From zarko at etcfstab.com Wed Nov 14 05:37:14 2018
From: zarko at etcfstab.com (Z D)
Date: Wed, 14 Nov 2018 05:37:14 +0000
Subject: [Pki-users] expired pki-server 10.3.3 certificates
Message-ID:

Hi there,

I've been using IPA 4.4.0 and pki-server 10.3.3 and have posted on the freeipa mailing list, but unfortunately haven't resolved the problem, so I am looking for support on this mailing list.

[1] Since certmonger failed to renew certs, I believe the resolution is going back in time to when all certs are valid and restarting the certmonger service.

[2] I went back in time, and verified that pki-server is running, with the command:

SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview

[3] Restart certmonger, and getcert list shows four certs in submitting status:

# getcert list | egrep "certificate|expire|status"
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:38 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
expires: 2018-08-14 20:50:00 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-07 01:47:45 UTC

[4] Here is where the problem starts: the CA stops running, and /var/lib/pki/pki-tomcat/logs/ca/selftests.log reports:

0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate auditSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

[5] I see that 'auditSigningCert' and 'ocspSigningCert' have been renewed, so obviously at this very moment their validity time is not the same as for the other certs. Hence selftests.log reports auditSigningCert is invalid, the CA stops running, and I am left with two certs not renewed. The new cert list now is:

# getcert list | egrep "certificate|expires"
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-10-29 06:35:38 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-10-11 20:15:53 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
expires: 2018-08-14 20:50:00 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-07 01:47:45 UTC

The question now is how to work around this problem. Instead of restarting the certmonger service, is there a way to manually renew a cert?

thanks,
Zarko


From zarko at etcfstab.com Sun Nov 18 01:39:35 2018
From: zarko at etcfstab.com (Z D)
Date: Sun, 18 Nov 2018 01:39:35 +0000
Subject: [Pki-users] expired pki-server 10.3.3 certificates
In-Reply-To: <1786347373.22072751.1542248219045.JavaMail.zimbra@redhat.com>
References: , <1786347373.22072751.1542248219045.JavaMail.zimbra@redhat.com>
Message-ID:

Hi John, thanks for the feedback.

I used this URL as help to disable self tests.
https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_Renewal_Process

Many of the "pki-server" command options are not present for me, since the pki-server version is 10.3; I believe the doc applies to 10.5.

But I was able to disable the self test and PKI is responsive now.

After the system time is back, I use 'getcert resubmit' to renew a cert and am seeing these certmonger errors. Basically it's some: "ACIError: Insufficient access: Invalid credentials"

[journalctl messages]
------------------------------
Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>#012 sys.exit(main())#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main#012 if ca.is_renewal_master():#012 File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master#012 self.ldap_connect()#012 File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect#012 conn.do_bind(self.dm_password, autobind=self.autobind)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind#012 self.do_sasl_gssapi_bind(timeout=timeout)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind#012 self.__bind_with_wait(self.gssapi_bind, timeout)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait#012 bind_func(*args, **kwargs)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind#012 '', auth_tokens, server_controls, client_controls)#012 File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__#012 self.gen.throw(type, value, traceback)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler#012 raise errors.ACIError(info="%s %s" % (info, desc))#012ACIError: Insufficient access: Invalid credentials

[syslog messages]
------------------------
Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit[9333]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main
    if ca.is_renewal_master():
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
    self.ldap_connect()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
    conn.do_bind(self.dm_password, autobind=self.autobind)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
    self.do_sasl_gssapi_bind(timeout=timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
    self.__bind_with_wait(self.gssapi_bind, timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
    bind_func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
    raise errors.ACIError(info="%s %s" % (info, desc))
ACIError: Insufficient access: Invalid credentials
Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal error

Is there any URL that's relevant for pki 10.3?

thanks in advance,
Zarko

________________________________
From: John Magne
Sent: Wednesday, November 14, 2018 6:16 PM
To: Z D
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates

Hi:

You can try to temporarily disable the self tests for your ca, until the new certs are resolved.

Look in the CS.cfg file for the ca in question and there is a big section controlling the self tests. Just experiment with commenting out the tests and see if that gets you past the hurdle.


From dmoluguw at redhat.com Sun Nov 18 18:40:01 2018
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Sun, 18 Nov 2018 13:40:01 -0500
Subject: [Pki-users] expired pki-server 10.3.3 certificates
In-Reply-To:
References: , <1786347373.22072751.1542248219045.JavaMail.zimbra@redhat.com>
Message-ID: <5eaa84ea25c20ca6d5aeedb424ff1fc988a26cd0.camel@redhat.com>

Hi Zarko,

Maybe this documentation might help?
https://www.dogtagpki.org/wiki/System_Certificate_Renewal

It has instructions for 10.3 or earlier. Let us know if that helped!

Regards,
Dinesh
From zarko at etcfstab.com Mon Nov 19 06:15:11 2018
From: zarko at etcfstab.com (Z D)
Date: Mon, 19 Nov 2018 06:15:11 +0000
Subject: [Pki-users] expired pki-server 10.3.3 certificates
In-Reply-To: <5eaa84ea25c20ca6d5aeedb424ff1fc988a26cd0.camel@redhat.com>
References: , <1786347373.22072751.1542248219045.JavaMail.zimbra@redhat.com> , <5eaa84ea25c20ca6d5aeedb424ff1fc988a26cd0.camel@redhat.com>
Message-ID:

Thanks Dinesh,

I was able to submit a request using the caManualRenewal.xml file, but I need clarity about approval.

I believe the default CA admin can be used as CA agent. So the password I use for "-c" is the one I have in files like /root/.dogtag/pki-tomcat/ca/password.conf and /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf

The NSS database is located in /etc/pki/pki-tomcat/alias; is this the one I should use for "-d"?

The command:

pki -d /etc/pki/pki-tomcat/alias -n admin -c ca-cert-request-review 7 --action approve

gives the output:

IncorrectPasswordException: Incorrect client security database password.


From dmoluguw at redhat.com Mon Nov 19 15:01:30 2018
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Mon, 19 Nov 2018 10:01:30 -0500
Subject: [Pki-users] expired pki-server 10.3.3 certificates
In-Reply-To:
References: , <1786347373.22072751.1542248219045.JavaMail.zimbra@redhat.com> ,<5eaa84ea25c20ca6d5aeedb424ff1fc988a26cd0.camel@redhat.com>
Message-ID: <80bd565f0f2df62768d644570c1df887f2b06ad7.camel@redhat.com>

Z D,

No. The "approve" operation you are trying to achieve is an action from admin. So, you need to change this to the following:

`pki -d -c -n ca-cert-request-review 7 --action approve`

-d = either /root/.dogtagpki/pki-tomcat/ca/alias OR /root/.dogtagpki/nssdb
-c = The password for the nssdb that you point to in -d
-n = the nickname of the cert in the nssdb that you point to in -d.

Do a `certutil -L -d /root/.dogtagpki/pki-tomcat/ca/alias` to give you a list of certs available in the nssdb.

NOTE:
1. You need to have a valid client admin cert to approve the request
2. This client admin cert must be available in the ldap server

Reference: https://www.dogtagpki.org/wiki/PKI_Client_CLI

Regards,
Dinesh


From cfu at redhat.com Mon Nov 19 19:50:21 2018
From: cfu at redhat.com (Christina Fu)
Date: Mon, 19 Nov 2018 11:50:21 -0800
Subject: [Pki-users] Need help in setting up CRL distribution point
In-Reply-To:
References:
Message-ID:

Hi,

I am not sure if I completely understand your question. If you are asking how one could create a profile that takes the CRL distribution point url from the cert request submitted via SCEP, then you might want to try the UserSuppliedExtension:
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide/#User_Supplied_Extension_Default

where if you were to follow the example, you'd want to use the OID for CRL distribution point instead, which is 2.5.29.31

Hope this helps,
Christina

On Wed, Oct 31, 2018 at 6:39 AM Akshath Hegde wrote:
> Hi. I have installed the dogtag pki on centos 7. My client is a router
> which uses scep for enrollment. I'm able to authenticate and enroll. But
> I'm having trouble in setting up the CRL distribution point. The client
> seems to be sending the scep request with a specific URL every time.
So I > need to modify the location where the CRL is placed and the URL to which > the scep server responds and publish this with the certificate. Right now I > can see this is the request - > ca/ee/ca/getCRL?operation=getCRL&crlIssuingPoint=MasterCRL. I modified the > caRouterCert.cfg profile to change the URL that gets published. But Im not > able to figure out how to change the location and map the URI to that. Any > help would be appreciated > > Thanks > > _______________________________________________ > Pki-users mailing list > Pki-users at redhat.com > https://www.redhat.com/mailman/listinfo/pki-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From zarko at etcfstab.com Thu Nov 22 06:17:20 2018 From: zarko at etcfstab.com (Z D) Date: Thu, 22 Nov 2018 06:17:20 +0000 Subject: [Pki-users] expired pki-server 10.3.3 certificates In-Reply-To: <80bd565f0f2df62768d644570c1df887f2b06ad7.camel@redhat.com> References: , <1786347373.22072751.1542248219045.JavaMail.zimbra@redhat.com> ,<5eaa84ea25c20ca6d5aeedb424ff1fc988a26cd0.camel@redhat.com> , <80bd565f0f2df62768d644570c1df887f2b06ad7.camel@redhat.com> Message-ID: Hi Dinesh, unfortunately this is what's happening now. Let's please recap. [1] The list of certs, and expire date, so I go back in time when all certs are valid. # getcert list | egrep "certificate|expire" Number of certificates and requests being tracked: 6. 
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2018-08-14 20:49:38 UTC certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2018-08-14 20:49:35 UTC certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' expires: 2018-08-14 20:49:36 UTC certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' expires: 2036-08-24 20:49:35 UTC certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' expires: 2020-07-21 17:18:06 UTC certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' expires: 2018-08-14 20:50:00 UTC [2] this is my date # date Sun Aug 5 01:08:49 PDT 2018 [3] maybe to renew this cert first, s/n is 7. 
# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
Serial Number: 7 (0x7)

[4] enrollment template is saved
# pki ca-cert-request-profile-show caManualRenewal --output caManualRenewal.xml
-------------------------------------------------
Enrollment Template for Profile "caManualRenewal"
-------------------------------------------------
--------------------------------------------------------------------
Saved enrollment template for caManualRenewal to caManualRenewal.xml
--------------------------------------------------------------------

[5] adding s/n 7
# vi caManualRenewal.xml

[6] Submit cert request, it's pending
# pki ca-cert-request-submit caManualRenewal.xml
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 89990160
  Type: renewal
  Request Status: pending
  Operation Result: success

[7] This fails with message "BadRequestException: Request Not In Pending State", as per [6] it should be in pending state
# pki -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-request-review 7 --action approve
PKI options: -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d
PKI command: ipaCert -n ipaCert ca-cert-request-review 7 --action approve
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d --verbose -n ipaCert ca-cert-request-review 7 --action approve
Server URI: http://ca-ldap04.realm.com:8080
Client security database: /etc/httpd/alias
Message format: null
Command: ca-cert-request-review 7 --action approve
Initializing client security database
Logging into security token
Module: ca
HTTP request: GET /ca/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: ca-ldap04.realm.com:8080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 16:00:00 PST
  Location: https://ca-ldap04.realm.com:8443/ca/rest/account/login
  Content-Length: 0
  Date: Sun, 05 Aug 2018 08:11:15 GMT
HTTP redirect: https://ca-ldap04.realm.com:8443/ca/rest/account/login
Client certificate: ipaCert
HTTP request: GET /ca/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: ca-ldap04.realm.com:8443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=ca-ldap04.realm.com,O=realm.com
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 16:00:00 PST
  Set-Cookie: JSESSIONID=01E9ED9A2E8548423871C4E1149F64DD; Path=/ca/; Secure; HttpOnly
  Content-Type: application/xml
  Content-Length: 205
  Date: Sun, 05 Aug 2018 08:11:15 GMT
Account:
  - User ID: ipara
  - Full Name: ipara
  - Email: null
  - Roles: [Certificate Manager Agents, Registration Manager Agents]
Module: cert
Module: request-review
HTTP request: GET /ca/rest/agent/certrequests/7 HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: ca-ldap04.realm.com:8080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 16:00:00 PST
  Location: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7
  Content-Length: 0
  Date: Sun, 05 Aug 2018 08:11:15 GMT
HTTP redirect: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7
Client certificate: ipaCert
HTTP request: GET /ca/rest/agent/certrequests/7 HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: ca-ldap04.realm.com:8443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=01E9ED9A2E8548423871C4E1149F64DD
  Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 16:00:00 PST
  Content-Type: application/xml
  Transfer-Encoding: chunked
  Date: Sun, 05 Aug 2018 08:11:15 GMT
HTTP request: POST /ca/rest/agent/certrequests/7/approve HTTP/1.1
  Content-Type: application/xml
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Content-Length: 15703
  Host: ca-ldap04.realm.com:8080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Location: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7/approve
  Content-Length: 0
  Date: Sun, 05 Aug 2018 08:11:15 GMT
HTTP redirect: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7/approve
Client certificate: ipaCert
HTTP request: POST /ca/rest/agent/certrequests/7/approve HTTP/1.1
  Content-Type: application/xml
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Content-Length: 15703
  Host: ca-ldap04.realm.com:8443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=01E9ED9A2E8548423871C4E1149F64DD
  Cookie2: $Version=1
HTTP response: HTTP/1.1 400 Bad Request
  Server: Apache-Coyote/1.1
  Content-Type: application/xml
  Content-Length: 228
  Date: Sun, 05 Aug 2018 08:11:15 GMT
  Connection: close
com.netscape.certsrv.base.BadRequestException: Request Not In Pending State
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:450)
        at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:418)
        at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:114)
        at com.netscape.certsrv.cert.CertClient.approveRequest(CertClient.java:117)
        at com.netscape.cmstools.cert.CertRequestReviewCLI.execute(CertRequestReviewCLI.java:162)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
        at com.netscape.cmstools.cert.CertCLI.execute(CertCLI.java:91)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
        at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:57)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:562)
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:574)
ERROR: Command '[u'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', u'-Djava.ext.dirs=/usr/share/pki/lib', u'-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '/etc/httpd/alias', '-c', 'e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d', '--verbose', '-n', 'ipaCert', 'ca-cert-request-review', '7', '--action', 'approve']' returned non-zero exit status 255

________________________________
From: Dinesh Prasanth Moluguwan Krishnamoorthy
Sent: Monday, November 19, 2018 7:01:30 AM
To: Z D; John Magne; pki-users at redhat.com
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates

Z D,

No. The "approve" operation you are trying to achieve is an action from admin. So, you need to change this to the following:

`pki -d -c -n ca-cert-request-review 7 --action approve`

-d = either /root/.dogtagpki/pki-tomcat/ca/alias OR /root/.dogtagpki/nssdb
-c = The password for the nssdb that you point in -d
-n = the nickname of the cert in the nssdb that you point in -d. Do a `certutil -L -d /root/.dogtagpki/pki-tomcat/ca/alias` to give you a list of certs available in the nssdb.

NOTE:
1. You need to have a valid client admin cert to approve the request
2.
   This client admin cert must be available in ldap server

Reference: https://www.dogtagpki.org/wiki/PKI_Client_CLI

Regards,
Dinesh

On Mon, 2018-11-19 at 06:15 +0000, Z D wrote:
Thanks Dinesh,

I was able to submit request using caManualRenewal.xml file, but I need clarity about approval.
I believe default CA admin can be used as CA agent. So password I use for "-c" is the one I have in files like /root/.dogtag/pki-tomcat/ca/password.conf and /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
NSS database is located in /etc/pki/pki-tomcat/alias, is this the one I should use for "-d" ?

The command:
pki -d /etc/pki/pki-tomcat/alias -n admin -c ca-cert-request-review 7 --action approve
gives the output:
IncorrectPasswordException: Incorrect client security database password.

________________________________
From: Dinesh Prasanth Moluguwan Krishnamoorthy
Sent: Sunday, November 18, 2018 10:40:01 AM
To: Z D; John Magne; pki-users at redhat.com
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates

Hi Zarko,

Maybe this documentation might help?
https://www.dogtagpki.org/wiki/System_Certificate_Renewal
It has instructions for 10.3 or earlier.

Let us know if that helped!

Regards,
Dinesh

On Sun, 2018-11-18 at 01:39 +0000, Z D wrote:
Hi John, thanks for the feedback.

I used this URL as help to disable self tests.
https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_Renewal_Process
Many of "pki-server" command options are not present for me, since pki-server version is 10.3, I believe the doc applies for 10.5. But I was able to disable self test and PKI is responsive now.
After system time is back, I use 'getcert resubmit' to renew a cert and am seeing these certmonger errors. Basically it is something like: "ACIError: Insufficient access: Invalid credentials"

[journalctl messages]
------------------------------
Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in #012 sys.exit(main())#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main#012 if ca.is_renewal_master():#012 File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master#012 self.ldap_connect()#012 File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect#012 conn.do_bind(self.dm_password, autobind=self.autobind)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind#012 self.do_sasl_gssapi_bind(timeout=timeout)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind#012 self.__bind_with_wait(self.gssapi_bind, timeout)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait#012 bind_func(*args, **kwargs)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind#012 '', auth_tokens, server_controls, client_controls)#012 File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__#012 self.gen.throw(type, value, traceback)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler#012 raise errors.ACIError(info="%s %s" % (info, desc))#012ACIError: Insufficient access: Invalid credentials

[syslog messages]
------------------------
Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit[9333]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main
    if ca.is_renewal_master():
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
    self.ldap_connect()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
    conn.do_bind(self.dm_password, autobind=self.autobind)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
    self.do_sasl_gssapi_bind(timeout=timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
    self.__bind_with_wait(self.gssapi_bind, timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
    bind_func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
    raise errors.ACIError(info="%s %s" % (info, desc))
ACIError: Insufficient access: Invalid credentials
Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal error

Is there any URL that's relevant for pki 10.3

thanks in advance,
Zarko

________________________________
From: John Magne
Sent: Wednesday, November 14, 2018 6:16 PM
To: Z D
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates

Hi:

You can try to temporarily disable the self tests for your ca, until the new certs are resolved.
Look in the CS.cfg file for the ca in question and there is a big section controlling the self tests.
Just experiment with commenting out the tests and see if that gets you past the hurdle.
_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From zarko at etcfstab.com Sat Nov 24 04:29:23 2018
From: zarko at etcfstab.com (Z D)
Date: Sat, 24 Nov 2018 04:29:23 +0000
Subject: [Pki-users] expired pki-server 10.3.3 certificates
In-Reply-To:
References: , <1786347373.22072751.1542248219045.JavaMail.zimbra@redhat.com> ,<5eaa84ea25c20ca6d5aeedb424ff1fc988a26cd0.camel@redhat.com> , <80bd565f0f2df62768d644570c1df887f2b06ad7.camel@redhat.com>,
Message-ID:

And if I repeat the process from the previous post, but with the current time, step [7] exits with a different message, "IOException: SocketException cannot write on socket":

# pki -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-request-review 7 --action approve
PKI options: -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d
PKI command: ipaCert -n ipaCert ca-cert-request-review 7 --action approve
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d --verbose -n ipaCert ca-cert-request-review 7 --action approve
Server URI: http://ca-ldap04.domain.com:8080
Client security database: /etc/httpd/alias
Message format: null
Command: ca-cert-request-review 7 --action approve
Initializing client security database
Logging into security token
Module: ca
HTTP request: GET /ca/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: ca-ldap04.domain.com:8080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 16:00:00 PST
  Location: https://ca-ldap04.domain.com:8443/ca/rest/account/login
  Content-Length: 0
  Date: Sat, 24 Nov 2018 04:25:33 GMT
HTTP redirect: https://ca-ldap04.domain.com:8443/ca/rest/account/login
Client certificate: ipaCert
HTTP request: GET /ca/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: ca-ldap04.domain.com:8443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=ca-ldap04.domain.com,O=domain.com
java.io.IOException: SocketException cannot write on socket
        at org.mozilla.jss.ssl.SSLSocket.write(SSLSocket.java:1099)
        at org.mozilla.jss.ssl.SSLOutputStream.write(SSLOutputStream.java:56)
        at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:147)
        at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:154)
        at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:278)
        at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:283)
        at org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:175)
        at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:260)
        at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125)
        at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:715)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:520)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
        at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62)
        at com.sun.proxy.$Proxy23.login(Unknown Source)
        at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:45)
        at com.netscape.certsrv.client.SubsystemClient.login(SubsystemClient.java:49)
        at com.netscape.cmstools.cli.CACLI.login(CACLI.java:58)
        at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:54)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:562)
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:574)
ERROR: Command '[u'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', u'-Djava.ext.dirs=/usr/share/pki/lib', u'-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '/etc/httpd/alias', '-c', 'e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d', '--verbose', '-n', 'ipaCert', 'ca-cert-request-review', '7', '--action', 'approve']' returned non-zero exit status 255

________________________________
From: pki-users-bounces at redhat.com on behalf of Z D
Sent: Wednesday, November 21, 2018 10:17:20 PM
To: Dinesh Prasanth Moluguwan Krishnamoorthy; John Magne; pki-users at redhat.com
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates

Hi Dinesh,

unfortunately this is what's happening now. Let's please recap.

[1] The list of certs, and expire date, so I go back in time when all certs are valid.
# getcert list | egrep "certificate|expire"
Number of certificates and requests being tracked: 6.
From dmoluguw at redhat.com Tue Nov 27 17:56:29 2018
From: dmoluguw at redhat.com (Dinesh Prasanth Moluguwan Krishnamoorthy)
Date: Tue, 27 Nov 2018 12:56:29 -0500
Subject: [Pki-users] expired pki-server 10.3.3 certificates
In-Reply-To:
References: , <1786347373.22072751.1542248219045.JavaMail.zimbra@redhat.com> ,<5eaa84ea25c20ca6d5aeedb424ff1fc988a26cd0.camel@redhat.com> ,<80bd565f0f2df62768d644570c1df887f2b06ad7.camel@redhat.com>
Message-ID: <4dfe02080e9efa9a8aad6f91047a07e45040d8fe.camel@redhat.com>

ZD,

From [6], your request ID is 89990160. But, you are passing request ID as 7

Regards,
Dinesh

On Thu, 2018-11-22 at 06:17 +0000, Z D wrote:
> [6] Submit cert request, it's pending
>
> # pki ca-cert-request-submit caManualRenewal.xml
> -----------------------------
> Submitted certificate request
> -----------------------------
>   Request ID: 89990160
>   Type: renewal
>   Request Status: pending
>   Operation Result: success
>
> [7] This fails with message "BadRequestException: Request Not In
> Pending State", as per [6] it should be in pending state
>
> # pki -v -d /etc/httpd/alias -c
> e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-request-
> review 7 --action approve

From ftweedal at redhat.com Thu Nov 29 03:02:22 2018
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 29 Nov 2018 13:02:22 +1000
Subject: [Pki-users] [Freeipa-users] OCSP responses for an external CA
In-Reply-To: <7c6aaaf240467299bd0f00b630ffa2b8b0d717a0.camel@dingman.org>
References: <7c6aaaf240467299bd0f00b630ffa2b8b0d717a0.camel@dingman.org>
Message-ID: <20181129030222.GL22463@T470s>

Hi Andrew,

Responses inline.
On Wed, Nov 28, 2018 at 05:35:11PM -0800, Andrew C Dingman via FreeIPA-users wrote:
> Hi, all
>
> I'm not sure the following is feasible, but IHAC who may want to use
> IPA in an air-gapped network while relying on smart card authentication
> using certificates from a very large, external CA. Can anyone give me
> an idea of whether the following scenario is feasible, and if so,
> supportable?
>
> External certificate authority E issues user certificates and
> provisions smart card tokens. (It runs RHCS, if that matters.) Inside
> the isolated network, users are separately maintained in IPA domain P.
> When each user is created in P, a certificate issued by E is added to
> the user's entry. That certificate is used for pkinit and ssl/tls
> client authentication to services in P.
>
> So far, my understanding is that this should be feasible provided that
> E is added as a trusted authority in various places, but I'm a little
> fuzzy on the pkinit piece. Where it gets really problematic is dealing
> with CRLs.
>
Yes, so far so good. That's all supported.

> Because P and its relying parties are isolated, they can't use OCSP to
> check current validity of a certificate. To avoid the hassles of
> distributing CRLs to all relying systems and services manually, would
> it be possible to add those CRLs to the set served by the OCSP
> responder in P? Obviously the responses would be signed by P rather
> than E, but if P has verified the CRL on which they were based it seems
> at least potentially viable.
>
X.509 supports delegating OCSP signing authority to 3rd parties. But we
do not support it in Dogtag or FreeIPA at this time. It would be complex
to implement.

If they are already using RHCS, they could consider using a standalone
OCSP subsystem to service the OCSP requests. I'm not sure about the
setup detail, i.e. whether regularly transporting CRL(s) from the
air-gapped CA to the OCSP subsystem is sufficient, or whether LDAP
replication must be used.
I've Cc'd pki-users ML for input from people who hopefully know more
about the OCSP subsystem than I do.

On the user certificate issuance side, they are using RHCS. So it is
straightforward to configure a profile that sets the Authority
Information Access extension to point to whatever OCSP responder they
end up using.

> As currently envisioned, E would be completely unaware of the existence
> of P,
>
Not possible. E must at least be aware of P to the extent that it has
issued a delegated OCSP signing certificate to P. Otherwise the OCSP
responses issued by P, pertaining to certificates issued by E, cannot be
trusted by clients, even if they trust P as a CA.

> but P would trust certificates issued by E. If that isn't
> feasible, would it make any difference if P's CA were subordinate to E?
>
There are some scenarios that conceptually work (e.g. P's CA
certificate, issued by E, contains the id-kp-OCSPSigning Extended Key
Usage OID). But it is irrelevant because I do not believe there is a way
to configure a Dogtag CA subsystem to service OCSP requests on behalf of
an external CA.

> Thanks in advance for any guidance you can offer.
>
You're welcome.

Cheers,
Fraser
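Fraser's point, that a response signed by P about a certificate issued by E is worthless unless E itself delegated OCSP signing to P, is exactly the rule a client applies in RFC 6960 section 4.2.2.2: the response signer must be the issuer of the certificate in question, or a certificate issued by that issuer carrying id-kp-OCSPSigning. The following is an added example (Python with the `cryptography` package; it is not Dogtag, RHCS or FreeIPA code) that generates a throwaway CA E, a throwaway CA P and a user certificate from E, then has three responders sign a GOOD status for that user: one delegated by E, one merely certified by P, and one issued by E without the OCSP-signing EKU. The relying-party check accepts only the first. All names are made up for the demonstration.

```python
"""Delegated OCSP signing, checked the way a relying party must check it.
Added example (Python + `cryptography`), not Dogtag/RHCS/FreeIPA code.
Models the thread: external CA E issues a user cert; a responder run by
domain P signs OCSP responses about it (RFC 6960 section 4.2.2.2)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(cn, issuer=None, ca=False, eku=None, days=90):
    """Issue an EC cert. `issuer` is a (key, cert) pair; None = self-signed CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer_key, issuer_cert = issuer if issuer else (key, None)
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(_name(cn))
               .issuer_name(issuer_cert.subject if issuer_cert else _name(cn))
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=days))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return key, builder.sign(issuer_key, hashes.SHA256())


def sign_response(responder, issuer_cert, target):
    """Responder asserts GOOD for `target` (issued by issuer_cert) and embeds
    its own certificate so the client can locate the signer. Returns DER."""
    key, cert = responder
    now = datetime.now(timezone.utc)
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=target, issuer=issuer_cert, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD,
                          this_update=now, next_update=now + timedelta(hours=1),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, cert)
            .certificates([cert])
            .sign(key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)


def _ecdsa_ok(pubkey, sig, data, hash_alg):
    try:
        pubkey.verify(sig, data, ec.ECDSA(hash_alg))
        return True
    except InvalidSignature:
        return False


def verify_response(der, issuer_cert, target):
    """Relying-party check. The only trust anchor is issuer_cert (E);
    whether the client also trusts P as a CA plays no part."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "response status " + resp.response_status.name
    # Signer is the issuer itself or a certificate carried in the response.
    candidates = [issuer_cert] + list(resp.certificates)
    signer = next((c for c in candidates if c.subject == resp.responder_name), None)
    if signer is None:
        return False, "responder certificate not found"
    if not _ecdsa_ok(signer.public_key(), resp.signature, resp.tbs_response_bytes,
                     resp.signature_hash_algorithm):
        return False, "bad response signature"
    if signer != issuer_cert:
        # Delegation: signer must be issued and signed by E and marked for OCSP signing.
        if signer.issuer != issuer_cert.subject or not _ecdsa_ok(
                issuer_cert.public_key(), signer.signature,
                signer.tbs_certificate_bytes, signer.signature_hash_algorithm):
            return False, "responder not issued by the certificate's issuer"
        try:
            eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            eku = []
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            return False, "responder lacks id-kp-OCSPSigning"
    if resp.serial_number != target.serial_number:
        return False, "response is about a different certificate"
    return True, resp.certificate_status.name


def demo():
    """Same user cert, three responders: only the one E delegated to is accepted."""
    e = issue("External CA E", ca=True, days=3650)
    p = issue("IPA CA P", ca=True, days=3650)
    _, user = issue("user1", issuer=e)
    ocsp_eku = [ExtendedKeyUsageOID.OCSP_SIGNING]
    responders = {
        "delegated_by_E": issue("P OCSP responder", issuer=e, eku=ocsp_eku),
        "signed_by_P": issue("P OCSP responder", issuer=p, eku=ocsp_eku),
        "no_ocsp_eku": issue("P OCSP responder", issuer=e),
    }
    return {k: verify_response(sign_response(r, e[1], user), e[1], user)
            for k, r in responders.items()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "signed_by_P" case is the one Andrew sketched: P is a perfectly good CA, its responder's signature verifies, and the client still rejects the response because P's certificate did not come from E. A production validator would additionally check the responder certificate for revocation (or for id-pkix-ocsp-nocheck), the thisUpdate/nextUpdate window, and a nonce if one was sent; those checks are omitted here to keep the delegation rule in focus.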
