Rob,
What command? The command should be a script or simple command. No pipes or redirects.
I issue ipa-getcert request -I artifactory2 -f server.crt -k fullchain.key -C 'cat server.crt /etc/ipa/ca.crt > fullchain.crt'
I also tried calling a bash-script instead of the -C argument. Doesn’t help
> I cannot find a way how to find out the reason.
> Are there any prerequisites for the commands? I understand certmonger offers debug
> options. But I have no idea how and where certmonger is started. I also do not understand
> possible argument values for the DEBUG.
>
> Any help is appreciated.
For the daemon itself you can control output in
/etc/sysconfig/certmonger by setting OPTS=-d<int>. 2 or 3 should do it.
Even with -d5 I see a lot of debugging output but no hint whatsoever on trying to invoke
the post-save command.
— snip —
[…]
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'NEWLY_ADDED_START_READING_CERT'
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') now.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'NEWLY_ADDED_READING_CERT'
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') on traffic from 11.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Dequeuing FD 7 for Read for 0x5569f1232870:0x5569f12373b0.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Handling D-Bus traffic (Read) on FD 7 for 0x5569f1232870.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] message 0x5569f1232870(method_return)->87->55
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] message 0x5569f1232870(method_return)->88->56
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] User ID 0 PID 9887 called /org/fedorahosted/certmonger/requests/Request4:org.fedorahosted.certmonger.request.get_nickname.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Queuing FD 7 for Read for 0x5569f1232870:0x5569f1248610.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9891] Read value "0" from "/proc/sys/crypto/fips_enabled".
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9891] Not attempting to set NSS FIPS mode.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'NEWLY_ADDED_DECIDING'
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') now.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') releasing writing lock
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') has a certificate, monitoring it
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Request4('artifactory2') moved to state 'MONITORING'
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') now.
May 8 21:51:29 artifactory-test certmonger: 2020-05-08 21:51:29 [9835] Will revisit Request4('artifactory2') in 86400 seconds.
— snip —
The helpers have their own debugging but it's tricky. Your best bet is
to shut down certmonger and modify the CA that is issuing the cert (in
/var/log/certmonger/cas/*). Add -v (or several) to the end of the submit
helper to get more output, then restart certmonger.
Doesn’t add anything to the logging output seen.
Any further ideas?
Regards,
Philipp
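
Since the post-save command cannot contain pipes or redirects (Rob's point quoted above), the concatenation has to live inside a script. The following is an added example, not part of the original message and not certmonger or FreeIPA code: a wrapper that builds the chain atomically and logs every run to syslog, so its invocation (or absence) shows up next to certmonger's own messages. The function names, the `fullchain-postsave` syslog tag and the three-argument calling convention are assumptions.

```shell
#!/bin/sh
# Added example: post-save wrapper for the -C option (hypothetical script).
# Usage (assumed): <script> LEAF_CERT CA_CERT OUTPUT_CHAIN, all absolute paths.

# build_fullchain LEAF CA OUT: concatenate leaf + CA into OUT atomically.
build_fullchain() {
    leaf=$1 ca=$2 out=$3
    for f in "$leaf" "$ca"; do
        # Refuse missing or non-PEM inputs rather than publish a broken chain.
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            echo "build_fullchain: $f is missing or not a PEM certificate" >&2
            return 1
        fi
    done
    # Temp file in the target directory so the final mv is an atomic rename
    # and a consuming service never reads a half-written chain.
    tmp=$(mktemp "$(dirname "$out")/.fullchain.XXXXXX") || return 1
    if cat "$leaf" "$ca" > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Entry point when run as the post-save command: record the outcome in syslog.
main() {
    if build_fullchain "$@"; then
        logger -t fullchain-postsave "wrote $3"
    else
        logger -t fullchain-postsave "FAILED to write $3"
        return 1
    fi
}

# Only act when called with the three expected arguments.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```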