Friday, 2018-04-27

<jaosorior> could I get some reviews for this? [11:56]
<jmlowe> alee: Are you around? [17:48]
<alee> jmlowe, hey there [17:49]
<alee> jmlowe, I have a short meeting in about 10 minutes, but should be free for awhile after that [17:50]
<jmlowe> ok, I think I may have finally gotten a working dogtag but now trying to store a secret "MissingArgumentError: Must supply non-None value argument for SecretStoreMetadatum entry" [17:50]
<jmlowe> I feel like you had a quick one line deletion for this [17:50]
<alee> yup - let me find that commit [17:50]
<jmlowe> hmm, looks like I have that [17:58]
<alee> jmlowe, can you paste the stacktrace? [17:59]
<alee> jmlowe, when you store the secret, try to tail the kra debug log to make sure the request is actually getting there [17:59]
<alee> jmlowe, tail -f /var/log/pki/pki-tomcat/kra/debug [18:00]
<alee> if something is happening then stuff should scroll -- we'll know then if we're at least getting to dogtag [18:01]
<jmlowe> mmm all the verbose java logging I love [18:01]
<jmlowe> "KRAService serviceRequest EBaseException:Can't decrypt passphrase." [18:02]
<jmlowe> ok, so back to debugging dogtag/kra [18:02]
<alee> jmlowe, ok meeting over -- progress though - we know it's going to dogtag [18:11]
<alee> jmlowe, can you try an order? ie. try to generate a key [18:12]
<jmlowe> I finally gave up on trying to run dogtag in a container [18:12]
<alee> jmlowe, ah - so it's on a different machine somewhere? [18:12]
<jmlowe> same node I was trying to run the container on, I'll just deal with it being messy [18:13]
<alee> jmlowe, I'll have to try it again soon against the latest ipa containers [18:13]
<jmlowe> different than barbican node though [18:13]
<alee> jmlowe, can you paste the dogtag stacktrace? [18:14]
<alee> jmlowe, I assume you're using nss db? what version of dogtag? [18:15]
<alee> and on what os? centos? fedora? [18:15]
<jmlowe> centos 7 [18:16]
<alee> jmlowe, which version -- rpm -q pki-ca [18:16]
<alee> jmlowe, ok - on your barbican node, you have an nss db in /etc/barbican/alias I suspect .. [18:18]
<alee> so what certs are in there -- that is certutil -L -d /etc/barbican/alias [18:18]
<jmlowe> certutil -L -d /etc/barbican/alias [18:19]
<jmlowe> Certificate Nickname                                         Trust Attributes [18:19]
<jmlowe>                                                              SSL,S/MIME,JAR/XPI [18:19]
<jmlowe> KRA transport cert                                           ,, [18:19]
<jmlowe> well that didn't paste well [18:19]
<alee> np -- was looking to see if the transport cert was there -- you can do certutil -L -d /etc/barbican/alias -n "KRA transport cert" [18:20]
<alee> and compare what's there to the actual transport cert in the kra [18:21]
<alee> jmlowe, so in the kra, you should have a certdb at /etc/pki/pki-tomcat/alias [18:21]
<alee> jmlowe, wait - that's the admin cert [18:22]
<jmlowe> so delete that [18:22]
<jmlowe> it should be grabbing the right cert on startup? [18:23]
<alee> maybe .. I recall adding code to do that .. [18:24]
<alee> jmlowe, we can also install it manually to be sure [18:24]
<jmlowe>         Subject: "CN=DRM Transport Certificate,OU=pki-tomcat,O=JETSTREAM" [18:24]
<jmlowe> there we go [18:24]
<alee> ok - much better [18:24]
<jmlowe> HA! success! [18:25]
<jmlowe> Thank you! Going to Vancouver? [18:25]
<alee> I am yes [18:25]
<alee> you too? [18:25]
<jmlowe> I owe you some sort of beverage [18:26]
<jmlowe> I am [18:26]
<alee> excellent -- I'll be giving the project update/onboarding -- so please drop by if you don't see me otherwise [18:26]
<jmlowe> Will do [18:26]
<alee> jmlowe, you might want to add some code I recently added to make the interaction with dogtag more robust .. [18:27]
<alee> jmlowe, added retries in case of a connection issue [18:28]
<alee> jmlowe, let me know if you run into any other issues [18:29]
