[Pki-users] expired pki-server 10.3.3 certificates

Dinesh Prasanth Moluguwan Krishnamoorthy dmoluguw at redhat.com
Sun Nov 18 18:40:01 UTC 2018


Hi Zarko,
Maybe this documentation might help?
https://www.dogtagpki.org/wiki/System_Certificate_Renewal
It has instructions for 10.3 or earlier. Let us know if that helped!
Regards,
Dinesh

On Sun, 2018-11-18 at 01:39 +0000, Z D wrote:
> Hi John, thanks for the feedback.
>
> I used this URL as help to disable self tests.
>
> https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_Renewal_Process
>
> Many of the "pki-server" command options are not present for me, since
> the pki-server version is 10.3; I believe the doc applies to 10.5.
>
> But I was able to disable self test and PKI is responsive now.
>
> After system time is back, I use 'getcert resubmit' to renew a cert
> and am seeing these certmonger errors.
>
> Basically it is some:
>
> "ACIError: Insufficient access:  Invalid credentials"
>
> [journalctl messages]
> ------------------------------
>
> Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit: Traceback
> (most recent call last):#012  File "/usr/libexec/certmonger/dogtag-
> ipa-ca-renew-agent-submit", line 511, in <module>#012   
> sys.exit(main())#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-
> renew-agent-submit",
>  line 497, in main#012    if ca.is_renewal_master():#012  File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 1188, in is_renewal_master#012    self.ldap_connect()#012  File
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>  line 177, in ldap_connect#012    conn.do_bind(self.dm_password,
> autobind=self.autobind)#012  File "/usr/lib/python2.7/site-
> packages/ipapython/ipaldap.py", line 1690, in do_bind#012   
> self.do_sasl_gssapi_bind(timeout=timeout)#012  File
> "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>  line 1668, in do_sasl_gssapi_bind#012   
> self.__bind_with_wait(self.gssapi_bind, timeout)#012  File
> "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650,
> in __bind_with_wait#012    bind_func(*args, **kwargs)#012  File
> "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>  line 1108, in gssapi_bind#012    '', auth_tokens, server_controls,
> client_controls)#012  File "/usr/lib64/python2.7/contextlib.py", line
> 35, in __exit__#012    self.gen.throw(type, value, traceback)#012 
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
>  line 973, in error_handler#012    raise errors.ACIError(info="%s %s"
> % (info, desc))#012ACIError: Insufficient access:  Invalid
> credentials
>
> [syslog messages]
> ------------------------
>
> Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit[9333]: Traceback (most recent call last):
>   File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
>     sys.exit(main())
>   File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main
>     if ca.is_renewal_master():
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
>     self.ldap_connect()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
>     conn.do_bind(self.dm_password, autobind=self.autobind)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
>     self.do_sasl_gssapi_bind(timeout=timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
>     self.__bind_with_wait(self.gssapi_bind, timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
>     bind_func(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
>     '', auth_tokens, server_controls, client_controls)
>   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>     self.gen.throw(type, value, traceback)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
>     raise errors.ACIError(info="%s %s" % (info, desc))
> ACIError: Insufficient access:  Invalid credentials
> Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal error
>
> Is there any URL that's relevant for pki 10.3?
>
> thanks in advance, Zarko
>
> From: John Magne <jmagne at redhat.com>
> Sent: Wednesday, November 14, 2018 6:16 PM
> To: Z D
> Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
>
> Hi:
>
> You can try to temporarily disable the self tests for your ca, until
> the new certs are resolved.
>
> Look in the CS.cfg file for the ca in question and there is a big
> section controlling the self tests. Just experiment with commenting
> out the tests and see if that gets you past the hurdle.
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users