rob

----------------------------
CONET Solutions GmbH, Theodor-Heuss-Allee 19, 53773 Hennef.
Geschäftsführer/Managing Director: Dirk Lieder

Registergericht/Registration Court: Amtsgericht Siegburg (HRB Nr. 9136)

----------------------------

Privacy notice: https://www.conet.de/DE/conet/datenschutz

This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify presse@conet.de and delete this e-mail including attachments from your system. Please note that any unauthorized review, copying, disclosing or other use whatsoever are prohibited.
Thank you.


On 08.05.2020 at 23:42, Rob Crittenden <rcritten@redhat.com> wrote:

Leusmann, Philipp wrote:
ghj, 

On 08.05.2020 at 22:21, Rob Crittenden <rcritten@redhat.com> wrote:

Leusmann, Philipp via FreeIPA-users wrote:
Rob,

What command? The command should be a script or simple command. No pipes
or redirects.

I issue ipa-getcert request -I artifactory2 -f server.crt -k
fullchain.key -C 'cat server.crt /etc/ipa/ca.crt > fullchain.crt'
I also tried calling a bash-script instead of the -C argument.
Doesn’t help

I created /usr/local/catcerts.sh with:

#!/bin/bash
#
# concatenate a server cert and the chain into a single file
# usage: catcerts.sh CERT CHAIN TARGET

cert=$1
chain=$2
target=$3

# quote the paths so the hook also works when a path contains spaces
cat "$cert" "$chain" > "$target"

Then got a cert:

# getcert request -f /etc/pki/tls/certs/test.pem [other options] -C
"/usr/local/catcerts.sh /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt
/etc/pki/tls/certs/whole.pem"

And /etc/pki/tls/certs/whole.pem contains server cert + IPA chain.


Thanks for testing, here the same thing doesn’t work. 
I am using certmonger-0.78.4-12.el7.x86_64 on CentOS 7

post-save command is shown in the list of monitored certificates.
Invoking manually works properly. 

Any further idea on how to debug this?

As I said before, stop certmonger, find the IPA CA, add -v to the helper.

You'll get something like:

May 08 17:41:03 ipa.example.test certmonger[31599]: 2020-05-08 17:41:03
[31599] Adding hook "/usr/local/bin/catcerts.sh
/etc/pki/tls/certs/test.pem /etc/ipa/ca.crt
/etc/pki/tls/certs/whole.pem" (0).


I did, but no additional logging content at all.

Here is what I have:

---
[root@artifactory-test pleusmann]# cat /var/lib/certmonger/cas/20200508160103-1
id=IPA
ca_aka=IPA (certmonger 0.78.4)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/ipa-submit -v
ca_root_certs=DEVOPS.XXX.DE IPA CA
 -----BEGIN CERTIFICATE-----
[...]
 -----END CERTIFICATE-----
ca_required_enroll_attributes=template-principal,template-subject
---

This is the full content of /var/log/messages when issuing 'getcert request -c IPA -f /home/pleusmann/server.crt -k /home/pleusmann/fullchain.key -I test -C "/usr/local/bin/create-fullcert.sh /home/pleusmann/server.crt /etc/ipa/ca.crt /tmp/fullchain.crt"' (with OPTS=-d3):

---
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2107] Key is an RSA key.
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2107] Key size is 2048.
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') starts in state 'NEWLY_ADDED'
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') taking writing lock
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_START_READING_KEYINFO'
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') now.
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Started Request3('test').
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_READING_KEYINFO'
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2109] Key is an RSA key.
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2109] Key size is 2048.
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') on traffic from 11.
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_START_READING_CERT'
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') now.
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_READING_CERT'
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') on traffic from 11.
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_DECIDING'
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') now.
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') releasing writing lock
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') has a certificate, monitoring it
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'MONITORING'
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') now.
May  9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') in 86400 seconds.

SELinux is disabled completely.

It seems to me the system doesn't even try to trigger the command.

Though 'getcert list -i test' returns:

---
Number of certificates and requests being tracked: 2.
Request ID 'test':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/home/pleusmann/fullchain.key'
certificate: type=FILE,location='/home/pleusmann/server.crt'
CA: IPA
issuer: CN=DevOps Public CA,O=DEVOPS.XXX.DE
subject: CN=artifactory-test.devops.XXX.de,O=DEVOPS.XXX.DE
expires: 2021-05-02 06:16:03 UTC
dns: artifactory-test.devops.XXX.de
principal name: host/artifactory-test.devops.XXX.de@DEVOPS.XXX.DE
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/local/bin/create-fullcert.sh /home/pleusmann/server.crt /etc/ipa/ca.crt /tmp/fullchain.crt
track: yes
auto-renew: yes

I tested this on RHEL 7.7 and it worked for me.

Same package version?

Regards,
Philipp
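As an added example, not code from the thread, from Rob's catcerts.sh or from certmonger itself: a post-save hook of the kind Rob describes, with the redirect kept inside the script because, as he notes, the -C command itself must be a plain script or command with no pipes or redirects. Compared with a bare cat it checks that both inputs look like PEM certificate data before writing anything, puts the leaf cert before the chain (the order a TLS server expects), and replaces the target atomically so a reload never sees a half-written file. The file paths and the PEM bodies in the demo are constructed; /etc/ipa/ca.crt is simply the chain file the thread uses.

```shell
#!/bin/bash
# Added example (not from the thread): certmonger post-save hook that builds a
# fullchain file from a server cert and the IPA CA chain.
# Invoke from getcert as:  -C "/path/to/fullchain-hook.sh CERT CHAIN TARGET"

set -eu

# build_fullchain CERT CHAIN TARGET
# Writes CERT followed by CHAIN to TARGET. Refuses to write if either input
# lacks a PEM certificate marker, and uses mktemp + mv so TARGET is replaced
# atomically rather than truncated while a service may be reading it.
build_fullchain() {
    local cert="$1" chain="$2" target="$3"
    local f tmp
    for f in "$cert" "$chain"; do
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "build_fullchain: $f does not contain a PEM certificate" >&2
            return 1
        fi
    done
    tmp=$(mktemp "${target}.XXXXXX")
    # Leaf (server) certificate first, then the CA chain.
    cat "$cert" "$chain" > "$tmp"
    # The bundle holds only public certificates, so world-readable is fine;
    # the private key is never touched by this hook.
    chmod 0644 "$tmp"
    mv -f "$tmp" "$target"
}

# count_certs FILE: number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed sample data (dummy PEM bodies, not real certificates) so the
# hook can be exercised without an IPA server: prints the cert count (2).
demo() {
    local dir
    dir=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nSERVERCERTDATA\n-----END CERTIFICATE-----\n' > "$dir/server.crt"
    printf -- '-----BEGIN CERTIFICATE-----\nIPACADATA\n-----END CERTIFICATE-----\n' > "$dir/ca.crt"
    build_fullchain "$dir/server.crt" "$dir/ca.crt" "$dir/fullchain.crt"
    count_certs "$dir/fullchain.crt"
    rm -rf "$dir"
}

# Dispatch: "--demo" runs the self-test; exactly three arguments act as the hook.
if [ "${1-}" = "--demo" ]; then
    demo
elif [ $# -eq 3 ]; then
    build_fullchain "$@"
fi
```

If the hook still does not fire, the script is not the place to look: run it by hand as the certmonger user with the same three arguments, and if that works the problem is in how certmonger registers the post-save command, which is what the -v helper and -d3 logging in the thread are meant to show.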