4:58 p.m.
After using the DogTag WEB Agent client once (based upon "preop.pin"
value) the WEB Agent fail to continue to operate with error message=
"Invalid Credential" .
The "/var/lib/<instance>/logs/system" file reports an "User not
found"
error.
NOTE: During the CA configuration setup the following Alert is displayed
when the administrator certificate is installed:
"This certificate can't be verified and will not be imported. The
certificate issuer might be unknown or untrusted, the certificate might
have expired or been revoked, or the certificate might not have been
approved."
Suggestions on what to try next will be appreciated?
Ebbe Hansen @ SPYRUS
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or exempt
from disclosure under applicable law. These materials are intended only
for the use of the intended recipient. If you are not the intended
recipient of this electronic message, you are hereby notified that any
use of this message is strictly prohibited. Delivery of this message to
any person other than the intended recipient shall not constitute any
waiver of any privilege. If you have received this message in error,
please delete this message from your system and notify the sender
immediately. Thank you."
6:19 p.m.
Ebbe:
Thanks for trying out Dogtag. A few tips to help out below.
During the wizard when you saw the message "This certificate can’t be
verified and will not be imported. The certificate issuer might be
unknown or untrusted, the certificate might have expired or been
revoked, or the certificate might not have been approved.", you most
probably had your agent certificate imported OK. We have a bug for this
that we are working on. This message shows up despite an actual
successful import.
The "preop.pin" you speak of is used in the case that one has not yet
completed the installation wizard.
Here are few things you can try:
1. If you have already finished the wizard, you should be able to simply
proceed to the agent interface URL without any pin, provided you have
successfully imported the Admin cert. Simply go to
"https://host.example.com:9443" and see if you can proceed using the
agent interface.
2. If the nasty error message from above scared you off of actually
finishing the configuration wizard, go back and do so. This is done with
the URL that gets printed when the instance is installed. It looks
something like:
http://host.example.com:9080/ca/admin/console/config/login?<preop.pin>
3. If everything is too confused, you can start the process over by
using our "pkiremove" tool which removes an existing instance. Try
something like, as root:
pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
The "pki-ca" at the end is the name of the instance you are trying to
remove. The very first instance that is installed when you install the
RPM is in fact "pki-ca".
From here you can try again by doing the following as root:
rpm -ev pki-ca
yum install pki-ca
This will reinstall your RPM for the CA and create a brand new instance.
Note: Make sure you have used "pkiremove" to remove all instances you
may have created before trying this.
4. If the above is too confusing, we can hash it out on the "#dogtag-pi"
IRC channel.
thanks,
jack
Ebbe Hansen wrote:
After using the DogTag WEB Agent client once (based upon “preop.pin”
value) the WEB Agent fail to continue to operate with error message=
“Invalid Credential” .
The “/var/lib/<instance>/logs/system” file reports an “User not found”
error.
NOTE: During the CA configuration setup the following Alert is
displayed when the administrator certificate is installed:
“This certificate can’t be verified and will not be imported. The
certificate issuer might be unknown or untrusted, the certificate
might have expired or been revoked, or the certificate might not have
been approved.”
Suggestions on what to try next will be appreciated?
Ebbe Hansen @ SPYRUS
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or
exempt from disclosure under applicable law. These materials are
intended only for the use of the intended recipient. If you are not
the intended recipient of this electronic message, you are hereby
notified that any use of this message is strictly prohibited. Delivery
of this message to any person other than the intended recipient shall
not constitute any waiver of any privilege. If you have received this
message in error, please delete this message from your system and
notify the sender immediately. Thank you."
------------------------------------------------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
6:33 p.m.
Thanks for the advice -- so far I have created three CA instances using
different names (pki-ca, pki-ca1, and pki-ca2) -- I will remove all
three and start all over!
With respect to directory server instance(s) - should I also remove
them?
If yes -- what command(s) should I use?
Ebbe
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or exempt
from disclosure under applicable law. These materials are intended only
for the use of the intended recipient. If you are not the intended
recipient of this electronic message, you are hereby notified that any
use of this message is strictly prohibited. Delivery of this message to
any person other than the intended recipient shall not constitute any
waiver of any privilege. If you have received this message in error,
please delete this message from your system and notify the sender
immediately. Thank you."
-----Original Message-----
From: Jack Magne [mailto:jmagne@redhat.com]
Sent: Friday, April 25, 2008 4:20 PM
To: Ebbe Hansen; pki-users(a)redhat.com
Subject: Re: [Pki-users] Invalid Credential / User not found
Ebbe:
Thanks for trying out Dogtag. A few tips to help out below.
