[Pki-users] expired pki-server 10.3.3 certificates

Dinesh Prasanth Moluguwan Krishnamoorthy dmoluguw at redhat.com
Mon Nov 19 15:01:30 UTC 2018


Z D,
No. The "approve" operation you are trying to achieve is an action from
admin. So, you need to change this to the following:
`pki -d <client nss db location> -c <client nss db pass> -n <admin cert
nickname> ca-cert-request-review 7 --action approve`
-d = either /root/.dogtagpki/pki-tomcat/ca/alias  OR /root/.dogtagpki/nssdb
-c = The password for the nssdb that you point in -d
-n = the nickname of the cert in the nssdb that you point in -d. Do a
`certutil -L -d /root/.dogtagpki/pki-tomcat/ca/alias` to give you a
list of certs available in the nssdb.
NOTE:
1. You need to have a valid client admin cert to approve the request
2. This client admin cert must be available in ldap server
Reference: https://www.dogtagpki.org/wiki/PKI_Client_CLI
Regards,
Dinesh
On Mon, 2018-11-19 at 06:15 +0000, Z D wrote:
> Thanks Dinesh, I was able to submit request using
> caManualRenewal.xml file, but I need clarity about approval.
>
> I believe default CA admin can be used as CA agent. So password I use
> for "-c" is the one I have in files like
> /root/.dogtag/pki-tomcat/ca/password.conf and
> /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
>
> NSS database is located in /etc/pki/pki-tomcat/alias, is this the one
> I should use for "-d" ?
>
> The command:
>
> pki -d /etc/pki/pki-tomcat/alias -n admin -c <password> ca-cert-request-review 7 --action approve
>
> gives the output:
>
> IncorrectPasswordException: Incorrect client security database
> password.
>
> From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
> Sent: Sunday, November 18, 2018 10:40:01 AM
> To: Z D; John Magne; pki-users at redhat.com
> Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
>
> Hi Zarko,
>
> Maybe this documentation might help?
> https://www.dogtagpki.org/wiki/System_Certificate_Renewal
>
> It has instructions for 10.3 or earlier. Let us know if that helped!
>
> Regards,
> Dinesh
>
> On Sun, 2018-11-18 at 01:39 +0000, Z D wrote:
> > Hi John, thanks for the feedback.
> >
> > I used this URL as help to disable self tests.
> > https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_Renewal_Process
> >
> > Many of "pki-server" command options are not present for me, since
> > pki-server version is 10.3, I believe the doc applies for 10.5.
> >
> > But I was able to disable self test and PKI is responsive now.
> >
> > After system time is back, I use 'getcert resubmit' to renew a cert
> > and am seeing these certmonger errors.
> >
> > Basically it is some:
> >
> > "ACIError: Insufficient access:  Invalid credentials"
> >
> > [journalctl messages]
> > ------------------------------
> >
> > Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit:
> > Traceback (most recent call last):#012  File
> > "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line
> > 511, in <module>#012    sys.exit(main())#012  File
> > "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit",
> >  line 497, in main#012    if ca.is_renewal_master():#012  File
> > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", 
> > line 1188, in is_renewal_master#012    self.ldap_connect()#012 
> > File "/usr/lib/python2.7/site-
> > packages/ipaserver/install/service.py",
> >  line 177, in ldap_connect#012    conn.do_bind(self.dm_password,
> > autobind=self.autobind)#012  File "/usr/lib/python2.7/site-
> > packages/ipapython/ipaldap.py", line 1690, in do_bind#012   
> > self.do_sasl_gssapi_bind(timeout=timeout)#012  File
> > "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
> >  line 1668, in do_sasl_gssapi_bind#012   
> > self.__bind_with_wait(self.gssapi_bind, timeout)#012  File
> > "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650,
> > in __bind_with_wait#012    bind_func(*args, **kwargs)#012  File
> > "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
> >  line 1108, in gssapi_bind#012    '', auth_tokens, server_controls,
> > client_controls)#012  File "/usr/lib64/python2.7/contextlib.py",
> > line 35, in __exit__#012    self.gen.throw(type, value,
> > traceback)#012  File "/usr/lib/python2.7/site-
> > packages/ipapython/ipaldap.py",
> >  line 973, in error_handler#012    raise errors.ACIError(info="%s
> > %s" % (info, desc))#012ACIError: Insufficient access:  Invalid
> > credentials
> >
> > [syslog messages]
> > ------------------------
> >
> > Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit[9333]:
> > Traceback (most recent call last):
> > File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
> > sys.exit(main())
> > File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main
> > if ca.is_renewal_master():
> > File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
> > self.ldap_connect()
> > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
> > conn.do_bind(self.dm_password, autobind=self.autobind)
> > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
> > self.do_sasl_gssapi_bind(timeout=timeout)
> > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
> > self.__bind_with_wait(self.gssapi_bind, timeout)
> > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
> > bind_func(*args, **kwargs)
> > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
> > '', auth_tokens, server_controls, client_controls)
> > File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
> > self.gen.throw(type, value, traceback)
> > File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
> > raise errors.ACIError(info="%s %s" % (info, desc))
> > ACIError: Insufficient access:  Invalid credentials
> >
> > Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34
> > [8834] Internal error
> >
> > Is there any URL that's relevant for pki 10.3?
> >
> > thanks in advance, Zarko
> >
> > From: John Magne <jmagne at redhat.com>
> > Sent: Wednesday, November 14, 2018 6:16 PM
> > To: Z D
> > Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
> >
> > Hi:
> >
> > You can try to temporarily disable the self tests for your ca, until
> > the new certs are resolved.
> >
> > Look in the CS.cfg file for the ca in question and there is a big
> > section controlling the self tests. Just experiment with commenting out the
> > tests and see if that gets you past the hurdle..
> >
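A script for the approval step Dinesh describes at the top of the thread, added here as an example; it is not code from the thread, from Dogtag, or from any of the posters. It runs the `certutil -L` check he suggests against the client NSS database, confirms that the nickname given to `-n` is actually present with a private key (the `u` trust flag), and only then builds the `pki ... ca-cert-request-review <id> --action approve` command from his reply. The database path, nickname, password file, the numeric request id and the `SAMPLE_LISTING` text are assumptions or constructed inputs; the one deliberate change from the thread is reading the NSS password from a file with `-C` instead of passing it inline with `-c`, so it does not appear in the process list. Nothing is executed unless `RUN_APPROVE=1` is set.

```shell
#!/bin/sh
# Added example (not code from the thread or from the Dogtag project).
# Checks the client NSS database the way Dinesh suggests before running
# the approval command from his reply. Paths, nickname and request id
# below are assumptions; override them with the environment variables.

# Constructed `certutil -L` style listing for the self-test; a real run
# uses live certutil output instead. Nicknames may contain spaces and the
# last column holds the SSL,S/MIME,JAR/XPI trust flags.
SAMPLE_LISTING='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                    CT,C,C
PKI Administrator for EXAMPLE.COM            u,u,u
Server-Cert cert-pki-ca                      u,u,u'

# nick_has_private_key LISTING NICKNAME
# Succeeds only if NICKNAME appears in LISTING with a "u" (user) trust
# flag, i.e. the database holds its private key, which a cert used for
# -n needs. The trust column is the last whitespace-separated field and
# everything before it is the nickname, compared exactly.
nick_has_private_key() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        {
            flags = $NF
            # skip header and blank lines: trust flags are three comma-separated groups
            if (flags !~ /^[CTPcpuw]*,[CTPcpuw]*,[CTPcpuw]*$/) next
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)
            if (name == nick && flags ~ /u/) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# approve_cmd NSSDB PASSFILE NICKNAME REQUEST_ID
# Prints the command from Dinesh's reply. Deviations from the thread:
# the password comes from a file via -C rather than inline via -c, and
# the request id must be numeric (it is 7 in the thread).
approve_cmd() {
    case "$4" in
        ''|*[!0-9]*) echo "approve_cmd: request id must be numeric" >&2; return 1 ;;
    esac
    printf 'pki -d %s -C %s -n "%s" ca-cert-request-review %s --action approve\n' \
        "$1" "$2" "$3" "$4"
}

# main: run the real check and, only if it passes, the real approval.
main() {
    db="${NSSDB:-/root/.dogtag/pki-tomcat/ca/alias}"            # assumed client db
    pw="${PASSFILE:-/root/.dogtag/pki-tomcat/ca/nssdb-pass.txt}"  # assumed: file holding only the db password
    nick="${NICK:-PKI Administrator for EXAMPLE.COM}"            # assumed nickname
    req="${REQUEST_ID:-7}"                                       # request id from the thread
    listing=$(certutil -L -d "$db") || return 1
    if ! nick_has_private_key "$listing" "$nick"; then
        echo "no certificate with a private key named '$nick' in $db" >&2
        return 1
    fi
    cmd=$(approve_cmd "$db" "$pw" "$nick" "$req") || return 1
    echo "+ $cmd"
    eval "$cmd"
}

if [ -n "${RUN_APPROVE:-}" ]; then
    main
fi
```

The nickname check is the part worth keeping even if you type the `pki` command by hand: Zarko's `IncorrectPasswordException` and a wrong `-n` value fail in different ways, and a listing that shows the CA certificate with `CT,C,C` but no `u` entry tells you the database holds no client key at all, so the admin certificate still has to be imported before any approval can work.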