#121 dogtag-submit doesn't send nonce on approval request
Opened a year ago by detchen. Modified a year ago

Running on RHEL 8
Name : certmonger
Version : 0.79.6
Release : 5.el8
Arch : x86_64

Name : pki-ca
Version : 10.6.9
Release : 2.module+el8+2728+a4ad6bba

Running dogtag on it's own without IPA the dogtag-submit helper fails to use the nonce value when submitting it's request to approve the certificate. This causes certmonger to go into an endless loop of requesting a renewal for the certificate.

From the access logs for dogtag I can see it request the renewall
"GET /ca/ee/ca/profileSubmitSSLClient?profileId=caServerCert&serial_num=8&renewal=true&xml=true HTTP/1.1" 200 135

Then gets the info about the renewal request
"GET /ca/agent/ca/profileReview?requestId=473&xml=true HTTP/1.1"

Then tries to approve the cert
"GET /ca/agent/ca/profileProcess?requestId=473&xml=true&op=approve&name=CN%3Dserver.test%2CO%3DTest%2CL%3DManchester%2CST%3DEngland%2CC%3DGB&notBefore=2019-07-10+15%3A13%3A22&notAfter=2021-06-29+15%3A13%3A22&authInfoAccessCritical=false&authInfoAccessGeneralNames=Record+%230%0AMethod%3A1. HTTP/1.1"

However the nonce value is not set hence dogtag errors with:
The Certificate System has encountered an unrecoverable error.

Error Message:
com.netscape.certsrv.base.BadRequestException: Missing nonce.

Please contact your local administrator for assistance.

Manually going through the steps with the addition of the nonce works and the certificate renewal is approved.

The worst bit about this is that certmonger continuosly tries to request a renewall of the certificate, I'm assuming this is down to the fact that even though dogtag has errored it still responds with a 200 http code as if nothing was wrong.

I'm confused by your usage of "renewal".

Is this renewing an already issued certificate or the initial issuance?

Yes this is renewing an already issued certificate.

Here's the full break down of how I was using this.
- Manually sign server cert with dogtog with very short duration
- Copy cert to webserver
- Configure certmonger on webserver with dogtog details including auth cert for dogtag so it can approve the renewal
- Tell certmonger to start tracking certificate and renew automatically

It was the last step of the dogtag-submit command that was failing against dogtag as it failed to send the nonce in the request.

So when dogtag-submit gets the info using GET /ca/agent/ca/profileReview?requestId=473&xml=true HTTP/1.1

It doesn't look at the nonce value that was supplied and send it on the GET /ca/agent/ca/profileProcess?requestId=473 request hence dogtag rejects it as it could potentially be a CSRF.

Can you provide the certmonger CA configuration you are using? The full file from /var/lib/certmonger/cas would be preferred but the exact helper at a minimum.

Also can you provide the command-line you're using for the start-tracking?

Does this work if you request the initial cert using getcert request -c <your_ca> ...?

Login to comment on this ticket.