During the wizard when you saw the message "This certificate can't be
verified and will not be imported. The certificate issuer might be
unknown or untrusted, the certificate might have expired or been
revoked, or the certificate might not have been approved.", you most
probably had your agent certificate imported OK. We have a bug for this
that we are working on. This message shows up despite an actual
successful import.
The "preop.pin" you speak of is used in the case that one has not yet
completed the installation wizard.
Here are few things you can try:
1. If you have already finished the wizard, you should be able to simply
proceed to the agent interface URL without any pin, provided you have
successfully imported the Admin cert. Simply go to
"https://host.example.com:9443" and see if you can proceed using the
agent interface.
2. If the nasty error message from above scared you off of actually
finishing the configuration wizard, go back and do so. This is done with
the URL that gets printed when the instance is installed. It looks
something like:
http://host.example.com:9080/ca/admin/console/config/login?<preop.pin>
3. If everything is too confused, you can start the process over by
using our "pkiremove" tool which removes an existing instance. Try
something like, as root:
pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
The "pki-ca" at the end is the name of the instance you are trying to
remove. The very first instance that is installed when you install the
RPM is in fact "pki-ca".
From here you can try again by doing the following as root:
rpm -ev pki-ca
yum install pki-ca
This will reinstall your RPM for the CA and create a brand new instance.
Note: Make sure you have used "pkiremove" to remove all instances you
may have created before trying this.
4. If the above is too confusing, we can hash it out on the "#dogtag-pi"
IRC channel.
thanks,
jack
Ebbe Hansen wrote:
After using the DogTag WEB Agent client once (based upon "preop.pin"
value) the WEB Agent fail to continue to operate with error message=
"Invalid Credential" .
The "/var/lib/<instance>/logs/system" file reports an "User not
found"
error.
NOTE: During the CA configuration setup the following Alert is
displayed when the administrator certificate is installed:
"This certificate can't be verified and will not be imported. The
certificate issuer might be unknown or untrusted, the certificate
might have expired or been revoked, or the certificate might not have
been approved."
Suggestions on what to try next will be appreciated?
Ebbe Hansen @ SPYRUS
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or
exempt from disclosure under applicable law. These materials are
intended only for the use of the intended recipient. If you are not
the intended recipient of this electronic message, you are hereby
notified that any use of this message is strictly prohibited. Delivery
of this message to any person other than the intended recipient shall
not constitute any waiver of any privilege. If you have received this
message in error, please delete this message from your system and
notify the sender immediately. Thank you."
------------------------------------------------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
6:47 p.m.
Ebbe:
You can leave your current directory instance. When you re-do the config
wizard, you will just have to give unique names for the new directory
trees it will have to create. Removing instances is a great idea for us
to work on.
thanks,
jack
Ebbe Hansen wrote:
Thanks for the advice -- so far I have created three CA instances
using
different names (pki-ca, pki-ca1, and pki-ca2) -- I will remove all
three and start all over!
With respect to directory server instance(s) - should I also remove
them?
If yes -- what command(s) should I use?
Ebbe
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or exempt
from disclosure under applicable law. These materials are intended only
for the use of the intended recipient. If you are not the intended
recipient of this electronic message, you are hereby notified that any
use of this message is strictly prohibited. Delivery of this message to
any person other than the intended recipient shall not constitute any
waiver of any privilege. If you have received this message in error,
please delete this message from your system and notify the sender
immediately. Thank you."
-----Original Message-----
From: Jack Magne [mailto:jmagne@redhat.com]
Sent: Friday, April 25, 2008 4:20 PM
To: Ebbe Hansen; pki-users(a)redhat.com
Subject: Re: [Pki-users] Invalid Credential / User not found
Ebbe:
Thanks for trying out Dogtag. A few tips to help out below.
During the wizard when you saw the message "This certificate can't be
verified and will not be imported. The certificate issuer might be
unknown or untrusted, the certificate might have expired or been
revoked, or the certificate might not have been approved.", you most
probably had your agent certificate imported OK. We have a bug for this
that we are working on. This message shows up despite an actual
successful import.
The "preop.pin" you speak of is used in the case that one has not yet
completed the installation wizard.
Here are few things you can try:
1. If you have already finished the wizard, you should be able to simply
proceed to the agent interface URL without any pin, provided you have
successfully imported the Admin cert. Simply go to
"https://host.example.com:9443" and see if you can proceed using the
agent interface.
2. If the nasty error message from above scared you off of actually
finishing the configuration wizard, go back and do so. This is done with
the URL that gets printed when the instance is installed. It looks
something like:
http://host.example.com:9080/ca/admin/console/config/login?<preop.pin>
3. If everything is too confused, you can start the process over by
using our "pkiremove" tool which removes an existing instance. Try
something like, as root:
pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
The "pki-ca" at the end is the name of the instance you are trying to
remove. The very first instance that is installed when you install the
RPM is in fact "pki-ca".
