-
Title
Certificate Autoenrollment failures from vascert on Linux. ClientCertEnrollment Process exited with an error (Exit value: 1) -
Description
Trying to implement Certificate Autoenrollment on Linux using the vascert utility. The vascert server add command works fine and the vascert server list correctly shows our certificate authority. But, it doesn't pickup our policy and vascert pulse command produces this error: vascert: One Identity Certificate Autoenrollment version 1.1.0.750 Copyright 2017 Quest Software Inc. ALL RIGHTS RESERVED. Processing enrollment policy: ClientCertEnrollment Process exited with an error (Exit value: 1), command was: [/var/opt/quest/vascert/script/certstore.sh, export-machine-certs, /tmp/vascert86*.
-
Resolution
In order for vascert to work on Linux you need to modify some scripts and input information from your environment.
The following script needs to contain where the enrolled certs, CAs, etc are located: /var/opt/quest/vascert/script/certstore-DEV.shvascert calls into this script: /var/opt/quest/vascert/script/certstore.sh specifically it calls the export-machine-certs function in certstore.sh. Certstore.sh calls the exportMachineCerts function in certstore-DEV.sh. This error shows up because the exportMachineCerts function returns 1 by default, which causes vascert to error out. That function, be default, looks like:
exportMachineCerts(){# echo "=== MOCK exportMachineCerts'()', returning nothing ==="# exit 0echo "=== UNIMPLEMENTED exportMachineCerts'()' ==="exit 1}Please do the following:
1 - cp -p certstore-DEV.sh certstore-DEV.original
2 - Edit /var/opt/quest/vascert/script/certstore-Dev.sh and look for the following:exportMachineCerts(){# echo "=== MOCK exportMachineCerts'()', returning nothing ==="# exit 0echo "=== UNIMPLEMENTED exportMachineCerts'()' ==="exit 1}2 - Next uncomment the following two lines:# echo "=== MOCK exportMachineCerts'()', returning nothing ==="# exit 03 - And then comment out the following lines:echo "=== UNIMPLEMENTED exportMachineCerts'()' ==="exit 1}
vascert command information: usage: vascert [common options]Common options:-b Do not display banner text-d Prints additional information according to debug level, higher debug level prints more output-h Display help for a particular command-v Display version (banner text)
Commands:importca Imports trusted root CA certificates based on policy.server Manage local policy server configurationpulse Perform Certificate Autoenrollment processing.configure Allows you to configure Certificate Autoenrollment settings.renew Renews an existing certificate based on a policy template.trigger Triggers machine-based Certificate Autoenrollment policy processing.list Lists all configured policy template namesclean Clears certificate enrollment state information.unconfigure Allows you to un-configure Certificate Autoenrollment settings.info Dumps the contents of a policy template