On Thu, Sep 05, 2019 at 09:07:48PM -0000, Ben Rawson via FreeIPA-users wrote:
I'm having some trouble getting sub-ca signed certificates issued
and managed by certmonger. The implementation here
[https://www.freeipa.org/page/V4/Sub-CAs] describes how that should work. I see that the
-X option can be passed to ipa-getcert to specify the issuer, but every time I create a
request with -X specified I get an error.
Steps to reproduce:
1. Create a new CA named "Test" through the FreeIPA web UI.
2. Run the following on a host enrolled in freeIPA:
ipa-getcert request -k /root/test.key -f /root/test.crt -I "testrequest" -X "Test"
3. Run ipa-getcert list and receive an error message:
Request ID 'test':
status: CA_REJECTED
ca-error: Server at https://ipa02.yyy.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500.).
stuck: yes
key pair storage: type=FILE,location='/root/test.key'
certificate: type=FILE,location='/root/test.crt'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Running FreeIPA 4.6.4
Hi Ben,
Have a look at the Dogtag debug log under
/var/log/pki/pki-tomcat/ca/, and also the system journal, on host
ipa02.yyy.com. You should see something related to the error above.
What is your topology like? Do you have multiple CA replicas? Are
the sub-CA signing keys present on ipa02, in the Dogtag NSSDB?
# certutil -d /etc/pki/pki-tomcat/alias -L
Cheers,
Fraser
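As an added example (not part of this thread and not FreeIPA or Dogtag code), the following POSIX shell snippet turns the certutil listing Fraser suggests into a per-replica check: given the output of `certutil -d /etc/pki/pki-tomcat/alias -L` and a sub-CA authority id, it reports whether the sub-CA signing certificate is listed and whether the NSSDB also holds its private key. Two assumptions are made: that FreeIPA stores lightweight sub-CA signing certs under the nickname `caSigningCert cert-pki-ca <authority-id>`, and that a `u` in certutil's trust flags means the database holds the matching private key. The listings below are constructed samples, not output from the poster's servers.

```sh
#!/bin/sh
# Added example: classify a Dogtag NSSDB listing for one sub-CA.
# Assumption: sub-CA nickname is "caSigningCert cert-pki-ca <authority-id>".
# Assumption: a "u" trust flag marks a cert whose private key is in the DB.

# Constructed sample: replica that holds both the sub-CA cert and its key.
SAMPLE_WITH_KEY='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca 2b4c3e1a-0000-4000-8000-000000000001 u,u,u'

# Constructed sample: replica that has the sub-CA cert but no private key
# (the case Fraser is probing for: signing would fail on this host).
SAMPLE_NO_KEY='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca 2b4c3e1a-0000-4000-8000-000000000001 CT,C,C'

# subca_key_status LISTING AUTHORITY_ID
# Prints one of: key-present (exit 0), cert-only (exit 1), missing (exit 2).
subca_key_status() {
    listing=$1
    authority_id=$2
    nick="caSigningCert cert-pki-ca $authority_id"

    # Exact (fixed-string) match on the nickname; "|| true" keeps a
    # no-match from aborting a caller that runs under "set -e".
    line=$(printf '%s\n' "$listing" | grep -F -- "$nick" || true)
    if [ -z "$line" ]; then
        echo missing
        return 2
    fi

    # Trust attributes are the last whitespace-separated field.
    flags=$(printf '%s\n' "$line" | awk '{print $NF}')
    case "$flags" in
        *u*) echo key-present; return 0 ;;
        *)   echo cert-only;   return 1 ;;
    esac
}

# Stand-alone demo over the constructed samples.
for sample in "$SAMPLE_WITH_KEY" "$SAMPLE_NO_KEY"; do
    subca_key_status "$sample" 2b4c3e1a-0000-4000-8000-000000000001 || true
done
subca_key_status "$SAMPLE_NO_KEY" deadbeef-0000-4000-8000-000000000002 || true
```

On a real deployment the listing argument would be the captured output of `certutil -d /etc/pki/pki-tomcat/alias -L` run on each CA replica, and the authority id the one shown for the sub-CA by `ipa ca-show`; a replica that answers `cert-only` or `missing` for a sub-CA it is asked to sign with is exactly the kind of mismatch that surfaces as an opaque 500 from the CA REST API.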