[Pki-users] expired pki-server 10.3.3 certificates
Dinesh Prasanth Moluguwan Krishnamoorthy
dmoluguw at redhat.com
Mon Nov 19 15:01:30 UTC 2018
Z D,
No. The "approve" operation you are trying to achieve is an action from
admin. So, you need to change this to the following:
`pki -d <client nss db location> -c <client nss db pass> -n <admin cert nickname> ca-cert-request-review 7 --action approve`

-d = either /root/.dogtagpki/pki-tomcat/ca/alias OR /root/.dogtagpki/nssdb
-c = The password for the nssdb that you point in -d
-n = the nickname of the cert in the nssdb that you point in -d. Do a `certutil -L -d /root/.dogtagpki/pki-tomcat/ca/alias` to give you a list of certs available in the nssdb.

NOTE:
1. You need to have a valid client admin cert to approve the request
2. This client admin cert must be available in ldap server

Reference: https://www.dogtagpki.org/wiki/PKI_Client_CLI

Regards,
Dinesh
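The script below is an added example (POSIX shell; not code from Dinesh's message or from the Dogtag project) for the two preconditions his reply spells out before the approve call: the nickname given to -n must exist in the NSS database given to -d, and it must be a client certificate whose private key lives in that database, which certutil -L shows as the "u" flag in the SSL trust slot. The certutil output it parses is a constructed sample, the nickname caadmin, request id 7 and the alias path are assumptions taken from this thread, and the set of --action values the helper agrees to pass through is this example's own restriction, not a statement about the pki CLI.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dogtag: pre-flight checks
# before running "pki -d <db> -c <pass> -n <nick> ca-cert-request-review <id> --action approve".
# Only the certutil -L output format is relied on; the sample below is constructed.

# Constructed sample of `certutil -L -d <dir>` output (not captured from a real system).
SAMPLE_CERTUTIL_OUTPUT='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caadmin                                                      u,u,u
CA Signing Certificate                                       CT,C,C
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 ,,
'

# nss_has_user_cert CERTUTIL_OUTPUT NICKNAME
# Succeeds (exit 0) when NICKNAME is listed and its SSL trust slot carries "u",
# i.e. the database holds the private key, which client authentication needs.
# A CA cert (CT,C,C) or a key-less cert (,,) fails the check.
nss_has_user_cert() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        BEGIN { rc = 1 }
        /^Certificate Nickname/ { next }        # header line
        NF < 2 { next }                         # blank line or "SSL,S/MIME,JAR/XPI"
        {
            flags = $NF                         # trust attributes, e.g. u,u,u
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop the trailing flags
            sub(/^[ \t]+/, "", name)                # nicknames may contain spaces
            if (name == nick) {
                split(flags, f, ",")
                if (index(f[1], "u") > 0) rc = 0
            }
        }
        END { exit rc }'
}

# review_cmd DBDIR PASSWORD NICKNAME REQUEST_ID ACTION
# Prints the pki command line to run, or fails when the arguments look wrong.
review_cmd() {
    db=$1; pw=$2; nick=$3; reqid=$4; action=$5
    case $reqid in
        ''|*[!0-9]*) echo "request id must be numeric: $reqid" >&2; return 1 ;;
    esac
    case $action in
        approve|reject|cancel) ;;   # the only actions this example passes through
        *) echo "unsupported action: $action" >&2; return 1 ;;
    esac
    printf "pki -d %s -c %s -n '%s' ca-cert-request-review %s --action %s\n" \
        "$db" "$pw" "$nick" "$reqid" "$action"
}

# Demo on the constructed sample: verify the admin nickname, then build the command.
# On a real system replace SAMPLE_CERTUTIL_OUTPUT with "$(certutil -L -d "$db")".
if nss_has_user_cert "$SAMPLE_CERTUTIL_OUTPUT" caadmin; then
    review_cmd /root/.dogtag/pki-tomcat/ca/alias 'client-nssdb-password' caadmin 7 approve
else
    echo "caadmin is not a usable client cert in this NSS database" >&2
fi
```

The nickname check answers the error quoted later in the thread from the other direction: an IncorrectPasswordException means the -c password does not open the database named by -d, but even with the right password the call only works if that same database holds the admin cert together with its key, which is why the check insists on the "u" flag rather than mere presence of the nickname.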
On Mon, 2018-11-19 at 06:15 +0000, Z D wrote:
> Thanks Dinesh, I was able to submit request using
> caManualRenewal.xml file, but I need clarity about approval.
>
> I believe default CA admin can be used as CA agent. So password I use
> for "-c" is the one I have in files like
> /root/.dogtag/pki-tomcat/ca/password.conf and
> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>
> NSS database is located in /etc/pki/pki-tomcat/alias, is this the one
> I should use for "-d" ?
>
> The command:
>
> pki -d /etc/pki/pki-tomcat/alias -n admin -c <password> ca-cert-request-review 7 --action approve
>
> gives the output:
>
> IncorrectPasswordException: Incorrect client security database
> password.
>
> From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
> Sent: Sunday, November 18, 2018 10:40:01 AM
> To: Z D; John Magne; pki-users at redhat.com
> Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
>
> Hi Zarko,
>
> Maybe this documentation might help?
> https://www.dogtagpki.org/wiki/System_Certificate_Renewal
>
> It has instructions for 10.3 or earlier. Let us know if that helped!
>
> Regards,
> Dinesh
>
> On Sun, 2018-11-18 at 01:39 +0000, Z D wrote:
> >
> > Hi John, thanks for the feedback.
> >
> > I used this URL as help to disable self tests.
> > https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_Renewal_Process
> >
> > Many of "pki-server" command options are not present for me, since
> > pki-server version is 10.3, I believe the doc applies for 10.5.
> >
> > But I was able to disable self test and PKI is responsive now.
> >
> > After system time is back, I use 'getcert resubmit' to renew a cert
> > and am seeing these certmonger errors
> >
> > Basically it is something like:
> >
> > "ACIError: Insufficient access: Invalid credentials"
> >
> > [journalctl messages]
> > ------------------------------
> >
> > Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit:
> > Traceback (most recent call last):#012 File
> > "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line
> > 511, in <module>#012 sys.exit(main())#012 File
> > "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit",
> > line 497, in main#012 if ca.is_renewal_master():#012 File
> > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> > line 1188, in is_renewal_master#012 self.ldap_connect()#012
> > File "/usr/lib/python2.7/site-
> > packages/ipaserver/install/service.py",
> > line 177, in ldap_connect#012 conn.do_bind(self.dm_password,
> > autobind=self.autobind)#012 File "/usr/lib/python2.7/site-
> > packages/ipapython/ipaldap.py", line 1690, in do_bind#012
> > self.do_sasl_gssapi_bind(timeout=timeout)#012 File
> > "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
> > line 1668, in do_sasl_gssapi_bind#012
> > self.__bind_with_wait(self.gssapi_bind, timeout)#012 File
> > "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650,
> > in __bind_with_wait#012 bind_func(*args, **kwargs)#012 File
> > "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
> > line 1108, in gssapi_bind#012 '', auth_tokens, server_controls,
> > client_controls)#012 File "/usr/lib64/python2.7/contextlib.py",
> > line 35, in __exit__#012 self.gen.throw(type, value,
> > traceback)#012 File "/usr/lib/python2.7/site-
> > packages/ipapython/ipaldap.py",
> > line 973, in error_handler#012 raise errors.ACIError(info="%s
> > %s" % (info, desc))#012ACIError: Insufficient access: Invalid
> > credentials
> >
> > [syslog messages]
> > ------------------------
> >
> > Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit[9333]:
> > Traceback (most recent call last):
> >
> > File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit",
> > line 511, in <module>
> >
> > sys.exit(main())
> >
> > File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit",
> > line 497, in main if ca.is_renewal_master():
> >
> > File "/usr/lib/python2.7/site-
> > packages/ipaserver/install/cainstance.py", line 1188, in
> > is_renewal_master
> >
> > self.ldap_connect()
> >
> > File "/usr/lib/python2.7/site-
> > packages/ipaserver/install/service.py", line 177, in ldap_connect
> >
> > conn.do_bind(self.dm_password, autobind=self.autobind)
> >
> > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> > 1690, in do_bind
> >
> > self.do_sasl_gssapi_bind(timeout=timeout)
> >
> > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> > 1668, in do_sasl_gssapi_bind
> >
> > self.__bind_with_wait(self.gssapi_bind, timeout)
> >
> > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> > 1650, in __bind_with_wait
> >
> > bind_func(*args, **kwargs)
> >
> > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> > 1108, in gssapi_bind
> >
> > '', auth_tokens, server_controls, client_controls)
> >
> > File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
> >
> > self.gen.throw(type, value, traceback)
> >
> > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> > 973, in error_handler
> >
> > raise errors.ACIError(info="%s %s" % (info, desc))
> >
> > ACIError: Insufficient access: Invalid credentials
> >
> > Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34
> > [8834] Internal error
> >
> > Is there any URL that's relevant for pki 10.3
> >
> > thanks in advance, Zarko
> >
> > From: John Magne <jmagne at redhat.com>
> > Sent: Wednesday, November 14, 2018 6:16 PM
> > To: Z D
> > Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
> >
> > Hi:
> >
> > You can try to temporarily disable the self tests for your ca, until
> > the new certs are resolved.
> >
> > Look in the CS.cfg file for the ca in question and there is a big
> > section controlling the self tests. Just experiment with commenting
> > out the tests and see if that gets you past the hurdle.
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users