From here you can try again by doing the following as root:
rpm -ev pki-ca
yum install pki-ca
This will reinstall your RPM for the CA and create a brand new instance.
Note: Make sure you have used "pkiremove" to remove all instances you
may have created before trying this.
4. If the above is too confusing, we can hash it out on the "#dogtag-pi"
IRC channel.
thanks,
jack
Ebbe Hansen wrote:
> After using the DogTag WEB Agent client once (based upon "preop.pin"
> value) the WEB Agent fail to continue to operate with error message=
> "Invalid Credential" .
>
> The "/var/lib/<instance>/logs/system" file reports an "User not
found"
>
> error.
>
> NOTE: During the CA configuration setup the following Alert is
> displayed when the administrator certificate is installed:
>
> "This certificate can't be verified and will not be imported. The
> certificate issuer might be unknown or untrusted, the certificate
> might have expired or been revoked, or the certificate might not have
> been approved."
>
> Suggestions on what to try next will be appreciated?
>
> Ebbe Hansen @ SPYRUS
>
> "This message and any attached documents contain SPYRUS confidential
> and/or proprietary information and may be subject to privilege or
> exempt from disclosure under applicable law. These materials are
> intended only for the use of the intended recipient. If you are not
> the intended recipient of this electronic message, you are hereby
> notified that any use of this message is strictly prohibited. Delivery
>
> of this message to any person other than the intended recipient shall
> not constitute any waiver of any privilege. If you have received this
> message in error, please delete this message from your system and
> notify the sender immediately. Thank you."
>
>
>
------------------------------------------------------------------------
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
6:59 p.m.
Ebbe,
Actually, I have an update for you on your request. Please see
https://bugzilla.redhat.com/show_bug.cgi?id=440141. If you checkout the
subversion source, we now include a Perl script that will let you remove
DS instances. It's use is documented in the Dogtag Wiki at
http://pki.fedoraproject.org/wiki/PKI_Components_Collectively_via_Subversion.
Once again, thanks for using Dogtag!
-- Matt
Jack Magne wrote:
Ebbe:
You can leave your current directory instance. When you re-do the
config wizard, you will just have to give unique names for the new
directory trees it will have to create. Removing instances is a great
idea for us to work on.
thanks,
jack
Ebbe Hansen wrote:
> Thanks for the advice -- so far I have created three CA instances using
> different names (pki-ca, pki-ca1, and pki-ca2) -- I will remove all
> three and start all over!
>
> With respect to directory server instance(s) - should I also remove
> them?
>
> If yes -- what command(s) should I use?
>
> Ebbe
>
> "This message and any attached documents contain SPYRUS confidential
> and/or proprietary information and may be subject to privilege or exempt
> from disclosure under applicable law. These materials are intended only
> for the use of the intended recipient. If you are not the intended
> recipient of this electronic message, you are hereby notified that any
> use of this message is strictly prohibited. Delivery of this message to
> any person other than the intended recipient shall not constitute any
> waiver of any privilege. If you have received this message in error,
> please delete this message from your system and notify the sender
> immediately. Thank you."
>
> -----Original Message-----
> From: Jack Magne [mailto:jmagne@redhat.com] Sent: Friday, April 25,
> 2008 4:20 PM
> To: Ebbe Hansen; pki-users(a)redhat.com
> Subject: Re: [Pki-users] Invalid Credential / User not found
>
> Ebbe:
>
> Thanks for trying out Dogtag. A few tips to help out below.
>
> During the wizard when you saw the message "This certificate can't be
> verified and will not be imported. The certificate issuer might be
> unknown or untrusted, the certificate might have expired or been
> revoked, or the certificate might not have been approved.", you most
> probably had your agent certificate imported OK. We have a bug for
> this that we are working on. This message shows up despite an actual
> successful import.
>
> The "preop.pin" you speak of is used in the case that one has not yet
> completed the installation wizard.
>
> Here are few things you can try:
>
> 1. If you have already finished the wizard, you should be able to simply
>
> proceed to the agent interface URL without any pin, provided you have
> successfully imported the Admin cert. Simply go to
> "https://host.example.com:9443" and see if you can proceed using the
> agent interface.
