Certmonger is split into 3 parts:
- getcert or comparable helper app which the user calls to make requests. The request is put on dbus and sent to
- The certmonger binary. This reads the request off of dbus and makes a call to
- The helper application which makes calls to the remote service.
Debugging this process is much easier if you run the certmonger service from the command line and tell it to log debugging output. Make sure no certmonger-session processes are running:
killall certmonger-session
Then explicitly start the certmonger session binary in non-daemon mode with debugging.
/usr/libexec/certmonger/certmonger-session -n -d 15
I chose 15 as a “very high number” for debugging. It worked for me.
Make sure that the dbus setup for certmonger has been set as an env var:
$ echo $DBUS_SESSION_BUS_ADDRESS
unix:abstract=/tmp/dbus-bNCrVqqfu5,guid=36fe37806871d8469a484e91573145db
Then make a request in a separate terminal like:
getcert list -s
And you should see logging from certmonger-session:
2016-05-10 16:59:02 [21970] Dequeuing FD 8 for Read for 0x55c4635aba90:0x55c4635af070.
2016-05-10 16:59:02 [21970] Handling D-Bus traffic (Read) on FD 8 for 0x55c4635aba90.
2016-05-10 16:59:02 [21970] message 0x55c4635aba90(method_call)->org.fedorahosted.certmonger:/org/fedorahosted/certmonger:org.fedorahosted.certmonger.get_requests
2016-05-10 16:59:02 [21970] Pending GetConnectionUnixUser serial 105
2016-05-10 16:59:02 [21970] Pending GetConnectionUnixProcessID serial 106
...
And lots more.
To add a request:
getcert request -n remote -c remote -s -d ~/certs/ -N "uid=ayoung,cn=users,cn=accounts,dc=openstack,dc=freeipa,dc=org"
And see the output.
2016-05-10 17:00:09 [21970] Request2('20160510210008') moved to state 'HAVE_CSR'
2016-05-10 17:00:09 [21970] Will revisit Request2('20160510210008') now.
2016-05-10 17:00:09 [21970] Request2('20160510210008') moved to state 'NEED_TO_SUBMIT'
2016-05-10 17:00:09 [21970] Will revisit Request2('20160510210008') now.
2016-05-10 17:00:09 [21970] Request2('20160510210008') moved to state 'SUBMITTING'
2016-05-10 17:00:09 [21970] Will revisit Request2('20160510210008') on traffic from 15.
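The "moved to state" lines above are the ones that show where a request stalls, and they are easy to lose among the D-Bus traffic. The filter below is an added example, not part of the original post or of certmonger: the function names certmonger_states and certmonger_last_state are hypothetical, and it assumes the debug output of certmonger-session has been saved to a file or is piped in.

```shell
#!/bin/sh
# Added example (not from certmonger): summarise request state transitions
# found in certmonger-session debug output. Function names are illustrative.

# Sample lines copied from the debug output shown in this post.
sample_log() {
    cat <<'EOF'
2016-05-10 16:59:02 [21970] Pending GetConnectionUnixUser serial 105
2016-05-10 17:00:09 [21970] Request2('20160510210008') moved to state 'HAVE_CSR'
2016-05-10 17:00:09 [21970] Will revisit Request2('20160510210008') now.
2016-05-10 17:00:09 [21970] Request2('20160510210008') moved to state 'NEED_TO_SUBMIT'
2016-05-10 17:00:09 [21970] Will revisit Request2('20160510210008') now.
2016-05-10 17:00:09 [21970] Request2('20160510210008') moved to state 'SUBMITTING'
2016-05-10 17:00:09 [21970] Will revisit Request2('20160510210008') on traffic from 15.
EOF
}

# Read a debug log on stdin; print "<request id>: STATE -> STATE -> ..." for
# each request, in order of first appearance.
certmonger_states() {
    # Split on single quotes: $2 is the request id, $4 the new state.
    awk -F"'" '
    $3 == ") moved to state " {
        if ($2 in path) path[$2] = path[$2] " -> " $4
        else { order[++n] = $2; path[$2] = $4 }
    }
    END { for (i = 1; i <= n; i++) print order[i] ": " path[order[i]] }'
}

# Print the last state logged for request id $1 (log on stdin). The exit
# status is non-zero when the id never appears in a state transition.
certmonger_last_state() {
    awk -F"'" -v id="$1" '
    $3 == ") moved to state " && ($2 "") == (id "") { last = $4 }
    END { if (last == "") exit 1; print last }'
}

# Stand-alone run: summarise the sample; use a captured log file instead.
sample_log | certmonger_states
```
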
Hi Adam,
this was extremely helpful for me to debug why getcert did not work with EJBCA PKI via SCEP. It turned out that it is a bug in scep.c which somebody else had found only some weeks before me. After patching it works now.
Thanks
Peter