does indeed authorize my
ownership of the domain and then try to issue the certificate. Examining
the AcmeIssuer class shows that this class has several methods that are not
implemented.
https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/...
Is this expected or is it possible I have a misconfiguration? I assume I am
testing too early and need to wait until the implementation is further
along, but I wanted to test early enough that if there were issues I could
detect them earlier rather than later.
If it matters, I am testing the with the image from @pki/master on a Fedora
30 docker container.
Jesse Van Hill
Websphere Identity Management Architect & Dev Lead
WebSphere Application Server & Open Liberty
https://openliberty.io/
507-513-6234 jlvanhil(a)us.ibm.com
6:49 p.m.
----- Original Message -----
Hi Jesse,
Thanks for your interest on Dogtag PKI and particularly the ACME responder.
Please note that the ACME responder itself is not a CA; it requires another
CA to issue the certificates. Currently the only supported CA is Dogtag PKI
CA which is connected through PKIIssuer:
https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/...
The ACMEIssuer is just a base class. It's possible to support other CAs
by extending ACMEIssuer. If you would like to add support for another issuer
upstream feel free to submit a pull request. We have a prototype for OpenSSL
that we might add later.
The issue with JSS is correct, and we're still working to fix it.
The unimplemented ACMEIssuer issue seems to be caused by a missing CA. Please
follow these docs to install 389 DS, then install Dogtag PKI CA:
https://www.dogtagpki.org/wiki/Installing_DS
https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing...
Then follow these docs to install and verify ACME:
https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing...
https://github.com/dogtagpki/pki/blob/master/docs/user/Using_ACME_Respond...
Officially we do not support containerization yet, but it's possible to run
ACME, CA, and DS in containers under some scenarios.
If you run Fedora 30 as a local Docker container, you can execute commands in
the container to install ACME, CA, and DS like regular Fedora applications.
However, if you want to run each of them as a single process in separate
Docker containers, it is possible with some code changes and tricks:
https://www.dogtagpki.org/wiki/PKI_ACME_Container
https://www.dogtagpki.org/wiki/PKI_CA_Container
https://www.dogtagpki.org/wiki/DS_Container
Similarly, here are the docs for OpenShift deployment:
https://www.dogtagpki.org/wiki/PKI_ACME_OpenShift
https://www.dogtagpki.org/wiki/PKI_CA_OpenShift
https://www.dogtagpki.org/wiki/DS_OpenShift
Please note that the wiki is used for development, so the content might be
outdated. The official docs are on GitHub.
The ACME responder is easier to containerize. We might be able to officially
support its containerization soon. However, the CA might be more difficult
due to its dependency on systemd and other issues. The DS seems to require at
least some code changes.
If you want to test ACME containerization, you probably can install ACME
in container with CA and DS running on the host machine. If you just want
to test ACME compatibility without containerization, it might be best to
install ACME, CA, and DS on regular machine for now.
Hope this helps. Let me know if you have any question.
--
Endi S. Dewata
10:42 p.m.
----- Original Message -----
Hi Jesse,
I was just wondering if you managed to test against the ACME server.
FYI, we're working on adding an embedded CA into the ACME server so
it can be containerized more easily without dependency on a separate
CA. Hopefully we will have something usable by the end of the month.
--
Endi S. Dewata
8:35 a.m.
Hi Endi -
Unfortunately, customer issues have kept me from pursuing this further. I
or one of my team still intends on doing so. I will be sure to let you know
when I have tested.
Jesse Van Hill
Websphere Identity Management Architect & Dev Lead
WebSphere Application Server & Open Liberty
https://openliberty.io/
507-513-6234 jlvanhil(a)us.ibm.com
From: Endi Sukma Dewata <edewata(a)redhat.com To: Jesse
L Van hill <jlvanhil(a)us.ibm.com Cc: pki-devel(a)redhat.com
Date: 06/01/2020 10:42 PM
Subject: [EXTERNAL] Re: [Pki-devel] ACME Support: Error issuing
certificate
----- Original Message -----
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_dogtagpki...
> Then follow these docs to install and verify ACME:
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_dogtagpki...
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_dogtagpki...
> Officially we do not support containerization yet, but
it's possible to
run
> ACME, CA, and DS in containers under some scenarios.
> If you run Fedora 30 as a local Docker container, you can
execute
commands in
> However, if you want to run each of them as a single
process in separate
> Docker containers, it is possible with some code changes and tricks:
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wi...
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wi...
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wi...
> Similarly, here are the docs for OpenShift deployment:
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wi...
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wi...
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wi...
> Please note that the wiki is used for development, so the
content might
be
> outdated. The official docs are on GitHub.
> The ACME responder is easier to containerize. We might be
able to
officially
> If you want to test ACME containerization, you probably
can install ACME
> in container with CA and DS running on the host machine. If you just want
> to test ACME compatibility without containerization, it might be best to
> install ACME, CA, and DS on regular machine for now.
> Hope this helps. Let me know if you have any question.
> --
> Endi S. Dewata
Hi Jesse,
I was just wondering if you managed to test against the ACME server.
