[Pki-users] Problem Renewing Server Certificates

Marc Sauton msauton at redhat.com
Sat Feb 16 01:00:36 UTC 2019


Try adding a -U option with the CA URL, for example:

pki -v -U https://ca1.example.test:8443/ca -d ~/.dogtag/subca1 ca-cert-request-submit --profile caManualRenewal --serial 0x3f0 --renewal

I added a -d option to point to an NSS db that already trusts the issuer of
the SSL certificate presented in the HTTPS connection.
A request should be created and in pending state, until an agent approves
it.
(Use a profile with agent authentication for automatic issuance; a user with
SSL client auth should have automatic renewal/cert issuance.)
Thanks,
M.

On Fri, Feb 15, 2019 at 11:28 AM Wolf, Brian <Brian.Wolf at risd.org> wrote:

> I installed PKI-CA two years ago on a Redhat 7 server. I used it to create
> certificates for an application and have not needed it since. Now the PKI
> server certificates are about to expire, I’m trying to renew them using the
> directions at https://www.dogtagpki.org/wiki/System_Certificate_Renewal.
> I am getting an error when I try to submit the renewal request. The
> error seems to be that it can’t find /pki/rest/info.
>
> Installed packages:
>
> pki-base-10.5.9-6.el7.noarch
> pki-base-java-10.5.9-6.el7.noarch
> pki-ca-10.5.9-6.el7.noarch
> pki-kra-10.5.9-6.el7.noarch
> pki-server-10.5.9-6.el7.noarch
> pki-tools-10.5.9-6.el7.x86_64
> nuxwdog-1.0.3-8.el7.x86_64
>
> java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64
> java-1.8.0-openjdk-headless-1.8.0.191.b12-1.el7_6.x86_64
> javapackages-tools-3.4.1-11.el7.noarch
> javassist-3.16.1-10.el7.noarch
> nuxwdog-client-java-1.0.3-8.el7.x86_64
>
> rest-0.8.1-2.el7.x86_64
> resteasy-base-atom-provider-3.0.6-4.el7.noarch
> resteasy-base-client-3.0.6-4.el7.noarch
> resteasy-base-jackson-provider-3.0.6-4.el7.noarch
> resteasy-base-jaxb-provider-3.0.6-4.el7.noarch
> resteasy-base-jaxrs-3.0.6-4.el7.noarch
> resteasy-base-jaxrs-api-3.0.6-4.el7.noarch
>
> Listing the certificates works. We do not use the default instance of
> pki-tomcat.
>
> # pki-server cert-find -i <my-instance> ca
> -----------------
> 5 entries matched
> -----------------
>   Cert ID: ca_signing
>   Nickname: caSigningCert … CA
>   Token: Internal Key Storage Token
>   Serial Number: 0x1
>   Subject DN: CN=CA Signing Certificate,…
>   Issuer DN: CN=CA Signing Certificate,…
>   Not Valid Before: Fri Mar 10 16:38:21 2017
>   Not Valid After: Tue Mar 10 16:38:21 2037
>
>   Cert ID: ca_ocsp_signing
>   Nickname: ocspSigningCert … CA
>   Token: Internal Key Storage Token
>   Serial Number: 0x2
>   Subject DN: CN=CA OCSP Signing Certificate,…
>   Issuer DN: CN=CA Signing Certificate,OU=…
>   Not Valid Before: Fri Mar 10 16:38:23 2017
>   Not Valid After: Thu Feb 28 16:38:23 2019
>
> [snip]
>
> But the renewal request gives a Not Found error:
>
> # pki -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
> PKIException: Not Found
>
> Adding -v shows an error on the HTTP GET of /pki/rest/info. I don’t see
> that directory structure anywhere on the server. Am I missing something in
> the configuration, or is there another package I need to install? Do I have
> to point the command to our non-default instance, and if so, how do I do
> that?
>
> # pki -v -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
> PKI options: -v
> PKI command: 8370 -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
> Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI --verbose -p 8370 ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
> Server URI: http://my-server:8370
> Client security database: /root/.dogtag/nssdb
> Message format: null
> Command: ca-cert-request-submit --profile caManualRenewal --serial 0x2 --renewal
> Initializing security database
> Module: ca
> Module: cert
> Module: request-submit
> Retrieving caManualRenewal profile.
> Initializing PKIClient
> HTTP request: GET /pki/rest/info HTTP/1.1
>   Accept-Encoding: gzip, deflate
>   Accept: application/xml
>   Host: my-server:8370
>   Connection: Keep-Alive
>   User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
> HTTP response: HTTP/1.1 404 Not Found
>   Server: Apache-Coyote/1.1
>   Content-Type: text/html;charset=utf-8
>   Content-Language: en
>   Content-Length: 977
>   Date: Fri, 15 Feb 2019 18:53:25 GMT
> com.netscape.certsrv.base.PKIException: Not Found
>         at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
>         at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
>         at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
>         at org.dogtagpki.common.InfoClient.getInfo(InfoClient.java:46)
>         at com.netscape.cmstools.cli.MainCLI.getClient(MainCLI.java:576)
>         at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
>         at com.netscape.cmstools.cli.CLI.getClient(CLI.java:194)
>         at com.netscape.cmstools.ca.CACertCLI.getCertClient(CACertCLI.java:95)
>         at com.netscape.cmstools.cert.CertRequestSubmitCLI.execute(CertRequestSubmitCLI.java:138)
>         at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
>         at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
>         at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:67)
>         at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
>         at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:633)
>         at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:669)
> ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '--verbose', '-p', '8370', 'ca-cert-request-submit', '--profile', 'caManualRenewal', '--serial', '0x2', '--renewal']' returned non-zero exit status 255
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
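An added example, not code from either message in this thread: a POSIX shell helper that answers Brian's "how do I point the command at our non-default instance" by reading the instance's HTTPS port from its Tomcat server.xml, building the -U URL Marc describes, checking the /pki/rest/info endpoint that 404s in the trace above, and only then submitting the renewal. It assumes the Dogtag layout /etc/pki/<instance>/server.xml with an SSLEnabled="true" Connector, that the NSS db given to -d already trusts the server certificate's issuer, and that curl (which uses the system trust store or an optional PEM, not the NSS db) is available for the preflight.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the Dogtag layout
# /etc/pki/<instance>/server.xml whose secure Tomcat <Connector> carries
# SSLEnabled="true", and an NSS db that already trusts the CA's TLS issuer.

# Print the port of the first SSL-enabled <Connector> in a server.xml.
# The element usually spans several lines, so track state until the closing '>'.
secure_port() {
    awk '
        /<Connector/ { inconn = 1; port = ""; ssl = 0 }
        inconn {
            # the leading space keeps redirectPort="..." from matching
            if (match($0, / port="[0-9]+"/))
                port = substr($0, RSTART + 7, RLENGTH - 8)
            if ($0 ~ /SSLEnabled="true"/) ssl = 1
            if ($0 ~ />/) {
                if (ssl && port != "") { print port; exit }
                inconn = 0
            }
        }' "$1"
}

# Build the CA base URL for -U. The failing run had no TLS and no /ca path:
# it defaulted to http://my-server:8370, where /pki/rest/info does not exist.
ca_url() {
    printf 'https://%s:%s/ca\n' "$1" "$2"
}

# Preflight the CLI's first request: a 404 means the URL is wrong, a TLS error
# means the trust store lacks the issuer. $2 is an optional CA PEM for curl.
check_ca_url() {
    if [ -n "$2" ]; then
        curl -fsS -o /dev/null --cacert "$2" "$1/pki/rest/info"
    else
        curl -fsS -o /dev/null "$1/pki/rest/info"
    fi
}

# Usage: renew_ca_cert <instance> <hostname> <nssdb> <serial> [ca.pem]
renew_ca_cert() {
    port=$(secure_port "/etc/pki/$1/server.xml") || return 1
    [ -n "$port" ] || { echo "no SSL connector in /etc/pki/$1/server.xml" >&2; return 1; }
    url=$(ca_url "$2" "$port")
    check_ca_url "$url" "$5" || return 1
    pki -v -U "$url" -d "$3" ca-cert-request-submit \
        --profile caManualRenewal --serial "$4" --renewal
}

if [ $# -ge 4 ]; then renew_ca_cert "$@"; fi
```

The submitted request still lands in the pending state Marc describes; approve it with an agent identity (or use an agent-authenticated profile) before replacing the system certificate.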