Hi Hayg,

I am running Fedora 22 so I'm not sure if there is any difference at all.

I would like to understand your issue(s) better.
When you said that your request failed because it was "getting deferred", does that mean you have it in the enrollment profile for manual approval? In other words, was it your intention to have the request manually approved by the CA agents? You realize that if you require manual agent approval, there is no option for sscep to "fetch" the already issued cert, right?

Or, did you not intend to have the request deferred and failed? In which case, you want to know why it failed? If so, do you have a relevant debug log to give us some clue?

Did I misunderstand your issue?

Christina

On 04/05/2016 02:57 AM, haygastour...@gmail.com wrote:
Hello everyone,

I've been trying to enroll with dogtag via SSCEP for the last few days to no avail and I've reached the end of my rope, so I'm reaching out for your help (which I very much would appreciate).

I am running Ubuntu and my dogtag versions are:
hayg@hayg:~$ dpkg -l | grep dogtag

    ii dogtag-pki 10.2.6-1 all Dogtag Public Key Infrastructure (PKI) Suite
    ii dogtag-pki-console-theme 10.2.6-1 all Certificate System - PKI Console User Interface
    ii dogtag-pki-server-theme 10.2.6-1 all Certificate System - PKI Server User Interface

My SSCEP:
[~/sscep]$ cat VERSION

    0.6.1


My flatfile.txt:
hayg@hayg:~$ sudo cat /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt

    #UID:172.16.24.238
    #PWD:1212
    UID:10.129.25.186
    PWD:secret

(I restarted my pki-tomcatd service just in case, to make sure it took effect)

On the SSCEP side I'm doing: ./sscep enroll -l cert.pem -r local.csr -k local.key -c astourian.crt -u 'http://hayg.astourian.info:8080/ca/cgi-bin/pkiclient.exe'

This fails because the request is getting deferred and I have fail on defer set to true, per the docs.

The request actually shows up in 'List Certificates' when I go to the web UI, but when I try to approve it, I get:

    The Certificate System has encountered an unrecoverable error.
    Error Message:
    java.lang.NullPointerException
    Please contact your local administrator for assistance.

When I try to resume the enrollment by adding the -R flag to sscep it fails with the following error in the logs:

    CRSEnrollment: No certificate has been found


My CSR:
[~/sscep]$ openssl req -in local.csr -noout -text

    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: CN=10.129.25.186
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                        00:ab:f4:b7:55:bd:26:51:b7:65:b9:51:4e:08:31:
                        83:ef:d6:b7:97:cc:cb:82:4b:a6:3f:be:ac:1c:9a:
                        f5:1e:0d:56:7c:6a:be:d3:49:17:b6:ba:42:05:eb:
                        6c:e2:ff:2b:0f:64:d5:ae:e8:5b:6c:f8:df:74:ef:
                        1f:a1:94:50:4c:35:90:bc:02:2b:2a:e3:80:b6:e1:
                        75:a0:34:4d:74:0b:47:2c:f5:2d:87:2a:72:4a:93:
                        5b:76:a8:cc:96:56:0b:de:62:69:1e:37:30:eb:49:
                        4a:0a:8c:55:c4:0e:a7:9d:95:88:2d:ed:15:19:c6:
                        19:93:02:84:40:09:40:44:b1
                    Exponent: 65537 (0x10001)
            Attributes:
                challengePassword        :secret
            Requested Extensions:
                X509v3 Subject Alternative Name: critical
                    IP Address:10.129.25.186
        Signature Algorithm: sha1WithRSAEncryption
             7e:85:96:60:54:ed:c7:fd:d4:9d:b9:48:4c:d6:5a:2d:b1:62:
             8f:26:58:04:da:f2:6d:cf:c7:59:dc:b5:b2:a9:69:8d:e0:df:
             4d:26:7b:51:3e:d5:f4:90:21:d9:20:69:6f:6f:e1:58:28:90:
             05:a7:38:1b:04:05:e6:84:03:78:95:90:d6:da:0c:56:c1:e9:
             16:d4:01:15:c5:5e:06:3f:44:48:6e:e5:dd:f6:dc:62:0a:f9:
             af:e7:c5:3d:0a:86:b1:99:40:90:ff:30:02:92:91:fb:dd:50:
             f0:df:bf:73:96:6f:04:3e:73:66:02:86:66:a0:00:fa:a7:58:
             ea:ae

As you can see, the password is "secret" and the CN is the UID from flatfile.txt.

I welcome you all to try enrolling with my server. I can then try approving and see if it works.

Again, I very much appreciate all of your help. Please excuse my wall of text x_x

Thanks,
Hayg


_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
