Re: [Pki-devel] ACME Support: Error issuing certificate

2020-05-05 Thread Endi Sukma Dewata
- Original Message -
> Hi -
> 
> My team is adding ACME 2.0 client support to the Open Liberty application
> server and wanted to test against Dogtag PKI's ACME server. My intention is
> to containerize the ACME server and drive it through the same functional
> tests we run against other ACME CA servers (i.e. - Pebble and Boulder for
> instance) to verify compatibility.
> 
> The first error I hit was an issue with using JSS 4.7 and I understand that
> will be fixed by PR https://github.com/dogtagpki/jss/pull/532 .
>
> [snip]
>
> To move past this error, I was advised to move down to JSS 4.6.2. Upon doing
> so, I made it past the initial error but now hit the following error:
>
> [snip]
>
> I can see in the ACME server's trace that it does indeed authorize my
> ownership of the domain and then try to issue the certificate. Examining the
> AcmeIssuer class shows that this class has several methods that are not
> implemented.
> 
> https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuer.java#L61
> Is this expected or is it possible I have a misconfiguration? I assume I am
> testing too early and need to wait until the implementation is further
> along, but I wanted to test early enough that if there were issues I could
> detect them earlier rather than later.
> 
> If it matters, I am testing with the image from @pki/master on a Fedora
> 30 docker container.

Hi Jesse,

Thanks for your interest in Dogtag PKI and particularly the ACME responder.
Please note that the ACME responder itself is not a CA; it requires another
CA to issue the certificates. Currently the only supported CA is the Dogtag
PKI CA, which is connected through PKIIssuer:
https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java

The ACMEIssuer is just a base class. It's possible to support other CAs
by extending ACMEIssuer. If you would like to add support for another issuer
upstream feel free to submit a pull request. We have a prototype for OpenSSL
that we might add later.

The issue with JSS is correct, and we're still working to fix it.

The unimplemented ACMEIssuer issue seems to be caused by a missing CA. Please
follow these docs to install 389 DS, then install Dogtag PKI CA:
https://www.dogtagpki.org/wiki/Installing_DS
https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_CA.md

Then follow these docs to install and verify ACME:
https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_ACME_Responder.md
https://github.com/dogtagpki/pki/blob/master/docs/user/Using_ACME_Responder.md

Officially we do not support containerization yet, but it's possible to run
ACME, CA, and DS in containers under some scenarios.

If you run Fedora 30 as a local Docker container, you can execute commands in
the container to install ACME, CA, and DS like regular Fedora applications.

However, if you want to run each of them as a single process in separate
Docker containers, it is possible with some code changes and tricks:
https://www.dogtagpki.org/wiki/PKI_ACME_Container
https://www.dogtagpki.org/wiki/PKI_CA_Container
https://www.dogtagpki.org/wiki/DS_Container

Similarly, here are the docs for OpenShift deployment:
https://www.dogtagpki.org/wiki/PKI_ACME_OpenShift
https://www.dogtagpki.org/wiki/PKI_CA_OpenShift
https://www.dogtagpki.org/wiki/DS_OpenShift

Please note that the wiki is used for development, so the content might be
outdated. The official docs are on GitHub.

The ACME responder is easier to containerize. We might be able to officially
support its containerization soon. However, the CA might be more difficult
due to its dependency on systemd and other issues. The DS seems to require at
least some code changes.

If you want to test ACME containerization, you probably can install ACME
in a container with CA and DS running on the host machine. If you just want
to test ACME compatibility without containerization, it might be best to
install ACME, CA, and DS on a regular machine for now.

Hope this helps. Let me know if you have any questions.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel



[Pki-devel] ACME Support: Error issuing certificate

2020-05-05 Thread Jesse L Van hill


Hi -

My team is adding ACME 2.0 client support to the Open Liberty application
server and wanted to test against Dogtag PKI's ACME server. My intention is
to containerize the ACME server and drive it through the same functional
tests we run against other ACME CA servers (i.e. - Pebble and Boulder for
instance) to verify compatibility.

The first error I hit was an issue with using JSS 4.7 and I understand that
will be fixed by PR https://github.com/dogtagpki/jss/pull/532 .


  2020-05-04 22:15:53 [http-nio-8080-exec-5] SEVERE: Unable to validate HTTP-01 challenge: Unable to get SunJSSE provider for TLS: SSLContextImpl is not initialized
  java.lang.RuntimeException: Unable to get SunJSSE provider for TLS: SSLContextImpl is not initialized
    at org.mozilla.jss.provider.javax.net.JSSContextSpi.engineGetSocketFactory(JSSContextSpi.java:118)
    at javax.net.ssl.SSLContext.getSocketFactory(SSLContext.java:294)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.(SSLConnectionSocketFactory.java:292)
    at org.apache.http.impl.client.HttpClientBuilder.build(HttpClientBuilder.java:978)
    at org.apache.http.impl.client.HttpClients.createDefault(HttpClients.java:56)
    at org.dogtagpki.acme.validator.HTTP01Validator.getResponse(HTTP01Validator.java:112)
    at org.dogtagpki.acme.validator.HTTP01Validator.validateChallenge(HTTP01Validator.java:63)
    at org.dogtagpki.acme.server.ACMEChallengeService.handlePOST(ACMEChallengeService.java:99)
  ...

To move past this error, I was advised to move down to JSS 4.6.2. Upon
doing so, I made it past the initial error but now hit the following error:

  2020-05-05 18:36:08 [http-nio-8080-exec-7] SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/acme] threw exception
  org.jboss.resteasy.spi.UnhandledException: org.apache.commons.lang.NotImplementedException: Code is not implemented
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
  ...
  Caused by: org.apache.commons.lang.NotImplementedException: Code is not implemented
    at org.dogtagpki.acme.issuer.ACMEIssuer.generateCertificate(ACMEIssuer.java:61)
    at org.dogtagpki.acme.issuer.ACMEIssuer.issueCertificate(ACMEIssuer.java:73)
    at org.dogtagpki.acme.server.ACMEFinalizeOrderService.handlePOST(ACMEFinalizeOrderService.java:79)
  ...

I can see in the ACME server's trace that it does indeed authorize my
ownership of the domain and then try to issue the certificate. Examining
the AcmeIssuer class shows that this class has several methods that are not
implemented.

  https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuer.java#L61

Is this expected or is it possible I have a misconfiguration? I assume I am
testing too early and need to wait until the implementation is further
along, but I wanted to test early enough that if there were issues I could
detect them earlier rather than later.

If it matters, I am testing with the image from @pki/master on a Fedora
30 docker container.


Jesse Van Hill
Websphere Identity Management Architect & Dev Lead
WebSphere Application Server & Open Liberty
https://openliberty.io/
507-513-6234 jlvan...@us.ibm.com
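A small triage helper, added here as an example and not part of this thread or of Dogtag PKI's own code: it groups each SEVERE entry of a Tomcat log with the stack trace that follows it, then maps the two exceptions seen in this message to the ACME stage they occur in (taken from the service classes in the traces) and to the cause given in Endi's reply. The sample log is constructed from the traces above, abbreviated.

```python
import re
from dataclasses import dataclass

# Signatures from the two traces in this thread, mapped to the causes in Endi's reply.
SIGNATURES = [
    (("SSLContextImpl is not initialized",),
     "JSS TLS provider not initialized (JSS 4.7 issue, jss PR #532)"),
    (("NotImplementedException", "ACMEIssuer.generateCertificate"),
     "base ACMEIssuer in use: responder is not connected to a CA (PKIIssuer)"),
]
STAGES = {
    "ACMEChallengeService": "challenge validation",
    "ACMEFinalizeOrderService": "order finalization (after authorization)",
}
ENTRY = re.compile(r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[([^\]]+)\] SEVERE: (.*)$")

@dataclass
class Finding:
    timestamp: str
    stage: str
    diagnosis: str

def triage(log: str) -> list[Finding]:
    """Group each SEVERE line with the trace lines that follow it, then map
    the exception text and the ACME service class to a diagnosis."""
    entries: list[list[str]] = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(3)])
        elif entries:
            entries[-1][1] += "\n" + line.strip()
    findings = []
    for ts, text in entries:
        stage = next((s for cls, s in STAGES.items() if cls in text), "unknown")
        diag = next((d for needles, d in SIGNATURES
                     if all(n in text for n in needles)), "unrecognized exception")
        findings.append(Finding(ts, stage, diag))
    return findings

# Constructed sample: the two traces from this message, abbreviated.
SAMPLE_LOG = """\
2020-05-04 22:15:53 [http-nio-8080-exec-5] SEVERE: Unable to validate HTTP-01 challenge: Unable to get SunJSSE provider for TLS: SSLContextImpl is not initialized
    at org.mozilla.jss.provider.javax.net.JSSContextSpi.engineGetSocketFactory(JSSContextSpi.java:118)
    at org.dogtagpki.acme.server.ACMEChallengeService.handlePOST(ACMEChallengeService.java:99)
2020-05-05 18:36:08 [http-nio-8080-exec-7] SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/acme] threw exception
Caused by: org.apache.commons.lang.NotImplementedException: Code is not implemented
    at org.dogtagpki.acme.issuer.ACMEIssuer.generateCertificate(ACMEIssuer.java:61)
    at org.dogtagpki.acme.server.ACMEFinalizeOrderService.handlePOST(ACMEFinalizeOrderService.java:79)
"""
```

Running `triage(SAMPLE_LOG)` returns one finding per SEVERE entry, which makes it easy to see that the second failure happens only at order finalization, after the HTTP-01 authorization has already succeeded.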

[Pki-devel] [CRON] Still Failing: dogtagpki/pki-nightly-test#706 (master - 2a95153)

2020-05-05 Thread Travis CI
Build Update for dogtagpki/pki-nightly-test
-

Build: #706
Status: Still Failing

Duration: 18 mins and 18 secs
Commit: 2a95153 (master)
Author: Dinesh Prasanth M K
Message: Remove EOL F29 from matrix and add support for v10.8 branch

Signed-off-by: Dinesh Prasanth M K 

View the changeset: 
https://github.com/dogtagpki/pki-nightly-test/compare/1cec22733aad03cad1e589a08281f4a2db79ec90...2a95153102234446e6beb5d4074ae6eebd760fb3

View the full build log and details: 
https://travis-ci.org/github/dogtagpki/pki-nightly-test/builds/683372565?utm_medium=notification_source=email
