Thanks for the quick response Fraser. I did some more digging based on your suggestions, and I think I have a pretty good handle on what's going on.

We actually have 3 ipa servers, with ipa01 being the CA master. After I created the sub-CA, its keys were added to the /etc/pki/pki-tomcat/alias database on ipa01, but not ipa02 or ipa03.

The ipa client on our host was pointing directly to ipa02, and since the CA wasn't in the database it was throwing the error in my original post. By changing /etc/ipa/default.conf to point at ipa01 (and changing the certificate policy) I was able to get certmonger to issue the cert I wanted.

So the question now is: Shouldn't the pki-tomcat/aliases database get automatically replicated from the master to the replicas? What configuration is responsible for doing this, and why might it not be working?

Thanks again for your help,
Ben

On Thu, Sep 5, 2019 at 9:22 PM Fraser Tweedale <ftweedal@redhat.com> wrote:
On Thu, Sep 05, 2019 at 09:07:48PM -0000, Ben Rawson via FreeIPA-users wrote:
> I'm having some trouble getting sub-ca signed certificates issued and managed by certmonger. The implementation here [https://www.freeipa.org/page/V4/Sub-CAs] describes how that should work. I see that the -X option can be passed to ipa-getcert to specify the issuer, but every time I create a request with -X specified I get an error.
>
> Steps to reproduce:
> 1. Create a new CA named "Test" through the FreeIPA web UI.
>
> 2. Run the following on a host enrolled in freeIPA:
> ipa-getcert request -k /root/test.key -f /root/test.crt -I "testrequest" -X "Test"
>
> 3. Run ipa-getcert list and receive an error message:
> Request ID 'test':
>       status: CA_REJECTED
>       ca-error: Server at https://ipa02.yyy.com/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ).
>       stuck: yes
>       key pair storage: type=FILE,location='/root/test.key'
>       certificate: type=FILE,location='/root/test.crt'
>       CA: IPA
>       issuer:
>       subject:
>       expires: unknown
>       pre-save command:
>       post-save command:
>       track: yes
>       auto-renew: yes
>
> Running FreeIPA 4.6.4
>
Hi Ben,

Have a look at the Dogtag debug log under
/var/log/pki/pki-tomcat/ca/, and also the system journal, on host
ipa02.yyy.com.  You should see something related to the error above.

What is your topology like?  Do you have multiple CA replicas?  Are
the sub-CA signing keys present on ipa02, in the Dogtag NSSDB?

  # certutil -d /etc/pki/pki-tomcat/alias -L

Cheers,
Fraser


--
Ben Rawson 
DevOps Engineer
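A quick way to check the topology question in this thread, as an added example that is not code from the thread or from FreeIPA itself: parse the `certutil -d /etc/pki/pki-tomcat/alias -L` listing from the CA master and from a replica, and report the nicknames the replica lacks. The constructed sample output assumes the sub-CA signing cert uses the nickname form "caSigningCert cert-pki-ca <authority-id>" with a placeholder id, and live use assumes root SSH access to the CA servers.

```shell
#!/bin/sh
# Added example (not from the thread): compare certificate nicknames in the
# Dogtag NSSDB (/etc/pki/pki-tomcat/alias) of the CA master against a CA
# replica, to spot a sub-CA signing cert present on ipa01 but absent on ipa02.

# Extract certificate nicknames from `certutil -d <nssdb> -L` output on stdin.
# Data lines end with a trust-attribute triple such as "u,u,u" or "CTu,Cu,Cu";
# the nickname is everything before that last token. Header lines are skipped.
nssdb_nicknames() {
    awk '
        $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
            $NF = ""; sub(/[ \t]+$/, ""); print
        }' | sort
}

# Print nicknames present in the master list (file $1) but absent from the
# replica list (file $2). Empty output means the replica has every cert.
missing_on_replica() {
    comm -23 "$1" "$2"
}

# Constructed sample listings for ipa01 (master) and ipa02 (replica); the
# sub-CA nickname format is assumed and the authority id is a placeholder.
MASTER_SAMPLE='Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                         CTu,Cu,Cu
ocspSigningCert cert-pki-ca                       u,u,u
caSigningCert cert-pki-ca 00000000-0000-0000-0000-000000000000 u,u,u'

REPLICA_SAMPLE='Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                         CTu,Cu,Cu
ocspSigningCert cert-pki-ca                       u,u,u'

# Return the missing-nickname report for the constructed samples.
demo_report() {
    master=$(mktemp); replica=$(mktemp)
    printf '%s\n' "$MASTER_SAMPLE" | nssdb_nicknames > "$master"
    printf '%s\n' "$REPLICA_SAMPLE" | nssdb_nicknames > "$replica"
    missing_on_replica "$master" "$replica"
    rm -f "$master" "$replica"
}

# Live use against the real servers (requires root SSH to each CA host):
#   ssh ipa01 certutil -d /etc/pki/pki-tomcat/alias -L | nssdb_nicknames > master.txt
#   ssh ipa02 certutil -d /etc/pki/pki-tomcat/alias -L | nssdb_nicknames > ipa02.txt
#   missing_on_replica master.txt ipa02.txt
```

Any nickname the report prints for a replica is a CA whose signing key that replica cannot use, so certmonger requests routed to it with `-X` for that CA will fail exactly as in the original post.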