[Pki-users] expired pki-server 10.3.3 certificates
Z D
zarko at etcfstab.com
Thu Nov 22 06:17:20 UTC 2018
Hi Dinesh, unfortunately this is what's happening now. Let's please recap.
[1] The list of certs, and expire date, so I go back in time when all certs are valid.
# getcert list | egrep "certificate|expire"
Number of certificates and requests being tracked: 6.
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:38 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:35 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-21 17:18:06 UTC
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
expires: 2018-08-14 20:50:00 UTC
[2] this is my date
# date
Sun Aug 5 01:08:49 PDT 2018
[3] maybe to renew this cert first, s/n is 7.
# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
Serial Number: 7 (0x7)
[4] enrollment template is saved
# pki ca-cert-request-profile-show caManualRenewal --output caManualRenewal.xml
-------------------------------------------------
Enrollment Template for Profile "caManualRenewal"
-------------------------------------------------
--------------------------------------------------------------------
Saved enrollment template for caManualRenewal to caManualRenewal.xml
--------------------------------------------------------------------
[5] adding s/n 7
# vi caManualRenewal.xml
[6] Submit cert request, it's pending
# pki ca-cert-request-submit caManualRenewal.xml
-----------------------------
Submitted certificate request
-----------------------------
Request ID: 89990160
Type: renewal
Request Status: pending
Operation Result: success
[7] This fails with message "BadRequestException: Request Not In Pending State", as per [6] it should be in pending state
# pki -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d -n ipaCert ca-cert-request-review 7 --action approve
PKI options: -v -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d
PKI command: ipaCert -n ipaCert ca-cert-request-review 7 --action approve
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /etc/httpd/alias -c e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d --verbose -n ipaCert ca-cert-request-review 7 --action approve
Server URI: http://ca-ldap04.realm.com:8080
Client security database: /etc/httpd/alias
Message format: null
Command: ca-cert-request-review 7 --action approve
Initializing client security database
Logging into security token
Module: ca
HTTP request: GET /ca/rest/account/login HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: ca-ldap04.realm.com:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Wed, 31 Dec 1969 16:00:00 PST
Location: https://ca-ldap04.realm.com:8443/ca/rest/account/login
Content-Length: 0
Date: Sun, 05 Aug 2018 08:11:15 GMT
HTTP redirect: https://ca-ldap04.realm.com:8443/ca/rest/account/login
Client certificate: ipaCert
HTTP request: GET /ca/rest/account/login HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: ca-ldap04.realm.com:8443
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=ca-ldap04.realm.com,O=realm.com
HTTP response: HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Wed, 31 Dec 1969 16:00:00 PST
Set-Cookie: JSESSIONID=01E9ED9A2E8548423871C4E1149F64DD; Path=/ca/; Secure; HttpOnly
Content-Type: application/xml
Content-Length: 205
Date: Sun, 05 Aug 2018 08:11:15 GMT
Account:
- User ID: ipara
- Full Name: ipara
- Email: null
- Roles: [Certificate Manager Agents, Registration Manager Agents]
Module: cert
Module: request-review
HTTP request: GET /ca/rest/agent/certrequests/7 HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: ca-ldap04.realm.com:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Wed, 31 Dec 1969 16:00:00 PST
Location: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7
Content-Length: 0
Date: Sun, 05 Aug 2018 08:11:15 GMT
HTTP redirect: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7
Client certificate: ipaCert
HTTP request: GET /ca/rest/agent/certrequests/7 HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: ca-ldap04.realm.com:8443
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Cookie: JSESSIONID=01E9ED9A2E8548423871C4E1149F64DD
Cookie2: $Version=1
HTTP response: HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Wed, 31 Dec 1969 16:00:00 PST
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Sun, 05 Aug 2018 08:11:15 GMT
HTTP request: POST /ca/rest/agent/certrequests/7/approve HTTP/1.1
Content-Type: application/xml
Accept-Encoding: gzip, deflate
Accept: application/xml
Content-Length: 15703
Host: ca-ldap04.realm.com:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7/approve
Content-Length: 0
Date: Sun, 05 Aug 2018 08:11:15 GMT
HTTP redirect: https://ca-ldap04.realm.com:8443/ca/rest/agent/certrequests/7/approve
Client certificate: ipaCert
HTTP request: POST /ca/rest/agent/certrequests/7/approve HTTP/1.1
Content-Type: application/xml
Accept-Encoding: gzip, deflate
Accept: application/xml
Content-Length: 15703
Host: ca-ldap04.realm.com:8443
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Cookie: JSESSIONID=01E9ED9A2E8548423871C4E1149F64DD
Cookie2: $Version=1
HTTP response: HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Content-Type: application/xml
Content-Length: 228
Date: Sun, 05 Aug 2018 08:11:15 GMT
Connection: close
com.netscape.certsrv.base.BadRequestException: Request Not In Pending State
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:450)
at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:418)
at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:114)
at com.netscape.certsrv.cert.CertClient.approveRequest(CertClient.java:117)
at com.netscape.cmstools.cert.CertRequestReviewCLI.execute(CertRequestReviewCLI.java:162)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
at com.netscape.cmstools.cert.CertCLI.execute(CertCLI.java:91)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:57)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:562)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:574)
ERROR: Command '[u'/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', u'-Djava.ext.dirs=/usr/share/pki/lib', u'-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '/etc/httpd/alias', '-c', 'e7aae6f3eb9a62a54f2dd18b8d814aa4a579a61d', '--verbose', '-n', 'ipaCert', 'ca-cert-request-review', '7', '--action', 'approve']' returned non-zero exit status 255
________________________________
From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
Sent: Monday, November 19, 2018 7:01:30 AM
To: Z D; John Magne; pki-users at redhat.com
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
Z D,
No. The "approve" operation you are trying to achieve is an action from admin. So, you need to change this to the following:
`pki -d <client nss db location> -c <client nss db pass> -n <admin cert nickname> ca-cert-request-review 7 --action approve`
-d = either /root/.dogtagpki/pki-tomcat/ca/alias OR /root/.dogtagpki/nssdb
-c = The password for the nssdb that you point in -d
-n = the nickname of the cert in the nssdb that you point in -d. Do a `certutil -L -d /root/.dogtagpki/pki-tomcat/ca/alias` to give you a list of certs available in the nssdb.
