There is a CSR O=test_org, CN=test from the user test. I need to sign it with a CA in FreeIPA. I do this using the following command:
ipa cert-request test-client.csr --ca=ca-name --certificate-out=signed.crt
After that, IPA prompts me to enter a principal:
Principal: HTTP/test
But I get an error:
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Unable to create enrollment request: Invalid Request.
I have added an alias service:
ipa service-add HTTP/test --force --skip-host-check
But I still get the same error.
How can I sign an ordinary user's CSR?
Edit 1.
Text from logfile /var/log/pki/pki-tomcat/ca/debug.2020-09-23.log
2020-09-23 11:03:18 [Timer-0] INFO: SessionTimer: checking security domain sessions
2020-09-23 11:03:21 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: updating serial numbers
2020-09-23 11:06:01 [ajp-nio-127.0.0.1-8009-exec-8] INFO: Searching for certificates
2020-09-23 11:06:01 [ajp-nio-127.0.0.1-8009-exec-8] INFO: Search filter: (|(x509cert.subject=*CN=*test*))
2020-09-23 11:06:01 [ajp-nio-127.0.0.1-8009-exec-8] INFO: Search results: 0
2020-09-23 11:06:37 [ajp-nio-127.0.0.1-8009-exec-1] INFO: Searching for certificates
2020-09-23 11:06:37 [ajp-nio-127.0.0.1-8009-exec-1] INFO: Search filter: (|(x509cert.subject=*CN=*test*))
2020-09-23 11:06:37 [ajp-nio-127.0.0.1-8009-exec-1] INFO: Search results: 0
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: Authenticating certificate chain:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - CN=IPA RA, O=<REALM>
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: CertUserDBAuthentication: UID ipara authenticated.
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: User ID: ipara
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: UGSubsystem: retrieving user uid=ipara,ou=People,o=ipaca
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: User DN: uid=ipara,ou=people,o=ipaca
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: Roles:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - Certificate Manager Agents
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - Registration Manager Agents
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: AAclAuthz: Granting login permission for certServer.ca.account
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: Creating session DDFF8395C362510FA3DBF577019D6F10
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: Principal:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - ID: ipara
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - Full Name: ipara
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - Email:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - Roles:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - Certificate Manager Agents
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-10] INFO: - Registration Manager Agents
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: Authenticating certificate chain:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: - CN=IPA RA, O=<REALM>
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: CertUserDBAuthentication: UID ipara authenticated.
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: User ID: ipara
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: UGSubsystem: retrieving user uid=ipara,ou=People,o=ipaca
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: User DN: uid=ipara,ou=people,o=ipaca
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: Roles:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: - Certificate Manager Agents
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: - Registration Manager Agents
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: AAclAuthz: Granting logout permission for certServer.ca.account
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-3] INFO: Destroying session 77064A7AFDA57F5A8D80F4A1DA6775FB
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-4] INFO: Receiving certificate request
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-4] WARNING: CertProcessor: No authenticator credentials required
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-4] INFO: AgentCertAuthentication: authenticated uid=ipara,ou=people,o=ipaca
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-4] INFO: EnrollProfile: Parsing PKCS #10 request:
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Unable to parse PKCS #10 request: Only named ECParameters supported
java.io.IOException: Only named ECParameters supported
at sun.security.ec.ECParameters.engineInit(ECParameters.java:150)
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
at org.mozilla.jss.netscape.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:219)
at org.mozilla.jss.netscape.security.x509.AlgorithmId.<init>(AlgorithmId.java:193)
at org.mozilla.jss.netscape.security.x509.AlgorithmId.parse(AlgorithmId.java:151)
at org.mozilla.jss.netscape.security.x509.X509Key.parse(X509Key.java:109)
at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:173)
at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:235)
at com.netscape.cmscore.cert.CertUtils.parsePKCS10(CertUtils.java:249)
at com.netscape.cms.profile.common.EnrollProfile.createRequests(EnrollProfile.java:285)
at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:188)
at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:97)
at org.dogtagpki.server.ca.rest.CertRequestDAO.submitRequest(CertRequestDAO.java:216)
at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:169)
at sun.reflect.GeneratedMethodAccessor99.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at sun.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at sun.reflect.GeneratedMethodAccessor67.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:394)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:764)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1379)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
2020-09-23 11:07:15 [ajp-nio-127.0.0.1-8009-exec-4] SEVERE: Unable to create enrollment request: Invalid Request
Invalid Request
at com.netscape.cmscore.cert.CertUtils.parsePKCS10(CertUtils.java:258)
at com.netscape.cms.profile.common.EnrollProfile.createRequests(EnrollProfile.java:285)
at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:188)
at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:97)
at org.dogtagpki.server.ca.rest.CertRequestDAO.submitRequest(CertRequestDAO.java:216)
at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:169)
at sun.reflect.GeneratedMethodAccessor99.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at sun.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at sun.reflect.GeneratedMethodAccessor67.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:394)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:764)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1379)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: Only named ECParameters supported
at sun.security.ec.ECParameters.engineInit(ECParameters.java:150)
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
at org.mozilla.jss.netscape.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:219)
at org.mozilla.jss.netscape.security.x509.AlgorithmId.<init>(AlgorithmId.java:193)
at org.mozilla.jss.netscape.security.x509.AlgorithmId.parse(AlgorithmId.java:151)
at org.mozilla.jss.netscape.security.x509.X509Key.parse(X509Key.java:109)
at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:173)
at org.mozilla.jss.netscape.security.pkcs.PKCS10.<init>(PKCS10.java:235)
at com.netscape.cmscore.cert.CertUtils.parsePKCS10(CertUtils.java:249)
... 67 more
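
An added check, not part of the original post: the `Only named ECParameters supported` exception in the log above is raised while decoding the public-key AlgorithmIdentifier of the PKCS #10 request, so this Python example reports whether a CSR encodes its EC parameters as a named-curve OID or as an explicit parameter structure. The function names and the two sample requests (unsigned skeletons) are constructed for illustration.

```python
import base64

EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1 (id-ecPublicKey)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):                    # elements inside [start, end)
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def ec_param_encoding(csr):
    """Classify the EC parameter CHOICE of a PKCS #10 request (PEM or DER):
    OID = named curve, SEQUENCE = explicit parameters, NULL = implicit."""
    if b"-----BEGIN" in csr:                      # PEM: drop armor, decode body
        csr = base64.b64decode(b"".join(
            l for l in csr.splitlines() if not l.startswith(b"-----")))
    _, s, e = read_tlv(csr, 0)                    # CertificationRequest
    _, s, e = children(csr, s, e)[0]              # CertificationRequestInfo
    _, s, e = children(csr, s, e)[2]              # version, subject, [SPKI]
    _, s, e = children(csr, s, e)[0]              # AlgorithmIdentifier
    alg = children(csr, s, e)
    if csr[alg[0][1]:alg[0][2]] != EC_PUBLIC_KEY:
        return "not-ec"
    if len(alg) < 2:
        return "absent"
    return {0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(alg[1][0], "unknown")

def tlv(tag, value):                              # short-form encoder, samples only
    return bytes([tag, len(value)]) + value

def sample_csr(params):
    """Constructed, unsigned PKCS #10 skeleton; only the key parameters vary."""
    spki = tlv(0x30, tlv(0x30, tlv(0x06, EC_PUBLIC_KEY) + params)
               + tlv(0x03, b"\x00\x04" + b"\x01" * 64))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    return tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))

NAMED = sample_csr(tlv(0x06, bytes.fromhex("2a8648ce3d030107")))   # prime256v1 OID
EXPLICIT = sample_csr(tlv(0x30, tlv(0x02, b"\x01")))               # starts ECParameters SEQUENCE
```

Calling `ec_param_encoding(open("test-client.csr", "rb").read())` on the request from the post shows which form it uses; a result of `explicit` matches the exception in the log.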