On Tue, Apr 07, 2015 at 02:37:12PM -0500, Steve Neuharth wrote:
Yes, very observant. I noticed that as well. The difference was that
client.pem had some bag information in it:
    Bag Attributes
        friendlyName: PKI Administrator for test.org
        localKeyID: 4F E5 46 3D foo 64 1F E4
    subject=/O=test.org Security Domain/emailAddress=caadmin@test.org/CN=PKI Administrator
    issuer=/O=test.org Security Domain/CN=CA Signing Certificate
while cert.pem does not. Otherwise, they contain the same cert data.
Right, you mentioned that you'd pulled the key and certificate out of a
PKCS#12 bundle, so it makes sense that that'd show up there.
I'm actually planning on using automatically approved certs eventually,
and so it is my desire to use either username/password or cert/key
authentication to facilitate that. I just noticed that dogtag-submit
does not seem to use my cert/key pair when I specify them.
Does certificate authentication work for you in dogtag-submit?
It does, but I'd been using an NSS database (-d and -n flags) rather
than PEM-formatted keys and certificates. And -i to point to a
PEM-format certificate, and the -p flag, so it looked like this:
    /usr/libexec/certmonger/dogtag-submit -E http://machete.bos.redhat.com:9180/ca/ee/ca \
        -A https://machete.bos.redhat.com:9443/ca/agent/ca \
        -d /etc/httpd/alias -n ipaCert -i /etc/ipa/ca.crt -p /etc/httpd/alias/pwdfile.txt
When I used "openssl pkcs12 -in /root/ca-agent.p12 -nodes -nokeys -out
/etc/pki/tls/certs/agent.cert" to extract the certificates, I had to
prune out everything but the agent certificate itself, and the agent key
itself, to avoid getting SSL connect errors, though that may only be
necessary with the older version of NSS's PEM module that my test system
has. The working invocation I ended up with looks like this:
    /usr/libexec/certmonger/dogtag-submit -E http://machete.bos.redhat.com:9180/ca/ee/ca \
        -A https://machete.bos.redhat.com:9443/ca/agent/ca \
        -k /etc/pki/tls/private/agent.key -c /etc/pki/tls/certs/agent.cert -i /etc/ipa/ca.crt
I'm not sure if you're in SELinux enforcing mode, but if you are, the
daemon (and the helpers that it starts) may not be able to read the
files under /tmp/test unless they're labeled to allow it.
HTH,
Nalin
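The pruning Nalin describes above (keeping only the agent certificate and its key, with no bag attributes or CA certificates left in the PEM files) can be scripted rather than done by hand. This is an added example, not code from the thread or from certmonger; it builds a throwaway self-signed PKCS#12 bundle so it runs offline, and the file names and the "example.test" subject are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): pull exactly one client certificate and
# its key out of a PKCS#12 bundle, dropping the "Bag Attributes" headers and any
# CA certificates that a plain "openssl pkcs12 -nodes -nokeys" would leave in.
set -eu

# Build a throwaway PKCS#12 bundle so the script runs offline; a real agent
# bundle such as /root/ca-agent.p12 would be passed in instead.
make_test_p12() {
  p12=$1; pass=$2; dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=example.test/CN=PKI Administrator" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -name "PKI Administrator for example.test" -passout "pass:$pass" -out "$p12"
  rm -rf "$dir"
}

# Extract only the client certificate (-clcerts) and only the key (-nocerts),
# then re-encode each through openssl x509 / openssl pkey, which emit a single
# PEM block and silently skip the bag attribute and subject/issuer lines.
extract_agent_identity() {
  p12=$1; pass=$2; cert_out=$3; key_out=$4
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
    | openssl x509 -out "$cert_out"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
    | openssl pkey -out "$key_out"
  chmod 0600 "$key_out"
}

# A PEM file is "clean" when it holds exactly one object and no bag headers.
is_clean_pem() {
  f=$1
  [ "$(grep -c '^-----BEGIN' "$f")" -eq 1 ] && ! grep -q 'Bag Attributes' "$f"
}

# Confirm the extracted key really belongs to the extracted certificate before
# handing the pair to dogtag-submit's -k/-c options.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```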