Re: [Pki-users] SCEP Enrollment fails with Certificate not found .

What's your scep config values, specifically: ca.scep.nickname ca.scep.tokenname Christina On 09/29/2014 04:55 AM, Elliott William C OSS sIT wrote: > > Hello, > > We are currently trying to get a new RHEL6/Dogtag 9 with Safenet HSMs > setup for SCEP enrollment. But, no matter whether we try the older > HSMs( LunaSA 4) or the newer (LunaSA 5) we cannot complete a > successful SCEP request. The following exception occurs in the debug log: > > [29/Sep/2014:13:41:17][http-9180-1]: operation=PKIOperation > > [29/Sep/2014:13:41:17][http-9180-1]: > message=MIIHDQYJKoZIhvcNAQcCoIIG/jCCBvoCAQExDjAMBggqhkiG9w0CBQUAMIIDZQYJ > > KoZIhvcNAQcBoIIDVgSCA1IwggNOBgkqhkiG9w0BBwOgggM/MIIDOwIBADGCAW4w > > ggFqAgEAMFIwTTEVMBMGA1UEChMMRWJMYW4gRG9tYWluMRQwEgYDVQQLEwtwa2kt > > dGVzdGNhMTEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5AgEBMA0GCSqG > > SIb3DQEBAQUABIIBADJhcbvaLYwGrTA6W1G+xB2BuHKJKnQ9DL+KsGWGuVh94CaH > > 7QAs2fbWcswpD6yhRDTirMS9gXBkdIdEZtGWvMKcZYpLbAxtoE/2V3oa9D5fdwjP > > RaLAt5rh6afS/pPbpdCkTYvHZZu7Y1//UDSP7Jkli/oBVE/vYEkteTgFlOgPhNJs > > HN/xVJAHJniIzJMc48YojxT8angpN045K+lAFldwsq5RpwS2szH7jaQeGsn5bx+r > > SQrEcPYz4noj9GnlzrOAnpvLK8XanJUj6KF4w8Am/adJhTRZrwAc6PVr88BO367g > > rjHcNApluo0m4+5DxvC8x7ri4N3wusfRN/oBpkMwggHCBgkqhkiG9w0BBwEwEQYF > > Kw4DAgcECGugmAolmOqhgIIBoIaPJ2m6nhY6DsUUBHGGqZRqVvlXimRX++u6UtWM > > X0r2jjmCfzpKuijFApiYAdrQzewMjk5AvLE0Pu6cH8mL7Sq973d8zG1vdqAQWZbW > > m8C6VRrpD9vw1Yd+q9Ma9UWSqIK0BicuqQk9jWRZVNWmVQT/q3Ht/+7s4rS7iiNu > > udSV9MAMAeZsR/AQh1f2DDMCtu2CKsRsQi+qL3gGO2YYQpmbTVBwIPj0O9X664qc > > AEqcFFUcGYlb5ES9RMmXtYWJb6rkrAQdWs8MPaaUuVON+t26mim9RazteY5dQ4rT > > l7UFujI+pIdc8JXflJ/SaJDb7USl1Y89OMS+j6Uxi1qimhzjedLmhpS27wKH1x61 > > JfEPqypjsz/AdKYiYH1IOXT3wVq52cpxOMlMpLEOl2eK3QCmvQMef1e9cmnku3fz > > cglipc6hT90ca/ugJWlXI84zlppEvKAJ3zqOtmJAf2TYcU++Cyg4Ai/Bi0Szon5z > > gOsL1Qpo8YdrmzHL4KbfAHGE7T/QCGA/CszbANL7aTMh4SNC6/A6ZIwoPDmTePNB > > dB0IoIIByzCCAccwggEwoAMCAQICIDRDNENCNUVFOUZGRkVCRkQzMUY5M0QwREJG > > NTZGMUY3MA0GCSqGSIb3DQEBBAUAMBoxGDAWBgNVBAMTDzAxMC4wMDAuMDAwLjAy > > MTAeFw0xNDA5MjkxMTQxMTdaFw0xNDEwMDUxMzQxMTdaMBoxGDAWBgNVBAMTDzAx > > MC4wMDAuMDAwLjAyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4vzJ7zuF > > gzXYtHQEDehMN+WniECBX9q6cV7ixr/F/Qn7ItbIiUrRfwMk+2orzSVRANE0dpBM > > rqohSq6USOoXwLp/YkITA5RNiQn5LRyebfWgul0IIgioq6L6EI88PG+elBbN2dip > > 9sjbedJlgIB+zxJ506f0Qf23nYJScdaJ/x8CAwEAATANBgkqhkiG9w0BAQQFAAOB > > gQCWENzZzQD6Dj88f33Y8aVY8DQoZjl/sIRHtPjJOKgINJrIt1bU2mlwQ2IrYtrN > > L2lv4UOpD9JsprK6FZb0XMMxZotCpXDHZevstDIq745srkHvZK15USjNY2QDvhOp > > e8YRESZf64jH7dAkiiFgJU7k6NZRNrIb5l8BuVd1K6sh4jGCAaswggGnAgEBMD4w > > GjEYMBYGA1UEAxMPMDEwLjAwMC4wMDAuMDIxAiA0QzRDQjVFRTlGRkZFQkZEMzFG > > OTNEMERCRjU2RjFGNzAMBggqhkiG9w0CBQUAoIHBMBIGCmCGSAGG+EUBCQIxBBMC > > MTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQw > > OTI5MTE0MTE3WjAfBgkqhkiG9w0BCQQxEgQQRAdYc3/0mIu36+n+4HjzcTAgBgpg > > hkgBhvhFAQkFMRIEEFgpmRCbIFZei2tsCn8+fx8wMAYKYIZIAYb4RQEJBzEiEyA0 > > QzRDQjVFRTlGRkZFQkZEMzFGOTNEMERCRjU2RjFGNzANBgkqhkiG9w0BAQEFAASB > > gDXExABpVsRfVAK8yB3C2N1v89zLSygNgejlh6UtB2Dq8gXW1Qmb+d03PZQzmFbH > > eaJKV9+5pIsKchOedlsaAks2ZSHw9Pj8is9mIRYM5pADo1BoEcsszshV2G5DKDwm > > /oBmEEz/Lwysh4v4GyZwcQad/xYjCODUt83k3s18LWS+ > > [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: > token name: osstest' > > [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: > mNickname: '*osstest:osstest*:caSigningCert cert-pki-testca1' > > [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception > com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: > Certificate not found: osstest:caSigningCert cert-pki-testca1 > > com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: > Certificate not found: osstest:caSigningCert cert-pki-testca1 > > at > com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026) > > at > com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803) > > at > com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297) > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) > > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) > > at > com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176) > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) > > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) > > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) > > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) > > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) > > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) > > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) > > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) > > at > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) > > at > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) > > at > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) > > at java.lang.Thread.run(Thread.java:701) > > [29/Sep/2014:13:41:17][http-9180-1]: ServletException > javax.servlet.ServletException: Failed to process message in CEP > servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1 > > What stands out is the line with mNickname. After restarting the > service, with the first request, the HSM token name appears to be > listed twice in the *mNickname* string. Interestingly, with each new > request, the number of token names increases by one in the string. > i.e. with the 2^nd attempt, the same exception occurs but the token > name appears three times: > > [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: > token name: osstest' > > [29/Sep/2014:13:41:17][http-9180-1]: CRSEnrollment: CryptoContext: > mNickname: '*osstest:osstest:osstest*:caSigningCert cert-pki-testca1' > > [29/Sep/2014:13:41:17][http-9180-1]: handlePKIMessage exception > com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: > Certificate not found: osstest:caSigningCert cert-pki-testca1 > > com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext$CryptoContextException: > Certificate not found: osstest:caSigningCert cert-pki-testca1 > > at > com.netscape.cms.servlet.cert.scep.CRSEnrollment$CryptoContext.<init>(CRSEnrollment.java:2026) > > at > com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:803) > > at > com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:297) > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) > > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) > > at > com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176) > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) > > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) > > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) > > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) > > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) > > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) > > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) > > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) > > at > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) > > at > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) > > at > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) > > at java.lang.Thread.run(Thread.java:701) > > [29/Sep/2014:13:41:17][http-9180-1]: ServletException > javax.servlet.ServletException: Failed to process message in CEP > servlet: Certificate not found: osstest:caSigningCert cert-pki-testca1 > > As mentioned, the exception occurs with both versions 4 and 5 of > LunaSA. (We currently have RHEL5 systems with Dogtag 1.3 operating > with SCEP enrollment.) With local tokens, (no HSMs) the error does > not occur. > > Any Ideas, how we can track this down? We definitely need to get this > running. > > Best regards! > > William Elliott > > s IT Solutions > > Open System Services > > s IT Solutions AT Spardat GmbH > > A-1110 Wien, Geiselbergstraße 21 - 25 > > Phone: +43 (0)5 0100 - 39376 > > Fax: +43 (0)5 0100 9 - 39376 > > Mobile: +43 (0)5 0100 6 - 39376 > > _mailto:william.elliott at s-itsolutions.at > <mailto:william.elliott%20at%20s-itsolutions.at>_ > > www.s-itsolutions.com <http://www.s-itsolutions.com/> > > Head Office: Vienna Commercial Register No.: 152289f Commercial Court > of Vienna > > This message and any attached files are confidential and intended > solely for the addressee(s). Any publication, transmission or other > use of the information by a person or entity other than the intended > addressee is prohibited. If you receive this in error please contact > the sender and delete the material. The sender does not accept > liability for any errors or omissions as a result of the transmission. > > > > _______________________________________________ > Pki-users mailing list > Pki-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/pki-users _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users