Hi Rob,

I've created the associated ticket at https://pagure.io/certmonger/issue/93

On Thu, Feb 1, 2018 at 10:41 AM, Rob Crittenden <rcritten@redhat.com> wrote:
Trevor Vaughan via FreeIPA-users wrote:
> As an update, the sscep application set works properly with the sub-CA
> so it's definitely an issue on the certmonger side of things.
>
> sscep in AES mode throws an exception in Dogtag and, unfortunately,
> sscep also doesn't support above SHA1.
>
> That said, it's at least reasonable isolation of the issue at hand.
>
> It looks like the sscep code may be able to be lifted directly into the
> certmonger stack if the licenses are compatible without too much issue.

I think your best bet is to open an issue at
https://pagure.io/certmonger with as much detail as possible to
reproduce this.

rob

>
> Thanks,
>
> Trevor
>
> On Wed, Jan 31, 2018 at 2:27 PM, Trevor Vaughan <tvaughan@onyxpoint.com> wrote:
>
>     Hi Rob,
>
>     Thanks for getting back to me, I have no idea how I missed this message.
>
>     I dug through the CA and KRA debug logs and don't see any PKCS7
>     output anywhere.
>
>     I've been running certmonger in debug mode connected to the
>     foreground and haven't really gotten anywhere there either.
>
>     I did determine that the spot where things are failing is at
>     https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065 but I
>     haven't been able to figure out how to print what is being received
>     from the server.
>
>     Running the 'scep-submit' command by hand with -C works as expected
>     (of course Dogtag doesn't respond with server capabilities so it
>     downgrades itself into insanity but that doesn't seem to be the
>     issue). I also checked to see that the certmonger configuration is
>     correct in the ~/.config/certmonger space and the entire certificate
>     chain appears to be present as expected.
>
>     Thanks,
>
>     Trevor
>
>     On Tue, Jan 30, 2018 at 10:38 AM, Rob Crittenden <rcritten@redhat.com> wrote:
>
>         Trevor Vaughan via FreeIPA-users wrote:
>         > Hi All,
>         >
>         > I have a setup where I have a root CA and a sub CA and the sub CA is set
>         > up with a KRA and SCEP enabled.
>         >
>         > I've fired up certmonger and added the SCEP CA.
>         >
>         > When I attempt to request a certificate, the enrollment completes
>         > successfully per the Dogtag side of the equation but the response from
>         > the server cannot be decrypted by the client and I get the following
>         > error in the certmonger debug log:
>         >
>         > 2018-01-29 23:56:43 [5396] Child output: "Error: failed to verify signature on server response."
>         > 2018-01-29 23:56:43 [5396] Error: failed to verify signature on server response.
>         >
>         > The following commands were used for server addition and certificate
>         > registration.
>         >
>         > getcert add-scep-ca -c Site_CA -u https://ca.int.localdomain:8443/ca/cgi-bin/pkiclient.exe -R /etc/pki/site-pki.pem
>         >
>         > getcert request -c Site_CA -k /etc/pki/my_cert.pem -f /etc/pki/my_cert.pub -I Host_Cert -R -w -L password
>         >
>         > Looking at the certmonger code, it looks like it is completely skipping
>         > all of the case statements and simply dropping down to the 'goto:'
>         > https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_889
>         >
>         > I've tried recompiling certmonger with some debug statements but I
>         > haven't managed to suss out what's going on. If someone could tell me
>         > how to print the actual response from the server, it would be
>         > appreciated.
>         >
>         > It certainly feels like the SCEP support has taken a back seat to the
>         > CMC features but the CMC features just aren't ready to replace SCEP at
>         > this time and, of course, can't support a lot of hardware requirements.
>
>         A couple of things to try:
>
>         - look in the dogtag debug log (/var/log/pki-tomcat/somewhere). It may
>         have the raw PKCS#7 data to poke at
>         - stop the certmonger service and start it in a terminal with
>         certmonger -d 9 -n 2>&1 | tee /path/to/some/log and then redo the request.
>         Again, you may be able to get some data out of it.
>
>         I haven't tried SCEP with a subCA. It could be there is some
>         disagreement about who is actually signing the response.
>
>         rob
>
>
>
>
>     --
>     Trevor Vaughan
>     Vice President, Onyx Point, Inc
>     (410) 541-6699 x788
>
>     -- This account not approved for unencrypted proprietary information --
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>




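Added example, not code from certmonger, Dogtag, or anyone in this thread: a stdlib-only Python inspector for the question Rob raises above, namely who actually signed the CMS SignedData (PKCS#7) response and whether that certificate is carried in the message and was issued by something in the chain handed to certmonger. Everything it parses is constructed inside the block with a tiny DER encoder; the certificates have dummy keys and signatures, and the names "Root CA", "Site Sub CA" and "SCEP RA" and the serial numbers are hypothetical. It identifies the signer, it does not verify the signature, so it is a first look at a captured response, not a substitute for the verifier.

```python
"""Added example (stdlib only): who signed a CMS SignedData response, is that cert carried
in the message, and was it issued by something in the chain we trust? Constructed data."""
SIGNED_DATA_OID = "1.2.840.113549.1.7.2"
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}

# Minimal DER encoder, used only to build the constructed sample data below.
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")           # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        enc = bytearray([a & 0x7F])
        while a > 0x7F:                                          # base-128, high bit = continue
            a >>= 7
            enc.insert(0, 0x80 | (a & 0x7F))
        body += enc
    return tlv(0x06, bytes(body))

def seq(*p): return tlv(0x30, b"".join(p))
def setof(*p): return tlv(0x31, b"".join(p))
def integer(v): return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def name(cn): return seq(setof(seq(oid("2.5.4.3"), tlv(0x0C, cn.encode()))))

def fake_cert(subject, issuer, serial):                          # dummy key and signature (constructed)
    alg = seq(oid("1.2.840.113549.1.1.11"))                     # sha256WithRSAEncryption
    validity = seq(tlv(0x17, b"180101000000Z"), tlv(0x17, b"280101000000Z"))
    spki = seq(seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")), tlv(0x03, b"\x00\x00"))
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), alg, name(issuer), validity, name(subject), spki)
    return seq(tbs, alg, tlv(0x03, b"\x00" * 9))

def fake_signed_data(signer_issuer, signer_serial, certs):       # one SignerInfo, issuerAndSerialNumber
    sha256 = seq(oid("2.16.840.1.101.3.4.2.1"))
    si = seq(integer(1), seq(name(signer_issuer), integer(signer_serial)), sha256,
             seq(oid("1.2.840.113549.1.1.1")), tlv(0x04, b"\x00" * 8))
    sd = seq(integer(1), setof(sha256), seq(oid("1.2.840.113549.1.7.1")),
             tlv(0xA0, b"".join(certs)), setof(si))             # [0] IMPLICIT certificates
    return seq(oid(SIGNED_DATA_OID), tlv(0xA0, sd))             # ContentInfo, [0] EXPLICIT content

def der_children(buf):                                           # DER content -> [(tag, body)], long lengths ok
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def oid_str(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def name_str(body):                                              # CN=..,O=..; unknown types stay dotted OIDs
    parts = []
    for _, rdn in der_children(body):
        for _, atv in der_children(rdn):
            (_, t), (_, v) = der_children(atv)
            parts.append(f"{ATTR_NAMES.get(oid_str(t), oid_str(t))}={v.decode('utf-8', 'replace')}")
    return ",".join(parts)

def parse_cert(body):                                            # body: content of a Certificate SEQUENCE
    fields = der_children(der_children(body)[0][1])              # tbsCertificate
    if fields[0][0] == 0xA0:                                     # skip EXPLICIT [0] version
        fields = fields[1:]
    (_, serial), _alg, (_, issuer), _validity, (_, subject) = fields[:5]
    return {"subject": name_str(subject), "issuer": name_str(issuer),
            "serial": int.from_bytes(serial, "big")}

def diagnose(response_der, trusted_chain_der):                   # what a verifier settles before any crypto
    (_, ct), (_, explicit) = der_children(der_children(response_der)[0][1])
    if oid_str(ct) != SIGNED_DATA_OID:
        raise ValueError("not CMS SignedData: " + oid_str(ct))
    certs, signers = [], []
    for tag, body in der_children(der_children(explicit)[0][1])[3:]:  # after version, digestAlgs, eContent
        if tag == 0xA0:
            certs = [parse_cert(c) for _, c in der_children(body)]
        elif tag == 0x31:
            signers = der_children(body)
    _, (sid_tag, sid) = der_children(signers[0][1])[:2]
    if sid_tag != 0x30:
        raise ValueError("signer uses subjectKeyIdentifier, not issuerAndSerialNumber")
    (_, issuer), (_, serial) = der_children(sid)
    signer = {"issuer": name_str(issuer), "serial": int.from_bytes(serial, "big")}
    trusted = [parse_cert(der_children(c)[0][1]) for c in trusted_chain_der]
    return {"signer": signer,
            "signer_cert_in_response": any(c["issuer"] == signer["issuer"] and c["serial"] == signer["serial"] for c in certs),
            "signer_issuer_in_chain": any(t["subject"] == signer["issuer"] for t in trusted)}

# Constructed scenarios; names and serials are hypothetical.
ROOT = fake_cert("Root CA", "Root CA", 1)
SUB = fake_cert("Site Sub CA", "Root CA", 2)
RA = fake_cert("SCEP RA", "Site Sub CA", 3)
GOOD = fake_signed_data("Root CA", 2, [SUB])          # signed by the sub-CA cert, which is carried
BAD = fake_signed_data("Root CA", 7, [SUB])           # SignerInfo names a cert the message never carries
RA_SIGNED = fake_signed_data("Site Sub CA", 3, [RA])  # signed by an RA cert the sub-CA issued
```

On a real system, diagnose() takes the DER of the captured response body and a list of DER certificates from the chain file given to -R. The third scenario is the sub-CA case from this thread: diagnose(RA_SIGNED, [ROOT]) reports that the signer's issuer is not in the chain, while diagnose(RA_SIGNED, [ROOT, SUB]) reports that it is. The two ValueErrors are deliberate caveats: a response whose outer content type is not signedData, or whose SignerInfo uses a subjectKeyIdentifier instead of issuerAndSerialNumber, needs a different check than the one shown here.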