>
> 2. If the nasty error message from above scared you off of actually
> finishing the configuration wizard, go back and do so. This is done with
>
> the URL that gets printed when the instance is installed. It looks
> something like:
>
> http://host.example.com:9080/ca/admin/console/config/login?<preop.pin>
>
> 3. If everything is too confused, you can start the process over by
> using our "pkiremove" tool which removes an existing instance. Try
> something like, as root:
>
> pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
>
> The "pki-ca" at the end is the name of the instance you are trying to
> remove. The very first instance that is installed when you install
> the RPM is in fact "pki-ca".
>
> From here you can try again by doing the following as root:
>
> rpm -ev pki-ca
> yum install pki-ca
>
> This will reinstall your RPM for the CA and create a brand new instance.
>
> Note: Make sure you have used "pkiremove" to remove all instances you
> may have created before trying this.
>
> 4. If the above is too confusing, we can hash it out on the "#dogtag-pi"
>
> IRC channel.
>
> thanks,
> jack
>
>
> Ebbe Hansen wrote:
>
>> After using the DogTag WEB Agent client once (based upon "preop.pin"
>> value) the WEB Agent fail to continue to operate with error message=
>> "Invalid Credential" .
>>
>> The "/var/lib/<instance>/logs/system" file reports an "User
not found"
>>
>
>
>> error.
>>
>> NOTE: During the CA configuration setup the following Alert is
>> displayed when the administrator certificate is installed:
>>
>> "This certificate can't be verified and will not be imported. The
>> certificate issuer might be unknown or untrusted, the certificate
>> might have expired or been revoked, or the certificate might not
>> have been approved."
>>
>> Suggestions on what to try next will be appreciated?
>>
>> Ebbe Hansen @ SPYRUS
>>
>> "This message and any attached documents contain SPYRUS confidential
>> and/or proprietary information and may be subject to privilege or
>> exempt from disclosure under applicable law. These materials are
>> intended only for the use of the intended recipient. If you are not
>> the intended recipient of this electronic message, you are hereby
>> notified that any use of this message is strictly prohibited. Delivery
>>
>
>
>> of this message to any person other than the intended recipient
>> shall not constitute any waiver of any privilege. If you have
>> received this message in error, please delete this message from your
>> system and notify the sender immediately. Thank you."
>>
>>
>>
> ------------------------------------------------------------------------
>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
>
------------------------------------------------------------------------
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
5:58 p.m.
DogTag support,
By enabling the Linux LDAP authentication option, I was successful
eliminating the "Invalid Credential" error message when starting the
"DogTag" WEB Agent.
My question is now, how do I "enable" the LDAP authentication option when
executing the WEB Agent via a FireFox browser that executes on a windows-XP
perform?
I have found some Internet sites that mention a "LDAP plug-in" -- is such
module available for FireFox/windows so I can execute the "DogTag" WEB Agent
from windows??
Ebbe Hansen @ SPYRUS
"This message and any attached documents contain SPYRUS confidential and/or
proprietary information and may be subject to privilege or exempt from
disclosure under applicable law. These materials are intended only for the
use of the intended recipient. If you are not the intended recipient of this
electronic message, you are hereby notified that any use of this message is
strictly prohibited. Delivery of this message to any person other than the
intended recipient shall not constitute any waiver of any privilege. If you
have received this message in error, please delete this message from your
system and notify the sender immediately. Thank you."
-----Original Message-----
From: Jack Magne [mailto:jmagne@redhat.com]
Sent: Friday, April 25, 2008 4:48 PM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] Invalid Credential / User not found
Ebbe:
You can leave your current directory instance. When you re-do the config
wizard, you will just have to give unique names for the new directory
trees it will have to create. Removing instances is a great idea for us
to work on.
thanks,
jack
Ebbe Hansen wrote:
Thanks for the advice -- so far I have created three CA instances
using
different names (pki-ca, pki-ca1, and pki-ca2) -- I will remove all
three and start all over!
With respect to directory server instance(s) - should I also remove
them?
If yes -- what command(s) should I use?
Ebbe
"This message and any attached documents contain SPYRUS confidential
and/or proprietary information and may be subject to privilege or exempt
from disclosure under applicable law. These materials are intended only
for the use of the intended recipient. If you are not the intended
recipient of this electronic message, you are hereby notified that any
use of this message is strictly prohibited. Delivery of this message to
any person other than the intended recipient shall not constitute any
waiver of any privilege. If you have received this message in error,
please delete this message from your system and notify the sender
immediately. Thank you."
-----Original Message-----
From: Jack Magne [mailto:jmagne@redhat.com]
Sent: Friday, April 25, 2008 4:20 PM
To: Ebbe Hansen; pki-users(a)redhat.com
Subject: Re: [Pki-users] Invalid Credential / User not found
Ebbe:
Thanks for trying out Dogtag. A few tips to help out below.
