When the CA helper 'dogtag-ipa-renew-agent-submit' is called with the --agent-submit parameter, the default ee url is http://host:8080/ca/ee/ca and the authentication of the agent fails.
This happens because the code is using eeurl?profileSubmitSSLClient (=http://host:8080/ca/ee/ca?profileSubmitSSLClient) for SUBMIT operation with agent, whereas the connection should be authenticated through SSL. This is inconsistent as the eeurl should be https instead of http.
As a result, the submit operation is run without certificate authentication and fails.
Workaround: specify the eeurl using --ee-url https://host:8443/ca/ee/ca when --agent-submit is used.
Metadata Update from @frenaud:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
to comment on this ticket.