Trevor Vaughan wrote:
> Hi Rob,
> 
> I've created the associated ticket at https://pagure.io/certmonger/issue/93

Great, thanks. I'm investigating this along with the supported cipher
and digest algos. It has been pretty slow going so far.

rob

> 
> On Thu, Feb 1, 2018 at 10:41 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
>     Trevor Vaughan via FreeIPA-users wrote:
>     > As an update, the sscep application set works properly with the sub-CA
>     > so it's definitely an issue on the certmonger side of things.
>     >
>     > sscep in AES mode throws an exception in Dogtag and, unfortunately,
>     > sscep also doesn't support above SHA1.
>     >
>     > That said, it's at least reasonable isolation of the issue at hand.
>     >
>     > It looks like the sscep code may be able to be lifted directly into the
>     > certmonger stack if the licenses are compatible without too much issue.
> 
>     I think your best bet is to open an issue at
>     https://pagure.io/certmonger with as much detail as possible to
>     reproduce this.
> 
>     rob
> 
>     >
>     > Thanks,
>     >
>     > Trevor
>     >
>     > On Wed, Jan 31, 2018 at 2:27 PM, Trevor Vaughan <tvaug...@onyxpoint.com> wrote:
>     >
>     >     Hi Rob,
>     >
>     >     Thanks for getting back to me; I have no idea how I missed this message.
>     >
>     >     I dug through the CA and KRA debug logs and don't see any PKCS7
>     >     output anywhere.
>     >
>     >     I've been running certmonger in debug mode connected to the
>     >     foreground and haven't really gotten anywhere there either.
>     >
>     >     I did determine that the spot where things are failing is at
>     >     https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065 but I
>     >     haven't been able to figure out how to print what is being received
>     >     from the server.
>     >
>     >     Running the 'scep-submit' command by hand with -C works as expected
>     >     (of course Dogtag doesn't respond with server capabilities so it
>     >     downgrades itself into insanity but that doesn't seem to be the
>     >     issue). I also checked to see that the certmonger configuration is
>     >     correct in the ~/.config/certmonger space and the entire certificate
>     >     chain appears to be present as expected.
>     >
>     >     Thanks,
>     >
>     >     Trevor
>     >
>     >     On Tue, Jan 30, 2018 at 10:38 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>     >
>     >         Trevor Vaughan via FreeIPA-users wrote:
>     >         > Hi All,
>     >         >
>     >         > I have a setup where I have a root CA and a sub CA and the sub CA is set
>     >         > up with a KRA and SCEP enabled.
>     >         >
>     >         > I've fired up certmonger and added the SCEP CA.
>     >         >
>     >         > When I attempt to request a certificate, the enrollment completes
>     >         > successfully per the Dogtag side of the equation but the response from
>     >         > the server cannot be decrypted by the client and I get the following
>     >         > error in the certmonger debug log:
>     >         >
>     >         > 2018-01-29 23:56:43 [5396] Child output:
>     >         > "Error: failed to verify signature on server response.
>     >         > "
>     >         > 2018-01-29 23:56:43 [5396] Error: failed to verify signature on server response.
>     >         >
>     >         > The following commands were used for server addition and certificate
>     >         > registration.
>     >         >
>     >         > getcert add-scep-ca -c Site_CA -u
>     >         > https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R
>     >         > /etc/pki/site-pki.pem
>     >         >
>     >         > getcert request -c Site_CA -k /etc/pki/my_cert.pem -f
>     >         > /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
>     >         >
>     >         > Looking at the certmonger code, it looks like it is completely skipping
>     >         > all of the case statements and simply dropping down to the 'goto:'
>     >         > https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889
>     >         >
>     >         > I've tried recompiling certmonger with some debug statements but I
>     >         > haven't managed to suss out what's going on. If someone could tell me
>     >         > how to print the actual response from the server, it would be
>     >         > appreciated.
>     >         >
>     >         > It certainly feels like the SCEP support has taken a back seat to the
>     >         > CMC features but the CMC features just aren't ready to replace SCEP at
>     >         > this time and, of course, can't support a lot of hardware
>     >         > requirements.
>     >
>     >         A couple of things to try:
>     >
>     >         - look in the dogtag debug log (/var/log/pki-tomcat/somewhere). It may
>     >         have the raw PKCS#7 data to poke at
>     >         - stop the certmonger service and start it in a terminal with
>     >         certmonger -d 9 -n 2>&1 | tee /path/to/some/log and then redo the
>     >         request. Again, you may be able to get some data out of it.
>     >
>     >         I haven't tried SCEP with a subCA. It could be there is some
>     >         disagreement about who is actually signing the response.
>     >
>     >         rob
>     >
>     >
>     >     --
>     >     Trevor Vaughan
>     >     Vice President, Onyx Point, Inc
>     >     (410) 541-6699 x788
>     >
>     >     -- This account not approved for unencrypted proprietary information --
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
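Rob's hint about "who is actually signing the response" can be exercised offline with OpenSSL. The script below is an added example, not code from this thread, certmonger or Dogtag: it builds a constructed root CA and sub CA, has the sub CA sign a PKCS#7 SignedData the way a SCEP CA signs its reply, prints the certificates embedded in that blob, and shows that the same signature verifies or fails depending only on which CA certificates the verifier is given. All names, paths and the response body are constructed.

```shell
#!/bin/sh
# Added example, not certmonger/Dogtag code. Constructed root CA and sub CA,
# a PKCS#7 SignedData signed by the sub CA (the role a SCEP CA plays for its
# response), then: who signed it, and what the verifier needs to trust.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Both CA certs get an explicit CA:TRUE so nothing depends on openssl.cnf.
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 \
    -extfile ca.ext -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
    -subj "/CN=Example Sub CA" 2>/dev/null
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out sub.pem 2>/dev/null

# Stand-in for the server response: a constructed body, signed by the sub CA,
# with the signer certificate embedded (as SCEP responses normally carry it).
printf 'constructed SCEP response body\n' > body.txt
openssl cms -sign -in body.txt -signer sub.pem -inkey sub.key \
    -nodetach -binary -outform DER -out response.p7
RESP=$WORK/response.p7; ROOT=$WORK/root.pem; SUB=$WORK/sub.pem

# Subject/issuer of every certificate embedded in the response: the quickest
# way to see which CA actually signed it.
embedded_certs() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout
}

# Verify a DER response with whatever trust arguments follow it; the exit
# status is the verdict. -purpose any: the signer is a CA cert, not an EE cert.
verify_response() {
    resp=$1; shift
    openssl cms -verify -inform DER -in "$resp" -purpose any \
        -out /dev/null "$@" >/dev/null 2>&1
}
verdict() { if verify_response "$@"; then echo OK; else echo FAIL; fi; }

embedded_certs "$RESP"
# 1. trust the root, let the embedded sub CA cert complete the chain: OK
echo "root trusted, chain from message:    $(verdict "$RESP" -CAfile "$ROOT")"
# 2. trust the root but ignore embedded certs (-nointern): signer not found
echo "root trusted, message certs ignored: $(verdict "$RESP" -CAfile "$ROOT" -nointern -certfile "$ROOT")"
# 3. trust only the sub CA as if it were a root: its issuer cannot be found
echo "only sub CA trusted:                 $(verdict "$RESP" -CAfile "$SUB")"
```

If the `-d 9` run Rob describes yields the raw server response, the same `openssl pkcs7 -print_certs` and `openssl cms -verify` calls can be pointed at it, with the file given to `-R` as the trust input, to see which of the three cases the real setup is in.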