During the wizard when you saw the message "This certificate can't be
verified and will not be imported. The certificate issuer might be
unknown or untrusted, the certificate might have expired or been
revoked, or the certificate might not have been approved.", you most
probably had your agent certificate imported OK. We have a bug for this
that we are working on. This message shows up despite an actual
successful import.
The "preop.pin" you speak of is used in the case that one has not yet
completed the installation wizard.
Here are few things you can try:
1. If you have already finished the wizard, you should be able to simply
proceed to the agent interface URL without any pin, provided you have
successfully imported the Admin cert. Simply go to
"https://host.example.com:9443" and see if you can proceed using the
agent interface.
2. If the nasty error message from above scared you off of actually
finishing the configuration wizard, go back and do so. This is done with
the URL that gets printed when the instance is installed. It looks
something like:
http://host.example.com:9080/ca/admin/console/config/login?<preop.pin>
3. If everything is too confused, you can start the process over by
using our "pkiremove" tool which removes an existing instance. Try
something like, as root:
pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
The "pki-ca" at the end is the name of the instance you are trying to
remove. The very first instance that is installed when you install the
RPM is in fact "pki-ca".
From here you can try again by doing the following as root:
rpm -ev pki-ca
yum install pki-ca
This will reinstall your RPM for the CA and create a brand new instance.
Note: Make sure you have used "pkiremove" to remove all instances you
may have created before trying this.
4. If the above is too confusing, we can hash it out on the "#dogtag-pi"
IRC channel.
thanks,
jack
Ebbe Hansen wrote:
> After using the DogTag WEB Agent client once (based upon "preop.pin"
> value) the WEB Agent fail to continue to operate with error message=
> "Invalid Credential" .
>
> The "/var/lib/<instance>/logs/system" file reports an "User not
found"
>
> error.
>
> NOTE: During the CA configuration setup the following Alert is
> displayed when the administrator certificate is installed:
>
> "This certificate can't be verified and will not be imported. The
> certificate issuer might be unknown or untrusted, the certificate
> might have expired or been revoked, or the certificate might not have
> been approved."
>
> Suggestions on what to try next will be appreciated?
>
> Ebbe Hansen @ SPYRUS
>
> "This message and any attached documents contain SPYRUS confidential
> and/or proprietary information and may be subject to privilege or
> exempt from disclosure under applicable law. These materials are
> intended only for the use of the intended recipient. If you are not
> the intended recipient of this electronic message, you are hereby
> notified that any use of this message is strictly prohibited. Delivery
>
> of this message to any person other than the intended recipient shall
> not constitute any waiver of any privilege. If you have received this
> message in error, please delete this message from your system and
> notify the sender immediately. Thank you."
>
>
>
------------------------------------------------------------------------
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
>
7:07 p.m.
Ebbe:
I think I may have an idea what the issue is. If I'm off track, please
let me know.
It sounds like you made it successfully through the installation wizard
of the Dogtag CA, and was able to successfully import the "Admin" Cert
into the browser you used to perform the wizard. This means that the
identity of the "Admin" or "Agent" can be presented to the server when
requested. This explains why you were able to get to the Agent page ok.
It sounds like you are now trying to get to the Agent interface using
perhaps another browser on some other machine. If this is the case, you
are being denied because the other browser/machine does not have the
"Admin/Agent" certificate imported. To fix this do the following:
1. Open the browser (I assume Firefox) on the machine where you can get
to the Agent page.
2. Click Edit->Preferences->View Certificates. Note on different OS's
and different versions of Firefox, this procedure may vary.
3. Click "Your Certificates".
4. In the list, you should have one called "Administrator". Click on
this cert.
5. Click the "export" button. This will enable you to export your
certificate to the PKCS#12 format.
6. Grab this XXXXX.p12 file and move it over to the other machine you
want to be able to get to the Agent page from.
7. Open Firefox and clock on Edit->Preferences->View Certificates->Your
Certificates.
8. Click on "import".
9. Find the XXXXXX.p12 file you created and following the instructions.
10. After successfully importing your certificate, you should be able to
get to the Dogtag Agent page from this other machine.
thanks,
jack
Ebbe Hansen wrote:
DogTag support,
By enabling the Linux LDAP authentication option, I was successful
eliminating the "Invalid Credential" error message when starting the
"DogTag" WEB Agent.
My question is now, how do I "enable" the LDAP authentication option when
executing the WEB Agent via a FireFox browser that executes on a windows-XP
perform?
I have found some Internet sites that mention a "LDAP plug-in" -- is such
module available for FireFox/windows so I can execute the "DogTag" WEB Agent
from windows??
