Hi,
I need to receive a certificate containing the full CA chain. Since ipa-getcert doesn't seem to offer a prebuilt option to do so (or does it?), I was looking at the post-save-command of ipa-getcert to merge the received certificate and the chain.
Unfortunately the command never gets invoked.
I cannot find a way to find out the reason. Are there any prerequisites for the commands? I understand certmonger offers debug options, but I have no idea how and where certmonger is started. I also do not understand the possible argument values for the DEBUG.
Any help is appreciated.
Regards, Philipp
Philipp Leusmann via FreeIPA-users wrote:
Hi,
I need to receive a certificate containing the full CA chain. Since ipa-getcert doesn't seem to offer a prebuilt option to do so (or does it?), I was looking at the post-save-command of ipa-getcert to merge the received certificate and the chain.
There isn't. -F/-a is your only option to receive the chain separately.
Unfortunately the command never gets invoked.
What command? The command should be a script or simple command. No pipes or redirects.
I cannot find a way to find out the reason. Are there any prerequisites for the commands? I understand certmonger offers debug options, but I have no idea how and where certmonger is started. I also do not understand the possible argument values for the DEBUG.
Any help is appreciated.
For the daemon itself you can control output in /etc/sysconfig/certmonger by setting OPTS=-d<int>. 2 or 3 should do it.
The helpers have their own debugging but it's tricky. Your best bet is to shut down certmonger and modify the CA that is issuing the cert (in /var/log/certmonger/cas/*). Add -v (or several) to the end of the submit helper to get more output, then restart certmonger.
rob
Rob,
What command? The command should be a script or simple command. No pipes or redirects.
I issue ipa-getcert request -I artifactory2 -f server.crt -k fullchain.key -C 'cat server.crt /etc/ipa/ca.crt > fullchain.crt'. I also tried calling a bash script instead of the -C argument. Doesn't help.
I cannot find a way to find out the reason. Are there any prerequisites for the commands? I understand certmonger offers debug options, but I have no idea how and where certmonger is started. I also do not understand the possible argument values for the DEBUG.
Any help is appreciated.
For the daemon itself you can control output in /etc/sysconfig/certmonger by setting OPTS=-d<int>. 2 or 3 should do it.
Even with -d5 I see a lot of debugging output but no hint whatsoever on trying to invoke the post-save command.
— snip —
[…]
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'NEWLY_ADDED_START_READING_CERT'
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') now.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'NEWLY_ADDED_READING_CERT'
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') on traffic from 11.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Dequeuing FD 7 for Read for 0x5569f1232870:0x5569f12373b0.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Handling D-Bus traffic (Read) on FD 7 for 0x5569f1232870.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] message 0x5569f1232870(method_return)->87->55
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] message 0x5569f1232870(method_return)->88->56
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] User ID 0 PID 9887 called /org/fedorahosted/certmonger/requests/Request4:org.fedorahosted.certmonger.request.get_nickname.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Queuing FD 7 for Read for 0x5569f1232870:0x5569f1248610.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9891] Read value "0" from "/proc/sys/crypto/fips_enabled".
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9891] Not attempting to set NSS FIPS mode.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'NEWLY_ADDED_DECIDING'
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') now.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') releasing writing lock
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') has a certificate, monitoring it
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'MONITORING'
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') now.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') in 86400 seconds.
— snip —
The helpers have their own debugging but it's tricky. Your best bet is to shut down certmonger and modify the CA that is issuing the cert (in /var/log/certmonger/cas/*). Add -v (or several) to the end of the submit helper to get more output, then restart certmonger.
Doesn’t add anything to the logging output seen.
Any further ideas?
Regards, Philipp
-----------------------------
CONET Solutions GmbH, Theodor-Heuss-Allee 19, 53773 Hennef. Geschäftsführer/Managing Director: Dirk Lieder. Registergericht/Registration Court: Amtsgericht Siegburg (HRB Nr. 9136)
-----------------------------
Privacy notice: https://www.conet.de/DE/conet/datenschutz
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify presse@conet.de and delete this e-mail including attachments from your system. Please note that any unauthorized review, copying, disclosing or other use whatsoever are prohibited. Thank you.
Leusmann, Philipp via FreeIPA-users wrote:
Rob,
What command? The command should be a script or simple command. No pipes or redirects.
I issue ipa-getcert request -I artifactory2 -f server.crt -k fullchain.key -C 'cat server.crt /etc/ipa/ca.crt > fullchain.crt'. I also tried calling a bash script instead of the -C argument. Doesn't help.
I created /usr/local/catcerts.sh with:
#!/bin/bash
#
# concatenate a server cert and the chain into a single file
# arguments: <server cert> <chain file> <output file>
cert="$1"
chain="$2"
target="$3"
cat "$cert" "$chain" > "$target"
Then got a cert:
# getcert request -f /etc/pki/tls/certs/test.pem [other options] -C "/usr/local/catcerts.sh /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt /etc/pki/tls/certs/whole.pem"
And /etc/pki/tls/certs/whole.pem contains server cert + IPA chain.
rob
I cannot find a way to find out the reason. Are there any prerequisites for the commands? I understand certmonger offers debug options, but I have no idea how and where certmonger is started. I also do not understand the possible argument values for the DEBUG.
Any help is appreciated.
For the daemon itself you can control output in /etc/sysconfig/certmonger by setting OPTS=-d<int>. 2 or 3 should do it.
Even with -d5 I see a lot of debugging output but no hint whatsoever on trying to invoke the post-save command.
— snip —
[…]
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'NEWLY_ADDED_START_READING_CERT'
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') now.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'NEWLY_ADDED_READING_CERT'
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') on traffic from 11.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Dequeuing FD 7 for Read for 0x5569f1232870:0x5569f12373b0.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Handling D-Bus traffic (Read) on FD 7 for 0x5569f1232870.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] message 0x5569f1232870(method_return)->87->55
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] message 0x5569f1232870(method_return)->88->56
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] User ID 0 PID 9887 called /org/fedorahosted/certmonger/requests/Request4:org.fedorahosted.certmonger.request.get_nickname.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Queuing FD 7 for Read for 0x5569f1232870:0x5569f1248610.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9891] Read value "0" from "/proc/sys/crypto/fips_enabled".
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9891] Not attempting to set NSS FIPS mode.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'NEWLY_ADDED_DECIDING'
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') now.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') releasing writing lock
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') has a certificate, monitoring it
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'MONITORING'
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') now.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') in 86400 seconds.
— snip —
The helpers have their own debugging but it's tricky. Your best bet is to shut down certmonger and modify the CA that is issuing the cert (in /var/log/certmonger/cas/*). Add -v (or several) to the end of the submit helper to get more output, then restart certmonger.
Doesn’t add anything to the logging output seen.
Any further ideas?
Regards, Philipp
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
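Rob's catcerts.sh above does the job in one line, but a post-save command runs unattended at every renewal, so it is worth hardening. The following is an added example, not Rob's script and not part of certmonger or FreeIPA: it validates both inputs, writes the combined file atomically so a reloading web server never reads a half-written file, and adds a check that can be run from monitoring to detect the exact failure mode of this thread (the post-save command not firing, leaving a stale fullchain whose first certificate no longer matches the leaf certmonger wrote). The script path /usr/local/bin/build-fullchain.sh, the function names and the placeholder PEM bodies are all assumptions; the sample files are constructed and are not real certificates.

```shell
#!/bin/sh
# Added example (not Rob's catcerts.sh): a hardened certmonger post-save
# command that joins a leaf certificate and a CA chain into one file.
# Assumed install path: /usr/local/bin/build-fullchain.sh, used as
#   getcert request ... -C "/usr/local/bin/build-fullchain.sh LEAF CHAIN OUT"
set -u

# count_pem_certs FILE: number of PEM certificate blocks in FILE
count_pem_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# first_pem_cert FILE: print only the first PEM block of FILE (the leaf)
first_pem_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ {f=1} f {print} /-----END CERTIFICATE-----/ {exit}' "$1"
}

# build_fullchain LEAF CHAIN OUT: write LEAF followed by CHAIN to OUT.
# Fails (and leaves OUT untouched) if an input is unreadable or contains
# no PEM certificate, so a broken renewal cannot clobber a good file.
build_fullchain() {
    leaf=$1 chain=$2 out=$3
    for f in "$leaf" "$chain"; do
        if [ ! -r "$f" ]; then
            echo "build_fullchain: cannot read $f" >&2
            return 1
        fi
        if [ "$(count_pem_certs "$f")" -lt 1 ]; then
            echo "build_fullchain: no PEM certificate in $f" >&2
            return 1
        fi
    done
    # Write to a temp file beside OUT and rename into place: readers see
    # either the old complete file or the new complete file, never a torso.
    # Certificates are public, so 0644 is fine; the key is never touched.
    tmp="$out.tmp.$$"
    (umask 022; cat "$leaf" "$chain" > "$tmp") || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"
}

# fullchain_leaf_matches LEAF FULLCHAIN: succeed only if the first
# certificate in FULLCHAIN is the one in LEAF. After a renewal, a mismatch
# means the post-save hook did not run (the symptom in this thread).
fullchain_leaf_matches() {
    [ "$(first_pem_cert "$1")" = "$(first_pem_cert "$2")" ]
}

# make_sample_pki DIR: constructed, non-functional PEM files for a
# stand-alone run. The bodies are placeholders, not real certificates.
make_sample_pki() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER-BODY' '-----END CERTIFICATE-----' > "$dir/server.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CA-PLACEHOLDER-BODY' '-----END CERTIFICATE-----' > "$dir/ca.crt"
}

# demo: build a chain from the constructed files and verify it
demo() {
    d=$(mktemp -d)
    make_sample_pki "$d"
    build_fullchain "$d/server.crt" "$d/ca.crt" "$d/fullchain.crt" || return 1
    echo "certificates in fullchain: $(count_pem_certs "$d/fullchain.crt")"
    fullchain_leaf_matches "$d/server.crt" "$d/fullchain.crt" && echo "fullchain is current"
    rm -rf "$d"
}

# Called by certmonger with three arguments: do the real work.
# Called as "build-fullchain.sh demo": run the constructed demo.
if [ $# -eq 3 ]; then
    build_fullchain "$1" "$2" "$3"
elif [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh build-fullchain.sh demo` to see the constructed case; as a post-save command it receives exactly the three paths from the -C string. The fullchain_leaf_matches check is the piece to wire into monitoring: if it fails after `getcert list` reports a fresh expiry, the hook did not run and the service is still serving the old chain.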
On 08.05.2020 at 22:21, Rob Crittenden <rcritten@redhat.com> wrote:
Leusmann, Philipp via FreeIPA-users wrote:
Rob,
What command? The command should be a script or simple command. No pipes or redirects.
I issue ipa-getcert request -I artifactory2 -f server.crt -k fullchain.key -C 'cat server.crt /etc/ipa/ca.crt > fullchain.crt'. I also tried calling a bash script instead of the -C argument. Doesn't help.
I created /usr/local/catcerts.sh with:
#!/bin/bash
#
# concatenate a server cert and the chain into a single file
# arguments: <server cert> <chain file> <output file>
cert="$1"
chain="$2"
target="$3"
cat "$cert" "$chain" > "$target"
Then got a cert:
# getcert request -f /etc/pki/tls/certs/test.pem [other options] -C "/usr/local/catcerts.sh /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt /etc/pki/tls/certs/whole.pem"
And /etc/pki/tls/certs/whole.pem contains server cert + IPA chain.
Thanks for testing; here the same thing doesn't work. I am using certmonger-0.78.4-12.el7.x86_64 on CentOS 7.
The post-save command is shown in the list of monitored certificates. Invoking it manually works properly.
Any further idea on how to debug this?
Philipp
Leusmann, Philipp wrote:
On 08.05.2020 at 22:21, Rob Crittenden <rcritten@redhat.com> wrote:
Leusmann, Philipp via FreeIPA-users wrote:
Rob,
What command? The command should be a script or simple command. No pipes or redirects.
I issue ipa-getcert request -I artifactory2 -f server.crt -k fullchain.key -C 'cat server.crt /etc/ipa/ca.crt > fullchain.crt'. I also tried calling a bash script instead of the -C argument. Doesn't help.
I created /usr/local/catcerts.sh with:
#!/bin/bash
#
# concatenate a server cert and the chain into a single file
# arguments: <server cert> <chain file> <output file>
cert="$1"
chain="$2"
target="$3"
cat "$cert" "$chain" > "$target"
Then got a cert:
# getcert request -f /etc/pki/tls/certs/test.pem [other options] -C "/usr/local/catcerts.sh /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt /etc/pki/tls/certs/whole.pem"
And /etc/pki/tls/certs/whole.pem contains server cert + IPA chain.
Thanks for testing; here the same thing doesn't work. I am using certmonger-0.78.4-12.el7.x86_64 on CentOS 7.
The post-save command is shown in the list of monitored certificates. Invoking it manually works properly.
Any further idea on how to debug this?
As I said before, stop certmonger, find the IPA CA, add -v to the helper.
You'll get something like:
May 08 17:41:03 ipa.example.test certmonger[31599]: 2020-05-08 17:41:03 [31599] Adding hook "/usr/local/bin/catcerts.sh /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt /etc/pki/tls/certs/whole.pem" (0).
I tested this on RHEL 7.7 and it worked for me.
rob
On 08.05.2020 at 23:42, Rob Crittenden <rcritten@redhat.com> wrote:
Leusmann, Philipp wrote:
ghj,
On 08.05.2020 at 22:21, Rob Crittenden <rcritten@redhat.com> wrote:
Leusmann, Philipp via FreeIPA-users wrote:
Rob,
What command? The command should be a script or simple command. No pipes or redirects.
I issue ipa-getcert request -I artifactory2 -f server.crt -k fullchain.key -C 'cat server.crt /etc/ipa/ca.crt > fullchain.crt'. I also tried calling a bash script instead of the -C argument. Doesn't help.
I created /usr/local/catcerts.sh with:
#!/bin/bash
#
# concatenate a server cert and the chain into a single file
# arguments: <server cert> <chain file> <output file>
cert="$1"
chain="$2"
target="$3"
cat "$cert" "$chain" > "$target"
Then got a cert:
# getcert request -f /etc/pki/tls/certs/test.pem [other options] -C "/usr/local/catcerts.sh /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt /etc/pki/tls/certs/whole.pem"
And /etc/pki/tls/certs/whole.pem contains server cert + IPA chain.
Thanks for testing; here the same thing doesn't work. I am using certmonger-0.78.4-12.el7.x86_64 on CentOS 7.
The post-save command is shown in the list of monitored certificates. Invoking it manually works properly.
Any further idea on how to debug this?
As I said before, stop certmonger, find the IPA CA, add -v to the helper.
You'll get something like:
May 08 17:41:03 ipa.example.test certmonger[31599]: 2020-05-08 17:41:03 [31599] Adding hook "/usr/local/bin/catcerts.sh /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt /etc/pki/tls/certs/whole.pem" (0).
I did, but no additional logging content at all.
Here is what I have:
---
[root@artifactory-test pleusmann]# cat /var/lib/certmonger/cas/20200508160103-1
id=IPA
ca_aka=IPA (certmonger 0.78.4)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/ipa-submit -v
ca_root_certs=DEVOPS.XXX.DE IPA CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
ca_required_enroll_attributes=template-principal,template-subject
---
This is the full content of /var/log/messages when issuing 'getcert request -c IPA -f /home/pleusmann/server.crt -k /home/pleusmann/fullchain.key -I test -C "/usr/local/bin/create-fullcert.sh /home/pleusmann/server.crt /etc/ipa/ca.crt /tmp/fullchain.crt"' (with OPTS=-d3):
---
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2107] Key is an RSA key.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2107] Key size is 2048.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') starts in state 'NEWLY_ADDED'
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') taking writing lock
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_START_READING_KEYINFO'
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') now.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Started Request3('test').
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_READING_KEYINFO'
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2109] Key is an RSA key.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2109] Key size is 2048.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') on traffic from 11.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_START_READING_CERT'
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') now.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_READING_CERT'
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') on traffic from 11.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_DECIDING'
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') now.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') releasing writing lock
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') has a certificate, monitoring it
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'MONITORING'
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') now.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') in 86400 seconds.
---
SELinux is disabled completely.
It seems to me the system doesn't even try to trigger the command.
Though 'getcert list -i test' returns:
---
Number of certificates and requests being tracked: 2.
Request ID 'test':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/home/pleusmann/fullchain.key'
	certificate: type=FILE,location='/home/pleusmann/server.crt'
	CA: IPA
	issuer: CN=DevOps Public CA,O=DEVOPS.XXX.DE
	subject: CN=artifactory-test.devops.XXX.de,O=DEVOPS.XXX.DE
	expires: 2021-05-02 06:16:03 UTC
	dns: artifactory-test.devops.XXX.de
	principal name: host/artifactory-test.devops.XXX.de@DEVOPS.XXX.DE
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/local/bin/create-fullcert.sh /home/pleusmann/server.crt /etc/ipa/ca.crt /tmp/fullchain.crt
	track: yes
	auto-renew: yes
---
I tested this on RHEL 7.7 and it worked for me.
Same package version?
Regards, Philipp
Leusmann, Philipp via FreeIPA-users wrote:
rob
On 08.05.2020 at 23:42, Rob Crittenden <rcritten@redhat.com> wrote:
Leusmann, Philipp wrote:
ghj,
On 08.05.2020 at 22:21, Rob Crittenden <rcritten@redhat.com> wrote:
Leusmann, Philipp via FreeIPA-users wrote:
Rob,
What command? The command should be a script or simple command. No pipes or redirects.
I issue ipa-getcert request -I artifactory2 -f server.crt -k fullchain.key -C 'cat server.crt /etc/ipa/ca.crt > fullchain.crt'. I also tried calling a bash script instead of the -C argument. Doesn't help.
I created /usr/local/catcerts.sh with:
#!/bin/bash
#
# concatenate a server cert and the chain into a single file
# arguments: <server cert> <chain file> <output file>
cert="$1"
chain="$2"
target="$3"
cat "$cert" "$chain" > "$target"
Then got a cert:
# getcert request -f /etc/pki/tls/certs/test.pem [other options] -C "/usr/local/catcerts.sh /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt /etc/pki/tls/certs/whole.pem"
And /etc/pki/tls/certs/whole.pem contains server cert + IPA chain.
Thanks for testing; here the same thing doesn't work. I am using certmonger-0.78.4-12.el7.x86_64 on CentOS 7.
The post-save command is shown in the list of monitored certificates. Invoking it manually works properly.
Any further idea on how to debug this?
As I said before, stop certmonger, find the IPA CA, add -v to the helper.
You'll get something like:
May 08 17:41:03 ipa.example.test certmonger[31599]: 2020-05-08 17:41:03 [31599] Adding hook "/usr/local/bin/catcerts.sh /etc/pki/tls/certs/test.pem /etc/ipa/ca.crt /etc/pki/tls/certs/whole.pem" (0).
I did, but no additional logging content at all.
The hooks log at level 3 so make that three v's in the helper and you should see something.
I'd also suggest attaching strace to the running certmonger process to watch for the exec.
rob
Here is what I have:
[root@artifactory-test pleusmann]# cat /var/lib/certmonger/cas/20200508160103-1
id=IPA
ca_aka=IPA (certmonger 0.78.4)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/ipa-submit -v
ca_root_certs=DEVOPS.XXX.DE IPA CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
ca_required_enroll_attributes=template-principal,template-subject
This is the full content of /var/log/messages when issuing 'getcert request -c IPA -f /home/pleusmann/server.crt -k /home/pleusmann/fullchain.key -I test -C "/usr/local/bin/create-fullcert.sh /home/pleusmann/server.crt /etc/ipa/ca.crt /tmp/fullchain.crt"' (with OPTS=-d3):
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2107] Key is an RSA key.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2107] Key size is 2048.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') starts in state 'NEWLY_ADDED'
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') taking writing lock
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_START_READING_KEYINFO'
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') now.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Started Request3('test').
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_READING_KEYINFO'
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2109] Key is an RSA key.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2109] Key size is 2048.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') on traffic from 11.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_START_READING_CERT'
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') now.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_READING_CERT'
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') on traffic from 11.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'NEWLY_ADDED_DECIDING'
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') now.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') releasing writing lock
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') has a certificate, monitoring it
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Request3('test') moved to state 'MONITORING'
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') now.
May 9 11:35:10 artifactory-test certmonger: 2020-05-09 11:35:10 [2063] Will revisit Request3('test') in 86400 seconds.
---
SELinux is disabled completely.
It seems to me the system doesn't even try to trigger the command.
Though 'getcert list -i test' returns:
Number of certificates and requests being tracked: 2.
Request ID 'test':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/home/pleusmann/fullchain.key'
	certificate: type=FILE,location='/home/pleusmann/server.crt'
	CA: IPA
	issuer: CN=DevOps Public CA,O=DEVOPS.XXX.DE
	subject: CN=artifactory-test.devops.XXX.de,O=DEVOPS.XXX.DE
	expires: 2021-05-02 06:16:03 UTC
	dns: artifactory-test.devops.XXX.de
	principal name: host/artifactory-test.devops.XXX.de@DEVOPS.XXX.DE
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/local/bin/create-fullcert.sh /home/pleusmann/server.crt /etc/ipa/ca.crt /tmp/fullchain.crt
	track: yes
	auto-renew: yes
---
I tested this on RHEL 7.7 and it worked for me.
Same package version?
Regards, Philipp
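Rob's debugging recipe (stop certmonger, append -v to the submit helper in the CA definition under /var/lib/certmonger/cas/, then three v's because the hooks log at level 3, then restart) is easy to get wrong by hand, and a truncated CA definition breaks every request that uses it. The following is an added example, not part of certmonger or FreeIPA and not Rob's code: an idempotent edit of the ca_external_helper= line that appends the requested flags once, writes through a temp file, and leaves every other line alone. The sample CA definition is constructed from the one Philipp posted with a placeholder certificate body; the function names and the enable_helper_debug wrapper (which is what actually needs certmonger stopped, per Rob's instructions) are assumptions.

```shell
#!/bin/sh
# Added example: append verbosity flags to the external helper of a
# certmonger CA definition (a file under /var/lib/certmonger/cas/).
# Not certmonger's own tooling; paths and names are assumptions.
set -u

# helper_line CAFILE: print the current value of ca_external_helper=
helper_line() {
    sed -n 's/^ca_external_helper=//p' "$1"
}

# add_helper_verbosity CAFILE FLAGS: append FLAGS (e.g. -vvv) to the
# ca_external_helper= line unless they are already there. Idempotent, and
# written via a temp file so an interrupted edit cannot truncate the CA
# definition that every request for this CA depends on.
add_helper_verbosity() {
    cafile=$1 flags=$2
    if ! grep -q '^ca_external_helper=' "$cafile"; then
        echo "add_helper_verbosity: no ca_external_helper in $cafile" >&2
        return 1
    fi
    case " $(helper_line "$cafile") " in
        *" $flags "*) return 0 ;;   # already present, nothing to do
    esac
    tmp="$cafile.tmp.$$"
    awk -v flags="$flags" '
        /^ca_external_helper=/ { print $0 " " flags; next }
        { print }
    ' "$cafile" > "$tmp" && mv -f "$tmp" "$cafile"
}

# enable_helper_debug CAFILE: the procedure from the thread end to end.
# certmonger is stopped while its CA definition is edited, as Rob's
# instructions require, and restarted afterwards. Needs root; not run by
# the tests below.
enable_helper_debug() {
    systemctl stop certmonger
    add_helper_verbosity "$1" -vvv
    systemctl start certmonger
}

# make_sample_ca_file PATH: constructed copy of the CA definition Philipp
# posted, with a placeholder instead of the real root certificate body.
make_sample_ca_file() {
    cat > "$1" <<'EOF'
id=IPA
ca_aka=IPA (certmonger 0.78.4)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/ipa-submit -v
ca_root_certs=DEVOPS.XXX.DE IPA CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT-CA-BODY
-----END CERTIFICATE-----
ca_required_enroll_attributes=template-principal,template-subject
EOF
}

# demo: edit a constructed CA file twice and show that the second edit is a no-op
demo() {
    d=$(mktemp -d)
    make_sample_ca_file "$d/20200508160103-1"
    add_helper_verbosity "$d/20200508160103-1" -vvv
    add_helper_verbosity "$d/20200508160103-1" -vvv
    echo "helper is now: $(helper_line "$d/20200508160103-1")"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

On a real host the only call is `enable_helper_debug /var/lib/certmonger/cas/<id>`; the demo path never touches the system. After the restart, the "Adding hook ..." line Rob quoted is what to look for in the journal; its absence while the request reaches MONITORING is the signal that no enrollment (and therefore no post-save command) took place.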
rob,
I finally found out what's wrong: the local files for crt and key already existed during my tests. Obviously they are not being overwritten when stopping monitoring an old request for the certificate and requesting a new one. As a result, the post-save command is not triggered. When I delete at least the certificate, everything works as expected.
I think that’s odd behavior. Is that on purpose?
What about an expiry situation: Will the files be overwritten when the certificate is close to expiry?
How can I test the expiry situation? Is it possible to request a certificate with very limited validity by using client arguments only? Or will I need to edit the server ca profile?
Thanks for your great help!
Cheers, Philipp
----------------------------- CONET Solutions GmbH, Theodor-Heuss-Allee 19, 53773 Hennef. Geschäftsführer/Managing Director: Dirk Lieder Registergericht/Registration Court: Amtsgericht Siegburg (HRB Nr. 9136) -----------------------------
Datenschutzhinweise: https://www.conet.de/DE/conet/datenschutz
Diese E-Mail und etwa anhängende Dateien enthalten vertrauliche Informationen und sind ausschließlich für den Adressaten bestimmt. Sollten Sie diese E-Mail irrtümlich erhalten haben, informieren Sie uns hierüber bitte unter presse@conet.de und löschen Sie diese E-Mail einschließlich etwa angehängter Dateien aus Ihrem System. Bitte beachten Sie, dass die Weitergabe, Kopie und sonstige unautorisierte Nutzung der E-Mail und etwa angehängter Dateien verboten sind. Vielen Dank.
This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify presse@conet.de and delete this e-mail including attachments from your system. Please note that any unauthorized review, copying, disclosing or other use whatsoever are prohibited. Thank you.
Leusmann, Philipp wrote:
Rob,
I finally found out what's wrong: the local files for crt and key already existed during my tests. Obviously they are not being overwritten when stopping monitoring of an old request for the certificate and requesting a new one. As a result, the post-save command is not triggered. When I delete at least the certificate, everything works as expected.
I think that’s odd behavior. Is that on purpose?
If certmonger finds a cert that matches the request it does a start-tracking on it rather than requesting a new cert.
What about an expiry situation: Will the files be overwritten when the certificate is close to expiry?
The cert will, yes.
How can I test the expiry situation? Is it possible to request a certificate with very limited validity by using client arguments only? Or will I need to edit the server ca profile?
Either edit the CA profile or use date to move time a couple of years forward.
rob
Thanks for your great help!
Cheers, Philipp
On 5/8/20 4:00 PM, Leusmann, Philipp via FreeIPA-users wrote:
Thanks for testing; here the same thing doesn't work. I am using certmonger-0.78.4-12.el7.x86_64 on CentOS 7.
post-save command is shown in the list of monitored certificates. Invoking manually works properly.
Any further idea on how to debug this?
Have you checked for SELinux denials?