<html dir="ltr"><head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> <style type="text/css" style="display:none;"></style> </head> <body dir="ltr" style="text-align:left; direction:ltr;"><div>Z D,</div><div><br></div><div>No. The "approve" operation you are trying to achieve is an action from admin. So, you need to change this to the following:</div><div><br></div><div>`pki -d <client nss db location> -c <client nss db pass> -n <admin cert nickname> ca-cert-request-review 7 --action approve`</div><div><br></div><div>-d = either /root/.dogtagpki/pki-tomcat/ca/alias OR /root/.dogtagpki/nssdb</div><div>-c = The password for the nssdb that you point in -d</div><div>-n = the nickname of the cert in the nssdb that you point in -d. Do a `certutil -L -d /root/.dogtagpki/pki-tomcat/ca/alias` to give you a list of certs available in the nssdb.</div><div><br></div><div>NOTE:</div><div>1. You need to have a valid client admin cert to approve the request</div><div>2. This client admin cert must be available in ldap server</div><div><br></div><div>Reference:</div><div><a href="https://www.dogtagpki.org/wiki/PKI_Client_CLI">https://www.dogtagpki.org/wiki/PKI_Client_CLI</a></div><div><br></div><div>Regards,</div><div>Dinesh</div><div><br></div><div>On Mon, 2018-11-19 at 06:15 +0000, Z D wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"> <div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr"> <p style="margin-top:0;margin-bottom:0">Thanks Dinesh, I was able to submit request using <span>caManualRenewal.xml</span> file, but I need clarity about approval. </p> <p style="margin-top:0;margin-bottom:0"><br> </p> <p style="margin-top:0;margin-bottom:0">I believe default CA admin can be used as CA agent. So password I use for "-c" is the one I have in files like</p> <p style="margin-top:0;margin-bottom:0"><span>/root/.dogtag/pki-tomcat/ca/<span>password.conf</span> and <span><br> </span></span></p> <p style="margin-top:0;margin-bottom:0"><span><span>/root/.dogtag/pki-tomcat/ca</span>/<span>pkcs12_password.conf</span></span><br> </p> <p style="margin-top:0;margin-bottom:0"><br> </p> <p style="margin-top:0;margin-bottom:0">NSS database is located in <span>/etc/pki/pki-tomcat/alias</span>, is this the one I should use for "-d" ? <br> </p> <p style="margin-top:0;margin-bottom:0"><br> </p> <p style="margin-top:0;margin-bottom:0">The command: <br> </p> <p style="margin-top:0;margin-bottom:0">pki -d <span>/etc/pki/pki-tomcat/alias</span> -n admin -c <password> ca-cert-request-review 7 --action approve</p> <p style="margin-top:0;margin-bottom:0"><br> </p> <p style="margin-top:0;margin-bottom:0">give the output:</p> <p style="margin-top:0;margin-bottom:0"><span><br> </span></p> <p style="margin-top:0;margin-bottom:0"><span>IncorrectPasswordException: Incorrect client security database password.</span></p> <p style="margin-top:0;margin-bottom:0"><br> </p> <p style="margin-top:0;margin-bottom:0"><br> </p> </div> <hr style="display:inline-block;width:98%" tabindex="-1"> <div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw@redhat.com><br> <b>Sent:</b> Sunday, November 18, 2018 10:40:01 AM<br> <b>To:</b> Z D; John Magne; pki-users@redhat.com<br> <b>Subject:</b> Re: [Pki-users] expired pki-server 10.3.3 certificates</font> <div> </div> </div> <style type="text/css" style="display:none">  </style> <div dir="ltr" style="text-align:left; direction:ltr"> <div>Hi Zarko,</div> <div><br> </div> <div>May be this documentation might help? <a href="https://www.dogtagpki.org/wiki/System_Certificate_Renewal"> https://www.dogtagpki.org/wiki/System_Certificate_Renewal</a></div> <div><br> </div> <div>It has instructions for 10.3 or earlier. Let us know if that helped! </div> <div><br> </div> <div>Regards,</div> <div>Dinesh</div> <div><br> </div> <div><br> </div> <div>On Sun, 2018-11-18 at 01:39 +0000, Z D wrote:</div> <blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"> <div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Helvetica,sans-serif"> <div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> <p style="margin-top:0; margin-bottom:0">Hi John, thanks for the feedback. <br> </p> <p style="margin-top:0; margin-bottom:0"><br> </p> <p style="margin-top:0; margin-bottom:0">I used this URL as help to disable self tests. <br> </p> <p style="margin-top:0; margin-bottom:0"><a href="https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_Renewal_Process" class="x_OWAAutoLink" id="LPlnk241641">https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_Renewal_Process</a></p> <p style="margin-top:0; margin-bottom:0"><br> </p> Many of "pki-server" command options are not present for me, since pki-server version is 10.3, I believe the doc applies for 10.5. <br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> But I was able to disable self test and PKI is responsive now. <br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> After