To help you troubleshoot Certificate Autoenrollment, One Identity recommends the following resolutions to some of the common errors, and methods for finding and correcting configuration problems.
As mentioned in the Certificate Autoenrollment on UNIX and Linux section, some important Certificate Autoenrollment commands, such as vascert pulse, will NOT work until the necessary platform-specific functionality has been implemented in certstore-DEV.sh. For more information on modifying certstore-DEV.sh and a simple example script, see the Examples and further explanation for modifying certstore-DEV.sh on Linux and Unix (284711) KB article.
Until the certstore-DEV.sh script is modified, vascert pulse fails with output like the following:
$ vascert pulse
vascert: One Identity Certificate Autoenrollment version 1.1.0.750
Copyright 2017 Quest Software Inc. ALL RIGHTS RESERVED.
Processing enrollment policy: dc1.domain.com
Process exited with an error (Exit value: 1), command was: [/var/opt/quest/vascert/script/certstore.sh, export-machine-certs, /tmp/6353628018779558796pk12, mdzDFXBD7znDYDO8B]
The output shows which script vascert ran and the parameters passed to it. As previously mentioned, on all platforms other than macOS, certstore.sh calls certstore-DEV.sh. In the example above, certstore.sh calls into certstore-DEV.sh's exportMachineCerts function. By default, that function does nothing except exit with status 1, which vascert treats as an error, as shown here:
exportMachineCerts()
{
    echo "=== UNIMPLEMENTED exportMachineCerts'()' ==="
    exit 1
}
See the Examples and further explanation for modifying certstore-DEV.sh on Linux and Unix (284711) KB article for a deeper understanding of that function, its expected parameters, and an example of implementing it. As long as that function exits with status 1, autoenrollment stops at this point and vascert does not enroll for a new certificate. Because this is only the first of many steps, see the KB article for the other functions that need to be modified and examples of how to do so.
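The following is an added example, not One Identity's certstore-DEV.sh and not the implementation from KB 284711. It shows the shape of a working exportMachineCerts replacement for the stub above: it builds a PKCS#12 bundle from the machine's existing key and certificate with openssl, verifies that the bundle opens with the supplied password, and exits 0 only when that succeeded, so that vascert pulse can proceed past the export-machine-certs step. Two things are assumptions rather than facts from this page: that certstore.sh forwards the two arguments visible in the vascert output (the output path and the password) unchanged as "$1" and "$2", and the locations of the machine key and certificate, which are site-specific placeholders you must adjust. The selftest function is also part of the added example; it generates a throwaway self-signed key and certificate so the function can be exercised without a real machine certificate.

```shell
#!/bin/sh
# Added example implementation of exportMachineCerts (not One Identity code).
# ASSUMPTIONS: certstore.sh passes the PKCS#12 output path as "$1" and the
# export password as "$2" (inferred from the vascert pulse output). The key and
# certificate paths below are hypothetical placeholders for this example.
MACHINE_KEY="${MACHINE_KEY:-/etc/pki/tls/private/machine.key}"
MACHINE_CERT="${MACHINE_CERT:-/etc/pki/tls/certs/machine.crt}"

exportMachineCerts()
{
    out="$1"
    pass="$2"
    if [ -z "$out" ] || [ -z "$pass" ]; then
        echo "exportMachineCerts: expected <pkcs12-output-path> <password>" >&2
        return 1
    fi
    if [ ! -r "$MACHINE_KEY" ] || [ ! -r "$MACHINE_CERT" ]; then
        echo "exportMachineCerts: machine key/cert not found" >&2
        return 1
    fi
    # The bundle holds the machine's private key: create it readable by the
    # owner only, even though it lives under /tmp.
    umask 077
    openssl pkcs12 -export -in "$MACHINE_CERT" -inkey "$MACHINE_KEY" \
        -out "$out" -passout "pass:$pass" || return 1
    # Do not report success unless the bundle actually opens with the password
    # vascert gave us; a silently broken export would fail later and be harder
    # to diagnose than an exit 1 here.
    openssl pkcs12 -in "$out" -noout -passin "pass:$pass" || return 1
    return 0
}

# Added self-test: builds a throwaway key/cert, runs exportMachineCerts against
# it, and returns the function's exit status (0 = bundle written and verified).
selftest()
{
    dir=$(mktemp -d) || return 1
    MACHINE_KEY="$dir/selftest.key"
    MACHINE_CERT="$dir/selftest.crt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=selftest" \
        -keyout "$MACHINE_KEY" -out "$MACHINE_CERT" >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
    exportMachineCerts "$dir/export.p12" "example-password" >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run selftest on the target host before wiring the function into certstore-DEV.sh; if it returns 0 there, the remaining failures from vascert pulse will come from the other unimplemented functions covered in the KB article rather than from exportMachineCerts.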
You can enable full debug logging for all Certificate Autoenrollment components using the vascert command line utility.
UNIX/Linux: When debug logging is configured, the vascert tool writes log files to /var/opt/quest/vascert/.com.quest.X509Enrollment/log for machine enrollment and to ~/.com.quest.X509Enrollment/log for user enrollment.
To enable debug logging
As root, run the following command to configure debug logging for all users:
/opt/quest/bin/vascert configure debug
To configure debug logging for a specific user, log in as that user and run the same command.
NOTE: Enabling debug logging causes the vascert command to write debug messages to a file in addition to stdout. Even after you enable debug logging, you must set the debug level using the -d command line option when running vascert commands manually.
When you are finished debugging, run the following command as root to turn off debug logging for all users. One Identity recommends that you turn off debug logging to improve performance and conserve disk space.
/opt/quest/bin/vascert unconfigure debug
Use the vascert command line utility to manually perform Certificate Autoenrollment.
To perform Certificate Autoenrollment processing manually
To pulse Certificate Autoenrollment for the machine, run the following command as root (or using sudo):
/opt/quest/bin/vascert pulse
To pulse Certificate Autoenrollment for a specific user, log in as that user and run the following command:
/opt/quest/bin/vascert pulse