[Pki-users] expired pki-server 10.3.3 certificates

Z D zarko at etcfstab.com
Thu Nov 22 06:17:20 UTC 2018


Hi Dinesh, unfortunately this is what's happening now. Let's please recap.


[1] The list of certs, and expire date, so I go back in time when all certs are valid.

# getcert list | egrep "certificate|expire"
Number of certificates and requests being tracked: 6.
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2018-08-14 20:49:38 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2018-08-14 20:49:35 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2018-08-14 20:49:36 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2036-08-24 20:49:35 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2020-07-21 17:18:06 UTC
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        expires: 2018-08-14 20:50:00 UTC

[2] this is my date

# date
Sun Aug  5 01:08:49 PDT 2018


[3] maybe to renew this cert first, s/n is 7.

# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
        Serial Number: 7 (0x7)

[4] enrollment template is saved

# pki ca-cert-request-profile-show caManualRenewal --output caManualRenewal.xml
-------------------------------------------------
Enrollment Template for Profile "caManualRenewal"
-------------------------------------------------
--------------------------------------------------------------------
Saved enrollment template for caManualRenewal to caManualRenewal.xml
--------------------------------------------------------------------

[5] adding s/n 7

# vi caManualRenewal.xml

[6] Submit cert request, it's pending

# pki ca-cert-request-submit caManualRenewal.xml
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 89990160
  Type: renewal
  Request Status: pending
  Operation Result: success


[7] This fails with message  "BadRequestException: Request Not In Pending State", as per [6] it should be in pending state

# pki -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-request-review 7 --action approve

PKI options: -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d
PKI command: ipaCert -n ipaCert ca-cert-request-review 7 --action approve
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d --verbose -n ipaCert ca-cert-request-review 7 --action approve
Server URI: http://ca-ldap04.realm.com:8080
Client security database: /etc/httpd/alias
Message format: null
Command: ca-cert-request-review 7 --action approve
Initializing client security database
Logging into security token
Module: ca
HTTP request: GET /ca/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: ca-ldap04.realm.com:8080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 16:00:00 PST
  Location: https://ca-ldap04.realm.com:8443/ca/rest/account/login
  Content-Length: 0
  Date: Sun, 05 Aug 2018 08:11:15 GMT
HTTP redirect: https://ca-ldap04.realm.com:8443/ca/rest/account/login
Client certificate: ipaCert
HTTP request: GET /ca/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: ca-ldap04.realm.com:8443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=ca-ldap04.realm.com,O=realm.com
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 16:00:00 PST
  Set-Cookie: JSESSIONID=01E9ED9A2E8548423871C4E1149F64DD; Path=/ca/; Secure; HttpOnly
  Content-Type: application/xml
  Content-Length: 205
  Date: Sun, 05 Aug 2018 08:11:15 GMT
Account:
 - User ID: ipara
 - Full Name: ipara
 - Email: null
 - Roles: [Certificate Manager Agents, Registration Manager Agents]
Module: cert
Module: request-review
HTTP request: GET /ca/rest/agent/certrequests/7 HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: ca-ldap04.realm.com:8080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 16:00:00 PST
  Location: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7
  Content-Length: 0
  Date: Sun, 05 Aug 2018 08:11:15 GMT
HTTP redirect: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7
Client certificate: ipaCert
HTTP request: GET /ca/rest/agent/certrequests/7 HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: ca-ldap04.realm.com:8443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=01E9ED9A2E8548423871C4E1149F64DD
  Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Wed, 31 Dec 1969 16:00:00 PST
  Content-Type: application/xml
  Transfer-Encoding: chunked
  Date: Sun, 05 Aug 2018 08:11:15 GMT
HTTP request: POST /ca/rest/agent/certrequests/7/approve HTTP/1.1
  Content-Type: application/xml
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Content-Length: 15703
  Host: ca-ldap04.realm.com:8080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Location: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7/approve
  Content-Length: 0
  Date: Sun, 05 Aug 2018 08:11:15 GMT
HTTP redirect: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7/approve
Client certificate: ipaCert
HTTP request: POST /ca/rest/agent/certrequests/7/approve HTTP/1.1
  Content-Type: application/xml
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Content-Length: 15703
  Host: ca-ldap04.realm.com:8443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
  Cookie: JSESSIONID=01E9ED9A2E8548423871C4E1149F64DD
  Cookie2: $Version=1
HTTP response: HTTP/1.1 400 Bad Request
  Server: Apache-Coyote/1.1
  Content-Type: application/xml
  Content-Length: 228
  Date: Sun, 05 Aug 2018 08:11:15 GMT
  Connection: close
com.netscape.certsrv.base.BadRequestException: Request Not In Pending State
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:450)
        at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:418)
        at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:114)
        at com.netscape.certsrv.cert.CertClient.approveRequest(CertClient.java:117)
        at com.netscape.cmstools.cert.CertRequestReviewCLI.execute(CertRequestReviewCLI.java:162)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
        at com.netscape.cmstools.cert.CertCLI.execute(CertCLI.java:91)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
        at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:57)
        at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
        at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:562)
        at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:574)
ERROR: Command '[u'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', u'-Djava.ext.dirs=/usr/share/pki/lib', u'-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '/etc/httpd/alias', '-c', 'e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d', '--verbose', '-n', 'ipaCert', 'ca-cert-request-review', '7', '--action', 'approve']' returned non-zero exit status 255



