Re: [Pki-users] getting NEED_TO_NOTIFY_ISSUED_SAVE_FAILED with dogtag-submit

On Wed, Apr 08, 2015 at 09:35:31AM -0500, Steve Neuharth wrote: > yes, I have indeed set SELinux to permissive to eliminate any potential > security collisions. > > If I configure my 'DogtagAuto' CA in /var/lib/certmonger/cas without the '-T > caAgentServerCert', the certmonger daemon dies as soon as I request a > certificate using that CA. Other than that, it looks like I'm using the > same flags as you. Well, it shouldn't be dying at least. If you can get a coredump or a backtrace out of it, that'll help track it down. I'm not really sure how the use (or not) of the -T flag with the helper could be affecting that, though, as when I tried obtaining a certificate using it and the caServerCert profile, it succeeded. I got an authentication error attempting to specify the caAgentServerCert profile, which makes some sense since the helper submits the request using using the end-entity services interface and only uses the agent creds when it goes back to approve it using the agent services interface. > when I run dogtag-submit this way manually (without the template), I see > that it reutrns: results = "<?xml version="1.0" encoding="UTF-8" > standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred - > {0}</Error><RequestId> 70</RequestId></XMLResponse>" > 0 > state=approve&requestId=70 > > I find it strange that this response would crash certmonger. Also, wouldn't > I need to specify a template if I need to automatically sign the cert and > get the cert immediately? The helper hard-codes a default of "caServerCert" if the flag isn't used, and that looks like a pretty normal delay-and-state-cookie output value to me, so a backtrace would be really helpful in diagnosing what's happening when you try it. HTH, Nalin