NOTE:
1. You need to have a valid client admin cert to approve the request
2. This client admin cert must be available in ldap server
Reference:
https://www.dogtagpki.org/wiki/PKI_Client_CLI
Regards,
Dinesh
On Mon, 2018-11-19 at 06:15 +0000, Z D wrote:
Thanks Dinesh, I was able to submit request using caManualRenewal.xml file, but I need clarity about approval.
I believe default CA admin can be used as CA agent. So password I use for "-c" is the one I have in files like
/root/.dogtag/pki-tomcat/ca/password.conf and
/root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
NSS database is located in /etc/pki/pki-tomcat/alias, is this the one I should use for "-d" ?
The command:
pki -d /etc/pki/pki-tomcat/alias -n admin -c <password> ca-cert-request-review 7 --action approve
give the output:
IncorrectPasswordException: Incorrect client security database password.
________________________________
From: Dinesh Prasanth Moluguwan Krishnamoorthy <dmoluguw at redhat.com>
Sent: Sunday, November 18, 2018 10:40:01 AM
To: Z D; John Magne; pki-users at redhat.com
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
Hi Zarko,
May be this documentation might help? https://www.dogtagpki.org/wiki/System_Certificate_Renewal
It has instructions for 10.3 or earlier. Let us know if that helped!
Regards,
Dinesh
On Sun, 2018-11-18 at 01:39 +0000, Z D wrote:
Hi John, thanks for the feedback.
I used this URL as help to disable self tests.
https://www.dogtagpki.org/wiki/Offline_System_Certificate_Renewal#Manual_Renewal_Process
Many of "pki-server" command options are not present for me, since pki-server version is 10.3, I believe the doc applies for 10.5.
But I was able to disable self test and PKI is responsive now.
After system time is back, I use 'getcert resubmit' to renew a cert and seeing this certmonger errors
Basically is some :
"ACIError: Insufficient access: Invalid credentials"
[journalctl messages]
------------------------------
Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit: Traceback (most recent call last):#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>#012 sys.exit(main())#012 File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main#012 if ca.is_renewal_master():#012 File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master#012 self.ldap_connect()#012 File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect#012 conn.do_bind(self.dm_password, autobind=self.autobind)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind#012 self.do_sasl_gssapi_bind(timeout=timeout)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind#012 self.__bind_with_wait(self.gssapi_bind, timeout)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait#012 bind_func(*args, **kwargs)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind#012 '', auth_tokens, server_controls, client_controls)#012 File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__#012 self.gen.throw(type, value, traceback)#012 File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler#012 raise errors.ACIError(info="%s %s" % (info, desc))#012ACIError: Insufficient access: Invalid credentials
[syslog messages]
------------------------
Aug 10 01:04:34 ca-ldap01 dogtag-ipa-ca-renew-agent-submit[9333]: Traceback (most recent call last):
File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
sys.exit(main())
File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 497, in main if ca.is_renewal_master():
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1188, in is_renewal_master
self.ldap_connect()
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 177, in ldap_connect
conn.do_bind(self.dm_password, autobind=self.autobind)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1690, in do_bind
self.do_sasl_gssapi_bind(timeout=timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1668, in do_sasl_gssapi_bind
self.__bind_with_wait(self.gssapi_bind, timeout)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1650, in __bind_with_wait
bind_func(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1108, in gssapi_bind
'', auth_tokens, server_controls, client_controls)
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 973, in error_handler
raise errors.ACIError(info="%s %s" % (info, desc))
ACIError: Insufficient access: Invalid credentials
Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal error
Is there any URL that's relevant for pki 10.3
thanks in advance, Zarko
________________________________
From: John Magne <jmagne at redhat.com>
Sent: Wednesday, November 14, 2018 6:16 PM
To: Z D
Subject: Re: [Pki-users] expired pki-server 10.3.3 certificates
Hi:
YOu can try to temporarily disable the self tests for you ca, until
the new certs are resolved.
Look in the CS.cfg file for the ca in question and there is a big section
controlling the self tests. Just experiment with commenting out the tests and see if that
gets you past the hurdle..
<https://www.redhat.com/mailman/listinfo/pki-users>
_______________________________________________
Pki-users mailing list
Pki-users at redhat.com<mailto:Pki-users at redhat.com>
https://www.redhat.com/mailman/listinfo/pki-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20181122/6efddfed/attachment.htm>
More information about the Pki-users
mailing list