________________________________
From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
Sent: Monday, November 19, 2018 7:01:30 AM
To: Z D; John Magne; pki-users at redhat.com
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates

Z D,

No. The "approve" operation you are trying to achieve is an action from admin. So, you need to change this to the following:

`pki -d <client nss db location> -c <client nss db pass> -n <admin cert nickname> ca-cert-request-review 7 --action approve`

-d = either /root/.dogtagpki/pki-tomcat/ca/alias OR /root/.dogtagpki/nssdb
-c = The password for the nssdb that you point in -d
-n = the nickname of the cert in the nssdb that you point in -d. Do a `certutil -L -d /root/.dogtagpki/pki-tomcat/ca/alias` to give you a list of certs available in the nssdb.

NOTE:
1. You need to have a valid client admin cert to approve the request
2. This client admin cert must be available in ldap server

Reference:
https://www.dogtagpki.org/wiki/PKI_Client_CLI

Regards,
Dinesh

On Mon, 2018-11-19 at 06:15 +0000, Z D wrote:

Thanks Dinesh, I was able to submit request using caManualRenewal.xml file, but I need clarity about approval.


I believe default CA admin can be used as CA agent. So password I use for "-c" is the one I have in files like

/root/.dogtag/pki-tomcat/ca/password.conf and

/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf


NSS database is located in /etc/pki/pki-tomcat/alias, is this the one I should use for "-d" ?


The command:

pki -d /etc/pki/pki-tomcat/alias -n admin -c <password> ca-cert-request-review 7 --action approve


give the output:


IncorrectPasswordException: Incorrect client security database password.



________________________________
From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
Sent: Sunday, November 18, 2018 10:40:01 AM
To: Z D; John Magne; pki-users at redhat.com
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates

Hi Zarko,

May be this documentation might help? https://www.dogtagpki.org/wiki/System_Certificate_Renewal

It has instructions for 10.3 or earlier. Let us know if that helped!

Regards,
Dinesh


On Sun, 2018-11-18 at 01:39 +0000, Z D wrote:

Hi John, thanks for the feedback.


I used this URL as help to disable self tests.

https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_Renewal_Process


Many of  "pki-server" command options are not present for me, since pki-server version is 10.3, I believe the doc applies for 10.5.
But I was able to disable self test and PKI is responsive now.
After system time is back, I use 'getcert resubmit' to renew a cert and seeing this certmonger errors

Basically is some :
"ACIError: Insufficient access:  Invalid credentials"

[journalctl messages]
------------------------------
Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>#012    sys.exit(main())#012  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main#012    if ca.is_renewal_master():#012  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master#012    self.ldap_connect()#012  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect#012    conn.do_bind(self.dm_password, autobind=self.autobind)#012  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind#012    self.do_sasl_gssapi_bind(timeout=timeout)#012  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind#012    self.__bind_with_wait(self.gssapi_bind, timeout)#012  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait#012    bind_func(*args, **kwargs)#012  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind#012    '', auth_tokens, server_controls, client_controls)#012  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__#012    self.gen.throw(type, value, traceback)#012  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler#012    raise errors.ACIError(info="%s %s" % (info, desc))#012ACIError: Insufficient access:  Invalid credentials


[syslog messages]
------------------------
Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit[9333]: Traceback (most recent call last):
File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
sys.exit(main())
File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main if ca.is_renewal_master():
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
self.ldap_connect()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
conn.do_bind(self.dm_password, autobind=self.autobind)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
self.do_sasl_gssapi_bind(timeout=timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
self.__bind_with_wait(self.gssapi_bind, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
bind_func(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
'', auth_tokens, server_controls, client_controls)
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
raise errors.ACIError(info="%s %s" % (info, desc))
ACIError: Insufficient access:  Invalid credentials
Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal error

Is there any URL that's relevant for pki 10.3

thanks in advance, Zarko


________________________________
From: John Magne <jmagne at redhat.com>
Sent: Wednesday, November 14, 2018 6:16 PM
To: Z D
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates

Hi:

YOu can try to temporarily disable the self tests for you ca, until
the new certs are resolved.

Look in the CS.cfg file for the ca in question and there is a big section
controlling the self tests. Just experiment with commenting out the tests and see if that
gets you past the hurdle..



<https://www.redhat.com/mailman/listinfo/pki-users>

_______________________________________________

Pki-users mailing list

Pki-users at redhat.com<mailto:Pki-users at redhat.com>

https://www.redhat.com/mailman/listinfo/pki-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20181122/6efddfed/attachment.htm>


More information about the Pki-users mailing list