system time is back, I use 'getcert resubmit' to renew a cert and seeing this certmonger errors </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> <br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> Basically is some : <br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> "<span>ACIError: Insufficient access: Invalid credentials"</span></div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> <br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> [journalctl messages] <br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> ------------------------------<br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> <div>Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>#012 sys.exit(main())#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main#012 if ca.is_renewal_master():#012 File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master#012 self.ldap_connect()#012 File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect#012 conn.do_bind(self.dm_password, autobind=self.autobind)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind#012 self.do_sasl_gssapi_bind(timeout=timeout)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind#012 self.__bind_with_wait(self.gssapi_bind, timeout)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait#012 bind_func(*args, **kwargs)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind#012 '', auth_tokens, server_controls, client_controls)#012 File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__#012 self.gen.throw(type, value, traceback)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler#012 raise errors.ACIError(info="%s %s" % (info, desc))#012ACIError: Insufficient access: Invalid credentials<br> <br> </div> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> <span><br> </span></div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> [syslog messages]</div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> ------------------------<br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> <div>Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit[9333]: Traceback (most recent call last):<br> File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module><br> sys.exit(main())<br> File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main if ca.is_renewal_master():<br> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master<br> self.ldap_connect()<br> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect<br> conn.do_bind(self.dm_password, autobind=self.autobind)<br> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind<br> self.do_sasl_gssapi_bind(timeout=timeout)<br> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind<br> self.__bind_with_wait(self.gssapi_bind, timeout)<br> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait<br> bind_func(*args, **kwargs)<br> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind<br> '', auth_tokens, server_controls, client_controls)<br> File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__<br> self.gen.throw(type, value, traceback)<br> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler<br> raise errors.ACIError(info="%s %s" % (info, desc))<br> ACIError: Insufficient access: Invalid credentials<br> Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal error</div> <br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> Is there any URL that's relevant for pki 10.3</div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> <br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> thanks in advance, Zarko<br> </div> <div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols"> <br> <br> <div style="color:rgb(0,0,0)"> <hr tabindex="-1" style="display:inline-block; width:98%"> <div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> John Magne <jmagne@redhat.com><br> <b>Sent:</b> Wednesday, November 14, 2018 6:16 PM<br> <b>To:</b> Z D<br> <b>Subject:</b> Re: [Pki-users] expired pki-server 10.3.3 certificates</font> <div> </div> </div> <div class="x_BodyFragment"><font size="2"><span style="font-size:11pt"> <div class="x_PlainText">Hi:<br> <br> YOu can try to temporarily disable the self tests for you ca, until<br> the new certs are resolved.<br> <br> Look in the CS.cfg file for the ca in question and there is a big section<br> controlling the self tests. Just experiment with commenting out the tests and see if that <br> gets you past the hurdle..<br> <br> <br> <br> <a href="https://www.redhat.com/mailman/listinfo/pki-users" id="LPlnk101008" class="x_OWAAutoLink"></a><br> </div> </span></font></div> </div> </div> </div> <pre>_______________________________________________</pre> <pre>Pki-users mailing list</pre> <pre><a href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a></pre> <pre><a href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre> </blockquote> </div> </blockquote></body></html>