Ebbe Hansen @ SPYRUS
"This message and any attached documents contain SPYRUS confidential and/or
proprietary information and may be subject to privilege or exempt from
disclosure under applicable law. These materials are intended only for the
use of the intended recipient. If you are not the intended recipient of this
electronic message, you are hereby notified that any use of this message is
strictly prohibited. Delivery of this message to any person other than the
intended recipient shall not constitute any waiver of any privilege. If you
have received this message in error, please delete this message from your
system and notify the sender immediately. Thank you."
-----Original Message-----
From: Jack Magne [mailto:jmagne@redhat.com]
Sent: Friday, April 25, 2008 4:48 PM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] Invalid Credential / User not found
Ebbe:
You can leave your current directory instance. When you re-do the config
wizard, you will just have to give unique names for the new directory
trees it will have to create. Removing instances is a great idea for us
to work on.
thanks,
jack
Ebbe Hansen wrote:
> Thanks for the advice -- so far I have created three CA instances using
> different names (pki-ca, pki-ca1, and pki-ca2) -- I will remove all
> three and start all over!
>
> With respect to directory server instance(s) - should I also remove
> them?
>
> If yes -- what command(s) should I use?
>
> Ebbe
>
> "This message and any attached documents contain SPYRUS confidential
> and/or proprietary information and may be subject to privilege or exempt
> from disclosure under applicable law. These materials are intended only
> for the use of the intended recipient. If you are not the intended
> recipient of this electronic message, you are hereby notified that any
> use of this message is strictly prohibited. Delivery of this message to
> any person other than the intended recipient shall not constitute any
> waiver of any privilege. If you have received this message in error,
> please delete this message from your system and notify the sender
> immediately. Thank you."
>
> -----Original Message-----
> From: Jack Magne [mailto:jmagne@redhat.com]
> Sent: Friday, April 25, 2008 4:20 PM
> To: Ebbe Hansen; pki-users(a)redhat.com
> Subject: Re: [Pki-users] Invalid Credential / User not found
>
> Ebbe:
>
> Thanks for trying out Dogtag. A few tips to help out below.
>
> During the wizard when you saw the message "This certificate can't be
> verified and will not be imported. The certificate issuer might be
> unknown or untrusted, the certificate might have expired or been
> revoked, or the certificate might not have been approved.", you most
> probably had your agent certificate imported OK. We have a bug for this
> that we are working on. This message shows up despite an actual
> successful import.
>
> The "preop.pin" you speak of is used in the case that one has not yet
> completed the installation wizard.
>
> Here are few things you can try:
>
> 1. If you have already finished the wizard, you should be able to simply
>
> proceed to the agent interface URL without any pin, provided you have
> successfully imported the Admin cert. Simply go to
> "https://host.example.com:9443" and see if you can proceed using the
> agent interface.
>
> 2. If the nasty error message from above scared you off of actually
> finishing the configuration wizard, go back and do so. This is done with
>
> the URL that gets printed when the instance is installed. It looks
> something like:
>
> http://host.example.com:9080/ca/admin/console/config/login?<preop.pin>
>
> 3. If everything is too confused, you can start the process over by
> using our "pkiremove" tool which removes an existing instance. Try
> something like, as root:
>
> pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
>
> The "pki-ca" at the end is the name of the instance you are trying to
> remove. The very first instance that is installed when you install the
> RPM is in fact "pki-ca".
>
> From here you can try again by doing the following as root:
>
> rpm -ev pki-ca
> yum install pki-ca
>
> This will reinstall your RPM for the CA and create a brand new instance.
>
> Note: Make sure you have used "pkiremove" to remove all instances you
> may have created before trying this.
>
> 4. If the above is too confusing, we can hash it out on the "#dogtag-pi"
>
> IRC channel.
>
> thanks,
> jack
>
>
> Ebbe Hansen wrote:
>
>
>> After using the DogTag WEB Agent client once (based upon "preop.pin"
>> value) the WEB Agent fail to continue to operate with error message=
>> "Invalid Credential" .
>>
>> The "/var/lib/<instance>/logs/system" file reports an "User
not found"
>>
>>
>
>
>> error.
>>
>> NOTE: During the CA configuration setup the following Alert is
>> displayed when the administrator certificate is installed:
>>
>> "This certificate can't be verified and will not be imported. The
>> certificate issuer might be unknown or untrusted, the certificate
>> might have expired or been revoked, or the certificate might not have
>> been approved."
>>
>> Suggestions on what to try next will be appreciated?
