Re: [Pki-devel] ACME Support: Error issuing certificate

2020-06-29 Thread Jesse L Van hill

Hi Endi -

Thanks for letting me know about this. We have testing on PKI on our list
of tasks as we finish up working on our ACME client. I will let you know
what we find when we test.

Jesse Van Hill
Websphere Identity Management Architect & Dev Lead
WebSphere Application Server & Open Liberty
https://openliberty.io/
507-513-6234 jlvan...@us.ibm.com



From:   Endi Dewata
To:     Jesse L Van hill
Cc:     pki-devel@redhat.com
Date:   06/29/2020 03:37 PM
Subject: [EXTERNAL] Re: [Pki-devel] ACME Support: Error issuing certificate



Hi Jesse,

I'd like to let you know that we have created a PKI ACME container that can
be deployed much more easily on Podman or OpenShift:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Deploying_ACME_on_Podman.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Deploying_ACME_on_OpenShift.md

By default the container will generate a self-signed CA signing certificate
and use an ephemeral database, but you can configure it with a permanent
certificate and persistent database.

We've also set up a demo instance that you can try:
https://acme.demo.dogtagpki.org/acme/directory

Just let me know if you have any questions. Thanks!

--
Endi S. Dewata

On Tue, Jun 2, 2020 at 8:35 AM Jesse L Van hill 
wrote:
  Hi Endi -

  Unfortunately, customer issues have kept me from pursuing this further. I
  or one of my team still intends on doing so. I will be sure to let you
  know when I have tested.

  Jesse Van Hill
  Websphere Identity Management Architect & Dev Lead
  WebSphere Application Server & Open Liberty
  https://openliberty.io/

  507-513-6234 jlvan...@us.ibm.com


  From:    Endi Sukma Dewata
  To:      Jesse L Van hill
  Cc:      pki-devel@redhat.com
  Date:    06/01/2020 10:42 PM
  Subject: [EXTERNAL] Re: [Pki-devel] ACME Support: Error issuing certificate

  Hi Jesse,

  I was just wondering if you managed to test against the ACME server.
  FYI, we're working on adding an embedded CA into the ACME server so
  it can be containerized more easily without dependency on a separate
  CA. Hopefully we will have something usable by the end of the month.

  --
  Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
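A client-side smoke test of the kind this thread is about, for checking an ACME v2 directory document before driving a functional suite against the server (an added example, not Dogtag code; the sample directory and its endpoint paths are constructed, not captured from the demo instance):

```python
import base64
import json
import re
from urllib.parse import urlsplit

# Resources an ACME v2 directory must advertise (RFC 8555, section 7.1.1).
REQUIRED_RESOURCES = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")

# Constructed sample directory; the paths are assumptions, not captured from any server.
SAMPLE_DIRECTORY = json.dumps({
    "newNonce": "https://acme.demo.dogtagpki.org/acme/new-nonce",
    "newAccount": "https://acme.demo.dogtagpki.org/acme/new-account",
    "newOrder": "https://acme.demo.dogtagpki.org/acme/new-order",
    "revokeCert": "https://acme.demo.dogtagpki.org/acme/revoke-cert",
    "keyChange": "https://acme.demo.dogtagpki.org/acme/key-change",
    "meta": {"termsOfService": "https://acme.demo.dogtagpki.org/acme/tos"},
})

def check_directory(directory_json, expected_host=None):
    """Return a list of findings for an ACME directory document; an empty list means it passed."""
    try:
        directory = json.loads(directory_json)
    except ValueError as exc:
        return [f"directory is not valid JSON: {exc}"]
    if not isinstance(directory, dict):
        return ["directory is not a JSON object"]
    findings = []
    for name in REQUIRED_RESOURCES:
        if name not in directory:
            findings.append(f"missing required resource: {name}")
            continue
        url = urlsplit(str(directory[name]))
        # ACME runs over HTTPS only (RFC 8555, section 6.1); plain HTTP or an off-host URL is a misconfiguration.
        if url.scheme != "https":
            findings.append(f"{name} is not an HTTPS URL: {directory[name]}")
        elif expected_host and url.hostname != expected_host:
            findings.append(f"{name} points off-host: {url.hostname}")
    return findings

NONCE_RE = re.compile(r"^[A-Za-z0-9_-]+$")

def valid_nonce(value):
    """True if value is unpadded base64url, the nonce syntax RFC 8555 section 6.5.1 requires."""
    if not value or not NONCE_RE.match(value):
        return False
    try:
        base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return True
```

Feed `check_directory` the body of a GET on the server's directory URL and `valid_nonce` the `Replay-Nonce` header of a HEAD on `newNonce`; any finding is worth resolving before running the full client test suite.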

Re: [Pki-devel] ACME Support: Error issuing certificate

2020-06-02 Thread Jesse L Van hill

Hi Endi -

Unfortunately, customer issues have kept me from pursuing this further. I
or one of my team still intends on doing so. I will be sure to let you know
when I have tested.

Jesse Van Hill
Websphere Identity Management Architect & Dev Lead
WebSphere Application Server & Open Liberty
https://openliberty.io/
507-513-6234 jlvan...@us.ibm.com



From:   Endi Sukma Dewata
To:     Jesse L Van hill
Cc:     pki-devel@redhat.com
Date:   06/01/2020 10:42 PM
Subject: [EXTERNAL] Re: [Pki-devel] ACME Support: Error issuing certificate



- Original Message -
> > Hi -
> >
> > My team is adding ACME 2.0 client support to the Open Liberty application
> > server and wanted to test against Dogtag PKI's ACME server. My intention is
> > to containerize the ACME server and drive it through the same functional
> > tests we run against other ACME CA servers (i.e. - Pebble and Boulder for
> > instance) to verify compatibility.
> >
> > The first error I hit was an issue with using JSS 4.7 and I understand that
> > will be fixed by PR https://github.com/dogtagpki/jss/pull/532 .
> >
> > [snip]
> >
> > To move past this error, I was advised to move down to JSS 4.6.2. Upon
> > doing
> > so, I made it past the initial error but now hit the following error:
> >
> > [snip]
> >
> > I can see in the ACME server's trace that it does indeed authorize my
> > ownership of the domain and then try to issue the certificate. Examining
> > the AcmeIssuer class shows that this class has several methods that are not
> > implemented.
> >
> > https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuer.java#L61

> > Is this expected or is it possible I have a misconfiguration? I assume I am
> > testing too early and need to wait until the implementation is further
> > along, but I wanted to test early enough that if there were issues I could
> > detect them earlier rather than later.
> >
> > If it matters, I am testing with the image from @pki/master on a Fedora
> > 30 docker container.
>
> Hi Jesse,
>
> Thanks for your interest in Dogtag PKI and particularly the ACME responder.
> Please note that the ACME responder itself is not a CA; it requires another
> CA to issue the certificates. Currently the only supported CA is Dogtag PKI
> CA which is connected through PKIIssuer:
>
> https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java

>
> The ACMEIssuer is just a base class. It's possible to support other CAs
> by extending ACMEIssuer. If you would like to add support for another issuer
> upstream feel free to submit a pull request. We have a prototype for OpenSSL
> that we might add later.
>
> The issue with JSS is correct, and we're still working to fix it.
>
> The unimplemented ACMEIssuer issue seems to be caused by a missing CA. Please
> follow these docs to install 389 DS, then install Dogtag PKI CA:
>
> https://www.dogtagpki.org/wiki/Installing_DS
> https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_CA.md
>
> Then follow these docs to install and verify ACME:
>
> https://github.com/dogtagpki/pki/blob/master/docs/installation/Installing_ACME_Responder.md

[Pki-devel] ACME Support: Error issuing certificate

2020-05-05 Thread Jesse L Van hill


Hi -

My team is adding ACME 2.0 client support to the Open Liberty application
server and wanted to test against Dogtag PKI's ACME server. My intention is
to containerize the ACME server and drive it through the same functional
tests we run against other ACME CA servers (i.e. - Pebble and Boulder for
instance) to verify compatibility.

The first error I hit was an issue with using JSS 4.7 and I understand that
will be fixed by PR https://github.com/dogtagpki/jss/pull/532 .


  2020-05-04 22:15:53 [http-nio-8080-exec-5] SEVERE: Unable to validate HTTP-01 challenge: Unable to get SunJSSE provider for TLS: SSLContextImpl is not initialized
  java.lang.RuntimeException: Unable to get SunJSSE provider for TLS: SSLContextImpl is not initialized
        at org.mozilla.jss.provider.javax.net.JSSContextSpi.engineGetSocketFactory(JSSContextSpi.java:118)
        at javax.net.ssl.SSLContext.getSocketFactory(SSLContext.java:294)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.(SSLConnectionSocketFactory.java:292)
        at org.apache.http.impl.client.HttpClientBuilder.build(HttpClientBuilder.java:978)
        at org.apache.http.impl.client.HttpClients.createDefault(HttpClients.java:56)
        at org.dogtagpki.acme.validator.HTTP01Validator.getResponse(HTTP01Validator.java:112)
        at org.dogtagpki.acme.validator.HTTP01Validator.validateChallenge(HTTP01Validator.java:63)
        at org.dogtagpki.acme.server.ACMEChallengeService.handlePOST(ACMEChallengeService.java:99)
  ...

To move past this error, I was advised to move down to JSS 4.6.2. Upon
doing so, I made it past the initial error but now hit the following error:

  2020-05-05 18:36:08 [http-nio-8080-exec-7] SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/acme] threw exception
  org.jboss.resteasy.spi.UnhandledException: org.apache.commons.lang.NotImplementedException: Code is not implemented
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
  ...
  Caused by: org.apache.commons.lang.NotImplementedException: Code is not implemented
        at org.dogtagpki.acme.issuer.ACMEIssuer.generateCertificate(ACMEIssuer.java:61)
        at org.dogtagpki.acme.issuer.ACMEIssuer.issueCertificate(ACMEIssuer.java:73)
        at org.dogtagpki.acme.server.ACMEFinalizeOrderService.handlePOST(ACMEFinalizeOrderService.java:79)
  ...

I can see in the ACME server's trace that it does indeed authorize my
ownership of the domain and then try to issue the certificate. Examining
the AcmeIssuer class shows that this class has several methods that are not
implemented.

  https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dogtagpki/acme/issuer/ACMEIssuer.java#L61

Is this expected or is it possible I have a misconfiguration? I assume I am
testing too early and need to wait until the implementation is further
along, but I wanted to test early enough that if there were issues I could
detect them earlier rather than later.

If it matters, I am testing with the image from @pki/master on a Fedora
30 docker container.


Jesse Van Hill
Websphere Identity Management Architect & Dev Lead
WebSphere Application Server & Open Liberty
https://openliberty.io/
507-513-6234 jlvan...@us.ibm.com