<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0">And if I repeat the process from the previous post, but with the current time, step [7] exits with a different message: "<span>IOException: SocketException cannot write on socket</span>"</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0"></p>
<div># pki -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-request-review 7 --action approve<br>
<br>
PKI options: -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d<br>
PKI command: ipaCert -n ipaCert ca-cert-request-review 7 --action approve<br>
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d
 --verbose -n ipaCert ca-cert-request-review 7 --action approve<br>
Server URI: http://ca-ldap04.domain.com:8080<br>
Client security database: /etc/httpd/alias<br>
Message format: null<br>
Command: ca-cert-request-review 7 --action approve<br>
Initializing client security database<br>
Logging into security token<br>
Module: ca<br>
HTTP request: GET /ca/rest/account/login HTTP/1.1<br>
  Accept-Encoding: gzip, deflate<br>
  Accept: application/xml<br>
  Host: ca-ldap04.domain.com:8080<br>
  Connection: Keep-Alive<br>
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)<br>
HTTP response: HTTP/1.1 302 Found<br>
  Server: Apache-Coyote/1.1<br>
  Cache-Control: private<br>
  Expires: Wed, 31 Dec 1969 16:00:00 PST<br>
  Location: https://ca-ldap04.domain.com:8443/ca/rest/account/login<br>
  Content-Length: 0<br>
  Date: Sat, 24 Nov 2018 04:25:33 GMT<br>
HTTP redirect: https://ca-ldap04.domain.com:8443/ca/rest/account/login<br>
Client certificate: ipaCert<br>
HTTP request: GET /ca/rest/account/login HTTP/1.1<br>
  Accept-Encoding: gzip, deflate<br>
  Accept: application/xml<br>
  Host: ca-ldap04.domain.com:8443<br>
  Connection: Keep-Alive<br>
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)<br>
Server certificate: CN=ca-ldap04.domain.com,O=domain.com<br>
java.io.IOException: SocketException cannot write on socket<br>
        at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1099)<br>
        at org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:56)<br>
        at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:147)<br>
        at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:154)<br>
        at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:278)<br>
        at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:283)<br>
        at org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:175)<br>
        at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:260)<br>
        at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125)<br>
        at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:715)<br>
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:520)<br>
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)<br>
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)<br>
        at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)<br>
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)<br>
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)<br>
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62)<br>
        at com.sun.proxy.$Proxy23.login(Unknown Source)<br>
        at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:45)<br>
        at com.netscape.certsrv.client.SubsystemClient.login(SubsystemClient.java:49)<br>
        at com.netscape.cmstools.cli.CACLI.login(CACLI.java:58)<br>
        at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:54)<br>
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)<br>
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:562)<br>
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:574)<br>
ERROR: Command '[u'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', u'-Djava.ext.dirs=/usr/share/pki/lib', u'-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '/etc/httpd/alias', '-c', 'e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d',
 '--verbose', '-n', 'ipaCert', 'ca-cert-request-review', '7', '--action', 'approve']' returned non-zero exit status 255<br>
<br>
</div>
<br>
<p></p>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> pki-users-bounces@redhat.com <pki-users-bounces@redhat.com> on behalf of Z D <zarko@etcfstab.com><br>
<b>Sent:</b> Wednesday, November 21, 2018 10:17:20 PM<br>
<b>To:</b> Dinesh Prasanth Moluguwan Krishnamoorthy; John Magne; pki-users@redhat.com<br>
<b>Subject:</b> Re: [Pki-users] expired pki-server 10.3.3 certificates</font>
<div> </div>
</div>
<style type="text/css" style="display:none">
<!--
p
        {margin-top:0;
        margin-bottom:0}
-->
</style>
<div dir="ltr">
<div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Helvetica,sans-serif">
<p style="margin-top:0; margin-bottom:0">Hi Dinesh, unfortunately this is what's happening now. Let's please recap.
<br>
</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0"></p>
<div>[1] The list of certs and their expiry dates, so I go back in time to when all certs are valid.
<br>
</div>
<div><br>
</div>
<div># getcert list | egrep "certificate|expire"<br>
Number of certificates and requests being tracked: 6.<br>
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
        expires: 2018-08-14 20:49:38 UTC<br>
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
        expires: 2018-08-14 20:49:35 UTC<br>
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'<br>
        expires: 2018-08-14 20:49:36 UTC<br>
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
        expires: 2036-08-24 20:49:35 UTC<br>
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'<br>
        expires: 2020-07-21 17:18:06 UTC<br>
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'<br>
        expires: 2018-08-14 20:50:00 UTC<br>
<br>
[2] This is my date<br>
<br>
# date<br>
Sun Aug  5 01:08:49 PDT 2018<br>
<br>
<br>
[3] Maybe renew this cert first; its s/n is 7.<br>
</div>
<div><br>
# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial<br>
        Serial Number: 7 (0x7)<br>
<br>
[4] The enrollment template is saved<br>
</div>
<div><br>
# pki ca-cert-request-profile-show caManualRenewal --output caManualRenewal.xml<br>
-------------------------------------------------<br>
Enrollment Template for Profile "caManualRenewal"<br>
-------------------------------------------------<br>
--------------------------------------------------------------------<br>
Saved enrollment template for caManualRenewal to caManualRenewal.xml<br>
--------------------------------------------------------------------<br>
</div>
<div><br>
</div>
<div>[5] Adding s/n 7</div>
<div><br>
# vi caManualRenewal.xml  <br>
</div>
<div><br>
</div>
<div>[6] Submit the cert request; it's pending<br>
</div>
<div><br>
# pki ca-cert-request-submit caManualRenewal.xml<br>
-----------------------------<br>
Submitted certificate request<br>
-----------------------------<br>
  Request ID: 89990160<br>
  Type: renewal<br>
  Request Status: pending<br>
  Operation Result: success<br>
<br>
<br>
[7] This fails with the message "<span>BadRequestException: Request Not In Pending State</span>"; as per [6] it should be in the pending state<br>
</div>
<div><br>
# pki -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-request-review 7 --action approve<br>
<br>
PKI options: -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d<br>
PKI command: ipaCert -n ipaCert ca-cert-request-review 7 --action approve<br>
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d
 --verbose -n ipaCert ca-cert-request-review 7 --action approve<br>
Server URI: http://ca-ldap04.realm.com:8080<br>
Client security database: /etc/httpd/alias<br>
Message format: null<br>
Command: ca-cert-request-review 7 --action approve<br>
Initializing client security database<br>
Logging into security token<br>
Module: ca<br>
HTTP request: GET /ca/rest/account/login HTTP/1.1<br>
  Accept-Encoding: gzip, deflate<br>
  Accept: application/xml<br>
  Host: ca-ldap04.realm.com:8080<br>
  Connection: Keep-Alive<br>
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)<br>
HTTP response: HTTP/1.1 302 Found<br>
  Server: Apache-Coyote/1.1<br>
  Cache-Control: private<br>
  Expires: Wed, 31 Dec 1969 16:00:00 PST<br>
  Location: https://ca-ldap04.realm.com:8443/ca/rest/account/login<br>
  Content-Length: 0<br>
  Date: Sun, 05 Aug 2018 08:11:15 GMT<br>
HTTP redirect: https://ca-ldap04.realm.com:8443/ca/rest/account/login<br>
Client certificate: ipaCert<br>
HTTP request: GET /ca/rest/account/login HTTP/1.1<br>
  Accept-Encoding: gzip, deflate<br>
  Accept: application/xml<br>
  Host: ca-ldap04.realm.com:8443<br>
  Connection: Keep-Alive<br>
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)<br>
Server certificate: CN=ca-ldap04.realm.com,O=realm.com<br>
HTTP response: HTTP/1.1 200 OK<br>
  Server: Apache-Coyote/1.1<br>
  Cache-Control: private<br>
  Expires: Wed, 31 Dec 1969 16:00:00 PST<br>
  Set-Cookie: JSESSIONID=01E9ED9A2E8548423871C4E1149F64DD; Path=/ca/; Secure; HttpOnly<br>
  Content-Type: application/xml<br>
  Content-Length: 205<br>
  Date: Sun, 05 Aug 2018 08:11:15 GMT<br>
Account:<br>
 - User ID: ipara<br>
 - Full Name: ipara<br>
 - Email: null<br>
 - Roles: [Certificate Manager Agents, Registration Manager Agents]<br>
Module: cert<br>
Module: request-review<br>
HTTP request: GET /ca/rest/agent/certrequests/7 HTTP/1.1<br>
  Accept-Encoding: gzip, deflate<br>
  Accept: application/xml<br>
  Host: ca-ldap04.realm.com:8080<br>
  Connection: Keep-Alive<br>
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)<br>
HTTP response: HTTP/1.1 302 Found<br>
  Server: Apache-Coyote/1.1<br>
  Cache-Control: private<br>
  Expires: Wed, 31 Dec 1969 16:00:00 PST<br>
  Location: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7<br>
  Content-Length: 0<br>
  Date: Sun, 05 Aug 2018 08:11:15 GMT<br>
HTTP redirect: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7<br>
Client certificate: ipaCert<br>
HTTP request: GET /ca/rest/agent/certrequests/7 HTTP/1.1<br>
  Accept-Encoding: gzip, deflate<br>
  Accept: application/xml<br>
  Host: ca-ldap04.realm.com:8443<br>
  Connection: Keep-Alive<br>
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)<br>
  Cookie: JSESSIONID=01E9ED9A2E8548423871C4E1149F64DD<br>
  Cookie2: $Version=1<br>
HTTP response: HTTP/1.1 200 OK<br>
  Server: Apache-Coyote/1.1<br>
  Cache-Control: private<br>
  Expires: Wed, 31 Dec 1969 16:00:00 PST<br>
  Content-Type: application/xml<br>
  Transfer-Encoding: chunked<br>
  Date: Sun, 05 Aug 2018 08:11:15 GMT<br>
HTTP request: POST /ca/rest/agent/certrequests/7/approve HTTP/1.1<br>
  Content-Type: application/xml<br>
  Accept-Encoding: gzip, deflate<br>
  Accept: application/xml<br>
  Content-Length: 15703<br>
  Host: ca-ldap04.realm.com:8080<br>
  Connection: Keep-Alive<br>
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)<br>
HTTP response: HTTP/1.1 302 Found<br>
  Server: Apache-Coyote/1.1<br>
  Location: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7/approve<br>
  Content-Length: 0<br>
  Date: Sun, 05 Aug 2018 08:11:15 GMT<br>
HTTP redirect: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7/approve<br>
Client certificate: ipaCert<br>
HTTP request: POST /ca/rest/agent/certrequests/7/approve HTTP/1.1<br>
  Content-Type: application/xml<br>
  Accept-Encoding: gzip, deflate<br>
  Accept: application/xml<br>
  Content-Length: 15703<br>
  Host: ca-ldap04.realm.com:8443<br>
  Connection: Keep-Alive<br>
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)<br>
  Cookie: JSESSIONID=01E9ED9A2E8548423871C4E1149F64DD<br>
  Cookie2: $Version=1<br>
HTTP response: HTTP/1.1 400 Bad Request<br>
  Server: Apache-Coyote/1.1<br>
  Content-Type: application/xml<br>
  Content-Length: 228<br>
  Date: Sun, 05 Aug 2018 08:11:15 GMT<br>
  Connection: close<br>
com.netscape.certsrv.base.BadRequestException: Request Not In Pending State<br>
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)<br>
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)<br>
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)<br>
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)<br>
        at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:450)<br>
        at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:418)<br>
        at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:114)<br>
        at com.netscape.certsrv.cert.CertClient.approveRequest(CertClient.java:117)<br>
        at com.netscape.cmstools.cert.CertRequestReviewCLI.execute(CertRequestReviewCLI.java:162)<br>
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)<br>
        at com.netscape.cmstools.cert.CertCLI.execute(CertCLI.java:91)<br>
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)<br>
        at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:57)<br>
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)<br>
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:562)<br>
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:574)<br>
ERROR: Command '[u'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', u'-Djava.ext.dirs=/usr/share/pki/lib', u'-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '/etc/httpd/alias', '-c', 'e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d',
 '--verbose', '-n', 'ipaCert', 'ca-cert-request-review', '7', '--action', 'approve']' returned non-zero exit status 255<br>
<br>
</div>
<br>
<p></p>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw@redhat.com><br>
<b>Sent:</b> Monday, November 19, 2018 7:01:30 AM<br>
<b>To:</b> Z D; John Magne; pki-users@redhat.com<br>
<b>Subject:</b> Re: [Pki-users] expired pki-server 10.3.3 certificates</font>
<div> </div>
</div>
<style type="text/css" style="display:none">
<!--
p
        {margin-top:0;
        margin-bottom:0}
-->
</style>
<div dir="ltr" style="text-align:left; direction:ltr">
<div>Z D,</div>
<div><br>
</div>
<div>No. The "approve" operation you are trying to achieve is an admin action. So, you need to change this to the following:</div>
<div><br>
</div>
<div>`pki -d <client nss db location> -c <client nss db pass> -n <admin cert nickname> ca-cert-request-review 7 --action approve`</div>
<div><br>
</div>
<div>-d = either /root/.dogtagpki/pki-tomcat/ca/alias OR /root/.dogtagpki/nssdb</div>
<div>-c = The password for the nssdb that you point in -d</div>
<div>-n = the nickname of the cert in the nssdb that you point in -d. Do a `certutil -L -d /root/.dogtagpki/pki-tomcat/ca/alias` to give you a list of certs available in the nssdb.</div>
<div><br>
</div>
<div>NOTE:</div>
<div>1. You need to have a valid client admin cert to approve the request</div>
<div>2. This client admin cert must be available in the LDAP server</div>
<div><br>
</div>
<div>Reference:</div>
<div><a href="https://www.dogtagpki.org/wiki/PKI_Client_CLI">https://www.dogtagpki.org/wiki/PKI_Client_CLI</a></div>
<div><br>
</div>
<div>Regards,</div>
<div>Dinesh</div>
<div><br>
</div>
<div>On Mon, 2018-11-19 at 06:15 +0000, Z D wrote:</div>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid; padding-left:1ex">
<div id="x_x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Helvetica,sans-serif">
<p style="margin-top:0; margin-bottom:0">Thanks Dinesh, I was able to submit the request using the
<span>caManualRenewal.xml</span> file, but I need clarity about approval. </p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">I believe the default CA admin can be used as a CA agent. So the password I use for "-c" is the one I have in files like</p>
<p style="margin-top:0; margin-bottom:0">/root/.dogtag/pki-tomcat/ca/password.conf and<br>
</p>
<p style="margin-top:0; margin-bottom:0">/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf<br>
</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">NSS database is located in <span>/etc/pki/pki-tomcat/alias</span>, is this the one I should use for "-d" ?
<br>
</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">The command: <br>
</p>
<p style="margin-top:0; margin-bottom:0">pki -d <span>/etc/pki/pki-tomcat/alias</span> -n admin -c <password> ca-cert-request-review 7 --action approve</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">gives the output:</p>
<p style="margin-top:0; margin-bottom:0"><span><br>
</span></p>
<p style="margin-top:0; margin-bottom:0"><span>IncorrectPasswordException: Incorrect client security database password.</span></p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw@redhat.com><br>
<b>Sent:</b> Sunday, November 18, 2018 10:40:01 AM<br>
<b>To:</b> Z D; John Magne; pki-users@redhat.com<br>
<b>Subject:</b> Re: [Pki-users] expired pki-server 10.3.3 certificates</font>
<div> </div>
</div>
<style type="text/css" style="display:none">
<!--
p
        {margin-top:0;
        margin-bottom:0}
-->
</style>
<div dir="ltr" style="text-align:left; direction:ltr">
<div>Hi Zarko,</div>
<div><br>
</div>
<div>Maybe this documentation might help? <a href="https://www.dogtagpki.org/wiki/System_Certificate_Renewal">
https://www.dogtagpki.org/wiki/System_Certificate_Renewal</a></div>
<div><br>
</div>
<div>It has instructions for 10.3 or earlier. Let us know if that helped! </div>
<div><br>
</div>
<div>Regards,</div>
<div>Dinesh</div>
<div><br>
</div>
<div><br>
</div>
<div>On Sun, 2018-11-18 at 01:39 +0000, Z D wrote:</div>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid; padding-left:1ex">
<div id="x_x_x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Helvetica,sans-serif">
<div id="x_x_x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<p style="margin-top:0; margin-bottom:0">Hi John, thanks for the feedback. <br>
</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">I used this URL as a guide to disable the self-tests.
<br>
</p>
<p style="margin-top:0; margin-bottom:0"><a href="https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_Renewal_Process" class="x_x_x_OWAAutoLink" id="LPlnk241641">https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_Renewal_Process</a></p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
Many of the "pki-server" command options are not present for me, since my pki-server version is 10.3; I believe the doc applies to 10.5.
<br>
</div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
But I was able to disable the self-tests and PKI is responsive now. <br>
</div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
After the system time is back, I use 'getcert resubmit' to renew a cert and am seeing these certmonger errors </div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<br>
</div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
Basically it is: <br>
</div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
"<span>ACIError: Insufficient access:  Invalid credentials"</span></div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<br>
</div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
[journalctl messages] <br>
</div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
------------------------------<br>
</div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<div>Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):<br>
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in &lt;module&gt;<br>
    sys.exit(main())<br>
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main<br>
    if ca.is_renewal_master():<br>
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master<br>
    self.ldap_connect()<br>
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect<br>
    conn.do_bind(self.dm_password, autobind=self.autobind)<br>
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind<br>
    self.do_sasl_gssapi_bind(timeout=timeout)<br>
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind<br>
    self.__bind_with_wait(self.gssapi_bind, timeout)<br>
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait<br>
    bind_func(*args, **kwargs)<br>
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind<br>
    '', auth_tokens, server_controls, client_controls)<br>
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__<br>
    self.gen.throw(type, value, traceback)<br>
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler<br>
    raise errors.ACIError(info="%s %s" % (info, desc))<br>
ACIError: Insufficient access:  Invalid credentials<br>
<br>
</div>
</div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<span><br>
</span></div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
[syslog messages]</div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
------------------------<br>
</div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<div>Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit[9333]: Traceback (most recent call last):<br>
File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in &lt;module&gt;<br>
sys.exit(main())<br>
File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main if ca.is_renewal_master():<br>
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master<br>
self.ldap_connect()<br>
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect<br>
conn.do_bind(self.dm_password, autobind=self.autobind)<br>
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind<br>
self.do_sasl_gssapi_bind(timeout=timeout)<br>
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind<br>
self.__bind_with_wait(self.gssapi_bind, timeout)<br>
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait<br>
bind_func(*args, **kwargs)<br>
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind<br>
'', auth_tokens, server_controls, client_controls)<br>
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__<br>
self.gen.throw(type, value, traceback)<br>
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler<br>
raise errors.ACIError(info="%s %s" % (info, desc))<br>
ACIError: Insufficient access:  Invalid credentials<br>
Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal error</div>
<br>
</div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
Is there any URL that's relevant for pki 10.3?</div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<br>
</div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
Thanks in advance, Zarko<br>
</div>
<div dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<br>
<br>
<div style="color:rgb(0,0,0)">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_x_x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> John Magne <jmagne@redhat.com><br>
<b>Sent:</b> Wednesday, November 14, 2018 6:16 PM<br>
<b>To:</b> Z D<br>
<b>Subject:</b> Re: [Pki-users] expired pki-server 10.3.3 certificates</font>
<div> </div>
</div>
<div class="x_x_x_BodyFragment"><font size="2"><span style="font-size:11pt">
<div class="x_x_x_PlainText">Hi:<br>
<br>
You can try to temporarily disable the self-tests for your CA, until<br>
the new certs are resolved.<br>
<br>
Look in the CS.cfg file for the CA in question; there is a big section<br>
controlling the self-tests. Just experiment with commenting out the tests and see if that
<br>
gets you past the hurdle.<br>
<br>
<br>
<br>
</div>
</span></font></div>
</div>
</div>
</div>
<pre>_______________________________________________</pre>
<pre>Pki-users mailing list</pre>
<pre><a href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a></pre>
<pre><a href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
</div>
</blockquote>
</div>
</div>
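<p>An added example, not code from the thread, from Dogtag or from FreeIPA: it parses the <code>getcert list</code> output from step [1] and the <code>ca-cert-request-submit</code> output from step [6] (both copied into the script as constructed samples) and answers the two questions a practitioner checks before debugging the TLS or approval errors above. First, which tracked certificates are still valid at a given clock value: at the time of the failing run in the top message (04:25:33 GMT on 24 Nov 2018, per the Date header) ipaCert, the client certificate the command authenticates with, has been expired since 2018-08-14, whereas at the Aug 5 date used in the recap every tracked cert is valid. Second, how far back the clock must be set so that all tracked certs are valid at once. The script also extracts the request ID reported by the submit step (89990160), which is the identifier <code>ca-cert-request-review</code> takes; the value 7 used in step [7] is the certificate serial number from step [3]. The one-hour safety margin in <code>latest_all_valid</code> is an arbitrary choice of this example, not something the thread prescribes.</p>

```python
"""Added example (not code from the thread, Dogtag or FreeIPA).

Parses `getcert list` output and reports, for a chosen clock value, which
tracked NSS certificates are already expired and how far back the clock
must go for every tracked cert to be valid again. The sample listing and
submit output below are constructed from the text posted in the thread.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the `getcert list | egrep "certificate|expire"` lines from step [1].
GETCERT_LIST = """\
Number of certificates and requests being tracked: 6.
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2018-08-14 20:49:38 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2018-08-14 20:49:35 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2018-08-14 20:49:36 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2036-08-24 20:49:35 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2020-07-21 17:18:06 UTC
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        expires: 2018-08-14 20:50:00 UTC
"""

# Constructed sample: the `pki ca-cert-request-submit` output from step [6].
SUBMIT_OUTPUT = """\
Submitted certificate request
  Request ID: 89990160
  Type: renewal
  Request Status: pending
  Operation Result: success
"""

NICK_RE = re.compile(r"nickname='([^']+)'")
EXPIRES_RE = re.compile(r"expires:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")
REQUEST_ID_RE = re.compile(r"Request ID:\s*(\d+)")


def utc(stamp):
    """'YYYY-MM-DD HH:MM:SS' (as printed by getcert) -> timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert(text):
    """Map each tracked nickname to its notAfter; getcert prints the expires line right after the nickname line."""
    certs, nickname = {}, None
    for line in text.splitlines():
        m = NICK_RE.search(line)
        if m:
            nickname = m.group(1)
            continue
        m = EXPIRES_RE.search(line)
        if m and nickname is not None:
            certs[nickname] = utc(m.group(1))
            nickname = None
    return certs


def expired_at(certs, when):
    """Nicknames whose notAfter is at or before `when`, sorted for stable output."""
    return sorted(n for n, not_after in certs.items() if not_after <= when)


def latest_all_valid(certs, margin=timedelta(hours=1)):
    """Latest clock value at which every tracked cert is still valid.

    The margin is an arbitrary safety buffer (assumption of this example): move the
    clock back only as far as needed, because a shifted clock also disturbs
    Kerberos ticket lifetimes, LDAP replication timestamps and audit trails.
    """
    return min(certs.values()) - margin


def request_id_from_submit(text):
    """The request ID that ca-cert-request-review takes, as a string, or None if absent."""
    m = REQUEST_ID_RE.search(text)
    return m.group(1) if m else None


if __name__ == "__main__":
    certs = parse_getcert(GETCERT_LIST)
    # Clock value taken from the Date header of the failing run in the top message.
    now = utc("2018-11-24 04:25:33")
    print("expired at", now, "->", expired_at(certs, now))
    print("set the clock no later than", latest_all_valid(certs))
    print("review this request ID, not the serial:", request_id_from_submit(SUBMIT_OUTPUT))
```

Run as-is to see the report for the sample; on a live host, replace the two constants with the actual output of <code>getcert list</code> and of your submit command, and compare against <code>date -u</code>.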
</body>
</html>