>>
>> Ebbe Hansen @ SPYRUS
>>
>> "This message and any attached documents contain SPYRUS confidential
>> and/or proprietary information and may be subject to privilege or
>> exempt from disclosure under applicable law. These materials are
>> intended only for the use of the intended recipient. If you are not
>> the intended recipient of this electronic message, you are hereby
>> notified that any use of this message is strictly prohibited. Delivery
>>
>>
>
>
>> of this message to any person other than the intended recipient shall
>> not constitute any waiver of any privilege. If you have received this
>> message in error, please delete this message from your system and
>> notify the sender immediately. Thank you."
>>
>>
>>
>>
> ------------------------------------------------------------------------
>
>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>>
>
>
8:14 p.m.
Thanks Jack,
I will try to export Agent's the PKCS#12 and then import it into another
client platform.
My initial problem "Invalid Credentials" may have occurred because I issued
a user-type certificate to the Agent itself when running the Agent for the
first time. This second certificate may hereafter have hindered a default
authentication session each time I restarted the Agent services (resulting
in the "Invalid Credentials" message). Only after I enabled the Linux/Fedora
LDAP authentication option was I presented with a choice so I could select
the proper Agent/Admin certificate needed for the initial authentication as
the WEB page is opened.
Instead of "cloning" the Agent/Admin certificate (and key - via use of the
PKCS#12) to another location, I would prefer to use a dedicated Agent
(assistance type) certificate template and apply for such certificate using
the EE WEB page from this alternative platform (to be approved by the
original Agent of course). Is such "Agent delegation" possible using the
current DogTag software?
Ebbe
"This message and any attached documents contain SPYRUS confidential and/or
proprietary information and may be subject to privilege or exempt from
disclosure under applicable law. These materials are intended only for the
use of the intended recipient. If you are not the intended recipient of this
electronic message, you are hereby notified that any use of this message is
strictly prohibited. Delivery of this message to any person other than the
intended recipient shall not constitute any waiver of any privilege. If you
have received this message in error, please delete this message from your
system and notify the sender immediately. Thank you."
-----Original Message-----
From: Jack Magne [mailto:jmagne@redhat.com]
Sent: Monday, April 28, 2008 5:08 PM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] Invalid Credential / User not found
Ebbe:
I think I may have an idea what the issue is. If I'm off track, please
let me know.
It sounds like you made it successfully through the installation wizard
of the Dogtag CA, and was able to successfully import the "Admin" Cert
into the browser you used to perform the wizard. This means that the
identity of the "Admin" or "Agent" can be presented to the server when
requested. This explains why you were able to get to the Agent page ok.
It sounds like you are now trying to get to the Agent interface using
perhaps another browser on some other machine. If this is the case, you
are being denied because the other browser/machine does not have the
"Admin/Agent" certificate imported. To fix this do the following:
1. Open the browser (I assume Firefox) on the machine where you can get
to the Agent page.
2. Click Edit->Preferences->View Certificates. Note on different OS's
and different versions of Firefox, this procedure may vary.
3. Click "Your Certificates".
4. In the list, you should have one called "Administrator". Click on
this cert.
5. Click the "export" button. This will enable you to export your
certificate to the PKCS#12 format.
6. Grab this XXXXX.p12 file and move it over to the other machine you
want to be able to get to the Agent page from.
7. Open Firefox and clock on Edit->Preferences->View Certificates->Your
Certificates.
8. Click on "import".
9. Find the XXXXXX.p12 file you created and following the instructions.
10. After successfully importing your certificate, you should be able to
get to the Dogtag Agent page from this other machine.
thanks,
jack
Ebbe Hansen wrote:
DogTag support,
By enabling the Linux LDAP authentication option, I was successful
eliminating the "Invalid Credential" error message when starting the
"DogTag" WEB Agent.
My question is now, how do I "enable" the LDAP authentication option when
executing the WEB Agent via a FireFox browser that executes on a
windows-XP
perform?
I have found some Internet sites that mention a "LDAP plug-in" -- is such
module available for FireFox/windows so I can execute the "DogTag" WEB
Agent
from windows??
Ebbe Hansen @ SPYRUS
"This message and any attached documents contain SPYRUS confidential
and/or
proprietary information and may be subject to privilege or exempt
from
disclosure under applicable law. These materials are intended only for the
use of the intended recipient. If you are not the intended recipient of
this
electronic message, you are hereby notified that any use of this
message
is
strictly prohibited. Delivery of this message to any person other
than the
intended recipient shall not constitute any waiver of any privilege. If
you
have received this message in error, please delete this message from
your
system and notify the sender immediately. Thank you."
