hi,
I am testing smartcard authentication with a yubikey neo like described in https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-log...
I successfully generated a key using the yubico-piv-tool, and with that a csr.
yubico-piv-tool -a verify-pin -a request-certificate -s 9e -S "/CN=user50/"
Enter PIN:
Successfully verified PIN.
-----BEGIN CERTIFICATE REQUEST-----
MIICVjCCAT4CAQAwETEPMA0GA1UEAwwGdXNlcjUwMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAkWjUxl0qInlYB4TiZ7GkJkgBdomTTzk5GfK76ZizbsGV
4xyPmUgf+7eEO3GEvkGiBPJxk0NVJuamuEJTIXtn7h7Wgz6ghCE0uCCupjAJqa57
Hdm3h3GvofwWuE442YIRHvXydaSkrCAGsL/M3g4tVi7Xn+jTaWrzKsAeqJxQVRPD
h4R9bN4BIzXL+62qGI9jriM8dJEWCrGFzg6viCujRlybkhQhiLxCGvS8lO3HQ7tF
lDRZN6Ey/nvFxIC1MtGZgrN3nj/Z37nIBWF4s20CcJau8mfalJQEFjqLkjMh7X8K
hWKrSdNj43nBTlO0So3qezs4roLkZFSN1hQnCG/pCQIDAQABoAAwDQYJKoZIhvcN
AQELBQADggEBAH22PLW7Tuc6y5VxIpnaqdsborbp+Twr/kPoDnibJPjV8JBYqC4G
iQCHDJn+uuJSpiBxTUtYX45CscOiwD8kiDoYIH/DCXUqPAhRudsBpJWDn9TKeFC5
b0PrwuN5cDo+yKYZW590eLL8/xdjtb9p/M3AU5tSJTbG3dCA5Rp4MdgE97pOYkPg
3kUHR19YjH/GnZHeuv8Af+WIJVMvDVGKF+MvJEImSjg/ZQUV6hzBI+oAWr9Hj21q
KABjiO5AhMyo+uC6WXajkltzUP30cbBlNl0Z34Dw452Ym5uILWAF+ZmlT0sp0Mg4
lwNPSwst5mhUtQL7AmNHYHg7cAAgXx9Xql0=
-----END CERTIFICATE REQUEST-----
Successfully generated a certificate request.
With this csr I try generating a certificate but it fails:
$ ipa cert-request user50.csr --principal user50 --raw
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Invalid Request
In the pki logs I only see this error.
192.168.5.10 - ipara [08/Nov/2018:22:37:12 +0100] "GET /ca/rest/authorities/edb13864-3c75-4c7d-b5b8-dd4322789437/cert HTTP/1.1" 200 920
192.168.5.10 - ipara [08/Nov/2018:22:37:12 +0100] "GET /ca/rest/account/logout HTTP/1.1" 204 -
192.168.5.10 - - [08/Nov/2018:22:37:13 +0100] "POST /ca/rest/certrequests?issuer-id=edb13864-3c75-4c7d-b5b8-dd4322789437 HTTP/1.1" 500 123
Any ideas as to what is going wrong?
Thanks!
--
Groeten,
natxo
Natxo Asenjo via FreeIPA-users wrote:
> $ ipa cert-request user50.csr --principal user50 --raw
> ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Invalid Request
> Any ideas as to what is going wrong?
You need to specify a profile for it since it is a user certificate.
When I played with this over the summer I started with https://frasertweedale.github.io/blog-redhat/posts/2016-07-25-freeipa-subcas...
rob
On Thu, Nov 08, 2018 at 05:16:53PM -0500, Rob Crittenden via FreeIPA-users wrote:
> Natxo Asenjo via FreeIPA-users wrote:
>> $ ipa cert-request user50.csr --principal user50 --raw
>> ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Invalid Request
>> Any ideas as to what is going wrong?
> You need to specify a profile for it since it is a user certificate.
> When I played with this over the summer I started with https://frasertweedale.github.io/blog-redhat/posts/2016-07-25-freeipa-subcas...
Nevertheless, the Dogtag CA should not be returning status 500.
Natxo, could you please provide the Dogtag debug log from /var/log/pki/pki-tomcat/ca/debug and, if there is any traceback in the journal at the time of this error, please give details of that too (`journalctl -u pki-tomcatd@pki-tomcat`).
Thanks, Fraser
On Thu, Nov 8, 2018 at 11:32 PM Fraser Tweedale ftweedal@redhat.com wrote:
> Natxo, could you please provide the Dogtag debug log from /var/log/pki/pki-tomcat/ca/debug and, if there is any traceback in the journal at the time of this error, please give details of that too (`journalctl -u pki-tomcatd@pki-tomcat`).
aha, I see an error now in the debug log:
[08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile: createRequests: begins
[08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: Start parsePKCS10(): -----BEGIN CERTIFICATE REQUEST----- [CSR body omitted; identical to the request shown above] -----END CERTIFICATE REQUEST-----
[08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile: parsePKCS10: signature verification enabled
[08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile: parsePKCS10 setting thread token
[08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile: Unable to parse PKCS #10 request: java.security.SignatureException: PKCS10: PKCS10: Request Subject: CN=user50: Invalid PKCS #10 signature
java.security.SignatureException: PKCS10: PKCS10: Request Subject: CN=user50: Invalid PKCS #10 signature
the journalctl output:
Nov 08 22:37:13 kdc1.unix.asenjo.nl server[10677]: PKCS10: PKCS10: Request Subject: CN=user50: sig.verify() failed
Nov 08 23:40:01 kdc1.unix.asenjo.nl server[10677]: Creating session 23596D3C3AFFCDE19F5B386C288E8290
Nov 08 23:40:01 kdc1.unix.asenjo.nl server[10677]: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Registration Manager Agents,)]
Nov 08 23:40:01 kdc1.unix.asenjo.nl server[10677]: Destroying session 5E49B1956B6902F7DFD52236F5A1A783
> Thanks,
> Fraser
On Fri, Nov 09, 2018 at 07:42:36AM +0100, Natxo Asenjo via FreeIPA-users wrote:
> On Thu, Nov 8, 2018 at 11:32 PM Fraser Tweedale ftweedal@redhat.com wrote:
>> Natxo, could you please provide the Dogtag debug log from /var/log/pki/pki-tomcat/ca/debug and, if there is any traceback in the journal at the time of this error, please give details of that too (`journalctl -u pki-tomcatd@pki-tomcat`).
> aha, I see an error now in the debug log:
> [08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile: parsePKCS10: signature verification enabled
> [08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile: parsePKCS10 setting thread token
> [08/Nov/2018:22:15:55][ajp-bio-127.0.0.1-8009-exec-1]: EnrollProfile: Unable to parse PKCS #10 request: java.security.SignatureException: PKCS10: PKCS10: Request Subject: CN=user50: Invalid PKCS #10 signature
> java.security.SignatureException: PKCS10: PKCS10: Request Subject: CN=user50: Invalid PKCS #10 signature
Hi Natxo,
The CSR's signature is indeed invalid. Were you able to solve the issue in the meantime?
I'll have a look to see how we could produce better feedback in this scenario, although it is quite rare to encounter a CSR with bad signature.
Cheers, Fraser
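Fraser's diagnosis is that Dogtag's parsePKCS10 rejected the request because its self-signature did not verify, and the only visible symptom was an HTTP 500. The script below is an added example, not code from this thread or from the FreeIPA/Dogtag projects: it runs the same PKCS#10 self-signature check locally with openssl before a CSR is handed to `ipa cert-request`, on a CSR constructed here for CN=user50 and on a deliberately tampered copy. It assumes openssl is in PATH; the key, CSR and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag: run the same
# PKCS#10 self-signature check that Dogtag's EnrollProfile.parsePKCS10 performs,
# but locally with openssl, before handing a smartcard CSR to `ipa cert-request`.
# Assumes openssl is in PATH; the key, CSR and file names are constructed here.

WORK=${WORK:-$(mktemp -d)}

# Build a throwaway RSA key and a CSR for CN=user50 (the subject from the
# thread). This one is signed correctly by construction.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user50" \
        -keyout "$WORK/user50.key" -out "$WORK/user50.csr" >/dev/null 2>&1
}

# Print "signature OK" or "signature INVALID" for a PEM CSR. The message is
# grepped rather than trusting the exit code: OpenSSL 1.1.1 exits 0 even when
# the self-signature fails, OpenSSL 3.x exits 1, but both print "verify OK"
# only when the signature matches the public key embedded in the request.
csr_status() {
    if openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "signature OK"
    else
        echo "signature INVALID"
    fi
}

# Produce a CSR whose body is intact but whose signature no longer matches:
# decode to DER, invert the final byte (the tail of the signature BIT STRING,
# the last element of a CertificationRequest), then re-encode as PEM.
corrupt_csr() {
    openssl req -in "$1" -outform DER -out "$WORK/tmp.der" 2>/dev/null || return 1
    size=$(wc -c < "$WORK/tmp.der" | tr -d ' ')
    last=$(tail -c 1 "$WORK/tmp.der" | od -An -tu1 | tr -d ' ')
    head -c $((size - 1)) "$WORK/tmp.der" > "$WORK/bad.der"
    printf "\\$(printf '%03o' $((last ^ 255)))" >> "$WORK/bad.der"
    openssl req -in "$WORK/bad.der" -inform DER -out "$2" 2>/dev/null
}

# Stand-alone run: the good CSR passes; the tampered copy is the situation the
# CA logged as "Invalid PKCS #10 signature" and surfaced as an HTTP 500.
make_csr
corrupt_csr "$WORK/user50.csr" "$WORK/user50-bad.csr"
echo "user50.csr:     $(csr_status "$WORK/user50.csr")"
echo "user50-bad.csr: $(csr_status "$WORK/user50-bad.csr")"
```

To check the request from the start of the thread, save its PEM as user50.csr and call `csr_status user50.csr`; a CSR that passes this check still needs a suitable profile on the `ipa cert-request` side, as Rob pointed out.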
hi Fraser,
On Mon, Dec 3, 2018 at 1:14 AM Fraser Tweedale ftweedal@redhat.com wrote:
> Hi Natxo,
> The CSR's signature is indeed invalid. Were you able to solve the issue in the meantime?
yes, I generated a csr locally and saved it in the yubikey. If you do that, everything works great.
> I'll have a look to see how we could produce better feedback in this
> scenario, although it is quite rare to encounter a CSR with bad signature.
Thanks for that.
I must confess I'm really pleased with how well yubikeys work with fedora as smartcards.
--
Regards,
natxo
freeipa-users@lists.fedorahosted.org