FYI, we're working on adding an embedded CA into the ACME server so
it can be containerized more easily without dependency on a separate
CA. Hopefully we will have something usable by the end of the month.
--
Endi S. Dewata
> Hi -
> My team is adding ACME 2.0 client support to the Open
Liberty
application
> server and wanted to test against Dogtag PKI's ACME server.
My
intention is
> to containerize the ACME server and drive it through the same
functional
> tests we run against other ACME CA servers (i.e. - Pebble and
Boulder
for
> instance) to verify compatibility.
> The first error I hit was an issue with using JSS 4.7 and
I understand
that
> will be fixed by PR
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_dogtagpki...
.
Examining
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_dogtagpki...
> Is this expected or is it possible I have a misconfiguration? I
assume
I am
> testing too early and need to wait until the implementation is
further
> along, but I wanted to test early enough that if there were issues I
could
> detect them earlier rather than later.
> If it matters, I am testing the with the image from
@pki/master on a
Fedora
responder.
Please note that the ACME responder itself is not a CA; it requires
another
CA to issue the certificates. Currently the only supported CA is
Dogtag
PKI
CA which is connected through PKIIssuer:
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_dogtagpki...
The ACMEIssuer is just a base class. It's possible to support other CAs
by extending ACMEIssuer. If you would like to add support for another
issuer
upstream feel free to submit a pull request. We have a prototype for
OpenSSL
Please
follow these docs to install 389 DS, then install Dogtag PKI CA:
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.dogtagpki.org_wi...
the container to install ACME, CA, and DS like regular Fedora
applications.
support its containerization soon. However, the CA might be more
difficult
due to its dependency on systemd and other issues. The DS seems to
require at
> least some code changes.
3:12 p.m.
Hi Jesse,
I'd like to let you know that we have created a PKI ACME container that can
be
deployed much more easily on Podman or OpenShift:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Deplo...
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Deplo...
By default the container will generate a self-signed CA signing certificate
and use
an ephemeral database, but you can configure it with a permanent
certificate and
persistent database.
We've also set up a demo instance that you can try:
https://acme.demo.dogtagpki.org/acme/directory
Just let me know if you have any questions. Thanks!
--
Endi S. Dewata
On Tue, Jun 2, 2020 at 8:35 AM Jesse L Van hill <jlvanhil(a)us.ibm.com> wrote:
3:43 p.m.
Hi Endi -
Thanks for letting me know about this. We have testing on PKI on our list
of tasks as we finish up working on our ACME client. I will let you know
what we find when we test.
Jesse Van Hill
Websphere Identity Management Architect & Dev Lead
WebSphere Application Server & Open Liberty
https://openliberty.io/
507-513-6234 jlvanhil(a)us.ibm.com
From: Endi Dewata <edewata(a)redhat.com>
To: Jesse L Van hill <jlvanhil(a)us.ibm.com>
Cc: pki-devel(a)redhat.com
Date: 06/29/2020 03:37 PM
Subject: [EXTERNAL] Re: [Pki-devel] ACME Support: Error issuing
certificate
Hi Jesse,
I'd like to let you know that we have created a PKI ACME container that can
be
deployed much more easily on Podman or OpenShift:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Deplo...
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Deplo...
By default the container will generate a self-signed CA signing certificate
and use
an ephemeral database, but you can configure it with a permanent
certificate and
persistent database.
We've also set up a demo instance that you can try:
https://acme.demo.dogtagpki.org/acme/directory
Just let me know if you have any questions. Thanks!
--
Endi S. Dewata
On Tue, Jun 2, 2020 at 8:35 AM Jesse L Van hill <jlvanhil(a)us.ibm.com>
wrote:
Hi Endi -
Unfortunately, customer issues have kept me from pursuing this further. I
or one of my team still intends on doing so. I will be sure to let you
know when I have tested.
Jesse Van Hill
Websphere Identity Management Architect & Dev Lead
WebSphere Application Server & Open Liberty
https://openliberty.io/
507-513-6234 jlvanhil(a)us.ibm.com
Inactive hide details for Endi Sukma Dewata ---06/01/2020 10:42:43
PM-------- Original Message ----- > > Hi -Endi Sukma Dewata ---06/01/2020
10:42:43 PM-------- Original Message ----- > > Hi -
From: Endi Sukma Dewata <edewata(a)redhat.com>
To: Jesse L Van hill <jlvanhil(a)us.ibm.com>
Cc: pki-devel(a)redhat.com
Date: 06/01/2020 10:42 PM
Subject: [EXTERNAL] Re: [Pki-devel] ACME Support: Error issuing
certificate
Hi Jesse,
I was just wondering if you managed to test against the ACME server.
FYI, we're working on adding an embedded CA into the ACME server so
it can be containerized more easily without dependency on a separate
CA. Hopefully we will have something usable by the end of the month.
--
Endi S. Dewata
1740
days inactive
1795
days old
5 comments
3 participants
participants (3)
-
Endi Dewata -
Endi Sukma Dewata
-
Jesse L Van hill