<div dir="ltr"><div dir="ltr">Try adding a -U option with the CA URL, for example:<div><div>pki -v -U <a href="https://ca1.example.test:8443/ca">https://ca1.example.test:8443/ca</a> -d ~/.dogtag/subca1 ca-cert-request-submit --profile caManualRenewal --serial 0x3f0 --renewal</div></div><div>I added a -d option to point to an NSS db that already trusts the issuer of the SSL certificate presented in the HTTPS connection.</div><div>A request should be created and be in a pending state until an agent approves it.</div><div>(Use a profile with agent authentication for automatic issuance; a user with SSL client auth should have automatic renewal/cert issuance.)</div><div>Thanks,</div><div>M.</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 15, 2019 at 11:28 AM Wolf, Brian &lt;<a href="mailto:Brian.Wolf@risd.org">Brian.Wolf@risd.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">





<div lang="EN-US">
<div class="gmail-m_-2537238782291811480WordSection1">
<p class="MsoNormal">I installed PKI-CA two years ago on a Red Hat 7 server. I used it to create certificates for an application and have not needed it since. Now that the PKI server certificates are about to expire, I’m trying to renew them using the directions at <a href="https://www.dogtagpki.org/wiki/System_Certificate_Renewal" target="_blank">https://www.dogtagpki.org/wiki/System_Certificate_Renewal</a>. I am getting an error when I try to submit the renewal request. The error seems to be that it can’t find /pki/rest/info.</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Installed packages:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal" style="margin-left:1in">pki-base-10.5.9-6.el7.noarch<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">pki-base-java-10.5.9-6.el7.noarch<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">pki-ca-10.5.9-6.el7.noarch<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">pki-kra-10.5.9-6.el7.noarch<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">pki-server-10.5.9-6.el7.noarch<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">pki-tools-10.5.9-6.el7.x86_64<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">nuxwdog-1.0.3-8.el7.x86_64<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in"><u></u> <u></u></p>
<p class="MsoNormal" style="margin-left:1in"><u></u> <u></u></p>
<p class="MsoNormal" style="margin-left:1in">java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">javapackages-tools-3.4.1-11.el7.noarch<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">javassist-3.16.1-10.el7.noarch<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">nuxwdog-client-java-1.0.3-8.el7.x86_64<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in"><u></u> <u></u></p>
<p class="MsoNormal" style="margin-left:1in">rest-0.8.1-2.el7.x86_64<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">resteasy-base-atom-provider-3.0.6-4.el7.noarch<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">resteasy-base-client-3.0.6-4.el7.noarch<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">resteasy-base-jackson-provider-3.0.6-4.el7.noarch<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">resteasy-base-jaxb-provider-3.0.6-4.el7.noarch<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">resteasy-base-jaxrs-3.0.6-4.el7.noarch<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:1in">resteasy-base-jaxrs-api-3.0.6-4.el7.noarch<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Listing the certificates works. We do not use the default instance of pki-tomcat.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt"># pki-server cert-find -i &lt;my-instance&gt; ca</span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">-----------------<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">5 entries matched<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">-----------------<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Cert ID: ca_signing<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Nickname: caSigningCert … CA<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Token: Internal Key Storage Token<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Serial Number: 0x1<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Subject DN: CN=CA Signing Certificate,…<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Issuer DN: CN=CA Signing Certificate,…<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Not Valid Before: Fri Mar 10 16:38:21 2017<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Not Valid After: Tue Mar 10 16:38:21 2037<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt"><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Cert ID: ca_ocsp_signing<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Nickname: ocspSigningCert … CA<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Token: Internal Key Storage Token<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Serial Number: 0x2<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Subject DN: CN=CA OCSP Signing Certificate,…<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Issuer DN: CN=CA Signing Certificate,OU=…<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Not Valid Before: Fri Mar 10 16:38:23 2017<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Not Valid After: Thu Feb 28 16:38:23 2019<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt"><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">[snip]<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">But the renewal request gives a Not Found error:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt"># pki -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">PKIException: Not Found<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Adding -v shows an error on the HTTP GET of /pki/rest/info. I don’t see that directory structure anywhere on the server. Am I missing something in the configuration, or is there another package I need to install? Do I have to point the command to our non-default instance, and if so, how do I do that?</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt"># pki -v -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">PKI options: -v<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">PKI command: 8370 -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI
 --verbose -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">Server URI: <a href="http://my-server:8370" target="_blank">http://my-server:8370</a><u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">Client security database: /root/.dogtag/nssdb<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">Message format: null<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">Command: ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">Initializing security database<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">Module: ca<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">Module: cert<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">Module: request-submit<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">Retrieving caManualRenewal profile.<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">Initializing PKIClient<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt;background:yellow">HTTP request: GET /pki/rest/info HTTP/1.1<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Accept-Encoding: gzip, deflate<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Accept: application/xml<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Host: my-server:8370<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Connection: Keep-Alive<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt;background:yellow">HTTP response: HTTP/1.1 404 Not Found<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Server: Apache-Coyote/1.1<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Content-Type: text/html;charset=utf-8<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Content-Language: en<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Content-Length: 977<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">  Date: Fri, 15 Feb 2019 18:53:25 GMT<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt;background:yellow">com.netscape.certsrv.base.PKIException: Not Found<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:46)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:576)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at com.netscape.cmstools.ca.CACertCLI.getCertClient(CACertCLI.java:95)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at com.netscape.cmstools.cert.CertRequestSubmitCLI.execute(CertRequestSubmitCLI.java:138)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:67)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:633)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:669)<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="font-size:9pt">ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI',
 '--verbose', '-p', '8370', 'ca-cert-request-submit', '--profile', 'caManualRenewal', '--serial', '0x2', '--renewal']' returned non-zero exit status 255<u></u><u></u></span></p>
</div>
</div>

_______________________________________________<br>
Pki-users mailing list<br>
<a href="mailto:Pki-users@redhat.com" target="_blank">Pki-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pki-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a></blockquote></div>
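<div>A triage helper for the <code>pki -v</code> output quoted in this thread, added here as an example and not part of either message or of the Dogtag tools. It reads a verbose transcript and reports the Server URI scheme, the first REST path requested and the HTTP status returned; the function names are hypothetical and the sample lines are copied, abridged, from the output above.</div>

```shell
#!/bin/sh
# Added example: summarise a `pki -v` transcript (function names are hypothetical).

# Abridged copy of the verbose output quoted in the thread.
sample_transcript() {
    cat <<'EOF'
Server URI: http://my-server:8370
Client security database: /root/.dogtag/nssdb
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Host: my-server:8370
HTTP response: HTTP/1.1 404 Not Found
  Server: Apache-Coyote/1.1
com.netscape.certsrv.base.PKIException: Not Found
EOF
}

# Read a transcript on stdin and print one line:
#   scheme=<http|https> path=<first request path> status=<first HTTP status>
pki_verbose_summary() {
    awk '
        /^Server URI: /          { uri = $3 }
        /^HTTP request: / && !p  { path = $4; p = 1 }
        /^HTTP response: / && !s { status = $4; s = 1 }
        END {
            scheme = uri; sub(/:.*/, "", scheme)
            printf "scheme=%s path=%s status=%s\n", scheme, path, status
        }'
}

# Print the summary plus warnings; return 1 if anything was flagged.
pki_verbose_triage() {
    summary=$(pki_verbose_summary)
    rc=0
    echo "$summary"
    case $summary in
        scheme=http\ *)
            echo "WARN: plain HTTP was used; the reply in this thread passes an https:// CA URL with -U and an NSS db with -d"
            rc=1 ;;
    esac
    case $summary in
        *status=404)
            echo "WARN: the first REST request returned 404 at this server URI"
            rc=1 ;;
    esac
    return $rc
}

# Stand-alone run on the sample from the thread.
sample_transcript | pki_verbose_triage || true
```

<div>To check a real run, pipe it in with <code>pki -v ... 2>&amp;1 | pki_verbose_triage</code>.</div>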