Philipp Leusmann via FreeIPA-users wrote: > Hi, > > I need to receive a certificate containing the full CA chain. > Since ipa-getcert doesn't seem to offer a prebuilt option to do so (or does > it?), I was looking at the post-save-command of ipa-getcert to merge the > received certificate and the chain.
There isn't. -F/-a is your only option to receive the chain separately. > Unfortunately the command never gets invoked. What command? The command should be a script or simple command. No pipes or redirects. > I cannot find a way how to find out the reason. > Are there any prerequisites for the commands? I understand certmonger offers > debug options. But I have no idea how and where certmonger is started. I also > do not understand possible argument values for the DEBUG. > > Any help is appreciated. For the daemon itself you can control output in /etc/sysconfig/certmonger by setting OPTS=-d<int>. 2 or 3 should do it. The helpers have their own debugging but it's tricky. Your best bet is to shut down certmonger and modify the CA that is issuing the cert (in /var/log/certmonger/cas/*). Add -v (or several) to the end of the submit helper to get more output, then restart certmonger. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
