Trevor Vaughan via FreeIPA-users wrote:
> As an update, the sscep application set works properly with the sub-CA
> so it's definitely an issue on the certmonger side of things.
>
> sscep in AES mode throws an exception in Dogtag and, unfortunately,
> sscep also doesn't support above SHA1.
>
> That said, it's at least reasonable isolation of the issue at hand.
>
> It looks like the sscep code may be able to be lifted directly into the
> certmonger stack if the licenses are compatible without too much issue.

I think your best bet is to open an issue at https://pagure.io/certmonger
with as much detail as possible to reproduce this.

rob

>
> Thanks,
>
> Trevor
>
> On Wed, Jan 31, 2018 at 2:27 PM, Trevor Vaughan <tvaug...@onyxpoint.com> wrote:
> > Hi Rob,
> >
> > Thanks for getting back to me, I have no idea how I missed this message.
> >
> > I dug through the CA and KRA debug logs and don't see any PKCS7
> > output anywhere.
> >
> > I've been running certmonger in debug mode connected to the
> > foreground and haven't really gotten anywhere there either.
> >
> > I did determine that the spot where things are failing is at
> > https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065 but I
> > haven't been able to figure out how to print what is being received
> > from the server.
> >
> > Running the 'scep-submit' command by hand with -C works as expected
> > (of course Dogtag doesn't respond with server capabilities so it
> > downgrades itself into insanity but that doesn't seem to be the
> > issue). I also checked to see that the certmonger configuration is
> > correct in the ~/.config/certmonger space and the entire certificate
> > chain appears to be present as expected.
> >
> > Thanks,
> >
> > Trevor
> >
> > On Tue, Jan 30, 2018 at 10:38 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> > > Trevor Vaughan via FreeIPA-users wrote:
> > > > Hi All,
> > > >
> > > > I have a setup where I have a root CA and a sub CA and the sub CA is set
> > > > up with a KRA and SCEP enabled.
> > > >
> > > > I've fired up certmonger and added the SCEP CA.
> > > >
> > > > When I attempt to request a certificate, the enrollment completes
> > > > successfully per the Dogtag side of the equation but the response from
> > > > the server cannot be decrypted by the client and I get the following
> > > > error in the certmonger debug log:
> > > >
> > > > 2018-01-29 23:56:43 [5396] Child output:
> > > > "Error: failed to verify signature on server response.
> > > > "
> > > > 2018-01-29 23:56:43 [5396] Error: failed to verify signature on server response.
> > > >
> > > > The following commands were used for server addition and certificate
> > > > registration.
> > > >
> > > > getcert add-scep-ca -c Site_CA -u
> > > > https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R
> > > > /etc/pki/site-pki.pem
> > > >
> > > > getcert request -c Site_CA -k /etc/pki/my_cert.pem -f
> > > > /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
> > > >
> > > > Looking at the certmonger code, it looks like it is completely skipping
> > > > all of the case statements and simply dropping down to the 'goto:'
> > > > https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889
> > > >
> > > > I've tried recompiling certmonger with some debug statements but I
> > > > haven't managed to suss out what's going on. If someone could tell me
> > > > how to print the actual response from the server, it would be appreciated.
> > > >
> > > > It certainly feels like the SCEP support has taken a back seat to the
> > > > CMC features but the CMC features just aren't ready to replace SCEP at
> > > > this time and, of course, can't support a lot of hardware requirements.
> > >
> > > A couple of things to try:
> > >
> > > - look in the dogtag debug log (/var/log/pki-tomcat/somewhere). It may
> > >   have the raw PKCS#7 data to poke at
> > > - stop the certmonger service and start it in a terminal with
> > >   certmonger -d 9 -n 2>&1 | tee /path/to/some/log and then redo the request.
> > >   Again, you may be able to get some data out of it.
> > >
> > > I haven't tried SCEP with a subCA. It could be there is some
> > > disagreement about who is actually signing the response.
> > >
> > > rob
> >
> > --
> > Trevor Vaughan
> > Vice President, Onyx Point, Inc
> > (410) 541-6699 x788
> >
> > -- This account not approved for unencrypted proprietary information --
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
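One way to test Rob's closing hypothesis (who actually signed the response) on any PKCS#7 SignedData, added here as an example and not part of the thread or of certmonger: it builds a throwaway root CA and sub CA with openssl, signs a stand-in reply with the sub CA, then extracts the signer's subject and checks whether the signature chains to a given CA file, which is the same decision certmonger has to make against the chain handed to getcert add-scep-ca -R. All certificates, names and the payload are constructed, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): build a constructed root CA and sub CA,
# let the sub CA sign a PKCS#7 SignedData (the shape of a SCEP reply), then
# identify the signer and check it against a chain file, which is the check
# a SCEP client has to pass before it trusts a server response.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway root CA, a sub CA issued by it, and an unrelated CA for comparison.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj /CN=Root -days 1 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
    -subj /CN=Sub 2>/dev/null
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out sub.crt -days 1 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
    -subj /CN=Other -days 1 2>/dev/null

# Stand-in server response: SignedData over a constructed payload, signed by the sub CA.
echo "constructed SCEP reply payload" > payload.txt
openssl cms -sign -in payload.txt -signer sub.crt -inkey sub.key \
    -md sha256 -nodetach -outform DER -out response.p7

# signer_of FILE: print the RFC 2253 subject of the certificate that signed FILE,
# without checking trust, to answer "who actually signed this?".
signer_of() {
    openssl cms -verify -noverify -inform DER -in "$1" -signer "$1.signer.pem" \
        -out /dev/null 2>/dev/null
    openssl x509 -in "$1.signer.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# verifies_against FILE CHAIN: "yes" if the signature chains to CHAIN, else "no".
# With a sub CA signer, CHAIN must let the verifier reach a trusted root.
verifies_against() {
    if openssl cms -verify -inform DER -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
    then echo yes; else echo no; fi
}

echo "signer: $(signer_of response.p7)"
echo "trusts root chain: $(verifies_against response.p7 root.crt)"
echo "trusts unrelated chain: $(verifies_against response.p7 other.crt)"
```

Point the two functions at a captured response (for example the raw PKCS#7 pulled from the Dogtag debug log) and at the chain file given to getcert add-scep-ca -R to see whether the signer and the configured chain agree.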