-----Original Message-----
From: Jack Magne [mailto:jmagne@redhat.com]
Sent: Friday, April 25, 2008 4:48 PM
To: Ebbe Hansen
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] Invalid Credential / User not found
Ebbe:
You can leave your current directory instance. When you re-do the config
wizard, you will just have to give unique names for the new directory
trees it will have to create. Removing instances is a great idea for us
to work on.
thanks,
jack
Ebbe Hansen wrote:
> Thanks for the advice -- so far I have created three CA instances using
> different names (pki-ca, pki-ca1, and pki-ca2) -- I will remove all
> three and start all over!
>
> With respect to directory server instance(s) - should I also remove
> them?
>
> If yes -- what command(s) should I use?
>
> Ebbe
>
> "This message and any attached documents contain SPYRUS confidential
> and/or proprietary information and may be subject to privilege or exempt
> from disclosure under applicable law. These materials are intended only
> for the use of the intended recipient. If you are not the intended
> recipient of this electronic message, you are hereby notified that any
> use of this message is strictly prohibited. Delivery of this message to
> any person other than the intended recipient shall not constitute any
> waiver of any privilege. If you have received this message in error,
> please delete this message from your system and notify the sender
> immediately. Thank you."
>
> -----Original Message-----
> From: Jack Magne [mailto:jmagne@redhat.com]
> Sent: Friday, April 25, 2008 4:20 PM
> To: Ebbe Hansen; pki-users(a)redhat.com
> Subject: Re: [Pki-users] Invalid Credential / User not found
>
> Ebbe:
>
> Thanks for trying out Dogtag. A few tips to help out below.
>
> During the wizard when you saw the message "This certificate can't be
> verified and will not be imported. The certificate issuer might be
> unknown or untrusted, the certificate might have expired or been
> revoked, or the certificate might not have been approved.", you most
> probably had your agent certificate imported OK. We have a bug for this
> that we are working on. This message shows up despite an actual
> successful import.
>
> The "preop.pin" you speak of is used in the case that one has not yet
> completed the installation wizard.
>
> Here are few things you can try:
>
> 1. If you have already finished the wizard, you should be able to simply
>
> proceed to the agent interface URL without any pin, provided you have
> successfully imported the Admin cert. Simply go to
> "https://host.example.com:9443" and see if you can proceed using the
> agent interface.
>
> 2. If the nasty error message from above scared you off of actually
> finishing the configuration wizard, go back and do so. This is done with
>
> the URL that gets printed when the instance is installed. It looks
> something like:
>
> http://host.example.com:9080/ca/admin/console/config/login?<preop.pin>
>
> 3. If everything is too confused, you can start the process over by
> using our "pkiremove" tool which removes an existing instance. Try
> something like, as root:
>
> pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
>
> The "pki-ca" at the end is the name of the instance you are trying to
> remove. The very first instance that is installed when you install the
> RPM is in fact "pki-ca".
>
> From here you can try again by doing the following as root:
>
> rpm -ev pki-ca
> yum install pki-ca
>
> This will reinstall your RPM for the CA and create a brand new instance.
>
> Note: Make sure you have used "pkiremove" to remove all instances you
> may have created before trying this.
>
> 4. If the above is too confusing, we can hash it out on the "#dogtag-pi"
>
> IRC channel.
>
> thanks,
> jack
>
>
> Ebbe Hansen wrote:
>
>
>> After using the DogTag WEB Agent client once (based upon "preop.pin"
>> value) the WEB Agent fail to continue to operate with error message=
>> "Invalid Credential" .
>>
>> The "/var/lib/<instance>/logs/system" file reports an "User
not found"
>>
>>
>
>
>> error.
>>
>> NOTE: During the CA configuration setup the following Alert is
>> displayed when the administrator certificate is installed:
>>
>> "This certificate can't be verified and will not be imported. The
>> certificate issuer might be unknown or untrusted, the certificate
>> might have expired or been revoked, or the certificate might not have
>> been approved."
>>
>> Suggestions on what to try next will be appreciated?
>>
>> Ebbe Hansen @ SPYRUS
>>
>> "This message and any attached documents contain SPYRUS confidential
>> and/or proprietary information and may be subject to privilege or
>> exempt from disclosure under applicable law. These materials are
>> intended only for the use of the intended recipient. If you are not
>> the intended recipient of this electronic message, you are hereby
>> notified that any use of this message is strictly prohibited. Delivery
>>
>>
>
>
>> of this message to any person other than the intended recipient shall
>> not constitute any waiver of any privilege. If you have received this
>> message in error, please delete this message from your system and
>> notify the sender immediately. Thank you."
>>
>>
>>
>>
> ------------------------------------------------------------------------
>
>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>>
>
>
6080
days inactive
6084
days old
7 comments
3 participants
participants (3)
-
Ebbe Hansen -
Jack Magne -
Matthew Harmsen