Hi Rob,
I've created the associated ticket at
https://pagure.io/certmonger/issue/93
Great, thanks. I'm investigating this along with the supported cipher
and digest algos. It has been pretty slow going so far.
rob
On Thu, Feb 1, 2018 at 10:41 AM, Rob Crittenden <rcritten@redhat.com> wrote:
Trevor Vaughan via FreeIPA-users wrote:
> As an update, the sscep application set works properly with the sub-CA
> so it's definitely an issue on the certmonger side of things.
>
> sscep in AES mode throws an exception in Dogtag and, unfortunately,
> sscep also doesn't support above SHA1.
>
> That said, it's at least reasonable isolation of the issue at hand.
>
> It looks like the sscep code may be able to be lifted directly into the
> certmonger stack if the licenses are compatible without too much issue.
I think your best bet is to open an issue at
https://pagure.io/certmonger with as much detail as possible to
reproduce this.
rob
>
> Thanks,
>
> Trevor
>
> On Wed, Jan 31, 2018 at 2:27 PM, Trevor Vaughan <tvaughan@onyxpoint.com> wrote:
>
> Hi Rob,
>
> Thanks for getting back to me, I have no idea how I missed this message.
>
> I dug through the CA and KRA debug logs and don't see any PKCS7
> output anywhere.
>
> I've been running certmonger in debug mode connected to the
> foreground and haven't really gotten anywhere there either.
>
> I did determine that the spot where things are failing is at
> https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065 but I
> haven't been able to figure out how to print what is being received
> from the server.
>
> Running the 'scep-submit' command by hand with -C works as expected
> (of course Dogtag doesn't respond with server capabilities so it
> downgrades itself into insanity but that doesn't seem to be the
> issue). I also checked to see that the certmonger configuration is
> correct in the ~/.config/certmonger space and the entire certificate
> chain appears to be present as expected.
>
> Thanks,
>
> Trevor
>
> On Tue, Jan 30, 2018 at 10:38 AM, Rob Crittenden <rcritten@redhat.com> wrote:
>
> Trevor Vaughan via FreeIPA-users wrote:
> > Hi All,
> >
> > I have a setup where I have a root CA and a sub CA and the sub CA is set
> > up with a KRA and SCEP enabled.
> >
> > I've fired up certmonger and added the SCEP CA.
> >
> > When I attempt to request a certificate, the enrollment completes
> > successfully per the Dogtag side of the equation but the response from
> > the server cannot be decrypted by the client and I get the following
> > error in the certmonger debug log:
> >
> > 2018-01-29 23:56:43 [5396] Child output:
> > "Error: failed to verify signature on server response.
> > "
> > 2018-01-29 23:56:43 [5396] Error: failed to verify signature on server response.
> >
> > The following commands were used for server addition and certificate
> > registration.
> >
> > getcert add-scep-ca -c Site_CA -u https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R /etc/pki/site-pki.pem
> >
> > getcert request -c Site_CA -k /etc/pki/my_cert.pem -f /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
> >
> > Looking at the certmonger code, it looks like it is completely skipping
> > all of the case statements and simply dropping down to the 'goto:'
> > https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889
> >
> > I've tried recompiling certmonger with some debug statements but I
> > haven't managed to suss out what's going on. If someone could tell me
> > how to print the actual response from the server, it would be
> > appreciated.
> >
> > It certainly feels like the SCEP support has taken a back seat to the
> > CMC features but the CMC features just aren't ready to replace SCEP at
> > this time and, of course, can't support a lot of hardware requirements.
>
> A couple of things to try:
>
> - look in the dogtag debug log (/var/log/pki-tomcat/somewhere). It may
> have the raw PKCS#7 data to poke at
> - stop the certmonger service and start it in a terminal with certmonger
> -d 9 -n 2>&1 | tee /path/to/some/log and then redo the request. Again,
> you may be able to get some data out of it.
>
> I haven't tried SCEP with a subCA. It could be there is some
> disagreement about who is actually signing the response.
>
> rob
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
>
> -- This account not approved for unencrypted proprietary information --
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
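Rob's remark that there may be a disagreement about who is actually signing the response, and Trevor's question about how to see what the server sent back, both come down to reading the signer identity out of the PKCS#7 CertRep. The script below is an added example written for this thread; it is not certmonger, Dogtag or sscep code. Using only the Python standard library it walks the DER of a CMS signedData ContentInfo, reports each SignerInfo's IssuerAndSerialNumber together with its digest and signature algorithm OIDs, lists any certificates embedded in the response, and checks whether the signer's (issuer, serial) names any certificate in a chain file such as the one passed to getcert add-scep-ca -R. It does not verify the signature; it only tells you who the response claims was the signer and with which algorithms. The file names in the usage line and the root CA / sub CA demo chain are assumptions, and the sample data is constructed by a small DER encoder inside the script rather than captured from a Dogtag server.

```python
"""Which signer does a SCEP CertRep (CMS/PKCS#7 SignedData) name, and is that
signer in our CA chain?  Added example for this thread, not certmonger code.
Issuer Names are compared as raw DER bytes, so no DN decoding is needed."""
import base64
import re
import sys

SIGNED_DATA_OID = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2
DATA_OID = bytes.fromhex("2A864886F70D010701")         # 1.2.840.113549.1.7.1
RSA_OID = bytes.fromhex("2A864886F70D010101")          # 1.2.840.113549.1.1.1
SHA1_OID = bytes.fromhex("2B0E03021A")                 # 1.3.14.3.2.26
SHA256_OID = bytes.fromhex("608648016503040201")       # 2.16.840.1.101.3.4.2.1

def der_iter(buf):
    """Split buf into a list of (tag, whole_tlv, body) for each top-level TLV."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, j = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                    # long-form length
            n = ln & 0x7F
            ln, j = int.from_bytes(buf[j:j + n], "big"), j + n
        if j + ln > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[i:j + ln], buf[j:j + ln]))
        i = j + ln
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def cert_identity(cert_der):
    """(issuer Name DER, serial) of an X.509 cert: exactly what a SignerInfo's
    IssuerAndSerialNumber must carry to name this certificate."""
    (_, _, body), = der_iter(cert_der)
    fields = der_iter(der_iter(body)[0][2])              # tbsCertificate fields
    if fields[0][0] == 0xA0:                             # optional EXPLICIT [0] version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][2], "big", signed=True)
    return fields[2][1], serial                          # fields[1] is the AlgorithmIdentifier

def inspect_cert_rep(p7_der):
    """Return {'signers': [...], 'certs': [...]} for a signedData ContentInfo."""
    (_, _, ci), = der_iter(p7_der)
    oid, wrapped = der_iter(ci)[:2]
    if oid[2] != SIGNED_DATA_OID:
        raise ValueError("not a CMS signedData ContentInfo")
    fields = der_iter(der_iter(wrapped[2])[0][2])        # SignedData fields
    certs, idx = [], 3                                   # after version, digestAlgorithms, encapContentInfo
    if idx < len(fields) and fields[idx][0] == 0xA0:     # IMPLICIT [0] certificates
        certs = [cert_identity(c[1]) for c in der_iter(fields[idx][2]) if c[0] == 0x30]
        idx += 1
    if idx < len(fields) and fields[idx][0] == 0xA1:     # IMPLICIT [1] crls
        idx += 1
    signers = []
    for _, _, si in der_iter(fields[idx][2]):
        f = der_iter(si)
        sid_tag, _, sid_body = f[1]
        if sid_tag == 0x30:                              # IssuerAndSerialNumber
            issuer, serial = der_iter(sid_body)
            who = {"issuer_der": issuer[1], "serial": int.from_bytes(serial[2], "big", signed=True)}
        else:                                            # [0] SubjectKeyIdentifier
            who = {"issuer_der": None, "serial": None, "skid": sid_body.hex()}
        j = 3 + (1 if f[3][0] == 0xA0 else 0)            # skip signedAttrs if present
        who["digest_oid"] = decode_oid(der_iter(f[2][2])[0][2])
        who["sig_oid"] = decode_oid(der_iter(f[j][2])[0][2])
        signers.append(who)
    return {"signers": signers, "certs": certs}

def match_signers(p7_der, chain_ders):
    """For each signer: index of the chain cert whose (issuer, serial) it names, or None."""
    ids = [cert_identity(c) for c in chain_ders]
    return [next((i for i, cid in enumerate(ids) if cid == (s["issuer_der"], s["serial"])), None)
            for s in inspect_cert_rep(p7_der)["signers"]]

def load_chain(path):
    """PEM bundle (like the -R file given to getcert add-scep-ca) or one DER cert."""
    data = open(path, "rb").read()
    pems = re.findall(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return [base64.b64decode(b"".join(p.split())) for p in pems] or [data]

# --- constructed sample input (not real Dogtag output): a tiny DER encoder builds
# --- an unsigned stand-in cert chain and a CertRep-shaped SignedData for the demo.
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def der_name(cn):   # Name = SEQ { SET { SEQ { id-at-commonName, UTF8String } } }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))

def fake_cert(issuer_cn, subject_cn, serial):
    alg = tlv(0x30, tlv(0x06, RSA_OID) + b"\x05\x00")
    validity = tlv(0x30, tlv(0x17, b"180101000000Z") + tlv(0x17, b"280101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(serial) + alg + der_name(issuer_cn)
              + validity + der_name(subject_cn) + tlv(0x30, alg + tlv(0x03, b"\x00")))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

def fake_cert_rep(issuer_cn, serial, digest_oid, embedded=()):
    digest_alg = tlv(0x30, tlv(0x06, digest_oid) + b"\x05\x00")
    sid = tlv(0x30, der_name(issuer_cn) + der_int(serial))
    si = tlv(0x30, der_int(1) + sid + digest_alg
             + tlv(0x30, tlv(0x06, RSA_OID) + b"\x05\x00") + tlv(0x04, b"\x00" * 8))
    eci = tlv(0x30, tlv(0x06, DATA_OID))                 # detached content
    certs = tlv(0xA0, b"".join(embedded)) if embedded else b""
    sd = tlv(0x30, der_int(1) + tlv(0x31, digest_alg) + eci + certs + tlv(0x31, si))
    return tlv(0x30, tlv(0x06, SIGNED_DATA_OID) + tlv(0xA0, sd))

if __name__ == "__main__":
    if len(sys.argv) == 3:   # python3 scep_signer_check.py response.der site-pki.pem (assumed names)
        rep, chain = open(sys.argv[1], "rb").read(), load_chain(sys.argv[2])
    else:                    # demo: root -> sub CA chain, response signed with the sub CA's cert
        chain = [fake_cert("Site Root CA", "Site Root CA", 1), fake_cert("Site Root CA", "Site Sub CA", 7)]
        rep = fake_cert_rep("Site Root CA", 7, SHA256_OID, embedded=[chain[1]])
    info = inspect_cert_rep(rep)
    for s, m in zip(info["signers"], match_signers(rep, chain)):
        print("signer serial", s.get("serial"), "digest", s["digest_oid"], "sig", s["sig_oid"],
              "-> chain cert", m if m is not None else "NOT IN CHAIN")
    print("serials of certs embedded in response:", [serial for _, serial in info["certs"]])
```

Feed it the DER body of the server's CertRep (as captured from the debug log or from the wire) and the chain file; a signer whose (issuer, serial) matches no chain certificate, or a digest OID the client does not support, is the disagreement to chase. Because the comparison is on raw issuer DER, a sub-CA whose issuer Name was re-encoded differently from the copy in the chain file will also show up as NOT IN CHAIN, which is worth knowing before blaming the signature check.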