Yes, very observant. I noticed that as well. The difference was that
client.pem had some bag information in it:
Bag Attributes
    friendlyName: PKI Administrator for test.org
    localKeyID: 4F E5 46 3D foo 64 1F E4
subject=/O=test.org Security Domain/emailAddress=caadmin@test.org/CN=PKI Administrator
issuer=/O=test.org Security Domain/CN=CA Signing Certificate
while cert.pem does not. Otherwise, they contain the same cert data.
--password was just in there because it was in my command history, I have
since stripped the password off of the key (openssl --norsa) and curl does
work without the --password switch.
I'm actually planning on using automatically approved certs eventually and
so it is my desire to use either username/password or cert/key
authentication to facilitate that. I just noticed that the dogtag-submit
does not seem to use my cert/key pair when I specify them.
Does certificate authentication work for you in dogtag-submit?
On Tue, Apr 7, 2015 at 2:22 PM, Nalin Dahyabhai <nalin(a)redhat.com> wrote:
On Tue, Apr 07, 2015 at 01:58:24PM -0500, Steve Neuharth wrote:
> HA! yep, re-requesting the cert using version 0.77.1 solved this... I can
> request a cert and after a manual approval, I'm able to download and
> monitor the cert. THANK YOU!
>
> I'm also having another problem. When I try to use dogtag-submit like
this:
>
> /usr/libexec/certmonger/dogtag-submit -E https://dogtag.test.org:8443/ca/ee/ca -A https://dogtag.test.org:8443/ca/agent/ca -T caAgentServerCert -i /tmp/test/ca.crt -c /tmp/test/cert.pem -k /tmp/test/key.pem
>
> I get this:
>
> Request ID '20150404113812':
>         status: CA_REJECTED
>         ca-error: Server at "https://dogtag.test.org:8443/ca/ee/ca/profileSubmit" replied: Invalid Credential.
>         stuck: yes
>         key pair storage: type=FILE,location='/etc/ssl/get2cert.key'
>         certificate: type=FILE,location='/etc/ssl/get2cert.crt'
>         CA: DogtagAuto
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> However, when I use curl like this:
>
> curl "https://dogtag.test.org:8443/ca/ee/ca/profileSubmit?profileId=caAgentServ..." --pass password --cacert /tmp/test/ca.crt --key /tmp/test/key.pem --cert /tmp/test/client.pem
>
> I get a valid response.
Hmm, those two runs may not be using the same agent credentials.
Is there a difference between the cert.pem that's being passed to
dogtag-submit and the client.pem that's passed to curl?
If the private key (key.pem) is encrypted, and curl is being passed the
encryption password for it using its --pass option, dogtag-submit
probably needs a -P or -p option to provide it with the same value.
Alternately, if you're going to do manual approval at the server, you
can skip the -A, -c, and -k flags when you run dogtag-submit, and it'll
just poll periodically until the CA tells it that the request was either
approved or rejected.
HTH,
Nalin
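The two questions in this exchange (is cert.pem really the same certificate as the client.pem that carries Bag Attributes, and does key.pem belong to that certificate) can be answered mechanically. The script below is an added example for this thread; it is not certmonger or Dogtag code and was not posted by either participant. It assumes an `openssl` binary on PATH and PEM files of the shape shown above; the file names and the passphrase argument are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): compare two PEM files that may
# differ only in the "Bag Attributes" preamble that `openssl pkcs12`
# writes, and verify that a private key matches a certificate.
set -eu

# Print only the CERTIFICATE block(s) of a PEM file. This drops
# "Bag Attributes", "subject=", "issuer=" and any key material that
# precedes or follows the cert, so two files carrying the same cert
# compare equal even when one came out of a PKCS#12 export.
pem_cert_only() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Return 0 if $1 and $2 carry byte-identical certificate blocks.
same_cert() {
    [ "$(pem_cert_only "$1")" = "$(pem_cert_only "$2")" ]
}

# Return 0 if the public half of private key $1 equals the public key in
# certificate $2 (works for RSA and EC). Both sides are normalised to
# SubjectPublicKeyInfo PEM so a plain string compare is enough. An
# encrypted key will prompt for its passphrase unless you pass -passin.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Write an unencrypted copy of encrypted key $1 (passphrase $2) to $3,
# creating it owner-readable only. This is the general way to strip a
# passphrase with OpenSSL; it is an assumption of this example, not a
# command taken from the thread.
strip_key_passphrase() {
    ( umask 077; openssl pkey -in "$1" -passin "pass:$2" -out "$3" )
}

# Usage, with the thread's file names:
#   same_cert /tmp/test/cert.pem /tmp/test/client.pem && echo "same cert"
#   key_matches_cert /tmp/test/key.pem /tmp/test/cert.pem && echo "key matches"
#   strip_key_passphrase /tmp/test/key.pem 'password' /tmp/test/key-nopass.pem
```

If `same_cert` succeeds but `key_matches_cert` fails, the "Invalid Credential" reply is explained by the key rather than by the Bag Attributes; if both succeed, the difference between the two runs lies elsewhere (for example the passphrase, as Nalin suggests, or which agent certificate the server actually maps the request to).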